
Encrypt your DNS traffic with DNSdist 1.4.0

Nov 27, 2019 4:30:00 PM

Open-Xchange is excited to announce the release of a new version of its DNS loadbalancer DNSdist. DNSdist is a unique DNS proxy and load balancer that brings out the best possible performance in any DNS deployment and optimizes the internet experience of hundreds of millions of internet subscribers. The 1.4.0 version adds important DNS encryption features to DNSdist, namely DNS over HTTPS (DoH) and improved DNS over TLS (DoT), as well as a number of other improvements.


DNSdist ensures the best possible performance out of your DNS deployment. It optimizes DNS traffic in front of the PowerDNS Recursor or existing legacy recursive DNS servers and delivers low latency responses to subscribers based on location, time and content. DNSdist is highly optimized to protect against malicious and abusive traffic such as DDoS attacks, DNS tunneling and exfiltration, and includes a flexible policy engine to enable new rules and filters to be created and combined to suit the characteristics of local traffic.

In recent years, encryption of internet traffic has risen to the point that most web traffic uses HTTPS. DNS remained one of the few non-encrypted internet protocols. To encrypt DNS traffic, two standards have been introduced: DNS over TLS (DoT) and DNS over HTTPS (DoH). Both of these protocols provide privacy and integrity protection for DNS traffic. They encrypt the traffic between the DNS client (the laptop, mobile device, IoT device, etc.) and the DNS resolver. These standards are currently gaining a lot of traction in mobile device software and web browsers.

However, many Internet Service Providers do not yet provide a DoH/DoT capable DNS service to their customers. The potential impact of this is that (encrypted) DNS traffic could move to centralized ‘over the top’ DNS resolvers and bypass the service provider’s DNS. This is a threat to the federated nature of the internet and also has serious consequences for providers. Network operators use their DNS servers to coordinate with CDNs to ensure users get access to the fastest and most local content servers; they block malware, phishing, and botnet activity; and they enforce governmental blocklists using DNS. If DNS is no longer under their control, network operators lose the ability to handle those issues. In addition, since DNS influences the end-user experience, the perceived quality of a network operator is then influenced by a third party. End-users are unlikely to understand the difference and will potentially blame the operator for any (third-party) DNS outage, slowness or security issue.

DNSdist 1.4.0 provides network operators with a solution to this. By placing DNSdist in front of PowerDNS Recursor or your legacy recursive DNS solution, you are able to offer encrypted DNS in the form of DoH and DoT to your subscribers, making it much less likely that their DNS will move to other providers.
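A minimal DNSdist configuration for such a deployment, as an added example (not taken from the announcement or from the PowerDNS project itself); the listen addresses, certificate paths, ACL ranges and the 127.0.0.1:5300 recursor backend are assumptions to be replaced with the operator's own values:

```lua
-- dnsdist.conf (Lua). Added example; addresses, paths and backend are assumptions.

-- Backend: the PowerDNS Recursor (or legacy resolver) that DNSdist sits in front of.
-- Assumed to listen on 127.0.0.1:5300; DNSdist speaks plain DNS to it locally.
newServer({address="127.0.0.1:5300", name="recursor"})

-- Only accept queries from subscriber networks (placeholder ranges).
setACL({"192.0.2.0/24", "2001:db8::/32"})

-- Plain Do53 for clients that do not (yet) speak DoT or DoH.
setLocal("0.0.0.0:53")

-- DNS over TLS (RFC 7858) on port 853.
-- Certificate chain and key paths are placeholders for the operator's own files.
addTLSLocal("0.0.0.0:853",
            "/etc/dnsdist/ssl/fullchain.pem",
            "/etc/dnsdist/ssl/privkey.pem",
            {minTLSVersion="tls1.2"})

-- DNS over HTTPS (RFC 8484) on port 443, new in DNSdist 1.4.0.
-- "/dns-query" is the well-known path that browsers and mobile OSes send queries to.
addDOHLocal("0.0.0.0:443",
            "/etc/dnsdist/ssl/fullchain.pem",
            "/etc/dnsdist/ssl/privkey.pem",
            {"/dns-query"},
            {minTLSVersion="tls1.2"})
```

Run `dnsdist --check-config` against the file before starting the service so a typo in a path or option is caught before subscribers lose resolution.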

Provide your subscribers with an optimal DNS solution while adding an additional layer of protection with DNSdist. Please reach out to your account manager or contact Open-Xchange directly if you have any questions.
