The Tests

All the following are tested over TLS connections.

• TLS Does the server answer DNS queries over TLS on port 853 with no SNI sent?
• TLS 443 Does the server answer DNS queries over TLS on port 443 with no SNI sent?
• Strict Name Does the server pass Strict authentication using the authentication domain name only?
• Strict Name 443 Does the server pass Strict authentication using the authentication domain name only on 443 (some operators require an SNI on 443 to defend against attacks)?
• Strict SPKI Does the server pass Strict authentication using SPKI pins only (if a SPKI pins are published)?
• Cert 0 Are there 0 days or less to certificate expiry?
• Cert 14 Are there 14 or fewer days to certificate expiry?
• QNAME min Is the server configured to use QNAME minimisation [RFC7816]?
• RTT 250 Is a simple query round trip time from the probe location (in the UK) < 250ms?
• DNSSEC Is the server doing DNSSEC validation (i.e. returning SERVFAIL for bogus domains)?
• Keepalive Does the server support the EDNS0 Keepalive option [RFC7828]?
• Padding Does the server add an EDNS0 Padding option to the response if one is in the query [RFC7830]?
• TLS 1.3 Does the server support TLS 1.3 ?
• OOOR Does the server give Out Of Order Responses (Experimental, may give false negatives)?

Results

• GREEN indicates success
• RED indicates failed test (this might result from non DNS related issues such server being off line, blocking from the probe location, etc.) Note that the 'Strict mode' tests could fail for a number of reasons including incorrect credentials, self-signed certificates for name only authentication, incompatible TLS version or Cipher suites, etc. The console log of the test may give more information.
• BLUE indicates test not run (e.g. due to lack of available transport or the lack of the SPKI pin)

Notes

Authentication information is taken from the DNS Privacy Project Test Servers page These tests use getdns_server_mon, a getdns based monitoring plugin.