
  1. Scope/Audience
    • Closed and Public Resolvers - Commercial: This category includes both open and closed public resolvers. Examples of open public resolvers include CloudFlare’s 1.1.1.1, Google’s 8.8.8.8, and Quad9’s 9.9.9.9. Closed public resolvers are typically commercial DNS filtering/scrubbing services, such as DNSfilter and OpenDNS; access is determined either by the source IP address or by some other mechanism (TSIG key, TLS certificate). These service providers are typically not Internet Service Providers, and the clients sending queries to them are located on remote networks. Note that some operators of closed public resolvers may also offer a free tier service, which also makes them Open and Public Resolvers.
    • Open and Public Resolvers - “Fully open” public DNS resolvers such as CloudFlare’s 1.1.1.1, Google’s 8.8.8.8, Quad9’s 9.9.9.9, etc. All users on the Internet are free to use the service, whether they are stub resolvers (clients) or recursive servers using the open resolver as a forwarding service.
    • Due to the scale and complexity of operating such services, it is assumed that operators of Public Resolvers have significant experience in maintaining a public-facing Internet service with little or no access restrictions. For this reason, we will only make recommendations pertaining to privacy and protection of end users of open public resolvers.


  2. DNS security and privacy
    1. MUST: Enable DNSSEC validation.
    2. MUST: Enable QNAME minimization to minimize leakage of domain names.
    3. SHOULD: Offer DoT (DNS-over-TLS), or DoH (DNS-over-HTTPS) service to clients, alongside traditional, unencrypted DNS.

      1. Deploying either encrypts DNS queries in transit, which is the easiest way to protect clients against eavesdropping, manipulation of DNS queries, and man-in-the-middle attacks.

    4. SHOULD: Data collected through passive logging of DNS queries should only be retained for as long as is necessary for the sound operation of the service offered, including troubleshooting, research, and to satisfy local legal requirements on data retention.
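As an added illustration (not part of the original document), the recommendations in this section expressed as Unbound `unbound.conf` server clauses, with the weak settings a deployment might start from shown beside the settings the recommendations call for. Unbound is an assumption of this example; the certificate paths and the 198.51.100.0/24 client range are constructed placeholders.

```conf
# Added example, not from the original page. Unbound is assumed; file paths
# and the client prefix below are constructed placeholders.

# --- Weak configuration (what the recommendations rule out) ---
server:
    interface: 0.0.0.0@53          # plaintext DNS only, no DoT/DoH
    val-permissive-mode: yes       # DNSSEC-bogus answers are still returned
    qname-minimisation: no         # full QNAME leaks to every authoritative server
    log-queries: yes               # every client query written to disk, no retention limit

# --- Recommended configuration (one server clause per deployment; shown here
# --- as the replacement for the weak clause above) ---
server:
    # MUST: DNSSEC validation. The root trust anchor is kept current via
    # RFC 5011 rollover and bogus answers become SERVFAIL instead of passing through.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    harden-dnssec-stripped: yes

    # MUST: QNAME minimisation (RFC 9156). Non-strict mode falls back to the
    # full name only for authoritative servers that break on minimised queries.
    qname-minimisation: yes
    qname-minimisation-strict: no

    # SHOULD: DoT (853) and DoH (443) offered alongside traditional DNS (53).
    interface: 0.0.0.0@53
    interface: 0.0.0.0@853
    interface: 0.0.0.0@443
    tls-port: 853
    https-port: 443
    tls-service-key: "/etc/unbound/tls/resolver.key"   # placeholder path
    tls-service-pem: "/etc/unbound/tls/resolver.pem"   # placeholder path

    # Closed public resolver: admit clients by source address (placeholder range).
    # An open public resolver would instead use "access-control: 0.0.0.0/0 allow".
    access-control: 198.51.100.0/24 allow

    # SHOULD: keep passive query logging off unless troubleshooting needs it;
    # when it is enabled, rotate and purge logs within the documented retention period.
    log-queries: no
```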