What is DNS over TLS (RFC-7858) ?

There is a new security mechanism coming to DNS  which is called DNS over TLS the current DNS infrastructure uses UDP traffic that is sent in clear text which means it can be read by anyone who is sniffing traffic  Also for some it provides that extra privacy

 

Security Stock Image

The current DNS implementations use UDP port 53  to accept connections from clients  the traditional DNS setup has no encryption and also does not really have any spoofing protection as UDP inherently has no security mechanism or checks against source traffic

With DNS over TLS the client and the server will establish a secure channel over TCP port 853 there will be a handshake between the client and the server which will protect the traffic using TLS.

If you are not familiar with TLS or (Transport Layer Security) it is a technology that provides encryption it is commonly used in websites and VPN’s.

Software vendors on the host and server side will need to enable support for these types of servers as there will most likely be a mix of traditional and secure DNS servers for a while before it completely  becomes a norm I mean HTTPS has been around for ages but we still see HTTP sites around so the transition will be slow.

For security admins, you will need to consider the ramifications of encrypting DNS traffic as we cant see the hostnames being resolved content filtering and others like it will need to adapt.

With cloud blowing up we cant even block a certain IP as many websites and content are using shared resources such as AWS or AZURE blocking an IP can potentially block 10’s or 100’s of websites.

You can read the full RFC for DNS over TLS here https://tools.ietf.org/html/rfc7858

As of recent DNS over TLS  support is being pushed in the latest versions of Android OS.

 

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *