

  1. Scope/Audience 
    • This category includes both open and closed public resolvers. Examples of open public resolvers include Cloudflare’s 1.1.1.1, Google’s 8.8.8.8, and Quad9’s 9.9.9.9. Closed public resolvers are typically commercial DNS filtering/scrubbing services, such as DNSfilter and OpenDNS. These service providers are typically not Internet Service Providers, and the clients sending queries to them are located on remote networks. Note that some operators of closed public resolvers also offer a free-tier service, which makes them open public resolvers as well.


  2. DNS security and privacy
    1. MUST: Enable DNSSEC validation.
    2. MUST: Enable QNAME minimization to minimize leakage of domain names.
    3. SHOULD: Offer DoT (DNS-over-TLS) or DoH (DNS-over-HTTPS) service to clients, alongside traditional, unencrypted DNS.

      1. Deploying either is the simplest way to protect the client-to-resolver path against eavesdropping, manipulation of DNS queries, and man-in-the-middle attacks, because queries and responses are encrypted in transit.

    4. SHOULD: Retain data collected through passive logging of DNS queries only for as long as is necessary for the sound operation of the service offered, including troubleshooting, research, and satisfying local legal requirements on data retention.
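As an added illustration (not part of the original page), the following Unbound `server:` fragment maps each MUST/SHOULD item above onto concrete resolver directives. The file paths, listening addresses and the rate-limit value are assumptions chosen for the example, not settings from the page.

```conf
# Added example: Unbound directives implementing the recommendations above.
# Paths, interfaces and numeric values are assumptions for illustration.
server:
    # --- MUST: DNSSEC validation ---
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"  # RFC 5011 managed root trust anchor (path assumed)
    harden-dnssec-stripped: yes     # answers from signed zones with signatures stripped are bogus
    val-permissive-mode: no         # never return bogus data to clients

    # --- MUST: QNAME minimisation (RFC 9156) ---
    qname-minimisation: yes
    qname-minimisation-strict: no   # fall back to full names for authoritatives that mishandle minimised queries

    # --- SHOULD: DoT and DoH alongside plain, unencrypted DNS ---
    interface: 0.0.0.0@53           # traditional Do53
    interface: 0.0.0.0@853          # DNS-over-TLS (RFC 7858)
    interface: 0.0.0.0@443          # DNS-over-HTTPS (RFC 8484)
    tls-port: 853
    https-port: 443
    http-endpoint: "/dns-query"
    tls-service-key: "/etc/unbound/tls/resolver.key"     # paths assumed
    tls-service-pem: "/etc/unbound/tls/resolver.pem"

    # Public resolver: accept recursive queries from any client,
    # with a per-client rate limit so the open service is less useful for reflection.
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    ip-ratelimit: 1000              # queries/second per client IP; example value

    # --- SHOULD: minimal retention of passive query data ---
    log-queries: no                 # keep query logging off unless actively troubleshooting
    log-replies: no
    verbosity: 1
    # Anything that is logged should be expired by an external rotation tool
    # with the retention period set to the operational or legal minimum.
```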
