Encrypt your DNS traffic with DNSdist 1.4.0

Nov 27, 2019

Open-Xchange is excited to announce the release of a new version of its DNS load balancer DNSdist. DNSdist is a DNS proxy and load balancer that brings out the best possible performance in any DNS deployment and optimizes the internet experience of hundreds of millions of internet subscribers. The 1.4.0 version adds important DNS encryption features to DNSdist, namely DNS over HTTPS (DoH) and improved DNS over TLS (DoT), as well as a number of other improvements.

DNSdist gets the best possible performance out of your DNS deployment. It optimizes DNS traffic in front of the PowerDNS Recursor or existing legacy recursive DNS servers and delivers low-latency responses to subscribers based on location, time and content. DNSdist is highly optimized to protect against malicious and abusive traffic such as DDoS attacks, DNS tunneling and exfiltration, and includes a flexible policy engine that lets new rules and filters be created and combined to suit the characteristics of local traffic.

In recent years, encryption of internet traffic has risen to the point that most web traffic uses HTTPS, while DNS remained one of the few widely used internet protocols still sent in the clear. Two standards have been introduced to encrypt it: DNS over TLS (DoT, RFC 7858) and DNS over HTTPS (DoH, RFC 8484). Both provide confidentiality and integrity protection for the DNS traffic between the DNS client (the laptop, mobile device, IoT device, etc.) and the recursive resolver; the resolver's own queries to authoritative servers are not covered by either protocol. These standards are currently gaining a lot of traction in mobile device software and web browsers.

However, many Internet Service Providers do not yet offer a DoH/DoT-capable DNS service to their customers. The potential impact is that (encrypted) DNS traffic moves to centralized 'over the top' DNS resolvers and bypasses the service provider's DNS. This is a threat to the federated nature of the internet and also has serious consequences for providers. Network operators use their DNS servers to coordinate with CDNs so that users reach the fastest and most local content servers; they block malware, phishing and botnet activity; and they enforce governmental blocklists using DNS. If DNS is no longer under their control, network operators lose the ability to handle those issues. In addition, since DNS influences the end-user experience, the perceived quality of a network operator becomes dependent on a third party. End users are unlikely to understand the difference and will potentially blame the operator for any (third-party) DNS outage, slowness or security issue.

DNSdist 1.4.0 provides network operators with a solution to this. By placing DNSdist in front of PowerDNS Recursor or a legacy recursive DNS solution, you are able to offer encrypted DNS in the form of DoH and DoT to your subscribers, making it much less likely that their DNS traffic will move to other providers.
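One way to set this up, as an added example that is not part of the original post or of the dnsdist project's own documentation: a minimal dnsdist 1.4.0 configuration (dnsdist is configured in Lua) that listens for plain DNS, DoT and DoH on one public address and forwards everything to a recursor on the same host. The listener address 192.0.2.1, the certificate and key paths, the recursor address 127.0.0.1:5300 and the subscriber prefixes in the ACL are assumptions chosen for illustration; replace them with your own.

```lua
-- Added example configuration (not from the original post or the dnsdist project):
-- dnsdist 1.4.0 in front of a PowerDNS Recursor, offering Do53, DoT and DoH.
-- Every address, path and prefix below is an assumption made for this example.

-- Only accept queries from the subscriber ranges you serve. dnsdist's default ACL
-- only covers private (RFC 1918) space, so a public listener without this line would
-- refuse subscribers, while an overly broad ACL would turn it into an open resolver.
setACL({ "198.51.100.0/24", "203.0.113.0/24" })

-- Certificate chain and private key presented to DoT and DoH clients (assumed paths).
local cert = "/etc/dnsdist/fullchain.pem"
local key  = "/etc/dnsdist/privkey.pem"

-- Classic plain DNS (UDP and TCP) on port 53 for clients that do not speak DoT/DoH yet.
addLocal("192.0.2.1:53")

-- DNS over TLS (RFC 7858) on port 853; refuse anything older than TLS 1.2.
addTLSLocal("192.0.2.1:853", cert, key, { minTLSVersion = "tls1.2" })

-- DNS over HTTPS (RFC 8484) on port 443. Needs a dnsdist build with DoH (libh2o) support.
-- Only the /dns-query path is served; other paths are not treated as DNS.
addDOHLocal("192.0.2.1:443", cert, key, { "/dns-query" }, { minTLSVersion = "tls1.2" })

-- The recursor behind dnsdist, reached over plain DNS on loopback. DoT/DoH protect
-- only the client-to-dnsdist hop; this internal hop and the recursor's own queries to
-- authoritative servers remain unencrypted.
newServer({ address = "127.0.0.1:5300", name = "recursor" })
```

Validate the file with `dnsdist --check-config` before restarting, then confirm each listener from a client: `kdig @192.0.2.1 +tls example.com` for DoT, and `curl --doh-url https://<your-doh-hostname>/dns-query https://example.com/` (curl 7.62 or later) for DoH, where the hostname must match the certificate you configured.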

Provide your subscribers with an optimal DNS solution while adding an additional layer of protection with DNSdist. Please reach out to your account manager or contact Open-Xchange directly if you have any questions.

About the author

Alexander ter Haar

PowerDNS Product Management

