Versions Compared

Old Version 3

changes.mady.by.user Steven Kim

Saved on

compared with

New Version 4

changes.mady.by.user Steven Kim

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. MUST: Enable DNSSEC validation.
  2. MUST: Enable QNAME minimization to minimize leakage of domain names.

  3. SHOULD: Enable DoT

    . This provides additional privacy to the users of your DNS recursive resolver service, as their queries are forwarded outside your network. It

    (DNS-over-TLS), or DoH (DNS-over-HTTPS). Deploying either is the easiest way to protect against eavesdropping and manipulation of DNS queries and man-in-the-middle attacks by encrypting DNS queries between stub and recursive resolvers, or between a forwarding and recursive resolver.

    In the context of shared private resolvers, it is recommended that DoT or DoH be enabled between the resolver on the local network(s), and an external, trusted DoT/DoH enabled forwarding resolver. This ensures that DNS queries being forwarded from local clients are encrypted between the local resolver, and the external forwarder.

    Additionally, a DoT and/or DoH service should be offered to local clients and resolvers. While DoT and DoH may reduce the visibility that local administrators have into the queries being forwarded by the local recursive resolver to an upstream DoT service, it will still be possible to

    analyze

    monitor queries

    on

    between clients and the

    DNS resolver itself before they are forwarded to a DoT upstream service, or by logging queries

    local DNS resolver, either using passive DNS analysis (if using unencrypted DNS), or query logging.

    Finally, DoT and DoH do not guarantee end-to-end privacy, only protection from third party eavesdropping between hops that use DoT/DoH: the resolver that queries are being forwarded to should also use DoT/DoH when performing resolution.