DNS-over-TLS Resolvers

DNS-over-TLS resolvers are available at RIPE 78 on a best-effort basis. They listen on TCP port 853 on the same IPv4 / IPv6 addresses as the regular DNS resolvers:

  • 2001:67c:64:53::53:1
  • 2001:67c:64:53::53:2
  • 193.0.31.237
  • 193.0.31.238

These experimental resolvers run Knot Resolver and provide the following security and privacy-related features:

  • DNS-over-TLS (RFC 7858)
  • DNSSEC validation
  • Aggressive Use of DNSSEC-Validated Cache (RFC 8198)
  • Qname Minimisation (RFC 7816)

To use them, you need a local stub or forwarding resolver such as Unbound or Stubby, configured to send its upstream queries to these resolvers over TLS. They present a Let's Encrypt certificate issued for the TLS authentication name:

nscache.ripemtg.ripe.net

For strict verification, configure your client to authenticate the server by validating its certificate chain against a CA bundle for this hostname. Do not configure an SPKI pinset: Let's Encrypt certificates are renewed frequently and we may change the certificate (and therefore its key) at any time, so a pinned key will stop matching and a strict client will then refuse to use the resolver.
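The equivalent configuration for Unbound, as an added example (it is not from this page or from the RIPE NCC): it forwards everything to the meeting resolvers over TLS and verifies their certificate for nscache.ripemtg.ripe.net against the system CA bundle, with no SPKI pin. The CA bundle and trust-anchor paths are the Debian/Ubuntu locations and are assumptions; other distributions use different paths. These options need an Unbound from the 1.7 series or later.

```conf
server:
    # Validate the upstream certificate chain against the system CA store
    # (path is distribution-specific; this is the Debian/Ubuntu location)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Validate DNSSEC locally as well, rather than only trusting the upstream AD bit
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#auth-name: Unbound checks the certificate against auth-name
    forward-addr: 2001:67c:64:53::53:1@853#nscache.ripemtg.ripe.net
    forward-addr: 2001:67c:64:53::53:2@853#nscache.ripemtg.ripe.net
    forward-addr: 193.0.31.237@853#nscache.ripemtg.ripe.net
    forward-addr: 193.0.31.238@853#nscache.ripemtg.ripe.net
```

Because the CA bundle rather than a pin is the trust root, a certificate renewal on the resolver side needs no change on the client; if verification ever fails, Unbound refuses the upstream instead of silently falling back to cleartext.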

An example Stubby config:

# Strict mode: require an authenticated TLS upstream and never fall back
# to cleartext or to an upstream whose certificate does not verify
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 2001:67c:64:53::53:1
    tls_auth_name: "nscache.ripemtg.ripe.net"
  - address_data: 2001:67c:64:53::53:2
    tls_auth_name: "nscache.ripemtg.ripe.net"

For more information about configuring clients, you can visit:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients

Presentation from Colin Petrie at RIPE 76:
Deploying DNS over TLS for the RIPE Meeting

Troubleshooting

The RIPE NCC staff can only offer limited support for investigating problems with these resolvers.

If your issue is related to client configuration, please see the available documentation linked above, or for further support, contact the DNS Working Group.

There may be issues resolving certain domain names due to interactions with Qname Minimisation (RFC 7816, which is an Experimental specification): some authoritative servers answer queries for intermediate labels incorrectly (for example, returning NXDOMAIN for an empty non-terminal), which can cause names below them to fail to resolve even though they resolve fine through a non-minimising resolver.

If these issues cause you a problem, please fall back to using the regular resolvers and send a report of the problem to opsmtg [at] ripe [dot] net. If the problem is with the resolver software we are using, it is unlikely we will be able to fix it during the meeting. You can also discuss any issues encountered on the DNS Working Group Mailing List.
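When reporting a problem it helps to say which resolver address failed, whether the TLS certificate verified, and what RCODE and AD (authenticated data) flag came back. The following script is an added example, not a RIPE NCC tool: it speaks DNS-over-TLS directly with Python's standard library, using the two-byte length framing of RFC 7858 and CA verification against the system trust store for nscache.ripemtg.ripe.net (no SPKI pin), then decodes the answer. The resolver addresses and hostname are those listed above; the default query name ripe.net and the timeout are assumptions.

```python
"""Probe the RIPE 78 DNS-over-TLS resolvers with strict CA verification.
Added example; not part of the RIPE NCC page. Standard library only (Python 3.7+)."""
import secrets
import socket
import ssl
import struct

# Addresses and TLS authentication name as published on the page
RESOLVER_IPS = ["2001:67c:64:53::53:1", "2001:67c:64:53::53:2",
                "193.0.31.237", "193.0.31.238"]
TLS_AUTH_NAME = "nscache.ripemtg.ripe.net"
DOT_PORT = 853

FLAG_RD, FLAG_AD, FLAG_TC = 0x0100, 0x0020, 0x0200


def build_query(qname, qtype=1, txid=0x1234):
    """DNS query with RD and AD set plus an EDNS OPT RR with the DO bit, so a
    validating resolver reports validation status in the AD bit of its reply."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags (DO), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Header fields plus any A/AAAA rdata from the answer section.
    Only the 4-bit header RCODE is read; the EDNS extended RCODE is ignored."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "tc": bool(flags & FLAG_TC), "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def dot_query(ip, qname, qtype=1, timeout=5.0):
    """One query over DNS-over-TLS (RFC 7858: TCP/853, 2-byte length prefix).
    The certificate is validated against the system CA store for TLS_AUTH_NAME;
    no SPKI pin is configured, matching the page's guidance."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = secrets.randbelow(1 << 16)
    query = build_query(qname, qtype, txid)
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=TLS_AUTH_NAME) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            response = _recv_exact(tls, length)
    parsed = parse_response(response)
    if parsed["txid"] != txid:
        raise ValueError("transaction ID mismatch in response")
    return parsed


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "ripe.net"  # assumed default
    for ip in RESOLVER_IPS:
        try:
            r = dot_query(ip, name)
            print(f"{ip}: rcode={r['rcode']} AD={r['ad']} answers={r['answers']}")
        except (ssl.SSLError, OSError, ValueError) as exc:
            print(f"{ip}: FAILED ({exc})")
```

Run it with the name that fails for you as the argument. An ssl.SSLError means the certificate did not verify for the hostname (check your CA bundle before reporting); a reply with rcode 2 (SERVFAIL) from all four addresses but a normal answer from the regular resolvers is the signature of a validation or Qname Minimisation problem worth including in a report; AD=False on a signed zone means the answer was not validated.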

Background

This service has been set up for RIPE 78 as an experimental service at the request of the DNS Working Group Co-Chairs.