Table of Contents
RFC 7858
RFC 7858 is the document that formally defines DNS over TLS (DoT), a protocol designed to enhance the privacy and security of DNS queries by encrypting them using TLS (Transport Layer Security). Published in May 2016, RFC 7858 addresses the long-standing issue of DNS queries being transmitted in plaintext, which leaves them vulnerable to interception, surveillance, and manipulation by attackers or unauthorized third parties. DNS is a foundational component of the internet, and the need for privacy in DNS transactions has grown as more users become aware of the risks associated with unencrypted network traffic.
The primary motivation behind RFC 7858 is to protect the confidentiality of DNS queries and responses. Without encryption, DNS traffic can be easily intercepted by ISPs, network administrators, or malicious actors, allowing them to see which websites users are visiting. This lack of privacy has raised concerns, especially in environments where users need to protect their browsing activity from monitoring. By using TLS to encrypt DNS traffic, RFC 7858 ensures that only the DNS client and the DNS resolver can view the queries and responses, protecting them from eavesdropping.
One of the main features of RFC 7858 is the use of TLS to establish a secure communication channel between the DNS client and the DNS resolver. Before any DNS queries are exchanged, the client and the resolver must perform a TLS handshake, which authenticates both parties and negotiates an encrypted session. This process ensures that the communication is both confidential and tamper-proof. Once the TLS session is established, DNS queries and responses can be securely transmitted over the encrypted channel.
RFC 7858 specifies that DNS over TLS operates over a dedicated port, port 853, which distinguishes it from traditional unencrypted DNS traffic that typically runs on port 53. By using a different port, DNS over TLS is easily identifiable by network administrators and devices that support the protocol. However, in situations where network policies or firewalls block access to port 853, some implementations of DNS over TLS allow the use of DNS on other ports, such as port 443, which is the standard port for HTTPS traffic.
Another important aspect of RFC 7858 is its support for both strict and opportunistic privacy modes. In strict mode, the DNS client requires that the DNS resolver supports DNS over TLS, and if the resolver does not support it, the query will fail. This mode is ideal for users who prioritize privacy and security. In opportunistic mode, the client attempts to use DNS over TLS, but if the resolver does not support it, the client can fall back to traditional unencrypted DNS. This provides more flexibility, ensuring that DNS queries can still be resolved even if DNS over TLS is unavailable.
Despite its privacy benefits, RFC 7858 introduces some performance overhead due to the TLS handshake process. Establishing a TLS session requires additional round trips between the client and the resolver, which can increase the latency of DNS queries. However, this performance impact is mitigated by the ability to reuse TLS connections for multiple DNS queries, reducing the need for repeated handshakes. Additionally, the widespread adoption of TLS optimization techniques, such as TLS session resumption, helps minimize the performance penalties associated with encrypted DNS traffic.
One of the key concerns addressed by RFC 7858 is the potential impact on DNS resolver trust. Although DNS over TLS encrypts the communication between the client and the resolver, it does not prevent the DNS resolver from accessing the unencrypted queries once they are decrypted. As a result, users must trust the DNS resolver to handle their queries responsibly. To mitigate this risk, privacy-conscious users are encouraged to choose DNS resolvers that adhere to strict no-logging policies and respect user privacy.
The adoption of RFC 7858 has grown steadily since its publication, with many public DNS resolvers now offering support for DNS over TLS. Major DNS providers, such as Cloudflare and Google Public DNS, have implemented DNS over TLS as part of their services, making it easier for users to configure their devices to use encrypted DNS. This widespread support has helped DNS over TLS become a key tool for users seeking to enhance their online privacy.
In addition to public DNS resolvers, some operating systems and network devices have begun to include native support for DNS over TLS. For example, Android 9 and higher include a feature called “Private DNS” that allows users to enable DNS over TLS across all apps and services on their devices. This feature ensures that DNS queries are encrypted at the system level, providing privacy for all network traffic. Similarly, some routers and home networking equipment have added support for DNS over TLS, enabling users to secure their DNS traffic at the network level.
While RFC 7858 primarily focuses on improving privacy, it also enhances security by protecting DNS queries from tampering. In unencrypted DNS, attackers can launch man-in-the-middle attacks to modify DNS responses and redirect users to malicious websites. By encrypting DNS traffic, DNS over TLS helps prevent such attacks, ensuring that DNS responses are authentic and have not been altered in transit.
Conclusion
RFC 7858 defines DNS over TLS, a protocol designed to encrypt DNS queries and responses, addressing the privacy and security concerns associated with traditional unencrypted DNS traffic. By using TLS to protect DNS communication, RFC 7858 ensures that DNS queries are confidential and protected from tampering. Although it introduces some performance overhead, the benefits of enhanced privacy and security make DNS over TLS a vital tool for protecting user data in an increasingly surveillance-prone internet. With growing adoption across DNS providers and operating systems, RFC 7858 continues to play a key role in improving DNS privacy.