What is DNS over TLS (RFC-7858)?

December 29, 2017 | Views: 3951


A new security mechanism is coming to DNS: DNS over TLS (DoT), specified in RFC 7858. The current DNS infrastructure sends queries and answers in clear text over UDP, which means anyone sniffing the traffic can read them. Encrypting the exchange protects it from eavesdropping and, for many users, adds a welcome layer of privacy.

Today's DNS servers accept queries on UDP port 53 (TCP port 53 is used as a fallback for large responses and for zone transfers). The traditional DNS setup has no encryption and no protection against spoofing: UDP is connectionless, the source address of a packet is never verified, and the only things tying a response to a query are a 16-bit transaction ID and the source port. DNSSEC, where deployed, adds signatures that let a resolver verify an answer, but it does nothing to hide the query.

With DNS over TLS, the client and the server first open a TCP connection to port 853 and then perform a TLS handshake. The DNS messages are exchanged inside that TLS session, using the same two-byte length-prefixed framing that DNS already uses over TCP, so the traffic is protected by TLS end to end between client and resolver.

If you are not familiar with TLS (Transport Layer Security), it is the protocol that provides encryption and server authentication for HTTPS websites and for many VPNs.
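The exchange described above, as an added example that is not part of the original post and not any vendor's implementation: it builds a DNS query, wraps it in the two-byte length prefix DoT borrows from DNS over TCP, sends it through a TLS session to port 853, and parses the A records out of the answer. The function names and the constructed sample response are mine; the live lookup at the bottom assumes the resolver at 8.8.8.8 offers DoT with a certificate valid for the name dns.google.

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858 section 3.1


def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query (RFC 1035 s4.1): header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tcp(message):
    """Two-byte big-endian length prefix (RFC 1035 s4.2.2), reused by DoT (RFC 7858 s3.3)."""
    return struct.pack("!H", len(message)) + message


def _recv_exact(sock, n):
    """Read exactly n bytes; a TCP/TLS stream may deliver a message in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it).

    Compression pointers (RFC 1035 s4.1.4) are capped so a malicious
    response cannot send the parser into an endless loop.
    """
    labels, hops, end, jumped = [], 0, offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg, expected_txid):
    """Validate a DNS response and return its A-record addresses as dotted strings."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                       # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def query_over_tls(server_ip, server_name, name):
    """Resolve `name` via DoT: TCP 853, TLS handshake, length-framed DNS inside."""
    ctx = ssl.create_default_context()   # verifies the server's certificate chain
    txid = secrets.randbelow(0x10000)
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_tcp(build_query(name, txid=txid)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_a_records(_recv_exact(tls, length), txid)


# Constructed sample response for "example.com" A (the bytes inside the TLS
# channel, after the length prefix): QR+RD+RA set, one answer whose name is a
# compression pointer to the question, TTL 300, address 192.0.2.1 (TEST-NET-1).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, 0x1234))
    # Live lookup (network required); assumes 8.8.8.8 serves DoT as dns.google.
    print(query_over_tls("8.8.8.8", "dns.google", "example.com"))
```

Two details matter for security here: `ssl.create_default_context()` turns on certificate verification and hostname checking, which is what makes the channel authenticated rather than merely encrypted, and the response parser still checks the transaction ID and caps compression-pointer hops, because a TLS tunnel protects the bytes in transit but says nothing about whether the resolver on the other end is well behaved.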

Software vendors on both the client and the server side will need to add support, and for some time there will be a mix of traditional and DoT-capable servers before encrypted DNS becomes the norm. HTTPS has been around for ages and we still see plain HTTP sites, so expect the transition to be slow.

For security admins, consider the ramifications of encrypting DNS traffic. Once queries are encrypted you can no longer see which hostnames are being resolved, so content filtering, DNS-based threat intelligence and similar controls will need to adapt, for example by running an internal resolver that clients are required to use (and that can itself speak DoT upstream) rather than inspecting queries on the wire. The TCP port 853 connection itself remains visible, so you can still identify or block DoT sessions to third-party resolvers even though you cannot read what is inside them.

With cloud blowing up, we can't even fall back on blocking an IP address: much web content sits behind shared infrastructure such as AWS or Azure, and blocking a single IP can take out tens or hundreds of unrelated websites.

You can read the full specification in RFC 7858. At the time of writing, DNS over TLS support is being added to the latest versions of Android.

Please check out my blog @ www.seanmancini.com

1 Comment
  1. With cloud blowing up, this also includes Akamai Technologies.
