RFC 8094 – DNS over Datagram Transport Layer Security (DTLS) – was recently published as an experimental specification.
This was the result of the ongoing activity of the DNS PRIVate Exchange (dprive) Working Group at the IETF to develop mechanisms to provide confidentiality to DNS transactions and to address concerns surrounding pervasive monitoring.
DNS queries and responses are normally exchanged unencrypted on the network between a DNS client and server, and can be monitored to reveal potentially sensitive information. RFC 8094 therefore proposes to use DTLS for encrypting queries and responses between DNS clients and servers.
The DTLS protocol is based on the Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees, but is more suited to datagram transport that supports low latency and loss tolerant communication but which does not require or provide reliable or in-order delivery of data.
As latency is critical for the DNS, the outlined specification aims to reduce DTLS round trips and reduce the DTLS handshake size, as well as minimise the computational load on the DNS servers. This is an experimental update to the DNS in order to evaluate implementations, interoperability and effect on the DNS infrastructure.