How To Use OARC's DNS Privacy Resolver Testbed
OARC is pleased to offer dual-stack (IPv4 and IPv6), open DNS Privacy resolvers that anyone can use to experiment with secured DNS over TLS services (see RFC 7858). These listen for DNS queries over TLS on TCP port 853.
Two instances are available - one uses the ISI ANT T-DNS server proxy, with a back-end hooked into OARC's BIND ODVR server which provides packet capture as well as some modicum of logging. The second server uses Unbound as the front-end, which then forwards queries to the Unbound version of the ODVR service.
Please note this service is experimental, and makes no guarantees of availability, RFC compliance/interoperability, data privacy, or suitability for live, production use. We do however aim to contribute to the understanding of operating these services, seeking to improve their deployment towards these aims. Feedback as to how well or whether they actually work would be appreciated.
The IP addresses for the DNS Privacy nameservers are:
NOTE: Since ODVR was discontinued on Sept 30 2020, the T-DNS instance is no longer available.
Configuration
Both the ISI ANT software and the Unbound server use the same self-signed certificate and key (Cert, Key). The pin is: pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=
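As an added example (not OARC's own code or tooling), the following standard-library Python computes the SPKI pin of whatever certificate a DNS-over-TLS server presents on port 853, compares it with the pin published above, and only then sends a length-prefixed query. It assumes the pin is the usual base64(SHA-256(SubjectPublicKeyInfo)) form used by Stubby pinsets; the resolver address is a parameter because the testbed IPs are not reproduced on this page.

```python
# Added example, not OARC code: compute a DoT server's SPKI pin, compare it with the
# published one, and only then send an RFC 7858 query. Standard library only.
import base64, hashlib, socket, ssl, struct

def der_tlv(buf: bytes, off: int):
    """Parse one DER tag-length-value at `off`; return (tag, content_start, content_end)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    return tag, off + hdr, off + hdr + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, off, _ = der_tlv(cert_der, 0)                     # Certificate SEQUENCE
    _, off, tbs_end = der_tlv(cert_der, off)             # tbsCertificate SEQUENCE
    if cert_der[off] == 0xA0:                            # optional [0] EXPLICIT version
        off = der_tlv(cert_der, off)[2]
    for _ in range(5): off = der_tlv(cert_der, off)[2]   # serial, signature, issuer, validity, subject
    tag, _, end = der_tlv(cert_der, off)
    if tag != 0x30 or end > tbs_end: raise ValueError("malformed certificate: SPKI not found")
    return cert_der[off:end]

def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(SPKI)): assumed to be the pin format shown on the page (as in Stubby pinsets)."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """One-question DNS query (RD=1) with the 2-byte length prefix used over TCP/TLS."""
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def query_pinned(host: str, expected_pin: str, name: str, port: int = 853) -> bytes:
    """Connect on 853, refuse to send unless the peer's SPKI pin matches, return the raw answer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # self-signed: the pin is the trust anchor
    with socket.create_connection((host, port), timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
        if spki_pin(tls.getpeercert(binary_form=True)) != expected_pin:
            raise ssl.SSLError("SPKI pin mismatch; query not sent")
        tls.sendall(build_query(name))
        n, resp = struct.unpack("!H", tls.recv(2))[0], b""
        while len(resp) < n:                            # the answer may arrive in several TLS records
            chunk = tls.recv(n - len(resp))
            if not chunk: raise ConnectionError("short read from resolver")
            resp += chunk
        return resp
```

Call `query_pinned("<testbed address>", "pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=", "example.com")` to exercise the testbed; a pin mismatch raises before any query leaves the client.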
OARC collects data from these DNS Privacy nameservers and makes this data available to our members for research purposes. If you are interested in analyzing data from any of OARC's testbed tools, information about becoming an OARC member is available here.
Frequently Anticipated Questions
Q: Why are you doing this?
A: A few reasons:
- So that you can play with DNS Privacy and verify it works with your clients
- To provide an easy-to-use testbed for implementors and operators to verify operation of DNS Privacy with their systems
- To collect and publish data on adoption of DNS Privacy over time.
A: In line with OARC's mission, query data from our various testbed resolvers is logged and stored for non-commercial, public benefit research purposes. Users of the service should be aware this may include personally identifiable information. OARC has strict policies and processes in place, set out in the DNS-OARC Data Sharing Agreement, to limit access to this data to bona-fide OARC Members and researcher Participants. If your DNS query data is sensitive, you should probably not be entrusting it to an experimental third-party research testbed. OARC makes no commitments on the suitability of this service for live, production use.
Q: Will OARC anonymize data gathered by its testbed nameservers?
A: Depending on experience gathered from operating these testbeds, level of uptake, and/or OARC Member consensus, we may decide in future to anonymize, not anonymize, or offer a choice on different server(s). This is all subject to what complies with the jurisdictions OARC operates its own infrastructure in, and best pursues OARC's mission in the wider interest.
Q: I thought open resolvers were a bad thing?
A: It's true that open resolvers are usually considered to be a problem and have been used — in combination with source address spoofing — to conduct large-scale DDoS attacks. Such attacks are made possible because (1) there are hundreds of thousands, if not millions, of open resolvers, and (2) their owners/operators are unaware of the openness. OARC's open nameservers are rate-limited and closely monitored. If we have reason to suspect abuse of our open nameservers, we will act quickly to stop it. Please contact the OARC Admin if you have abuse concerns.