KINDNS Best Practices for our Resolvers

What is KINDNS

KINDNS is an ICANN initiative to promote security best practices for operators of authoritative nameservers and recursive resolvers. On this page, we work through the recommendations and elaborate how we implemented them on our side.

Best Practices for Public Resolvers

Our services operate as open and public resolvers, since we run them to give anyone access to them. In return, we would like you to spread the word. If you want to know more, please read through our mission statement.

Practice 1

We operate DNSSEC validation on all our public recursive resolvers. This validates the chain of trust for every answer, from the root zone's trust anchor down through the TLD to the authoritative nameservers of the queried domain.

Practice 2

We implemented QNAME minimization on all our public resolvers. This ensures that our public resolvers send only the minimum part of the queried name, rather than the full name, to the root servers and to the authoritative nameservers of TLDs and SLDs.

Practice 3

All our public resolvers offer DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). DoT is available on the default port TCP/853; DoH runs on TCP/443. Both transports are encrypted end-to-end between the client and our resolver, which prevents eavesdropping and man-in-the-middle attacks on that path.
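As an added illustration (not this project's actual configuration), the following unbound.conf fragment shows how Practices 1 to 3 map onto directives of Unbound, the software named in Practice 6; the certificate paths, the listening addresses and the rate-limit value are assumptions.

```conf
# Example unbound.conf for a public KINDNS-style resolver (added example,
# not this project's own configuration). Paths are placeholders.
server:
    # Practice 1: DNSSEC validation anchored at the root zone.
    # unbound-anchor(8) bootstraps this file; Unbound keeps it updated (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no          # bogus answers get SERVFAIL, not passed on
    harden-dnssec-stripped: yes      # require signatures where the chain says they exist
    harden-glue: yes
    harden-below-nxdomain: yes

    # Practice 2: QNAME minimisation, only the labels the upstream needs go out.
    qname-minimisation: yes
    qname-minimisation-strict: no    # relaxed mode tolerates broken authoritatives

    # Practice 3: Do53, DoT on TCP/853 and DoH on TCP/443, on IPv4 and IPv6.
    interface: 0.0.0.0@53
    interface: ::0@53
    interface: 0.0.0.0@853
    interface: ::0@853
    interface: 0.0.0.0@443
    interface: ::0@443
    tls-port: 853
    https-port: 443
    tls-service-key: "/etc/unbound/tls/privkey.pem"     # placeholder path
    tls-service-pem: "/etc/unbound/tls/fullchain.pem"   # placeholder path
    http-endpoint: "/dns-query"

    # Open resolver: anyone may query (Practice 5 covers abuse monitoring);
    # per-client rate limiting and small answers blunt use as a reflector.
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    ip-ratelimit: 1000               # queries per second per client IP (assumed value)
    minimal-responses: yes

    # Practice 4: no authoritative data on the recursive resolver, so no
    # local-zone/local-data or auth-zone entries belong in this file.

    # Practice 5: no per-query logging inside the daemon itself.
    log-queries: no
    log-replies: no
```

Validate the file with `unbound-checkconf` before reloading; a query such as `dig @<resolver> +dnssec example.com` should then return answers with the AD flag set.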

Practice 4

We do not mix authoritative nameservers and recursive resolvers on the same host. We plan to operate our own network of authoritative nameservers, but those will run on different machines than our public recursive resolvers.

Practice 5

To ensure that our service is not abused and does not become a burden on the Internet through reflection of DNS packets, we have to keep short-lived logs about clients querying our services. Once the data loses its relevance (in the DNS space that is after a few hours), the IP addresses are anonymized and the original data is deleted.

We operate passive DNS data collection in which we store high-level BGP information about clients querying our services. This means we cannot trace any data back to an individual. Yet we ensure that we archive the valuable parts of the insights.

As always, we are not interested in Personally Identifiable Information (PII), and since we operate from within the European Union, storing PII would put this entire project at risk.

Practice 6

We operate a global network of recursive resolvers. To provide the best service, diversification is key. Each of our hosts operates in a different prefix, a different location and/or a different ASN. We try to achieve diversity while still keeping our operational costs low. If you want to sponsor a server, feel free to reach out to us and we can discuss details.

All of our services operate Unbound and BIND 9. Unbound is the default, but with the click of a button, we can activate BIND 9 on all our services.

Practice 7

We have automated monitoring for all of our services in place. All of our hosts constantly cross-resolve all domain names on all of our public resolvers.

Last but not least, we are dedicated to operational security and continuously look into ways to improve our monitoring, our resiliency and our level of automation. What distinguishes us from other providers is our transparency about it.

Resources