LLMpedia: The first transparent, open encyclopedia generated by LLMs

DNS over TLS

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: DNS over TLS
Introduced: 2016
Standard: RFC 7858
Developer: Internet Engineering Task Force
Genre: Network protocol; encryption

DNS over TLS is a network protocol that encrypts Domain Name System traffic between a client and a resolver using Transport Layer Security. It was standardized by the Internet Engineering Task Force to protect the privacy and integrity of name resolution, and has been implemented across software stacks and operating systems by vendors such as Google, Mozilla, Apple, and Cloudflare. Debate over its deployment has involved organizations and events including the Internet Engineering Steering Group, the Internet Architecture Board, the World Wide Web Consortium, and national regulators.

Overview

DNS over TLS provides confidentiality and authentication for DNS queries by encapsulating DNS messages inside Transport Layer Security sessions, aligning with earlier efforts like DNSSEC while addressing a different threat model: on-path adversaries and passive eavesdroppers. The design goal traces to work in the Internet Engineering Task Force and discussion at the IETF 2015 meetings, with related protocols and investigations by groups such as the Internet Research Task Force and the European Telecommunications Standards Institute. Deployments intersect the operational practices of providers like Cloudflare, Google, and Quad9, and of enterprises including the Mozilla Foundation and Apple Inc.

Specification and Protocol Details

The protocol was formalized in RFC 7858 and extends standard DNS over UDP/TCP by carrying DNS messages over encrypted channels negotiated with TLS 1.2 and, later, TLS 1.3, with cipher suites and certificate validation guided by Internet Engineering Task Force and CA/Browser Forum practices. Session establishment relies on the TLS handshake and on certificate verification mechanisms tied to public key infrastructure actors such as Let's Encrypt, DigiCert, and national certificate authorities, which are subject to oversight in forums like the Forum of Incident Response and Security Teams. Name obfuscation and metadata reduction techniques relate to research from institutions including MIT, Stanford University, the University of Cambridge, and ETH Zurich.

Adoption and Deployment

Adoption has been driven by major operating system vendors and service providers: Android introduced system-level support, Mozilla Corporation enabled options in Firefox, and Cloudflare promoted public resolvers. Enterprise adoption and routing considerations were discussed at industry events such as Black Hat USA, DEF CON, and standards meetings at the IETF. National authorities and regulatory bodies such as the European Commission and agencies in countries like the United Kingdom and Germany have considered the implications for lawful interception and consumer protection, influencing deployment choices by providers including AT&T, Verizon Communications, BT Group, and content platforms like Facebook and Netflix.

Privacy and Security Considerations

By encrypting queries, DNS over TLS reduces exposure to passive surveillance performed by actors referenced in reports from Edward Snowden, the European Parliament, and civil society groups like the Electronic Frontier Foundation and Access Now. It complements the integrity mechanisms of DNSSEC but does not replace signature validation; case studies of censorship practices involving the Great Firewall of China and practices in Russia and Turkey have revealed trade-offs between privacy and traffic filtering. Cryptographic choices reference standards bodies such as the Internet Engineering Task Force and research from labs at Google Research, Microsoft Research, and academic centers at UC Berkeley.

Performance and Compatibility

Using TLS introduces connection setup overhead tied to TLS handshake latency. Session resumption strategies have been evaluated by teams at Akamai Technologies, Cloudflare, and research groups at ETH Zurich, and mitigations like multiplexing queries over one connection and TLS 1.3 zero round-trip time (0-RTT) were promoted in follow-up specifications and best practices documented by the IETF. Compatibility issues with existing middleboxes and recursive resolvers emerged in operational reports from RIPE NCC, ARIN, and network operators collaborating through MANRS and industry working groups, prompting fallback behaviors and policy guidance from organizations such as the IETF Operations and Management Area and the Internet Architecture Board.
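As an added example, not part of this article, the following Python client shows the two mechanics described in the Specification and Performance sections: DNS messages carried inside a certificate-validated TLS session on the port RFC 7858 assigns (853), using the 2-octet length framing DoT inherits from DNS over TCP, and reuse of one TLS session for several queries so the handshake cost is paid once. The resolver address, its certificate name, and the sample response bytes are assumptions constructed for illustration; the parser handles only A records.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # port assigned to DNS over TLS by RFC 7858

def build_query(name, qtype=1, txid=0):
    # Header (RD=1, one question) + question, behind the 2-octet DNS-over-TCP length prefix DoT also uses.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, off):
    # Step over a name; a leading 0xC0 marks a 2-octet compression pointer.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def parse_a_records(frame, txid=0):
    # IPv4 strings from the answer section; [] on id mismatch or RCODE != 0.
    msg = frame[2:2 + struct.unpack("!H", frame[:2])[0]]
    rid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != txid or flags & 0x000F:
        return []
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_tls(server_ip, server_name, names):
    # One handshake serves every query, so the TLS setup cost is paid once; create_default_context()
    # validates the chain and checks server_name against it (strict profile), and sends it as SNI.
    ctx = ssl.create_default_context()
    results = {}
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            rd = tls.makefile("rb")  # read(n) blocks until n bytes arrive or EOF
            for i, name in enumerate(names):
                tls.sendall(build_query(name, txid=i))
                prefix = rd.read(2)
                results[name] = parse_a_records(prefix + rd.read(struct.unpack("!H", prefix)[0]), txid=i)
    return results
```

A resolver that fails chain or hostname validation makes wrap_socket raise ssl.SSLCertVerificationError, which is the behaviour a strict-profile client wants rather than a silent fallback to cleartext.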

Implementations and Clients

Implementations span resolver software, stub resolvers, and operating system libraries produced by projects and companies including Unbound, BIND, Knot DNS, PowerDNS, systemd-resolved, dnsmasq, Google Public DNS, and Cloudflare DNS. Client integrations appear in applications and systems such as Firefox, Android, iOS, Windows 10, macOS, and networking tools from vendors like Cisco Systems and Juniper Networks. Open-source projects and research prototypes have been developed by communities on GitHub, universities like Carnegie Mellon University and the University of Illinois Urbana-Champaign, and labs at Google and the Mozilla Foundation.

Category:Network protocols