DNSFilter Knowledge Base

DNS-over-TLS

DNSFilter supports DNS-over-TLS, allowing for encryption and privacy of DNS traffic.

DNS-over-TLS in the User Agent

DNS-over-TLS is supported in our Windows Agent and LAN Proxy, but will be disabled by default until further performance improvements are implemented in the coming months.

DNS-over-TLS hostnames

The hostnames for DNSFilter are listed below:

  • dns1.dnsfilter.com
  • dns2.dnsfilter.com

Forwarder/Stub Support

A typical setup for DNS-over-TLS is to configure a LAN DNS server to act as a forwarder: clients on the LAN send it ordinary DNS queries, and it forwards them to DNSFilter inside a TLS-encrypted connection.

Below are several example software configurations:

Knot Resolver

Specific instructions for Knot Resolver depend on the local configuration and operating system. See Knot Resolver's documentation on TLS forwarding for details. This blog post might also come in handy.

To implement TLS forwarding, use policy.TLS_FORWARD in the policy module section of the configuration:

The ca_file= path may not be needed or may differ on your system.

modules = { 'policy' }
-- Forward all queries to DNSFilter over TLS; each server is authenticated
-- against the hostname in its certificate. policy.add(policy.all(...))
-- registers the rule for every query.
policy.add(policy.all(policy.TLS_FORWARD({
  {'103.247.36.36', hostname='dns1.dnsfilter.com', ca_file='/etc/knot-resolver/tlsca.crt'},
  {'103.247.37.37', hostname='dns2.dnsfilter.com', ca_file='/etc/knot-resolver/tlsca.crt'}
})))

Stubby + Unbound

A dual-Docker solution, where Unbound is used as a caching DNS forwarder and Stubby is used as the DNS-over-TLS transport between Unbound and DNSFilter. This combines the caching strengths of Unbound with the high-performance DNS-over-TLS implementation that Stubby provides.

Link to the GitHub Project.

Stubby (Standalone)

In the upstream_recursive_servers: section of stubby.yaml:

upstream_recursive_servers:
  - address_data: 103.247.36.36
    tls_auth_name: "dns1.dnsfilter.com"
  - address_data: 103.247.37.37
    tls_auth_name: "dns2.dnsfilter.com"

Unbound (Standalone)

The default DNS forwarder in the open-source firewalls IPFire and pfSense.

Performance

DNS-over-TLS performance in Unbound is relatively poor. About 8-10 queries per second is our suggested maximum, so it is only suitable for low-traffic networks. Consider using Knot Resolver or the Stubby + Unbound Docker solution instead.

In the unbound.conf file, ensure ssl-upstream is set in the server: section and the forwarders are defined in a forward-zone: section, as shown below. The two DNSFilter addresses must be the only forwarder addresses configured.

server:
    ssl-upstream: yes                 # send all upstream queries over TLS

forward-zone:
    name: "."                         # forward every zone
    forward-addr: 103.247.36.36@853   # DNS-over-TLS port 853
    forward-addr: 103.247.37.37@853
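Whichever forwarder you deploy, it is worth confirming that the target answers DNS-over-TLS and presents a certificate matching the configured name (hostname= / tls_auth_name above). The following probe is an added example, not DNSFilter's code; it assumes only the Python standard library, the system CA store, and the hostnames and addresses listed on this page.

```python
import socket
import ssl
import struct

# DNSFilter DoT targets from this page; the key is the name the server
# certificate must match (tls_auth_name / hostname= in the configs above).
DOT_SERVERS = {
    "dns1.dnsfilter.com": "103.247.36.36",
    "dns2.dnsfilter.com": "103.247.37.37",
}

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """DNS wire-format query (QR=0, RD=1), class IN, for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """RFC 7858 reuses TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(resp: bytes) -> dict:
    """Transaction id, QR bit, RCODE and answer count of a DNS message."""
    txid, flags, _, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "qr": flags >> 15, "rcode": flags & 0xF, "ancount": an}

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def dot_query(auth_name: str, ip: str, name: str, timeout: float = 5.0) -> dict:
    """Send one query to ip:853 over TLS 1.2+, verifying the cert against auth_name."""
    ctx = ssl.create_default_context()  # system CA store; checks chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            hdr = parse_header(_recv_exact(tls, length))
    if hdr["txid"] != 0x1234 or hdr["qr"] != 1:
        raise ValueError("reply does not match our query")
    return hdr

if __name__ == "__main__":
    print({h: dot_query(h, ip, "example.com") for h, ip in DOT_SERVERS.items()})
```

A TLS handshake failure here (certificate not matching the name, or an untrusted chain) is the same failure the forwarder configurations above will hit, so this isolates transport problems from resolver configuration.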

Implementation Details

Feature          Supported   Note
TLS Versions     1.2         TLS 1.3 will be supported when OpenSSL 1.1.1 is released
RFC-7828         Yes!        AKA: edns-tcp-keepalive
TCP_FastOpen     No          Awaiting Golang 1.11
TCP_FalseStart   No          Awaiting Golang 1.11