Enhancements to our DNS Resolver

by Michael Tremer, February 12

Today, we have put some important changes to our DNS Resolver into production. Having released support for DNS-over-TLS in 2018, we have now added TCP Fast Open and TLSv1.3.

Lightning Wire Labs is running a DNS Resolver to provide an alternative to the large corporations that are trying to get the global DNS system under their control and use it for marketing purposes.

To keep up with technical developments, we have now enabled some new features on our resolver to make it ready for the DNS changes that will land with IPFire 2.25 - Core Update 141 very soon.

DNS-over-TLS

We have been supporting DNS-over-TLS for almost two years now, but with only few users. This is not surprising, since IPFire did not support DNS-over-TLS in the past, but this will now change.

We support TLSv1.3 and require at least TLSv1.2. ChaCha20-Poly1305, AES-GCM, Curve25519, and the smaller ECDSA certificates are of course not missing either.

TCP Fast Open

For users whose ISP filters UDP queries or breaks DNSSEC in one way or another, we of course support DNS over TCP as well.

Since TCP requires a full three-way handshake before any data can be sent, there is a small performance impact. To combat that, we now support TCP Fast Open, which allows the client to send the DNS query in the very first packet (the SYN), before the TCP connection is fully open. This requires a Fast Open cookie that the client obtained from an earlier connection to the same server, so the very first connection still pays the full handshake; every connection after that saves the extra round trip.

This way, a query over TCP takes no more round trips than one over UDP.

How to use it?

The server is available at 2001:678:b28::54 and 81.3.27.54.

If you are using TLS (on the standard DNS-over-TLS port 853), enter recursor01.dns.lightningwirelabs.com or recursor01.dns.ipfire.org as the TLS hostname.
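As an added example, not code from this post or from the IPFire project, here is a small Python client that talks to the resolver exactly as described above: one function sends a query over DNS-over-TLS with the TLS hostname verified against the certificate and TLS 1.2 as the minimum version, and a second one sends a plain DNS query over TCP port 53 with the query riding in the SYN via TCP Fast Open. The DNS wire format is built and parsed by hand so nothing beyond the standard library is needed. Assumptions of mine: a fixed transaction id (use a random one in real code), the system CA store for certificate validation, and Linux for the Fast Open path, because Python's ssl module cannot put a TLS ClientHello into a Fast Open SYN, so Fast Open is shown on the unencrypted TCP path only. The addresses and hostnames are the ones given in this post.

```python
import socket
import ssl
import struct

# Addresses and TLS hostname from the post.
RESOLVER_IPS = ("81.3.27.54", "2001:678:b28::54")
TLS_HOSTNAME = "recursor01.dns.ipfire.org"  # recursor01.dns.lightningwirelabs.com works too
QTYPE_A, QTYPE_AAAA = 1, 28
TXID = 0x1234  # assumption for the example; real clients pick a random id per query


def build_query(name, qtype=QTYPE_A, txid=TXID):
    """Return a DNS query in wire format (RFC 1035) with an EDNS OPT record
    that sets the DO bit, so the resolver includes DNSSEC records."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # class IN
    # OPT: root name, type 41, UDP size 1232, ext-rcode 0, version 0, flags DO, no rdata
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg, txid=TXID):
    """Return (rcode, ad_bit, answers); answers are (name, type, ttl, rdata).
    The AD bit says whether the resolver validated the answer with DNSSEC."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode, ad = flags & 0x000F, bool(flags & 0x0020)
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A:
            rdata = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == QTYPE_AAAA:
            rdata = socket.inet_ntop(socket.AF_INET6, rdata)
        answers.append((name, rtype, ttl, rdata))
    return rcode, ad, answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(name, qtype=QTYPE_A, server=RESOLVER_IPS[0], hostname=TLS_HOSTNAME):
    """One query over DNS-over-TLS (RFC 7858, TCP port 853)."""
    ctx = ssl.create_default_context()  # verifies the chain against the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the resolver requires TLS 1.2 or newer
    wire = build_query(name, qtype)
    with socket.create_connection((server, 853), timeout=5) as raw:
        # server_hostname sets SNI and is checked against the certificate
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack(">H", len(wire)) + wire)  # 2-byte length prefix, as over TCP
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            msg = _recv_exact(tls, length)
            version = tls.version()  # e.g. "TLSv1.3"
    return version, parse_response(msg)


def query_tcp_fastopen(name, qtype=QTYPE_A, server=RESOLVER_IPS[0]):
    """Plain DNS over TCP 53 with TCP Fast Open (Linux, client bit of
    net.ipv4.tcp_fastopen enabled): sendto() with MSG_FASTOPEN on an
    unconnected socket connects and puts the query into the SYN. The first
    contact with a server still needs a full handshake to get a TFO cookie."""
    q = build_query(name, qtype)
    wire = struct.pack(">H", len(q)) + q
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(5)
        sock.sendto(wire, socket.MSG_FASTOPEN, (server, 53))
        (length,) = struct.unpack(">H", _recv_exact(sock, 2))
        return parse_response(_recv_exact(sock, length))


if __name__ == "__main__":
    version, (rcode, ad, answers) = query_dot("www.ipfire.org")
    print(version, "rcode", rcode, "AD", ad)
    for answer in answers:
        print(answer)
```

Run it on a host with outbound port 853 to see the negotiated TLS version and whether the AD bit is set for a signed zone; call query_tcp_fastopen() twice in a row to observe the cookie effect in a packet capture, where only the second SYN carries the query.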