By Neil Cook, VP Security Products at Open-Xchange
You have very likely heard and read a lot about the importance of DNS encryption in the last few months. Open-Xchange emphasizes the importance of DNS over HTTPS (DoH) and DNS over TLS (DoT), as well as the importance of keeping DNS available at your Internet Service Provider (ISP). ISPs' DNS services play a key part in maintaining a federated and safe internet. However, the trend of encrypting DNS using HTTPS is fueling a rise of ‘over the top’ (OTT) cloud DNS providers.
DNS encryption was sorely lacking for many years, until recently when browser vendors decided to implement it, which we welcome wholeheartedly. However, at least one browser vendor is proactively moving their users’ DNS traffic to OTT cloud DNS providers with the stated aim of increasing security and privacy. In part, this can be seen as a response to existing DNS operators being slow to implement encrypted DNS services.
In order to keep DNS traffic local, it is vital that ISPs and Mobile Operators start offering encrypted DNS services, so that they keep their subscribers’ DNS traffic and all the advantages that come with it – both to end-users (in terms of latency and access to local content caches) and to the network itself (better control over CDN caching, control over the end-to-end latency experience for subscribers). We recognized the need and demand of internet connectivity providers for encrypted DNS services, and we support them with our DNS solution: DNSdist.
DNSdist is a unique DNS proxy and load balancer that brings out the best possible performance in any DNS deployment. It optimizes DNS traffic in front of the OX PowerDNS Recursor or legacy DNS installations. While protecting against DDoS and abusive traffic, as well as caching frequently requested domains, DNSdist now also provides DNS encryption. In November 2019 we launched the latest version, DNSdist 1.4.0, which adds DNS over HTTPS (DoH) and DNS over TLS (DoT) features to a provider’s DNS installation. This makes it much less likely that the DNS of those subscribers will move to other providers, and enables DNS to stay with the ISP if both the subscribers and the client operating system vendors want it that way.
While many large operators have identified the issue, and we are jointly working on individual solutions with them, today we are happy to announce that BT is the first major UK ISP to launch a DoH trial, working with Open-Xchange.
Including DNS over HTTPS using DNSdist allows BT to offer additional privacy on top of the existing security and parental control services provided to subscribers. BT recently announced the trial phase at the ISPA’s DoH Policy Conference, which they also sponsored in conjunction with Open-Xchange.
Stay tuned for more information on DNSdist and DNS encryption. Please reach out to your Open-Xchange account manager or contact us if you wish to enter a DNS encryption trial too, or would like to receive more information.