Login:
Password:
Registrars who want to carry out operations on domain names or to view their invoices have to connect to the new Afnic ccTLDs management web interface

Yeti DNS-over-TLS public resolver

16 January 2017 - By Stéphane Bortzmeyer

There is a new DNS-over-TLS public DNS resolver, and it uses the Yeti root. You want explanations? You're right.

The service

There is a new DNS-over-TLS public DNS resolver, and it uses the Yeti root. You want explanations? You're right.

First, about DNS-over-TLS. The DNS (Domain Name System) protocol is a critical part of the Internet infrastructure. It is used for almost every transaction on the Internet. By default, it does not provide any privacy (see RFC 7626 for a complete discussion of DNS privacy considerations). Among its weaknesses is the fact that, today, DNS requests and responses are sent in the clear so any sniffer can learn that you are interested in www.aa.org or jane-smith-server.accounting.company.example. To address this specific problem, a standard for encryption of DNS requests and responses, using the well-known protocol TLS (Transport Layer Security), has been developed. The standard is in RFC 7858.

As of today, there are very few DNS resolvers that accept DNS-over-TLS. The typical ISP resolver, or the big public resolvers, don't use it. Sadly, this is also the case of resolvers pretending to provide a service for people who do not trust the other resolvers. (See an up-to-date list of existing public resolvers.)

And Yeti, what is it? It is an alternative DNS root which focus, not on creating "dummy" TLDs and selling them, but on technical experimentations about the DNS root service, experimentation which cannot be done on the "real" root, which is way too sensitive. Note there was no public Yeti resolver. To use the Yeti root, the only way was to configurer your resolver to forward to the Yeti root.

But, first, a warning: Yeti is a technical experimentation, not a political one. Be aware that DNS queries to the Yeti root name servers are stored, and studied by researchers. (This is the same with the "real" root, by the way, not to mention the unofficial uses such as MoreCowBell.)

Since there are few DNS-over-TLS resolvers, and in order to gather more information from experience, we have set up a public DNS-over-TLS resolver using the Yeti root. It answers on the standard DNS-over-TLS port, 853, at dns-resolver.yeti.eu.org. It is IPv6-only, which makes sense for Yeti, whose name servers use only IPv6.

Two warnings: it is an experimental service, managed only on a "best effort" basis, and since it sends requests to the Yeti root, the user's data is captured and analyzed. So, it is to test technically privacy-enhancing techniques, not to provide actual privacy. (We would be glad to see a real privacy-enabled public DNS resolver, with DNS-over-TLS and other features.)

Usage

Today, most DNS clients cannot speak DNS-over-TLS. If you want to use it and don't know DNS-over-TLS clients, you can find some listed at the DNS privacy portal.

A way to use this service as a forwarder for a local resolver. The Unbound server can do that with a setup like:

server: 
 ... 
 auto-trust-anchor-file: "autokey/yeti-key.key" 
 ssl-upstream: yes 

forward-zone: 
 name: "." 
 #forward-host: "dns-resolver.yeti.eu.org" # Or the IP address: 
 forward-addr: 2001:4b98:dc2:43:216:3eff:fea9:41a@853 
 forward-first: no

If you have the getdns utilities installed (for instance via the Debian package getdns-utils), you can test the resolver with the command getdns_query:

% getdns_query @2001:4b98:dc2:43:216:3eff:fea9:41a -s -l L www.eff.org AAAA 
... 
"just_address_answers": 
 [ { "address_data": , 
 "address_type": ...

If you use the proxy Stubby, you can run it with:

% stubby @2001:4b98:dc2:43:216:3eff:fea9:41a -L

(Or similar arguments from Stubby configuration file.)

Good luck with this service and, if there is a problem, do not hesitate to ask details and/or help on the Yeti mailing lists.

Implementation

The public resolver itself is implemented with Unbound. Here is its configuration:

server: 
 use-syslog: yes 
 root-hints: "yeti-hints" 
 auto-trust-anchor-file: autokey/yeti-key.key 
 interface: 2001:4b98:dc2:43:216:3eff:fea9:41a@853 
 qname-minimisation: yes 
 harden-below-nxdomain: yes 
 harden-referral-path: yes 
 harden-glue: yes 
 ssl-service-key: "/etc/unbound/tls-server.key" 
 ssl-service-pem: "/etc/unbound/tls-server.pem" 
 ssl-port: 853 
 access-control: ::0/0 allow 
 log-queries: yes

As you see, the requests (query name and source IP address) are logged locally (see above the warning about privacy) but not transmitted. The query name is sent to the Yeti coordinators.

Lire cette ressource en français Top of the page

Stéphane Bortzmeyer

Ingénieur R&D

Twitter

Is this domain
available ?

News

January 14, 2020 Afnic raises awareness among SMEs of their online presence at the Salon des Entr...
December 9, 2019 The Afnic Foundation for Digital Solidarity will support 59 projects to improve ...
November 25, 2019 Decoding brand-specific domain names: Why brand TLDs are so highly coveted
November 12, 2019 .museum, an indication of reliability and the domain of choice to boost your int...
November 5, 2019 Afnic raises awareness among SMEs of their online presence at the Salon des Entr...

See all news

Tweets de @AFNIC

The .fr TLD Sector-based .fr domains Become a Registrar	The .re TLD Become a Registrar and help develop the .re ccTLD	Other French TLDs (top level domains)	FRWATCH
Services Whois Data Access Qualified Service (SQUAW) .FR Lock .FR Performance DNSSEC Whois IDN convertor Daily list of registered domain names	Afnic Consulting Marketing strategy and Sales Competitive Intelligence DNSSEC expertise New TLD opportunity assessment IPv6 expertise DNS Expertise Secure your domain name portfolio New TLD preparation ICANN Compliance, institutional and regulatory monitoring	New gTLDs : Registry solutions Abuse Report	FRWATCH

Presentation AFNIC assignments & strategic priorities 2017-2019 Excellence AFNIC key dates Orgaization Directors Committee Members	Organisation Consultative Committees International cooperation Become a member of Afnic Articles of Association Rules of Procedure Afnic's Board International College	News General news Operations news	How to come to Afnic
Recruitment Jobs & Training Our values Job Offers	Press Room Media Library Press kits	Calendar
Contact

Public Consultations EXPERTS WIPO ADR / Public Consultation Opening of domain names with 1 or 2 characters / Public Consultation	Reference Processing of Registrant personal data Charters Registry policies Technical guidebooks Registry policies deployment Legal framework	Statistics Quality of service performance Detailed data on domain names	Videos Subscriptions and social networks Afnic Newsletter
Publications Viewpoints Scientific Council The .fr is turning 25 Studies Annual reports Reports of meetings of governing and consultative bodies Practical Guides French Domain Name Industry Report Issue Papers Legal brochures	Blog In search of low-cost nTLDs Exploring the city through the .paris community .org - an alternative perspective Looking back on the success of the first meeting of the Cercle des .marque Key success factors for Internet extensions: an evaluation grid [Video] Conclusions on the Internet Governance Forum (IGF) France 2019 A brief example of using Afnic Open Data Food for thought on the "new TLD" business models 30 years of success and danger: the Web, URLs and the future [Success stories] Strengthen your infrastructure to suit your ambitions February 1, 2019: is the DNS going to shake? [Success stories] They chose to have their own TLD [Success stories] .museum, how a historic Internet suffix was revived The main steps in effectively launching your .brand 6 secrets on how to improve the renewal of domain names [Video] Back to IGF 2018 in Paris A .BRAND to enhance customer experience Afnic commits to DNS security at the international level Replacement of the KSK of the root zone: Are you ready? How the SNCF implemented its new digital strategy with oui.sncf Franco-Dutch research project on automatic classification of domain name abuse The auditive memorization of domain names What are the possible actions against domain name abuses? Identity theft by domain name: what Afnic does Cybersquatting, Spam, Phishing… the different types of domain name abuses [Video] Review of the French Internet Governance Forum 2018 Custom Internet extensions: the opportunities for brands How to avoid inadmissibility in the SYRELI procedure Which English terms are most used in .FR domain names? Domain name security, the example of cryptocurrencies What are the terms most used in .fr domain names? Personality test: Are you ready for GDPR? Do GeoTLDs like .alsace have an effect on local SEO? The 11 vital locations to display your domain name! What means of action for a Right-holder ineligible under the Naming Policy? Domain name litigation: the recognition of an AOC rights in the SYRELI procedure Why choose a domain name under a geoTLD? Afnic, a community first and foremost! The defense of personality rights in the SYRELI procedure When will the next round of the new gTLDs take place? A million good reasons for coming to the Afnic Forum... Yeti DNS-over-TLS public resolver 2016, the beginning of a new cycle for Afnic .fr has just passed the 3 million domain names milestone My experience inside the Afnic Legal Department Future of ICANN Privatization? Internationalization? Supervision? Excellence at Afnic - Our coming-out Speech at the transmittal of the IANA Stewardship Transition Plan Exclusive offer: 100% money back on your domain name*! 8 tips for choosing the right domain name IPv6 and DNSSEC are respectively 20 and 19 years old. Same fight and challenges? L.45-2 paragraph 1 of the CPCE: When a domain name disrupts the French law How to avoid getting your domain name stolen by email? Accountability and IANA transition: behind the scenes Stop selling domain names! abc.xyz : erratum.xyz A comprehensive approach to French regional branding abc.xyz : Meanwhile, back in France… abc.xyz: Why not alphabet.com? (The conspiracy theory version) abc.xyz : The controversial success of .xyz Corporate Communications, Constant Crisis abc.xyz : Why not alphabet.com ? alphabet.xyz : How Alphabet got its domain name abc.xyz : Don't worry, we're still getting used to the name too! IANA transition crosses a major milestone in Buenos Aires A day in the life of the Icann empowered community IANA transition : the machine is moving, but the deadline is approaching Corporate Social Responsibility and the DNA of ccTLDs China Changing in Leaps and Bounds Towards a less intrusive DNS ICANN: what does accountability stand for? ICANN Singapore. A debate at the other end of the world ICANN Reform, or opening Pandora's box Internet Governance Forum: What is to be done? Slam spam! Icann : freeze ! Scams and identity theft, the experience of a SYRELI reporter French Regional Reform Does Not Mean the End of GeoTLDs Lessons Learnt from NETmundial Suggestions for a successful IANA transition Wind of change at Afnic! Back to the future of the Afnic Legal Service The US Backs ICANN for Internet Governance Should the registrars streamline their gTLD strategy? The IANA elephant in the room 2014 : change of course for the naming system Why do regions want a place online? What can Afnic do? Internet governance: let’s get to work!	FAQ General FAQ Registrar FAQ
Glossary	Certificates