Skip to content

Project dnsprivacy-monitoring

The Tests

All the following are tested over TLS connections.
  • TLS Does the server answer DNS queries over TLS on port 853 with no SNI sent?
  • TLS 443 Does the server answer DNS queries over TLS on port 443 with no SNI sent?
  • Strict Name Does the server pass Strict authentication using the authentication domain name only?
  • Strict Name 443 Does the server pass Strict authentication using the authentication domain name only on 443 (some operators require an SNI on 443 to defend against attacks)?
  • Strict SPKI Does the server pass Strict authentication using SPKI pins only (if a SPKI pins are published)?
  • Cert 0 Are there 0 days or less to certificate expiry?
  • Cert 14 Are there 14 or fewer days to certificate expiry?
  • QNAME min Is the server configured to use QNAME minimisation [RFC7816]?
  • RTT 250 Is a simple query round trip time from the probe location (in the UK) < 250ms?
  • DNSSEC Is the server doing DNSSEC validation (i.e. returning SERVFAIL for bogus domains)?
  • Keepalive Does the server support the EDNS0 Keepalive option [RFC7828]?
  • Padding Does the server add an EDNS0 Padding option to the response if one is in the query [RFC7830]?
  • TLS 1.3 Does the server support TLS 1.3 ?
  • OOOR Does the server give Out Of Order Responses (Experimental, may give false negatives)?

Results

  • GREEN indicates success
  • RED indicates failed test (this might result from non DNS related issues such server being off line, blocking from the probe location, etc.) Note that the 'Strict mode' tests could fail for a number of reasons including incorrect credentials, self-signed certificates for name only authentication, incompatible TLS version or Cipher suites, etc. The console log of the test may give more information.
  • BLUE indicates test not run (e.g. due to lack of available transport or the lack of the SPKI pin)

Notes

Authentication information is taken from the DNS Privacy Project Test Servers page These tests use getdns_server_mon, a getdns based monitoring plugin.

Note that Quad9, Cloudflare and Google operate an anycast service so the results below are just for our local server (London).

Configuration MatrixTLSTLS 443Strict NameStrict Name 443Strict SPKICert 0Cert 14QNAME minRTT 250DNSSECKeepalivePaddingTLS 1.3OOOR
getdnsapi.netv4
v6
getdnsapi.net (port 443)v4
v6
dns.quad9.netv4
v6
1dot1dot1dot1.cloudflare-dns.comv4
v6
dns.googlev4
v6
dns-unfiltered.adguard.comv4
v6
unicast.censurfridns.dkv4
v6
dot1.appliedprivacy.netv4
v6
dnspub.restena.luv4
v6
dns.neutopia.orgv4
v6
dnsotls.lab.nic.clv4
v6
ibksturm.synology.mev4
v6
fdns1.dismail.dev4
v6
dot-de.blahdns.comv4
v6
dot-jp.blahdns.comv4
v6
ns0.fdn.frv4
v6