Yeti DNS-over-TLS public resolver
16 January 2017 - By Stéphane Bortzmeyer
There is a new DNS-over-TLS public DNS resolver, and it uses the Yeti root. You want explanations? You're right.
The service
First, about DNS-over-TLS. The DNS (Domain Name System) protocol is a critical part of the Internet infrastructure. It is used for almost every transaction on the Internet. By default, it does not provide any privacy (see RFC 7626 for a complete discussion of DNS privacy considerations). Among its weaknesses is the fact that, today, DNS requests and responses are sent in the clear so any sniffer can learn that you are interested in www.aa.org or jane-smith-server.accounting.company.example. To address this specific problem, a standard for encryption of DNS requests and responses, using the well-known protocol TLS (Transport Layer Security), has been developed. The standard is in RFC 7858.
As of today, there are very few DNS resolvers that accept DNS-over-TLS. The typical ISP resolver, or the big public resolvers, don't use it. Sadly, this is also the case of resolvers pretending to provide a service for people who do not trust the other resolvers. (See an up-to-date list of existing public resolvers.)
And Yeti, what is it? It is an alternative DNS root which focuses not on creating "dummy" TLDs and selling them, but on technical experimentation with the DNS root service, experimentation which cannot be done on the "real" root, which is far too sensitive. Note that there was no public Yeti resolver. To use the Yeti root, the only way was to configure your own resolver to forward to the Yeti root.
But, first, a warning: Yeti is a technical experimentation, not a political one. Be aware that DNS queries to the Yeti root name servers are stored, and studied by researchers. (This is the same with the "real" root, by the way, not to mention the unofficial uses such as MoreCowBell.)
Since there are few DNS-over-TLS resolvers, and in order to gather more information from experience, we have set up a public DNS-over-TLS resolver using the Yeti root. It answers on the standard DNS-over-TLS port, 853, at dns-resolver.yeti.eu.org. It is IPv6-only, which makes sense for Yeti, whose name servers use only IPv6.
Two warnings: it is an experimental service, managed only on a "best effort" basis, and since it sends requests to the Yeti root, the user's data is captured and analyzed. So its purpose is to test privacy-enhancing techniques from a technical standpoint, not to provide actual privacy. (We would be glad to see a real privacy-enabled public DNS resolver, with DNS-over-TLS and other features.)
Usage
Today, most DNS clients cannot speak DNS-over-TLS. If you want to use it and don't know DNS-over-TLS clients, you can find some listed at the DNS privacy portal.
One way to use this service is as a forwarder for a local resolver. The Unbound server can do that with a setup like:

server:
    ...
    auto-trust-anchor-file: "autokey/yeti-key.key"
    ssl-upstream: yes
forward-zone:
    name: "."
    #forward-host: "dns-resolver.yeti.eu.org" # Or the IP address:
    forward-addr: 2001:4b98:dc2:43:216:3eff:fea9:41a@853
    forward-first: no
If you have the getdns utilities installed (for instance via the Debian package getdns-utils), you can test the resolver with the command getdns_query:
% getdns_query @2001:4b98:dc2:43:216:3eff:fea9:41a -s -l L www.eff.org AAAA
...
"just_address_answers":
[ { "address_data":,
"address_type":...
If you use the proxy Stubby, you can run it with:
% stubby @2001:4b98:dc2:43:216:3eff:fea9:41a -L
(Or similar arguments from the Stubby configuration file.)
Good luck with this service and, if there is a problem, do not hesitate to ask for details and/or help on the Yeti mailing lists.
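To make the wire format behind the tools above concrete, here is a small DNS-over-TLS client in Python. It is an added illustration, not code from this post, from Yeti, or from the getdns/Stubby projects. It builds a DNS query, applies the two-byte length prefix that DNS-over-TLS shares with DNS over TCP (RFC 7858 section 3.3), and parses AAAA answers from a constructed response, so the message handling can be checked without any network. The function names (build_query, frame, parse_aaaa_answers, query_over_tls, sample_response) are my own; query_over_tls is the only part that opens a real TLS session, to port 853 of whatever resolver address it is given (the Yeti address from this post would be one candidate), and it is assumed, not run, here. The transaction-ID check and the optional certificate name check are the defensive minimum a client should have; the sample response uses the documentation prefix 2001:db8::/32.

```python
import socket
import ssl
import struct

DOT_PORT = 853      # standard DNS-over-TLS port (RFC 7858)
QTYPE_AAAA = 28
QCLASS_IN = 1
TXID = 0x1234       # fixed ID for the illustration; real clients randomise it


def encode_name(name):
    """Encode a dotted domain name into uncompressed DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_AAAA, txid=TXID):
    """Build a one-question DNS query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def frame(msg):
    """Prefix a DNS message with its 2-byte big-endian length (TCP/TLS framing)."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off:]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_aaaa_answers(msg, expected_txid=TXID):
    """Return the IPv6 addresses found in the answer section of a response."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply does not match our query")
    if not flags & 0x8000:
        raise ValueError("message is a query, not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):                 # skip the echoed question(s)
        off = _skip_name(msg, off) + 4       # name, then QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_AAAA and rclass == QCLASS_IN and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return addrs


def _recv_exact(sock, n):
    """Read exactly n bytes, or raise if the peer closes the session early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(server_ip, name, server_name=None, timeout=5.0):
    """Send one AAAA query to a DNS-over-TLS resolver (needs a network).

    With server_name the resolver certificate is validated against that name;
    without it the channel is encrypted but the server is not authenticated
    (the opportunistic profile of RFC 7858)."""
    ctx = ssl.create_default_context()
    if server_name is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_aaaa_answers(_recv_exact(tls, length))


def sample_response():
    """Constructed (not captured) reply to build_query("www.eff.org"): one AAAA
    record whose owner is a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; RCODE 0
    question = encode_name("www.eff.org") + struct.pack("!HH", QTYPE_AAAA, QCLASS_IN)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_AAAA, QCLASS_IN, 300, 16)
          + socket.inet_pton(socket.AF_INET6, "2001:db8::1"))
    return header + question + rr
```

A call such as query_over_tls("2001:4b98:dc2:43:216:3eff:fea9:41a", "www.eff.org") would do over a raw TLS socket what the getdns_query and stubby invocations above do; passing server_name="dns-resolver.yeti.eu.org" additionally pins the resolver's certificate to that name, which is the difference between merely hiding the query from a sniffer and knowing which resolver received it.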
Implementation
The public resolver itself is implemented with Unbound. Here is its configuration:
server:
    use-syslog: yes
    root-hints: "yeti-hints"
    auto-trust-anchor-file: autokey/yeti-key.key
    interface: 2001:4b98:dc2:43:216:3eff:fea9:41a@853
    qname-minimisation: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-glue: yes
    # Newer Unbound releases spell these tls-service-key, tls-service-pem and
    # tls-port; the ssl- names used here are still accepted as aliases.
    ssl-service-key: "/etc/unbound/tls-server.key"
    ssl-service-pem: "/etc/unbound/tls-server.pem"
    ssl-port: 853
    access-control: ::0/0 allow
    log-queries: yes
As you see, the requests (query name and source IP address) are logged locally (see the warning about privacy above) but the log itself is not transmitted. The query name, however, is sent to the Yeti coordinators.