In this blogpost we outline OARC’s position regarding DNS-over-TLS, DNS-over-HTTPS and related technologies.
Ensuring that the DNS infrastructure and its traffic are secure aligns well with OARC’s mission. With DNSSEC now widely available to detect tampering with the integrity of DNS traffic, it’s clear the next effort should focus on protecting the privacy of DNS traffic against interception while in transit.
Part of OARC’s role is to help bridge the gap between DNS protocol standards/development and actual operational practice, and we aim to support this process in the industry for encrypted DNS as we have for other new DNS technologies.
OARC supports the development of DNS technologies based on open, interoperable standards and open-source software. At the same time, we are careful to be neutral regarding the various competing technologies that are on offer, and do not prefer one technology over another where there are diverse offerings.
We thus don’t take a view on whether DoT, DoH, or other potential encrypted DNS technologies are superior to each other. This is in line with OARC’s neutrality policy, which stems from our roots as a membership organization of over 100 organizations that are sometimes competitors yet strive to work together for a better DNS.
Our approach is to support the scientific method for determining which DNS technologies are best suited in diverse environments, through data collection, measurement and testing, and open sharing and peer-review of results/knowledge within the community.
Industry support to OARC
To this end, we are very pleased to announce that OARC has been awarded funding by two grant bodies to add capabilities to our dnsperf performance testing tool, including enhanced support for DoT and DoH.
The funded work includes a refactoring of dnsperf’s code to make it more stand-alone and future-proof, the addition of session management capabilities better suited to connection-oriented DNS testing, and full DoH support. This builds on OARC’s longstanding support from and to the DNS community, allowing us to combine these grants to build the tools and ecosystem needed to measure, analyze and support encrypted DNS.
The addition of DoH/DoT capabilities to our existing dnsperf tool is in line with OARC’s neutral, evidence-based approach: it will allow testing, measurement, comparison and analysis of the various encrypted DNS technologies. We are hopeful it will generate some answers about the merits of the various approaches to encrypted DNS, helping operators decide which of these are most suitable for deployment, how best to deploy them, and for which use cases.