RFC 7858 - DNS over Transport Layer Security (TLS)

Published: May 2016
Status: Standards Track
Authors: Z. Hu, L. Zhu, J. Heidemann (USC/ISI), A. Mankin (Independent), D. Wessels (Verisign Labs), P. Hoffman (ICANN)
Abstract

This document describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626. In addition, this document specifies two usage profiles for DNS over TLS and provides advice on performance considerations to minimize overhead from using TCP and TLS with DNS.

This document focuses on securing stub-to-recursive traffic, as per the charter of the DPRIVE Working Group. It does not prevent future applications of the protocol to recursive-to-authoritative traffic.

Significance of This RFC

DNS over TLS (DoT) provides critical privacy protection for DNS communication by adding a TLS encryption layer to DNS queries and responses:

  • Privacy Protection: Prevents third parties from eavesdropping on user DNS queries
  • Integrity Protection: Prevents man-in-the-middle tampering with DNS responses
  • Authentication: Optional server identity verification
  • Dedicated Port: Uses TCP port 853, separate from traditional DNS (port 53)

Core Technical Features:

  • Uses TLS 1.2 or higher
  • Supports connection reuse for improved performance
  • Defines two privacy profiles: Opportunistic Privacy and Key-Pinned Privacy
  • Primarily designed to protect client-to-recursive-resolver communication
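
The abstract and the feature list above describe the mechanics of DoT: DNS messages carried over a TLS session on port 853, TLS 1.2 as the floor, one connection reused for many queries, and a key-pinned profile in which the client checks the server's SubjectPublicKeyInfo hash. The Python below is an added example written for this page, not code from RFC 7858 or any DoT implementation. It builds DNS queries with the two-octet length prefix that DoT inherits from DNS over TCP, reassembles length-prefixed messages from a TLS byte stream (responses may arrive out of order and split across reads), computes an SPKI pin in the base64(SHA-256) form the key-pinned profile uses, and configures a TLS 1.2-minimum context. `resolve_over_dot` is network code against a resolver address you supply (the server name and the pin values are placeholders you must provide); everything else runs offline on the constructed sample stream.

```python
import base64
import hashlib
import socket
import ssl
import struct

DOT_PORT = 853  # dedicated port for DNS over TLS (RFC 7858)


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query: RFC 1035 header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return header + question


def frame(msg):
    """DoT reuses DNS-over-TCP framing: a two-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def split_frames(buf):
    """Extract every complete length-prefixed message from a stream buffer.

    Returns (messages, remainder). TLS delivers a byte stream, so one recv()
    may contain several messages or only the first part of one.
    """
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break  # wait for the rest of this message
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def parse_header(msg):
    """Decode the 12-octet DNS header into the fields a client needs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def spki_pin(spki_der):
    """Pin value for the key-pinned profile: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(spki_der, trusted_pins):
    """True when the server key's pin is one of the out-of-band configured pins."""
    return spki_pin(spki_der) in set(trusted_pins)


def make_dot_context():
    """TLS context for DoT: TLS 1.2 minimum, certificate validation left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def resolve_over_dot(server, qnames, ctx=None, timeout=5.0):
    """Pipeline several queries on one TLS connection and match responses by
    transaction ID in whatever order they return. Network code; `server` is a
    placeholder for a DoT resolver you choose. Not exercised offline."""
    ctx = ctx or make_dot_context()
    results, pending, buf = {}, {}, b""
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            for i, name in enumerate(qnames):
                txid = 0x1000 + i
                pending[txid] = name
                tls.sendall(frame(build_query(name, txid=txid)))  # connection reuse
            while pending:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
                msgs, buf = split_frames(buf)
                for m in msgs:
                    hdr = parse_header(m)
                    if hdr["id"] in pending:
                        results[pending.pop(hdr["id"])] = m
    return results


# Constructed sample (not captured traffic): two response headers arriving out of
# order on one connection, then the first octet of a third, still-incomplete message.
_RESP_A = struct.pack("!HHHHHH", 0x1000, 0x8180, 1, 1, 0, 0)  # NOERROR, one answer
_RESP_B = struct.pack("!HHHHHH", 0x1001, 0x8183, 1, 0, 0, 0)  # NXDOMAIN
SAMPLE_STREAM = frame(_RESP_B) + frame(_RESP_A) + b"\x00"

if __name__ == "__main__":
    msgs, rest = split_frames(SAMPLE_STREAM)
    for m in msgs:
        print(parse_header(m))
    print("leftover bytes awaiting more data:", rest)
```

The framing and reassembly are where DoT clients most often go wrong: a reader that assumes one `recv()` equals one DNS message works on a quiet link and breaks as soon as responses are coalesced or split, which is exactly the situation connection reuse creates. Pin checking is shown on raw SPKI bytes; extracting the SPKI from the peer certificate is left to an ASN.1 library, and a failed pin match should abort the connection rather than fall back silently.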

Related Protocols:

  • RFC 8484: DNS over HTTPS (DoH)
  • RFC 7626: DNS Privacy Considerations
  • RFC 8310: Usage Profiles for DNS over TLS and DNS over DTLS