Theme fund: NGI0 PET
Start: 2019-08
End: 2022-10

Privacy Enhancements for PowerDNS and DNSdist

Make it easier to deploy private DoT/DoH resolvers

DNS over TLS (DoT) and DNS over HTTPS (DoH) are two recent developments in the DNS field, and at present the public resolvers that offer them are dominated by US-based providers. The project will improve the availability of open, trustworthy, privacy-respecting DNS resolvers so that any DNS provider, operator or user can offer an encrypted DNS service. It aims to speed up the implementation, improvement and standardisation of the most important privacy-enhancing features of dnsdist and the PowerDNS Recursor, so that the entire DNS chain (from client, to caching resolver, to authoritative nameserver) can be encrypted. The project will add the privacy features needed for this to the open source PowerDNS components: dnsdist, the Recursor and the Authoritative Server.
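A minimal dnsdist configuration for the deployment described above, added here as an illustration; it is not the project's own configuration. dnsdist is configured in Lua, and the listener addresses, the client ACL, the certificate paths and the backend address are assumptions to be replaced with your own.

```lua
-- dnsdist.conf: terminate DoT and DoH in front of a local PowerDNS Recursor.
-- Added example, not the project's own configuration. Addresses, the ACL and
-- the certificate paths are assumptions to be replaced with your own.

-- Plain Do53 only on loopback, so the unencrypted listener is not reachable
-- from the network.
setLocal("127.0.0.1:53")

-- Which client networks may query through dnsdist at all (assumed example
-- ranges; dnsdist's default ACL only covers RFC 1918 space).
setACL({ "127.0.0.0/8", "192.0.2.0/24" })

local cert = "/etc/dnsdist/fullchain.pem"   -- assumed path to the certificate chain
local key  = "/etc/dnsdist/privkey.pem"     -- assumed path to the matching private key

-- DNS over TLS (RFC 7858) on the standard port 853. Requiring TLS 1.2 or
-- newer rules out the older protocol versions.
addTLSLocal("0.0.0.0:853", cert, key, { minTLSVersion = "tls1.2" })

-- DNS over HTTPS (RFC 8484) on 443. Clients send queries to /dns-query;
-- requests for any other path are rejected by dnsdist.
addDOHLocal("0.0.0.0:443", cert, key, { "/dns-query" }, { minTLSVersion = "tls1.2" })

-- The recursor behind dnsdist, assumed to listen on 127.0.0.1:5300. This hop
-- never leaves the host, so the plaintext here is only visible locally.
newServer({ address = "127.0.0.1:5300", name = "recursor" })
```

With a certificate issued for an assumed name such as resolver.example.net, a DoT client can be checked with `kdig +tls-ca +tls-hostname=resolver.example.net @resolver.example.net example.com`, and a DoH client by pointing it at https://resolver.example.net/dns-query. This encrypts the hop from the client to the resolver; the recursor's own queries towards authoritative servers are configured separately on the recursor.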

Why does this actually matter to end users?

If you want to look something up online, send an email to a friend or read the morning news, your computer first has to work out where to send or retrieve anything. It can do so because it is connected to the domain name system. This naming system translates names users can remember into numbers (or, with a fancy word: addresses). Your computer has such a unique number itself, but to connect it needs the numbers of the other computers you want to interact with. You probably use domain names every day, whether you type in the address of a website, listen to a podcast or send an email.

It is called a domain name system for a reason: it comprises more than just a naming convention. Resolving a domain name involves talking to a lot of different computers. Your computer or phone basically doesn't know much about the world. One thing it does know is how to ask that question of other, specialised computers. These computers probably don't know the answer themselves either, unless they have recently answered the same question for another user. Names can change quickly for good reasons, so this data needs to be refreshed often; otherwise users could end up on the wrong computer. The computers you sent your question to therefore pass it on to other computers, and so forth. After just a few steps, some of the computers consulted hold parts of the answer, and at some point the domain name system has the entire answer. This happens so fast that most people are not even aware how complex it is; for them it "just works". One disadvantage: many other computers have learned something about us, about who we interact with and about our interests, in a neatly labelled way: someone is connecting to a particular domain. The more unique your question, the deeper the digging inside the DNS, and the more it stands out.

Domain names are at present a critical component for users, and so also a critical point of failure and a choke point. Without functioning DNS, most people will have a hard time finding basically anything on the network of networks. There have been cases where, for instance, a Spanish company had its domain name taken away, even though what it did inside Europe for European citizens was legitimate here, but not in the USA. Since the organisations that handle the .org, .com and .net domain names are based in the USA, they can be forced to remove such names from the DNS.

When DNS was designed, neither security nor resilience was much of a concern for most users: the internet in its early days was not yet 'open to the public'. This has of course changed dramatically. The massive use of the internet, and thereby our dependency on DNS, has highlighted very important privacy and security issues with the design of DNS. At present it cannot always prevent users from being misled, nor can it prevent some leakage of what users do, who they talk to and where they go.

To make sure users can freely and privately use the web, numerous privacy-protecting additions have been made to DNS over the years. Progress has definitely been made, but to actually keep users safe such technologies must be readily available to DNS providers, operators and generally everyone on the internet. This project will develop and contribute to open and trustworthy tools that encrypt your DNS request as it leaves your computer, travels halfway around the world and comes back with the address of the website you were looking for.

Run by PowerDNS (part of Open Xchange)


This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.