Authoritative Namservers: DoT or DoH?

I manage a number of authoratative nameservers with the recent DNS over HTTPS Firefox changes, have been looking into DNS privacy.

I have DNSSEC configured for a couple of zones (not privacy related obviously), however I understand there can be some value in providing DoT and DoH for these nameservers also. Obviously the key issue that these two protocols resolve is client->isp related and at the moment the only use case is to pin the end user device/browser/router to a single recursive resolver. It would appear the dust has yet to settle on the best practice for encrypting queries to authoritative nameservers.

I would expect the bulk of DoH or DoT queries to my authoritative nameservers to come from Cloudflare (rather than the clients themselves), and I see in this blog that there was a pilot with Facebook using DoT: https://blog.cloudflare.com/dns-encryption-explained/ , should I take this to mean that Cloudflare intend to or already do resolve 1.1.1.1 using DoT?

1.1.1.1 is a Recursive Resolver itself, so it goes to the roots/authoritative nameservers (using regular port 53) on behalf of clients that have set 1^4 as it’s DNS.

As you’ve said above,

It would appear the dust has yet to settle on the best practice for encrypting queries to authoritative nameservers.

That is the current state - there is no specification or even much discussion about using TLS for the connections between RRs and authoritative nameservers. There is just little need for it since validity/authenticity are done by dnssec and encryption isn’t a big deal since most everything in DNS is “known to the world”, and someone tapping an IX or the lines isn’t a threat vector to be wary of.

Thanks for the reply. However, the linked cloudflare blog that mentions the PoC between 1.1.1.1 and Facebook suggests that there is a conversation on this.

While I agree that Cloudflare to authoritative server traffic is low risk for the average user, I respectfully disagree that this means the traffic shouldnt be encrypted. This conversation is only going to increase with Operating System support (MS having announced DoH and possibly DoT support). The current use case of users pinning a DoH client to a supporting resolver will potentially expand to stub resolvers or clients to authoritative server queries

Perhaps I should have been more direct with this question. I was wondering if Cloudflare plan to query authoritative servers with DoT or DoH?

I haven’t seen anyone seriously considering DoH for the authoritative side. Standards-making for DNS encryption belongs to the dprive workgroup in IETF. Lately most attention has been stolen by other topics and the side towards authoritatives isn’t easy without specific arrangements (like in the PoC you mention), so it seems mostly stalled.

1 Like