Maarten, Thank you for your suggestions, edits, and discussion. I've updated the final draft to give us a final, final draft. 😉 I've included the last (?) version at the bottom of this e-mail, and responded to your suggestions inline below. On 19/03/2024 10.24, Maarten Aertsen wrote:
* Those running public DNS resolver services, and
Should we remove "public" here?
Hm, good point!
- Data Security: Since you are in control of the physical servers, there is no risk of data leakage that can occur due to vulnerabilities in multi-tenant virtualization platforms, including CPU cache-based side-channel vulnerabilities. It could be argued that attacks targeting such issues are rare, and their impact on a DNS resolver service is low, but potential breaches may have significant privacy impact. It is advised to evaluate this against your organisation's risk model, or to discuss this with your information security compliance experts.
The ", or [..]" This feels a bit wordy; we don't suggest who to talk to for all the other recommendations either.
Makes sense. Discussing with experts is basically an option for everything. 😄
#### Server capacity
If using a model that is easy to scale (cloud based, or Kubernetes based, or similar), then getting server capacity correct is largely a
Given the earlier text about Kubernetes being 'similar' to cloud, "or Kubernetes based, " can probably be removed.
I'm inclined to leave this in. I'd rather be explicit than implicit.
Since DNS is mostly UDP-based, it is often easy to generate large amounts of spoofed traffic to and from DNS servers. DNS traffic is small compared to application traffic (videos and other content), but still significant. Authoritative server operators often build their networks and servers to handle 10 times their normal load. Recursive server operators may need to do the same, although the service only
I would split this sentence, to read:
server operators may need to do the same. When the service only
Fair.
accepts traffic from IP addresses that cannot be spoofed (for example users within a network that operated by the same company) then this
remove "then"
Done.
### Resilience
#### System Diversity
In addition to the software considerations above, operators should
Either change to "software **licensing** considerations", or start the sentence with Operators. After all, the previous part of the text is not about software considerations, so current wording may be a bit confusing to linear readers.
Makes sense. I've started with Operators, no need to remind people of the other considerations here.
consider whether to use different server implementations to provide
s/server/software/ ?
Makes sense.
In addition to the DNS-specific security considerations, normal security best practices for any Internet service should be followed, including updating software updated regularly, patching software as soon as possible for any known security vulnerabilities, following CERT announcements and so on.
Perhaps CERT/CSIRT. Not super important.
You led me down a short trip to the Wikipedia: https://en.wikipedia.org/wiki/Computer_emergency_response_team In spite of CMU's trademark on the term CERT (?!?!), I see way more CERT in the national lists than CSIRT, so I'll stick with it. In a random note, the RIPE Database has an IRT object type rather than a CERT or CSIRT object type, through some artifact of history. 😆
#### Certification
It may be useful or required for an organization to follow specific
s/follow/obtain/ ?
In this case "follow" instead of "obtain" was deliberate. It might not be necessary to actually go through the cost of getting certification in order to get the benefits. But, since this section concludes mentioning that business customers will look for them, "obtain" probably makes more sense.
certifications, such as ISO or ITIL. These can be government-defined
Not sure if (unspecified) "ISO or ITIL" are the most relevant examples. I would either remove or replace by say "ISO-IEC 27017, 27018 or SOC 2 Type 2", which all relate to services provided by an organisation, to be relied on by users of that service.
Replaced with "ISO or SOC 2 Type 2".
QUESTION: Do we need to publish certificate in other ways that via the DDR mechanisms?
Should this remain in?
Good point, removed!
### TTL-based Record Pre-Fetch
**TTL record pre-fetch should be enabled when available.**
I would remove "when available", seeing that the last sentence of the next paragraph already covers this.
I'm leaving it in, since we use that exact phraseology elsewhere.
### DNS Error Reporting
**DNS error reporting may be enabled.**
For: All DNS resolver operators.
DNS error reporting is a way for resolver operators to let authoritative operators know about problems in authoritative servers or zones. It provides little direct value for the resolver operators, but over time should improve the overall quality of the DNS ecosystem. It is neither widely deployed nor standardized, but hopefully will be both soon. Resolver operators are encouraged to enable DNS error
To me, 'may be' does not sound like much encouragement. Should this be 'should be' instead? The paragraph already explains that availability is limited for the moment.
I'm not sure we have enough operational experience to know if this is actually a good idea. It may end up being spammy, or unintentionally result in privacy leaks, or any other kinds of unpleasant side-effects. I don't expect it, but I also don't feel comfortable recommending it strongly.
## Privacy, Filtering, Transparency
Reviewing this next part was a bit painful, because I was involved in writing it and yet I see quite a few places where I feel we should improve. After re-reading RFC8932 for the second time, I noticed quite some overlap where RFC8932 is more exhaustive, specific and practicable. By creating overlap, I think we may be watering down our own advise. Below I go over all the items one by one, reference specific sections to advocate for removal of any such overlap.
Okay, thanks for the detailed re-reading.
### Privacy & anonymity
Operators are advised to apply
DNS resolver operators
Yes.
[RFC8932](https://www.rfc-editor.org/rfc/rfc8932.html)
"Recommendations for DNS Privacy Service Operators" as follows:
1. its operational and policy guidance related to DNS encrypted transports and data handling, by applying all "Threat mitigations" (thereby by meeting its level of "minimally compliant") and additionally by applying the "Optimizations" on EDNS Client Subnet listed in section 5.3.1.
2. its framework on a Recursive operator Privacy Statement, by publishing a privacy statement on their website that is compliant with Section 6.
I suggest we strengthen this sentence a bit, then remove duplicates in the next section:
s/that is compliant with/covers all topics in/
Makes sense.
#### Logging considerations
1. Public privacy policy: DNS resolvers are recommended to publish their privacy policies transparently on their website. It can be a brief privacy commitment as well or be more elaborate on how the privacy policy was made. (See for example [Cloudflare's statement](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver) or [Quad9's privacy page](https://www.quad9.net/service/privacy/).)
Such policies should explicitly mention the sampling rate of DNS queries/responses that are kept, and whether these are anonymized.
This is fully covered by the reference to RFC8932, Section 6. I suggest we remove this text.
Okay, that makes some sense. I kept the examples from Cloudflare and Quad9, but moved them at the end of the previous section.
2. Third party access to personal data: it seems that the only critical personal data that DNS resolvers collect are IP addresses and the queries that are resolved. The other meta data collected can be used to have an understanding of for example which user accessed which website which can reveal information about a person’s health, lifestyle and other personal preferences (we call this profiling). For example, resolving the website for alcoholics anonymous may tell you something about the health of a person behind an IP address. IP addresses are personally identifiable information. Follow the applicable privacy laws or privacy principles when receiving third party requests to access.
Resolvers should only comply with such requests when balancing legitimate third party interest with other fundamental rights.
This goes beyond RFC8932, Section 5.3.3 and Section 6.1.1 item 2 and may therefore be worth keeping.
I suggest re-ordering this paragraph a bit to start with the advice. The following is an attempt to reorder:
Resolver operators may receive third party requests for information they have logged that relates to users, including IP addresses, queries and meta data. Resolvers should only comply with such requests when balancing legitimate third party interest with the user's fundamental rights, including rights to privacy. Usage information can be personal data, PII or similarly regulated under the privacy laws applicable to the users, operator or third party, revealing a person's health, lifestyle or other personal preferences (profiling). For example, logging information that documents a user resolving a website for alcoholics anonymous may relate to the health of a person behind an IP address.
Makes sense, I've included this text.
3. Access to data for researchers: how it is done, who has access and who can request access, how the resolver makes a decision to give access (validated and credible researchers, what they can access and other issues)
Covered in RFC8932, Section 5.3.3. Suggest removal.
Removed.
4. Data minimization: do not collect personal information not needed for critical operations. Only retain or use what is being asked (the query). If collecting data to make the service more private and secure, explain the rationale for each piece of data (data collection purpose)
Covered in RFC8932 section 5.2.1 and section 5.2.2. Suggest removal.
Removed.
5. Encryption: If data is encrypted, explain how it has been encrypted (DoH, DoT, or so on).
Covered in RFC8932, Section 6.1.2, item 2. Suggest removal.
Removed.
6. Data security and retention: when to delete the data and how it is stored
Data retention is covered in RFC8932 section 5.2.1 and section 5.2.2. Section 5.2.1, last bullit under mitigations sets a security goal relating to data access, though the word security is not used (it is the scope of the entire document).
Suggest removal. Alternatively, abstract to a level higher than RFC8932 by stating something like the following (with limited operational value):
2. Data security: DNS Resolver operators should take appropriate technical and organisational measures to protect logging information that relates to users.
I've included this higher-level recommendation.
**Legal requests and blocking and filtering laws:** DNS resolvers
operators
Updated.
should not filter content and block access to web-services. When the local law requires blocking, and the law applies to the resolver, the resolver should transparently disclose a list of blocked websites and services, when possible (disclosing such a list may not be allowed by law or regulation). Similarly, the resolver should disclose the source of such block lists, when possible.
If it is not possible to disclose the source of blocklists, operators should try to be as transparent as possible about how they receive those blocklists, based on what criteria, and how they mitigate errors and false positives. Disclosing which organizations operators interact with, how they liase, and so on, can help users understand the impact on the service provided.
If possible, resolvers should provide information about blocked responses via the Extended DNS Error with the Blocked, Censored, Filtered, or Prohibited code - whichever applies best - along with a text why the response was blocked, censored, filtered, or prohibited.
[RFC 8914](https://www.rfc-editor.org/rfc/rfc8914.html#section-4.16) provides information about the meanings of the different codes.
I like these paragraphs, but they are also covered by RFC8932, section 6.1.1 item 6 (result filtering), which we already advise to apply. As an example of where that section is stronger, it does not feature 'when possible' escape hatches.
I'm not sure what to do here. At a minimum, I believe we should make a reference to that content and substantiate why we feel it is worth repeating here (while not the other topics of RFC8932).
Interesting. The "when possible" language was added in recognition that there may be legal or other barriers preventing such transparency. Also, RFC 8932 6.1.1 just talks about documentation... our text here actually recommends not filtering, which RFC 8932 does not do. RFC 8932 also doesn't reference RFC 8914, which makes sense since they came out very near to each other. So... I understand the concern about re-specifying things, but I'm actually happy to let this text stand.
**Community governance of blocklists:** blocklists, if mandatory, have to be audited and assessed by third parties and there should be a right to appeal for those blocked. The Internet community can vet the blocklists from time to time to avoid blocking access to websites that are mistakenly blocked. During crisis - when mistakes can have drastic effects on accessing a critical service - preferably filtering and blocking should not be used.
This is not covered by 8932, so relevant to keep.
👍
### Transparency
Suggest leading with the advice:
Public DNS resolver operators should publish transparency reports to build user trust in their adherence to policies and practices. This goes beyond our advise to apply RFC8932, section 6.2.
Makes sense. Updated.
DNS resolvers usually provide transparency reports once a year. The
Suggest to replace with:
A common frequency is once a year. The
Done.
#### Voluntary certificates and standards
Some DNS resolvers opt for obtaining certificates in security and privacy. Some also undertake audits on their privacy practices. See for example:https://www.cloudflare.com/trust-hub/compliance-resources/
Suggest removing this; certification is already covered under ### Resilience above. Should the group feel that this is the most appropriate place, I suggest moving that section to replace the one here.
Good point. I added a bit of text mentioning audits or reports, and include the link as an example there.
#### Human rights considerations
DNS resolvers can opt for declaring their understanding of their responsibilities regarding human rights from the Universal Declaration of Human Rights. Specifically, Quad9 mentions rights to freedoms
s/Specifically/As an example of a public DNS resolver operator/
Make sense, updated. -- Shane # DNS Resolver Recommendations About the DNS Resolver Best Common Practice Task Force https://www.ripe.net/participate/ripe/tf/dns-resolver-best-common-practice-t... ## Terminology * Open Resolver: A DNS resolver that accepts queries from any client. Often the result of misconfiguration. * Public Resolver: A resolver intentionally configured to be an open resolver. ## Introduction ### What Is This Document? Who Is It For? This document presents recommendations and best current practices for operating DNS resolvers, both public and non-public ones. It covers technical aspects of operations and provides best practice recommendations for data management, with a particular focus on user privacy, security, and resilience. The document serves as guidance for the wider Internet community, offering input to: * Those running DNS resolver services, and * Those who want to make informed choices between such services. Its purpose is to provide clear guidance and promote effective practices in DNS resolver operation. The intended audience is not the entire DNS community. Advice here is probably not useful for operators of authoritative servers, domain registrars, and so on. It is also not meant to be an introductory or educational document. There are many documents which cover the basics of DNS and the roles of organizations in it; a good overview is: Addressing the challenges of modern DNS - a comprehensive tutorial by van der Toorn et al. https://ris.utwente.nl/ws/files/282427879/1_s2.0_S1574013722000132_main.pdf The document does not consider how to measure adherence to these recommendations. So it is not intended to be used for certification, although certification created based on the principles here is possible. ### How Is This Document Organized? This document has a number of sections, and specific recommendations in each section. The intent is for each recommendations to have clear guidance at the top, and then background and discussion related to the recommendation afterwards. Each recommendation indicates whether it is mostly for operators of public resolvers or for operators of any resolver. ### About Recomendation Text This is not a standards document, and does not propose any way to measure compliance or interoperability. It does use words like "should" or "may be" throughout. These are meant to be interpreted in the usual English sense, and not as IETF-style RFC 2119 jargon. ## System and Network Hardening ### Infrastructure considerations Running any Internet service requires attention to the infrastructure used to operate it. This section discusses various approaches that can be used to run a DNS resolver. Everything applies to both public and non-public DNS resolvers. #### Bare metal or public cloud All DNS resolver software can run either on dedicated servers (rented or colocated), or in virtualized clouds, or in a combination of those. Every approach has pros and cons. Most of these are not specific to running DNS resolvers, however, some of them are. **Running DNS resolver instances as OS level daemons on bare metal hosts:** Pros: - Performance: Bare metal servers have direct access to the underlying hardware, and can offer superior performance/cost balance by avoiding the overhead associated with virtualization. Moreover, you have full control over the server's configurations, down to the hardware level, which can be beneficial for performance and cost optimization once you get the understanding of your typical work load during peak hours. - Data Security: Since you are in control of the physical servers, there is no risk of data leakage that can occur due to vulnerabilities in multi-tenant virtualization platforms, including CPU cache-based side-channel vulnerabilities. It could be argued that attacks targeting such issues are rare, and their impact on a DNS resolver service is low, but potential breaches may have significant privacy impact. It is advised to evaluate this against your organisation's risk model. - Predictability: Because there is no virtualization layer and no "noisy neighbours" on the host, the performance of your servers is more predictable. Cons: - Cost of failure: If you pick hardware configuration that is not optimal for the workload of your DNS resolver, you may need to upgrade and replace hardware components afterwards. Ways to reduce this risk include renting servers instead of buying them, carrying load testing with data similar to production workloads, and providing limited beta access to the service before it fully enters the production phase. - Scalability: Scaling up with physical servers means acquiring or renting, installing, and configuring new hardware, which will take more time than provisioning new virtual servers in a cloud environment. Moreover, most cloud environments will provide you with cluster autoscaling features, which could barely be achieved in bare metal. - Maintenance: You will be responsible for all server maintenance tasks, including hardware issues, which can require significant effort and specific expertise. - Redundancy: Setting up high availability and disaster recovery strategies can be more complex and time consuming compared to the cloud, where these features are often provided as value added products. See the Redundancy section for more details. **Running DNS resolver instances in containers in a public cloud:** Pros: - Scalability: Clouds excel at scaling applications. You can scale up and down rapidly based on load, which is important for a DNS resolver that needs to handle variable query loads. In case of regional or geographically distributed resolvers, in every region where the resolver would be deployed, daily periodicity is likely to be observed, for example peak hour is likely to occur around 19:00 local time, and off-peak hours may begin at around 01:00-03:00. In a situation like that, using cluster autoscaling features and tools, you can run less instances in the night and more instances throughout the day, which may help to optimize your cloud hosting costs. - Fault Tolerance and High Availability: Most clouds have built-in strategies, features, and products for handling node failures, which can increase your service's availability. - Deployment and Management: Cloud providers offer built-in methods to deploy and manage applications, which can simplify operations and reduce the likelihood of human errors if your infrastructure management department is already familiar with these tools. - Cost: While this largely depends on your specific usage, cloud services can sometimes be more cost-effective than managing your own physical servers, especially when you consider the total cost of ownership, including power, cooling, and maintenance. Cons: - Performance: The virtualization layer of public clouds can impact performance. While this certainly could be mitigated through scaling the number of virtual hosts, the cost would also increase accordingly. - Complexity: Advanced cloud technologies are complex systems which come with a steep learning curve. Without prior experience, properly configuring and managing a cloud-based compute cluster can be challenging. - Cost Variability: While the cloud can be cheaper, it can also be more expensive if not properly managed. Costs can rise unexpectedly based on traffic. Make sure to always set some limits on how much may be spent on hosting in the cloud control panel, and to set up notifications to be sent to you when these thresholds are about to be triggered. - Multi-tenancy Risks: In a public cloud environment, the "noisy neighbour" problem could potentially affect your service's performance. Additionally, even though cloud providers take steps to isolate tenant environments, vulnerabilities could potentially expose sensitive data (see the previous section for a detailed explanation). **Additional considerations** - In today's environments, Kubernetes and Terraform are sometimes used as a substitute for cloud APIs when it comes to production services' management. When running a DNS resolver in a Kubernetes cluster on top of a public cloud environment, all the pros and cons of the public cloud apply; basically, Kubernetes becomes your public cloud provider. If you have significant prior experience running services in Kubernetes in production, you may successfully replicate your experience with the DNS resolver software. Otherwise, we would advise against Kubernetes in this case. - The only reason we may find to run a DNS resolver in a Kubernetes cluster on top of self-hosted dedicated servers is when you have significant hands-on experience with Kubernetes and it is natural for you to manage applications this way. Otherwise, running DNS resolver daemons in containers brings little, if any, benefit. Autoscaling features are not available to you in this case, and neither horizontal nor vertical pod autoscaling is of any use, because DNS resolver software typically scales in-host by itself just fine. - When designing a cluster of resolvers for autoscaling, keep in mind that newly spawned resolver machines would need to populate resolver cache first before they are fully useful. Your DNS resolver software may provide cache replication mechanisms. Otherwise, it is safe to overprovision clusters somewhat under heavy load, and discarding excessive instances once all the caches are populated and the average load of a compute instance decreases. In addition, it may be worthwhile to consider sharing cache data between instances. - It is always advised to prefer environments your infrastructure management team is familiar with. ### Software considerations #### Open Source **Recommendation**: Choose any well-maintained DNS software you are comfortable using. Regardless of which software you choose, ensure you have somewhere to go for support. In the case of open source software, consider providing financial support to ensure continued development. Some open source maintainers take donations, while others offer support contracts. There are both open source and proprietary implementations of DNS resolver software. Mixing these is also possible, for example, by using proprietary extensions with open source software or deploying open source software modified in-house. General observations: - Software licensing is orthogonal to software security. Neither is proprietary software less secure on principle nor are contributions by "unknown" developers more of a risk in open source. Benefits of open source: - Open source allows for inspection, independent auditing, and troubleshooting. - Open source can avoid vendor lock-in. - Open source can aid internet standards development. Widely-deployed open source implementations allow proponents of standards drafts to contribute proof of concept implementations without permission or cooperation of vendors. Drawbacks of open source - Both open source and proprietary software require skilled maintenance, which has costs. Proprietary licensed software or appliances typically come with license fees to cover these. In contrast, open source licenses decouple usage by operators from monetary compensation to developers. It is up to operators to consider the financial sustainability of continued maintenance of the open source DNS software they depend upon. Please also consider deploying different software implementations to ensure diversity, as discussed in the diversity section below. ### Networking considerations #### IPv4 and IPv6 **If available, both IPv4 and IPv6 must be deployed.** Large parts of the authoritative DNS are only accessible via IPv4, so the resolver must be able to originate IPv4 queries. Authoritative DNS that is only accessible via IPv6 is very rare. Depending on the connectivity of clients, a resolver may be IPv4-only, IPv6-only, or support IPv4 and IPv6. #### Addressing **Using multiple IP addresses for the service address should be considered.** Using 2 or more IPv4 addresses and 2 or more IPv6 addresses from different RIR will allow resilience in failure at an RIR, either governance, security, or technical. Note that support for multiple addresses for recursive resolvers varies and some clients perform poorly if any address does not respond normally. There is no need to pick an IPv4 address with all octets the same, like 2.2.2.2 or 11.11.11.11. **Publishing a list of back-end addresses used for resolving should be considered.** Publishing a list of back-end addresses used for resolving can be useful for other network & DNS operators (for example, geo-IP location, making sure data is getting to correct places, and so on). #### High Availability This can be considered in terms of local and global scope. ##### Local scope Inside a single location/region, such as an office, campus, or small ISP network, the main availability concern is that a resolver is always reachable. Client systems can be configured with multiple resolver addresses, but the failover behaviour of stub resolvers to a second address can be painful. Ideally the primary address is highly available and such fallback rarely required. How much effort is put into ensuring this is true should probably scale in line with the number of users, or sensitivity of the clients using that resolver to delayed resolution. There are several ways to promote high availability of an individual resolver address, such as dedicated load balancing equipment, or network techniques like VRRP, or IP anycast. These generally have in common a pool of recursive servers and the means to direct queries to them when a health check has determined them to be capable of answering those queries. Dedicated free or commercially produced, hardware or software load balancing solutions are available. These typically own the resolver IP address and forward queries to the currently available instances of a pool of recursive servers. VRRP enables a technique to make the resolver IP address available on multiple servers, often used to provide automatic failover between two. A pool of recursive servers using this technique must reside in the same broadcast domain. IP anycast in the local scope typically involves a pool of recursive servers advertising a route to a shared resolver IP address into a routing protocol. This can be configured in failover or load-sharing configurations. A load sharing configuration typically requires network equipment able to balance traffic to a destination over equal cost paths (ECMP). A pool of recursive servers using this technique can be distributed in different parts of the network. ##### Global scope The same concerns as for local service availability are present in the global scope, with the added issue that DNS resolution over long distances may be slow. Practically speaking, only multiple resolver addresses, or IP anycast are useful strategies here. The motivations for finding better failover solutions than multiple resolver addresses have been covered above. IP anycast in the global scope means routing the same IP prefix to more than one location. This can provide effective solutions for failover and, when optimally configured for routing client queries to the topologically least distant recursive server location. IP anycast in the global scope requires the use of globally routable prefixes. If a separate prefix is to be used for anycasting, usually this means a /24 in IPv4 and a /48 in IPv6, as those are the smallest sizes that will be widely propagated in BGP. A common practice is to use a covering prefix (/23 in IPv4 or /47 in IPv6) for fallback, and a more-specific prefix (/24 or /48) for the traffic. The more-specific prefix can then be withdrawn to send traffic to a backup site; this will happen automatically if the site is disconnected from routing. [RFC7094](https://www.rfc-editor.org/rfc/rfc7094.html) discusses anycast architecture in detail, including references to various other RFC which discuss anycast in general and to DNS in particular. [RFC4786](https://datatracker.ietf.org/doc/html/rfc4786) discuses operation of anycast services. ##### Generally Operators of a globally scoped recursive service are encouraged to also adopt the local scope recommendations in each of the locations where the service is provisioned. Though the above deals with the shortcomings of reliance on stub resolver failover between a list of addresses those recommendations shouldn’t be seen as an exclusive alternative. Multiple resolver addresses, where each is provisioned using differing failover strategies, can provide a resolver of last resort and further improved resilience. #### Ingress Filtering **Ingress Filtering to follow BCP 38 should be deployed.** DNS normally uses UDP traffic, which makes it a common vector of both [reflection](https://en.wikipedia.org/wiki/Reflection_attack) and [amplification](https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-a...) attacks. To minimize the amount of spoofed traffic that a resolver responds to, the network should be configured as recommended in [BCP 38](https://www.rfc-editor.org/rfc/rfc2827.html). #### RPKI Sign Advertised Routes **Route Advertisements should be signed using RPKI** Using RPKI to sign any route advertisements - either toward authoritative servers or toward DNS clients - is straightforward to do and will reduce the impact of BGP misconfigurations and some BGP hijacking attempts. RPKI validation is also possible, although the effort is greater. It is possible that the hosting provider or the transit provider for your service validates BGP; asking and making this part of your selection criteria is reasonable. #### (D)DoS measures Denial-of-Service (DoS) attacks, both distributed (DDoS) and not are a threat to any Internet service. Network operators for a service providing any DNS service must be prepared for large amounts of attack traffic. In addition to attacks on the service itself, a resolver may be used both as an attack reflector and as an attack amplifier. Active monitoring of network and service usage, careful logging, and a security team that is able to respond to problem reports is necessary. Mitigation techniques will include filtering or rate-limiting traffic, both on the authoritative and client side of the resolver. ### Capacity planning #### Server capacity If using a model that is easy to scale (cloud based, or Kubernetes based, or similar), then getting server capacity correct is largely a question of budgeting. If using a less-flexible model (bare metal for example), then under-estimating will mean problems delivering service. Hardware performance varies widely, as does operating system and resolver performance. Some lab testing will be necessary to estimate the number of systems needed. #### Network capacity Since DNS is mostly UDP-based, it is often easy to generate large amounts of spoofed traffic to and from DNS servers. DNS traffic is small compared to application traffic (videos and other content), but still significant. Authoritative server operators often build their networks and servers to handle 10 times their normal load. Recursive server operators may need to do the same. When the service only accepts traffic from IP addresses that cannot be spoofed (for example users within a network that operated by the same company) this can be reduced, for example to 3 times normal load. To estimate expected load, the best approach is to examine historical usage for the actual expected users of the system. ### Resilience #### System Diversity Operators should consider whether to use different software implementations to provide service. This allows continued operation if a critical vulnerability is found in one implementation, by shifting traffic to other implementations. Placing resolvers and control systems in different physical locations will allow continued operation in the event of a disaster or other problem that impacts a single location. In addition, ensuring diverse connectivity to other networks will prevent single points of failure on the network side. Ensuring network diversity may take some care, as it is not always obvious what fate is shared between any given path; this may be physical, virtual, or organizational, and my sometimes be hidden. #### Security In addition to the DNS-specific security considerations, normal security best practices for any Internet service should be followed, including updating software updated regularly, patching software as soon as possible for any known security vulnerabilities, following CERT announcements and so on. #### Certification It may be useful or required for an organization to obtain specific certifications, such as ISO or SOC 2 Type 2. These can be government-defined or industry-defined. For end users there is typically not much direct value, but business customers will often look for services that are operated by organizations meeting such standards. Audits or other reports about this may be published, see for example: https://www.cloudflare.com/trust-hub/compliance-resources/ ## DNS configuration knobs The DNS is an old protocol that has a lot of settings that can be tweaked. This section reviews these and provides recommendations on which should be used for a resolver. ### DNSSEC validation **DNSSEC validation should be enabled.** For: All DNS resolver operators. DNSSEC validation is the best way to ensure that the answers from the owner of domain name being queried are returned. The root KSK must be updated when it changes. While [RFC5011](https://www.rfc-editor.org/rfc/rfc5011.html) defines an automated way to do this, a resolver operator will probably either manage this trust anchor directly or have it updated via OS updates. [RFC9364](https://www.rfc-editor.org/rfc/rfc9364.html) provides a lot of useful information, and links to further documents about DNSSEC. However, operators usually do not need to know the details, and can simply ensure that DNSSEC validation is enabled in their software. Resolver software that does not support DNSSEC validation should be avoided. ### DNS Transport Protocols **UDP and TCP must be supported.** For: All DNS resolver operators. UDP is what most clients use, and TCP is necessary for DNS answers that are too large for a single UDP packet. [RFC7766](https://www.rfc-editor.org/rfc/rfc7766.html) explains why TCP is necessary in more detail. ### Packet Fragmentation Avoidance **Servers should be configured to avoid fragmentation.** For: ALL DNS resolver operators. Packet fragmentation can cause issues with DNS over UDP, especially over IPv6. These issues can be minimized by choosing implementations that set IP options to avoid this, and by taking care with EDNS0 message sizes. Recommendations are available in [draft-ietf-dnsop-avoid-fragmentation](https://datatracker.ietf.org/doc/draft-ietf-dnsop-avoid-fragmentation/). ### Encrypted DNS **At least one of DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), and DNS-over-QUIC (DoQ) should be supported.** For: All DNS resolver operators. DoT, DoH, and DoQ are different technologies that all provide an encrypted channel between the resolver and the authoritative server. DoT is the oldest, and provides encrypted DNS using TLS. DoH uses HTTP over TLS as a way to transmit queries and answers, and is widely supported by web browsers. DoQ is the newest, and provides advanced features such as separate streams for each query, avoiding the "head of line" blocking problem common with all protocols layered on top of TCP (such as DoT and DoH). - DoT - [RFC7858](https://www.rfc-editor.org/rfc/rfc7858.html) - DoH - [RFC8484](https://www.rfc-editor.org/rfc/rfc8484.html) - DoQ - [RFC9250](https://www.rfc-editor.org/rfc/rfc9250.html) **Discovery of DNS Designated Resolvers** There are new mechanisms that allow DNS clients to use DNS records to discover encrypted DNS configurations. Resolvers should publish DNS records to assist clients finding encrypted resolvers. - Discovery of Designated Resolvers - [RFC9462](https://www.rfc-editor.org/rfc/rfc9462.html) ### QNAME Minimization **QNAME minimization should be enabled.** For: All DNS resolver operators. Using QNAME minimization, a resolver does not send the full name that it is trying to resolver to authoritative servers higher in the DNS hierarchy. So, for example, when querying "atlas.ripe.net" the servers for ".net" would only be asked for "ripe.net". This improves privacy for the end user querying the name. [RFC7816](https://www.rfc-editor.org/rfc/rfc7816.html) covers QNAME minimization. ### Aggressive NSEC caching **Aggressive NSEC caching may be enabled.** For: Public resolver operators. "Aggressive NSEC caching", meaning negative caching based on NSEC and NSEC3 values, can reduce traffic greatly. It is important to protect against random subdomain attacks. This style of caching takes advantage of the way that NSEC and NSEC3 records cover a range of names in a zone. A resolver can know that a query falls within such a range without sending any further queries, by remembering the NSEC or NSEC3 redords that is has seen as answers to earlier queries. Aggressive NSEC caching is almost always a good idea. However enabling this is less important for DNS resolver operators who have a close relationship with users, since they can stop attacks by blocking users or otherwise directly dealing with the source of abusive queries. [RFC8189](https://www.rfc-editor.org/rfc/rfc8189.html) describes negative caching in detail. ### ANY Queries **ANY queries responses should be limited.*** For: All resolver operators. Public or large-scale resolvers should be exceptionally careful with queries of type ANY, which return all all records at a given name. If a resolver replies with all of the records cached for a given type, the response can be much larger than for a single record type. Strict limits should be enforced on volumes of such queries to prevent amplification abuse, or truncation should be applied to prevent spoofed redirections. [RFC8482](https://www.rfc-editor.org/rfc/rfc8482.html) describes several approaches to limiting ANY responses. ### Local Root **Local root should be used.** For: Public resolver operators. Running a local root has several benefits, but it is an additional component to maintain. For public resolver operators this is definitely worth the cost, but other resolver operators may choose to simply send all queries to the well-distributed root name servers. [RFC8806](https://www.rfc-editor.org/rfc/rfc8806.html) describes local root, including several example configurations. In the future it will be possible to use ZONEMD to validate the copy of the root zone obtained before using it. This is currently available for the root zone. [RFC8976](https://www.rfc-editor.org/rfc/rfc8976.html) describes ZONEMD. ### DNS Cookies **Interoperable DNS Cookies may be supported.** For: Public resolver operators. DNS cookies provide some improved security over plain UDP, and are designed to be more lightweight than TCP. If more than one server is responding for a given IP address, then the Server Secret must be shared by all servers, and the answer must be constructed in a consistent manner by all server implementations. Since client-side support for DNS cookies is not very widespread, and since managing server-side secrets involves some work, the costs may outweigh the benefits for some non-public resolver operators. [RFC7873](https://www.rfc-editor.org/rfc/rfc7873.html) describes DNS cookies, and [RFC9018](https://www.rfc-editor.org/rfc/rfc9018.html) standardizes shared DNS cookies. ### TTL Recommendations **TTL limits may be adjusted.** For: All DNS resolver operators. Software typically defaults to a maximum stored TTL of 1 or 2 days. A lower TTL will mean removing rarely-used records that have long TTL, and should not have much operational impact from a CPU or network point of view. It is possible to set a minimum TTL in many implementations. This is a violation of the DNS protocol, although may be useful to reduce load from records with very low TTL (less than 5 seconds). Note that software may set different maximum and minimum TTL independent of the results that the resolver returns. That may have a significant impact on queries as well, but resolver operators cannot influence that. ### TTL-based Record Pre-Fetch **TTL record pre-fetch should be enabled when available.** For: All DNS resolver operators. Some resolvers have the ability to look up a record before it has expired from cache, in order to refresh the value and extend the TTL. This way there is never a time when the records are missing from the cache. This is not currently standardized, but a form of this was proposed in the IETF as [DNS Hammer](https://datatracker.ietf.org/doc/html/draft-wkumari-dnsop-hammer-03). We recommend turning this feature on if available. ### EDNS Client Subnet (ECS) **ECS may be enabled.** For: All DNS resolver operators. EDNS Client Subnet (ECS) allows the resolver to include information about the IP address of the client querying it when sending messages to authoritative servers. This may allow authoritative servers to provide different answers which are more appropriate for the client. However, ECS will increase the amount of cache space required by resolvers, may reduce DNS performance, and may have privacy implications. A resolver operator that has clients that are limited to a specific region may see no benefit. A resolver operator that has a widely distributed anycast network may not have much benefit from ECS, since the locations that initiate the query will be close to the client. But a resolver operator that answers client queries only from a few locations, and expects clients to come from a wide area, may provide better service for end-users by supporting ECS. EDNS client subnet is described in [RFC7871](https://www.rfc-editor.org/rfc/rfc7871.html), an informational RFC. ### Extended DNS Errors **Extended DNS errors should be enabled.** For: All DNS resolver operators. DNS traditionally provides very broad error reporting, SERVFAIL being the most common. This makes diagnosing and fixing problems difficult. Extended DNS errors provide extra information about failures, for example expired DNSSEC signatures. They also allow resolver operators to report administrative reasons for DNS failures, such as blocks due to legal requirements. [RFC8914](https://www.rfc-editor.org/rfc/rfc8914.html) defines extended DNS errors. ### Negative Trust Anchors **Negative trust anchors may be deployed.** For: All DNS resolver operators. Negative trust anchors (NTA) allow a resolver operator to handle a case where an authoritative server has a DNSSEC problem and becomes inaccessible. They basically disable DNSSEC checking for a domain. When this is warranted is difficult to know with certainty, and will usually requires some manual checking. Since DNSSEC validation is now widespread, DNSSEC failures on the authoritative side will impact many resolvers. Because of these reasons this document does not recommend NTA, but also does not recommend that a deployment avoid NTA if it makes sense for that environment. Negative trust anchors are documented in [RFC7646](https://www.rfc-editor.org/rfc/rfc7646.html). ### DNS Error Reporting **DNS error reporting may be enabled.** For: All DNS resolver operators. DNS error reporting is a way for resolver operators to let authoritative operators know about problems in authoritative servers or zones. It provides little direct value for the resolver operators, but over time should improve the overall quality of the DNS ecosystem. It is neither widely deployed nor standardized, but hopefully will be both soon. Resolver operators are encouraged to enable DNS error reporting when it is available. DNS error reporting is proposed in [draft-ietf-dnsop-dns-error-reporting](https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting). ### Trust Anchor Reporting **Trust anchor reporting should be enabled.** For: All DNS resolver operators. Trust anchor reporting is a way for resolver operators to convey their DNSSEC trust anchor configuration to the operator of the zone that it is for. For most resolvers this is only the root zone. This information is intended to be used during a root KSK rollover to ensure that it is safe to proceed. In the future ICANN is planning an algorithm roll for the root KSK, and this information could be helpful. Resolver operators are encouraged to enable trust anchor reporting. [RFC8145](https://www.rfc-editor.org/rfc/rfc8145.html) covers trust anchor reporting, in both possibilities available. ### Name Server Identification **Servers should be configured to identify themselves.** For: All DNS resolver operators. Large resolver operations, especially publicly available resolvers, should support an in-band method of discovery that is obvious to permit users to discover what node has answered their query. This improves troubleshooting significantly, and may be useful for research and testing purposes. NSID (Name Server Identifier) is ideal for this, though also “CH TXT id.server” support is also reasonable. Geographic hints should be provided in this data, though specific host data is optional for arrays of servers in clusters. IATA codes have traditionally been used for naming points-of-presence, though this is at the discretion of the operator. [RFC5001](https://www.rfc-editor.org/rfc/rfc5001.html) describes NSID. [RFC4892](https://www.rfc-editor.org/rfc/rfc4892.html) describes name server identification in general, and documents the pre-NSID approaches. ## Privacy, Filtering, Transparency ### Privacy & anonymity DNS Resolver operators are advised to apply [RFC8932](https://www.rfc-editor.org/rfc/rfc8932.html) "Recommendations for DNS Privacy Service Operators" as follows: 1. its operational and policy guidance related to DNS encrypted transports and data handling, by applying all "Threat mitigations" (thereby by meeting its level of "minimally compliant") and additionally by applying the "Optimizations" on EDNS Client Subnet listed in section 5.3.1. 2. its framework on a Recursive operator Privacy Statement, by publishing a privacy statement on their website covers all topics in Section 6. (See for example [Cloudflare's statement](https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver) or [Quad9's privacy page](https://www.quad9.net/service/privacy/).) #### Logging considerations In addition to the logging recommendations from RFC8932, operators should consider the following: 1. Third party access to personal data: Resolver operators may receive third party requests for information they have logged that relates to users, including IP addresses, queries and meta data. Resolvers should only comply with such requests when balancing legitimate third party interest with the user's fundamental rights, including rights to privacy. Usage information can be personal data, Personally Identifable Infomation (PII) or similarly regulated under the privacy laws applicable to the users, operator or third party, revealing a person's health, lifestyle or other personal preferences (profiling). For example, logging information that documents a user resolving a website for alcoholics anonymous may relate to the health of a person behind an IP address. 2. Data security: DNS Resolver operators should take appropriate technical and organisational measures to protect logging information that relates to users. #### Advertisement Policy If there is any advertising from the service, the policy should be published as well as how it can potentially affect the users' privacy. ### Filtering and blocking #### Block Lists Resolvers can be directed to block or modify answers in various ways. Blocklists may be provided by governments, communities, or other parties (for example security firms). Response Policy Zone (RPZ) allows a way to both document specific modifications that resolvers will make to DNS answers, and send the rules to resolvers. This allows updates to occur very quickly. If RPZ or some other high-speed blocking technology is used, the parties supplying these sources must be highly trusted, as changes to blocklists will usually immediately impact user queries. RPZ is not standardized, but there is an IETF draft, [draft-vixie-dnsop-dns-rpz](https://datatracker.ietf.org/doc/draft-vixie-dnsop-dns-rpz/00/). #### Legal blocking **Legal requests and blocking and filtering laws:** DNS resolver operators should not filter content and block access to web-services. When the local law requires blocking, and the law applies to the resolver, the resolver should transparently disclose a list of blocked websites and services, when possible (disclosing such a list may not be allowed by law or regulation). Similarly, the resolver should disclose the source of such block lists, when possible. If it is not possible to disclose the source of blocklists, operators should try to be as transparent as possible about how they receive those blocklists, based on what criteria, and how they mitigate errors and false positives. Disclosing which organizations operators interact with, how they liase, and so on, can help users understand the impact on the service provided. If possible, resolvers should provide information about blocked responses via the Extended DNS Error with the Blocked, Censored, Filtered, or Prohibited code - whichever applies best - along with a text why the response was blocked, censored, filtered, or prohibited. [RFC 8914](https://www.rfc-editor.org/rfc/rfc8914.html#section-4.16) provides information about the meanings of the different codes. **Community governance of blocklists:** blocklists, if mandatory, have to be audited and assessed by third parties and there should be a right to appeal for those blocked. The Internet community can vet the blocklists from time to time to avoid blocking access to websites that are mistakenly blocked. During crisis - when mistakes can have drastic effects on accessing a critical service - preferably filtering and blocking should not be used. #### Opt-in/Opt-out Mechanisms End users may choose to use a DNS resolver that filters specific kinds of traffic. For example, they may wish to avoid potential malware web sites. Or resolver operators may be required to default to filtering but allowed for to provide an unfiltered DNS resolver service. Depending on the specific requirements, a resolver service may publish different IP addresses and what type of filtering applies to each address. It is also possible to perform client authentication and authorization, using IP-based authentication, TSIG keys, or client-side TLS certificates. ### Transparency Public DNS resolver operators should publish transparency reports to build user trust in their adherence to policies and practices. This goes beyond our advise to apply RFC8932, section 6.2. A common frequency is once a year. The reports inform the public about disclosure of user information and removal of content required by law enforcement and other government agencies. Transparency reports should (to the extent that the law allows) indicate which government agencies and law enforcement agencies request access on what basis. It should also be clear from the transparency reports what kind of data has been requested and if content removal and content blocking have been requested. Categories of data include: Content Data, Basic Subscriber Data, Other Non-Content Data and Content Blocking. #### Negative Trust Anchor reporting Negative Trust Anchors (NTA) are discussed in the previous section on DNS configurations. If NTAs are present in the resolver, they should be published with as much detail as possible about them. This includes reasons for insertion, dates of activation and expected removal dates, or a published review date or cycle for when NTAs should be actively examined for deletion if such fine-grained information cannot be shared. NTAs are equivalent to a security fault, and may even be more significant than a block event as they remove expected trust behavior with limited signal of that trust downgrade ("limited" because few if any clients care about those response bits changing.). #### Human rights considerations DNS resolvers can opt for declaring their understanding of their responsibilities regarding human rights from the Universal Declaration of Human Rights. As an example of a public DNS resolver operator, Quad9 mentions rights to freedoms without distinction made on the basis of country, no interference with privacy, the right to freedom of opinion and expression, the right to peaceful assembly, and the right to freely participate in the cultural life of the community. See [Quad9's Human Rights Considerations](https://www.quad9.net/privacy/human-rights-considerations/) for the full statement. It also invokes other human rights related solutions other than [UDHR](https://www.un.org/en/universal-declaration-human-rights/) such as Articles 8 and 9 of Resolution 42/15 of the United Nations Human Rights Council on the right to privacy in the digital age of 26 September 2019 more directly define the responsibilities of the private sector toward the furtherance of human rights in modern terms. They also follow the Guidelines for Human Rights Protocol and Architecture Consideration of the Human Rights Protocol Considerations Research Group at Internet Research Task Force. The latest version of the IRTF [Guidelines for HRPC](https://tools.ietf.org/html/draft-irtf-hrpc-guidelines) may be considered for all network operators. ## Appendix A: Why Did RIPE Write This Document? There is increasing concern that large open DNS resolvers will become centralised points of DNS operations on the Internet. In order to address this, the European Commission issued the [DNS4EU](https://hadea.ec.europa.eu/calls-proposals/equipping-backbone-networks-high-...) proposal. However, such an initiative could lead to centralised guidance or regulation which might interfere with the decentralised way the Internet infrastructure works - including the DNS. See for reference the [RIPE NCC Open House discussion](https://labs.ripe.net/author/chrisb/dns4eu-ripe-ncc-open-house-discussion/) on this topic. Rather than attempting to respond to the EC proposal or organize specific DNS resolver deployments, the RIPE community has decided that it is best able to provide advice and guidance. The RIPE Community is well positioned to provide a set of Best Current Practices that operators of Open DNS Resolvers will be encouraged to subscribe to.