Our Blog »

DNS-over-TLS available now on our resolvers

03 May 2018 by Michael Tremer

We have now enabled DNS-over-TLS on our resolvers to protect our users’ privacy even better.

DNS, the Domain Name Service, is suddenly experiencing a second spring. New features are reshaping the protocol that has been the backbone of the Web since day one.

One of the services we specialise in and that we use very heavily for our own infrastructure is DNS. DNS is the service that resolves a domain name like lightningwirelabs.com to an IP address. Without it, no browser would now how to contact your favourite search engine or news portal.

DNS in a nutshell

When a browser wants to know the IP address to a domain name, it sends a small packet called query to a name server on the Internet and waits for a reply with the requested IP address. It is a very simple protocol.

But since it has been developed when all parties on the Internet were considered trustworthy, there is no encryption built into the protocol. A kind of fatal design flaw for many other protocols, but one cannot simply replace the entire DNS system by something modern. This would be incredibly hard to since every single system that is connected to a network needs to be updated and there is besides the encryption no need for a better DNS. It is simple. It is extensible for the future. And it just works.

So what about creating a secure connection to the name server and then sending the queries through that secure tunnel? That is precisely what has become the consensus now and it is called DNS-over-TLS.

Securing travelling packets

TLS is short for Transport Layer Security and also responsible for the S in HTTPS. Another procotol that is widely used to protect your online banking as well as becoming standard for every website that you open. It is designed to create end-to-end encryption between parties that are transferring information. Certificates are used to authenticate against each other and it virtually requires no preparation to create a secure connection with TLS.

Now, we have extended the DNS protocol with two more features:

  • We can authenticate against our resolver, so that we know that we are not talking to a resolver that is sending us spoofed DNS responses.
  • Nobody on the way can read the DNS requests any more.

The second point adds privacy, so that no ISP or other party that is monitoring a network can find out what websites you are trying to open. I personally do not want to share my entire browsing history with my ISP or any of those companies that do big-data analysis.

How to use this?

You just need to open a TLS connection to our resolver on port 853. Then, you can send any DNS queries to the resolver as usual.

At the moment, there is not much support for DNS-over-TLS in many operating systems, but we are working on integrating it into IPFire, so that not only the entire network is securely sending DNS queries without allowing anybody else to eavesdrop on them. Stay tuned for that.

The TLS hostname is recursor01.dns.lightningwirelabs.com or recursor01.dns.ipfire.org, the IPv4 address is and for users that have IPv6 access: 2001:678:b28::54

You can of course use our resolver using the classic DNS protocol.