- use udp for 512 bytes or less
- use tcp for over 512 bytes
- dns port 53
- dns-over-tls port 853
a dns request like the following contains:
00 1d AA AA 01 00 00 01 00 00 00 00 00 00 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01
(the leading 00 1d is the 2-byte length prefix used over tcp: 0x1d = 29 bytes of message follow it; over udp the message starts directly at the transaction ID)

Headers (12 bytes):
- transaction ID: (2 bytes) (ensures the response you receive came from the server you requested it from)
- Flags (2 bytes):
  - QR: (1 bit) Query (0) / Response (1)
  - Opcode: (4 bits) Standard query (0) / Inverse query (1) / Server status request (2) / reserved for future use (3-15)
  - AA: (Authoritative answer - 1 bit) non authoritative (0) / authoritative (1)
  - TC: (Truncation - 1 bit) Not truncated (0) (512 bytes or less) / Truncated (1) (greater than 512 bytes on udp)
  - RD: (Recursion desired - 1 bit) Don't require recursion (0) / Do query recursively (1)
  - RA: (Recursion Available - 1 bit) No (0) / Yes (1)
  - Z: (3 bits) reserved (0)
  - RCODE: (Response Code - 4 bits) No Error (0) / Format Error (1) / Server Failure (2) / Name Error (3) / Not Implemented (4) / Refused (5) / Reserved (6-15)
- QDCOUNT: (Question Count - 2 bytes) (1)
- ANCOUNT: (Answer Count - 2 bytes) (#) [Answer RR (Resource Records)]
- NSCOUNT: (Name Server Count - 2 bytes) (0) (we won't use it) [Authority RR: -> records for the authoritative name servers for the record (not required when making an authoritative name server)]
- ARCOUNT: (Additional Records Count - 2 bytes) (0) (we won't use it) [Additional RR: -> records for other name servers which hold the record]

Body:
- Queries:
  - Name: mydomain.com
  - Type: (A, CNAME, MX)
  - Class: IN (Internet 0x0001)
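As an added example (not code from these notes), the parser below decodes the header flags and the question section of the message shown above and checks the 2-byte TCP length prefix; the sample bytes are the ones from the notes, and the compression-pointer handling in parse_name goes beyond the query shown, since answer sections use it.

```python
import struct

# Constructed sample: the query from the notes above. Over TCP the message is
# preceded by a 2-byte length (0x001d = 29); over UDP it starts at the ID.
SAMPLE_TCP = bytes.fromhex(
    "001d aaaa 0100 0001 0000 0000 0000 "
    "07 6578616d706c65 03 636f6d 00 0001 0001")

RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain",
          4: "NotImp", 5: "Refused"}

def parse_name(msg, offset):
    # Decode a label sequence; returns (name, offset after it). Follows the 0xC0
    # compression pointers answers use, with a hop limit against pointer loops.
    labels, hops, end = [], 0, None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:            # pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            end = end if end is not None else offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_message(msg, tcp=False):
    # Parse the 12-byte header and the first question. With tcp=True the
    # 2-byte length prefix is stripped and checked against the payload size.
    if tcp:
        if struct.unpack("!H", msg[:2])[0] != len(msg) - 2:
            raise ValueError("TCP length prefix does not match payload")
        msg = msg[2:]
    if len(msg) < 12:
        raise ValueError("short header")
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    hdr = {"id": tid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
           "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
           "ra": flags >> 7 & 1, "rcode": RCODES.get(flags & 0xF, "Reserved"),
           "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    name, off = parse_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    hdr["question"] = (name, qtype, qclass)
    return hdr
```

A resolver that receives a udp reply with hdr["tc"] == 1 should repeat the query over tcp, since the udp answer was cut at 512 bytes.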
An authoritative name server will only serve requests for the domains it controls and has records for.
dns-over-tls has a performance impact due to the cost of establishing a tls connection.
There are 3 competing implementations for DNS resolution encryption:
- DNSCrypt
- DNS over TLS
- DNS over HTTPS
If you are looking for something well tested and well supported, check out DNSCrypt (and the awesome DNSCrypt-proxy):
It doesn't get as much love as it should, but it is probably the best way to securely encrypt your DNS requests right now. The protocol was initially developed by OpenDNS, but many resolvers support it now (cisco, cleanbrowsing, etc). The list of supporting services is impressive.
On the other hand, DNS over HTTPS and DNS over TLS are pretty new and don't have as much support, except for a few players. A good list can be found here.