PowerDNS’ progress in DNS encryption

Feb 27, 2024

Like many other internet protocols, DNS started life as an unencrypted protocol. With the increasing recognition of internet users' right to more privacy and security, the IETF started to introduce encryption to internet protocols; however, for many years, DNS was not included. This meant that third parties could gain access to DNS requests (intentionally or through attacks) and either see users' internet behavior or maliciously change the results of their DNS queries. Considering that almost every action on the internet (e.g. browsing, app usage, messaging) starts with a DNS request, this is a very scary thought for many.

For this reason, the IETF introduced two standards to encrypt DNS traffic back in 2018: DoH and DoT. From the very beginning, we at PowerDNS were convinced that encrypted DNS (in line with our company vision) was a great privacy-enhancing addition to every DNS installation that aims to protect the privacy of its users and to offer additional security. That's why we've made DNS encryption a cornerstone of our roadmap since 2018 and have continuously worked on improving our DNS encryption features.

Our recently released DNSdist 1.9 represents another milestone in this mission. With this latest version, PowerDNS now supports all of the IETF standardized DNS encryption mechanisms:

  • DNS over TLS (DoT): DoT establishes a secure communication channel between clients and resolvers. We added DoT to our solutions with the release of DNSdist 1.4 in 2019.
  • DNS over HTTPS (DoH): Similar to the encryption used by the World Wide Web, DNS queries and responses are transported over a secure HTTPS stream. DoH was added to PowerDNS together with DoT in the DNSdist 1.4 version in 2019.
  • DNS over QUIC (DoQ): DoQ sends DNS queries and responses over the QUIC (Quick UDP Internet Connections) transport protocol, which adds security and reduces latency. The latest version of DNSdist (1.9) supports DoQ.
  • DNS over HTTP/3 (DoH3): DoH3 provides the advantages of DoH, plus performance and efficiency enhancements, especially in challenging environments. As DoH3 is based on QUIC, we added it together with DoQ to DNSdist 1.9.

We are proud to be a pioneer in the implementation of encrypted DNS. At the same time, we are working on expanding the possible use cases of our encrypted DNS solutions.

DNSdist, the component that delivers our encryption options, is conventionally deployed in front of PowerDNS Recursor. In this case, DNSdist acts as a proxy and load balancer, and can also encrypt DNS traffic.

In addition to being used in front of PowerDNS Recursor, DNSdist can also be placed in front of other, legacy DNS resolvers. This means that the advantages of DNSdist, such as encryption, can be used without having to immediately replace the entire recursive DNS installation.
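As an added illustration (not configuration taken from this post or from PowerDNS), the following DNSdist 1.9 Lua configuration enables the four encrypted frontends listed above in front of a single backend resolver, matching the proxy deployment just described; the backend address, certificate paths and listen addresses are assumptions, and the DoQ and DoH3 frontends require a DNSdist 1.9 build with QUIC support.

```lua
-- Backend: the resolver DNSdist fronts. 127.0.0.1:5300 is an assumed
-- address for a local PowerDNS Recursor (or a legacy resolver, as the
-- post notes). For a remote backend, newServer also accepts
-- tls = "openssl" and subjectName = "..." so that the DNSdist-to-resolver
-- hop is DoT as well; here it is plaintext on loopback.
newServer({address = "127.0.0.1:5300", pool = "resolvers"})

-- Certificate and key shared by every encrypted frontend (assumed paths).
local cert = "/etc/dnsdist/fullchain.pem"
local key  = "/etc/dnsdist/privkey.pem"

-- Plain DNS on UDP/TCP 53, kept for clients that cannot use encryption yet.
addLocal("0.0.0.0:53")

-- DoT (RFC 7858): TLS over TCP port 853. Supported since DNSdist 1.4.
-- minTLSVersion rejects clients that only offer obsolete TLS versions.
addTLSLocal("0.0.0.0:853", cert, key, {minTLSVersion = "tls1.2"})

-- DoH (RFC 8484): HTTPS on TCP 443; clients query the /dns-query path.
addDOHLocal("0.0.0.0:443", cert, key, {"/dns-query"}, {minTLSVersion = "tls1.2"})

-- DoQ (RFC 9250): DNS over QUIC on UDP 853. New in DNSdist 1.9.
-- QUIC always negotiates TLS 1.3, so no minimum version option is needed.
addDOQLocal("0.0.0.0:853", cert, key)

-- DoH3: HTTP/3 over QUIC on UDP 443, same /dns-query semantics as DoH.
-- Also new in DNSdist 1.9; TCP 443 (DoH) and UDP 443 (DoH3) can share a port number.
addDOH3Local("0.0.0.0:443", cert, key)
```

Because DNSdist terminates TLS and QUIC itself, every query reaches the backend in plaintext unless the backend hop is also configured for DoT, which is worth checking whenever the resolver is not on the same host.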

Mobile operators implement DNSdist on the edge-nodes of their 5G networks. In addition to advantages such as tiered caching and malware filtering at the edge, this also offers encryption of DNS traffic at the edge of a network. DNS encryption is very important to 5G networks because communications (i.e. DNS traffic) between IoT devices, one of the prime use cases of 5G, and the services they use need to be protected from being intercepted, monitored, or modified. 

In this scenario, but also independent of 5G, DNSdist is often deployed as a cloud-native variant via PowerDNS Cloud Control on a Kubernetes cluster using Helm charts. The cloud-native version of DNSdist has the advantage that a large number of instances can be deployed and maintained automatically. Of course, the cloud-native version of DNSdist also supports DNS encryption.

Since the encryption of DNS traffic provides additional privacy, it poses a challenge to solutions that protect against malicious content by filtering DNS traffic. These solutions cannot read encrypted DNS traffic and therefore are no longer able to protect their users. This is the case, for example, for security vendors who filter and block malicious content on routers before it even reaches a subscriber. DNSdist helps these solutions to work with encrypted DNS traffic and keep protecting subscribers from malicious content, and can now also be installed on customer premises equipment (CPE) using dedicated OpenWrt repositories.

We are proud of the progress that PowerDNS has made so far in adding DNS encryption to our solutions and enabling the use of encrypted DNS in different scenarios. We will continue to be a pioneer in advancing and developing innovations in DNS encryption, because the privacy of our communication providers’ subscribers is very important to us.

If you have any questions about DNS encryption in PowerDNS, let us know and we can discuss in more detail.

About the author

Andrea Carpani

PowerDNS Product Manager
