
  1. Scope/Audience 
    1. Closed and Public Resolvers - Commercial DNS filtering / scrubbing services (DNSfilter, OpenDNS, …). Access is restricted either by source IP address or by some other mechanism (a TSIG key, a client TLS certificate). These providers are typically NOT Internet Service Providers, and the clients sending the queries are located on remote networks. Note that some operators of Closed and Public Resolvers also offer a free tier, which makes them Open and Public Resolvers as well.
    2. Open and Public Resolvers - “Fully open” public DNS resolvers such as CloudFlare’s 1.1.1.1, Google’s 8.8.8.8, Quad9’s 9.9.9.9, etc. Anyone on the Internet is free to use the service, whether as a stub resolver (client) or as a recursive server using the open resolver as a forwarder.
    3. Given the scale and complexity of operating such services, operators of Public Resolvers are assumed to have significant experience in running a public-facing Internet service with little or no access restriction. For this reason, the recommendations below are limited to the privacy and protection of end users.
  2. DNS security and privacy
    1. MUST: Enable DNSSEC validation, so that answers which fail validation are not returned to clients.
    2. MUST: Enable QNAME minimization, so that authoritative servers above the zone being queried only see the labels they need rather than the full query name.
    3. SHOULD: Offer DoT (DNS-over-TLS) or DoH (DNS-over-HTTPS) service to clients, alongside traditional, unencrypted DNS.

      1. Deploying either encrypts the path between client and resolver, which is the simplest way to protect DNS queries against eavesdropping, manipulation, and man-in-the-middle attacks. Note that this protects only the client-to-resolver hop; the trustworthiness of the answers themselves comes from DNSSEC validation.

    4. SHOULD: Retain data collected through passive logging of DNS queries only for as long as is necessary for the sound operation of the service, including troubleshooting, research, and satisfying local legal requirements on data retention.
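The three technical requirements above (DNSSEC validation, QNAME minimization, encrypted transport) map onto a handful of resolver settings. The following is an added example for Unbound, written for this page rather than taken from it or from any resolver operator; the certificate and trust-anchor paths are assumptions, and the listening addresses are placeholders for an operator's real interfaces.

```conf
# unbound.conf fragment (added example, not from the original page).
# Assumes Unbound 1.12 or later (DoH support) and an ACME-issued
# certificate at the paths shown; adjust to local layout.
server:
    # Listen for Do53 on 53, DoT on 853 and DoH on 443 (all placeholders).
    interface: 0.0.0.0
    interface: ::0
    interface: 0.0.0.0@853
    interface: ::0@853
    interface: 0.0.0.0@443
    interface: ::0@443
    # An Open and Public Resolver accepts queries from anyone; a Closed
    # resolver would list client prefixes here instead of 0.0.0.0/0.
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow

    # MUST: DNSSEC validation.  The trust anchor is maintained via
    # RFC 5011 rollover; val-permissive-mode: no means an answer that
    # fails validation is returned as SERVFAIL, not passed through.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes

    # MUST: QNAME minimisation (Unbound uses the British spelling).
    # Non-strict mode retries with the full name against authoritative
    # servers that answer minimised queries incorrectly.
    qname-minimisation: yes
    qname-minimisation-strict: no

    # SHOULD: DoT and DoH, served with the same key and certificate chain.
    tls-service-key: "/etc/unbound/privkey.pem"
    tls-service-pem: "/etc/unbound/fullchain.pem"
    tls-port: 853
    https-port: 443

    # SHOULD: minimise passively logged query data.  Per-query logging
    # stays off; aggregate statistics are enough for operations.
    log-queries: no
    log-replies: no
    statistics-interval: 3600
```

Check the result from a client rather than trusting the file: `unbound-checkconf` validates the syntax, `dig @<resolver> +dnssec example.com` should return the AD flag in the header, and a query for a deliberately broken domain such as `dnssec-failed.org` should come back SERVFAIL. `dig @<resolver> +tls example.com` (or `kdig +tls`) confirms the DoT listener answers on 853.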