DNS encryption in OX PowerDNS: where we are

Jul 13, 2021

Back in 2018, when the IETF introduced two standards on DNS encryption, Open-Xchange and PowerDNS were amongst the first to adopt and offer encrypted DNS through DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT).

From the very beginning, we were convinced that encrypted DNS (in line with our company vision) is a great privacy-enhancing addition to every DNS installation aiming at protecting the privacy of its users and offering additional security.

When DNS encryption, and DoH in particular, was leveraged to move internet users’ DNS traffic from their regional internet or DNS provider to public over-the-top DNS vendors, Open-Xchange emphasized the important role which DNS services play in maintaining a federated and safe internet. We supported a decentralized DNS landscape by keeping DNS services available at users' Internet Service Providers.

In the meantime, our customers are starting to adopt DNS encryption solutions by using the PowerDNS DNS proxy and load balancer DNSdist. They see the importance of offering encrypted DNS services, while also keeping their subscribers’ DNS traffic local, and all the advantages that come with it – both to end-users (in terms of latency, privacy, access to local content caches, and the possibilities of providing additional security features like malware filtering) and the network itself (better control over CDN caching, control over the end-to-end latency experience for subscribers).

Over the past two years, we have released three major versions of DNSdist, enhancing DNS encryption step by step. DNSdist 1.4.0 initially allowed ISPs to provide DoH and DoT. What is more, ISPs could deploy DNSdist not only in front of OX PowerDNS Recursor, but also in front of any other legacy resolving service. We gradually added further DoH improvements to DNSdist, such as interaction with generic HTTPS caches through a cache control header. With the recent release of DNSdist 1.6.0, we added further enhancements for encrypted DNS traffic, such as support for out-of-order processing on TCP and DNS over TLS connections and support for accepting a Proxy Protocol header on incoming connections.

The next step is encrypting the other parts of the DNS traffic, and, at Open-Xchange, we are currently working on encrypting a user’s entire ‘DNS process’. Like other DNS encryption solutions available in the market, DNSdist encrypts the traffic between a client, i.e., a user’s device, and the load balancer.

With upcoming releases of DNSdist and OX PowerDNS Recursor, we will deliver the first version that goes beyond that, including encrypted DNS traffic between DNSdist and the backends like the Recursor. This allows DNSdist to be deployed on different systems or networks but still retain the advantages of encryption between them.

In addition to encrypting DNS traffic between DNSdist and OX PowerDNS Recursor, we have implemented the capability to encrypt the traffic to the authoritative servers that host domain names. Up to now, that traffic has been unencrypted and could – in principle – expose privacy-sensitive information.

With those additions, the entire DNS path can be encrypted when OX PowerDNS components are involved. Once implemented more broadly, this allows completely encrypted DNS requests, from a user’s device through a load balancer to the resolver and finally to the authoritative server.

Open-Xchange’s PowerDNS solutions provide encryption in all steps and significantly add to the privacy and security efforts of the Internet around the world. Stay tuned for more information on encrypting DNS and implementing DoH and DoT. Please reach out to us or your OX account manager if you want to learn more about encrypted DNS with OX PowerDNS.

About the Author

Alexander ter Haar

PowerDNS Product Management