DNSvizor with DNS over TLS and DNS over HTTPS support
2025-05-29
TL;DR: DNSvizor now has DoT and DoH support. We are continuing our work on DNSvizor (repository).
DNS originally communicated over UDP (a connectionless, unreliable protocol), and most DNS traffic still uses UDP today. Larger queries and answers (such as zone transfers) are usually carried over TCP. While TCP offers a reliable connection, it provides no data confidentiality, integrity or authenticity.
DNS over TLS
In 2016, DNS over TLS was specified to eliminate opportunities for eavesdropping and on-path tampering with DNS queries and answers in the network.
Some deployed DNS resolvers, when used over UDP, tamper with queries and answers by intercepting them, returning an answer for every unknown name, or blocking certain queries. A TLS connection remedies such network tampering, and the user can be sure they are talking to their desired DNS resolver (i.e. their own).
The protocol modification for DNS over TLS is that the client needs the trust anchor and must be able to reach the remote resolver on TCP port 853. Each DNS message is prefixed by a 2-byte length field, as specified for DNS over TCP.
Since we implemented TLS in OCaml more than 10 years ago, the change in DNSvizor was marginal: on the resolver side we need a way to generate or retrieve the X.509 certificate.
DNS over HTTPS
In 2018, DNS over HTTPS was standardized. The lesson from DNS over TLS was that port 853 is blocked in some networks, whereas port 443 (HTTPS) is almost never filtered. In addition, with HTTP/2 a single connection can be multiplexed to carry many DNS exchanges.
In DNS over HTTPS, the query is carried either in a GET request (as a base64url-encoded query parameter) or in a POST request (as the binary body). The answer is the body of the HTTP reply. Special care is needed so that this works with HTTP caching proxies: the Cache-Control max-age must be set to the smallest time to live in the DNS reply.
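As an added example (not code from DNSvizor or the DNS library), the Python below shows the wire-level pieces described in the two sections above: the 2-byte length framing of DNS over TLS, including reassembly when a message arrives in several TCP reads, the base64url GET form of DNS over HTTPS, and the smallest-TTL computation that feeds the max-age directive. The query name, transaction id, addresses and the reply are constructed sample values.

```python
import base64, struct

def build_query(name, qtype=1, txid=0x1234):  # minimal query: RD=1, one question, class IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def dot_frame(msg):  # DoT reuses DNS-over-TCP framing: 2-byte big-endian length, then the message
    return struct.pack("!H", len(msg)) + msg

def dot_unframe(stream):  # split a TLS stream into complete messages -> (messages, unread tail)
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, off)
        if off + 2 + n > len(stream):
            break  # partial message: keep the tail until more bytes arrive
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, stream[off:]

def doh_get_path(msg):  # RFC 8484 GET form: base64url, padding stripped, in the 'dns' parameter
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def _skip_name(msg, off):  # advance past a (possibly compressed) domain name
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:  # compression pointer: 2 bytes and the name ends
            return off + 2
        off += 1 + l

def min_ttl(reply):  # smallest TTL over all RRs; the value to use for Cache-Control: max-age
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", reply, 0)
    off, ttls = 12, []
    for _ in range(qd):
        off = _skip_name(reply, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(reply, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", reply, off)
        if rtype != 41:  # OPT pseudo-RR: its TTL field carries EDNS flags, not a lifetime
            ttls.append(ttl)
        off += 10 + rdlen
    return min(ttls) if ttls else 0

def sample_reply(query):  # constructed reply: two A records (TTL 300 and 60) plus an OPT RR
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 1)
    rr = lambda ttl, ip: b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0)  # root name, type OPT, UDP size 1232
    return hdr + query[12:] + rr(300, "192.0.2.1") + rr(60, "192.0.2.2") + opt
```

Without the OPT exclusion a caching proxy would be told max-age=0 for every EDNS reply, which is why a DoH server must compute the TTL from real records only.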
We use the same certificate as for DNS over TLS in DNSvizor to provide our DNS over HTTPS service.
The implementation work was done in DNSvizor and also in DNS.
Conclusion
DNSvizor provides DNS resolution and DHCP service for your network, and now also provides DNS over TLS and DNS over HTTPS. It already exists :). Please report issues you encounter and questions you may have. Also, if you use dnsmasq, please show us your configuration.
If you're interested in MirageOS and using it in your domain, don't hesitate to reach out to us (via e-mail: team@robur.coop); we're keen to deploy MirageOS and find more domains where it is useful.
Our work is only partially funded; we cross-fund it through commercial contracts and public (EU) funding. We are part of a non-profit company, so you can make a donation (tax-deductible in the EU; select "DONATION robur" in the dropdown menu), or sponsor us via the GitHub sponsor button.