Byte PublicDNS joins the PublicDNS service providers and will support protocols such as DoH/DoT/DoQ

Article directory

    • Byte Public DNS
    • DNS basic concepts
      • DNS
      • Recursive resolution
      • Authoritative DNS server
      • Local DNS server
    • Advantages of Public DNS
      • High performance
      • Reliable
      • Security
    • What is the DoH protocol
      • Enable DNS over HTTPS in Chrome
    • What is the DoT protocol
      • TLS transmission process
    • What is the DoQ protocol
    • Check whether your device can reach PublicDNS
      • Windows
      • macOS/Linux

As the Internet has grown, web pages have become more complex. When a client opens a web page it usually has to send dozens of DNS queries before all of the page's resources are loaded, so the speed and accuracy of DNS resolution directly affect page load time.

PublicDNS provides users with the addresses of its DNS servers; users configure these addresses as the DNS servers on their devices. PublicDNS can improve Internet access speed and also helps users avoid DNS spoofing, DNS hijacking and similar problems.

Byte Public DNS

Volcano Engine Public DNS (PublicDNS) opened for public beta testing on February 24, 2023.
Volcano Engine Public DNS (PublicDNS) provides fast, stable and secure recursive DNS service to all Internet users.

Basic concepts of DNS

DNS

DNS stands for Domain Name System. It works like the Yellow Pages: it translates domain names into IP addresses. Users type a domain name into a client application to reach a website, but the application itself needs the IP address to connect to the web server. The browser is the typical example: DNS converts the domain name the user entered into an IP address the browser can connect to. The Internet DNS system consists of DNS servers all over the world, which together form one huge distributed domain name system responsible for name resolution.

Recursive resolution

Also called a recursive query, this is one query mode of a DNS server. When a client sends a resolution request and the DNS server has no cached record for the name, the server itself acts as a client, sends the request on to other DNS servers, and returns the result to the original client. During a recursive query the client sends only one request. Local DNS servers use recursive queries to answer clients' resolution requests: the client asks for resolution through the Local DNS acting as a proxy, the proxy queries the other DNS servers, and the proxy returns the IP address it obtained to the client.

Authoritative DNS server

An authoritative DNS server is responsible for resolving the names of the subdomains under it. The domain name service provider that hosts your domain runs an authoritative DNS server that answers resolution requests for your subdomain names.

Local DNS Server

The Local DNS server iteratively resolves domain name requests and caches the results at the same time. Most Local DNS servers are run by network operators (ISPs). A browser's resolution request is sent to the Local DNS server.

Advantages of Public DNS

The recursive resolution nodes of PublicDNS cover every province and all major operators in China, with a total of hundreds of lines.

High performance

PublicDNS uses BGP Anycast to provide multiple access points across the country, so a user's request is routed to the nearest access point and resolved quickly.

PublicDNS caches DNS resolution records. When a user's request hits the cache, PublicDNS returns the result to the user directly without sending a request to the authoritative DNS.

Reliable

PublicDNS uses measures such as traffic scrubbing and IP blacklisting to withstand DDoS attacks.

PublicDNS uses BGP Anycast to provide multiple access points across the country. If one access point suffers a network failure, PublicDNS quickly switches to other access points.

Security

PublicDNS's DNS servers have comprehensive security measures that guard against problems such as DNS spoofing and DNS hijacking. PublicDNS does not hijack or redirect user requests.

What is the DoH protocol

DoH (DNS over HTTPS) runs DNS over the encrypted HTTPS protocol. Its main purpose is to improve user security and privacy.
Because the HTTPS connection is encrypted, third parties can no longer influence or observe the resolution process, so an attacker on the path cannot see or alter the requested domain name. Because DoH runs over TCP (Transmission Control Protocol), it also recovers faster than plain UDP DNS when data is lost in transit.
DoH queries and responses are also somewhat disguised among other HTTPS traffic, because they all go in and out through the same port.

The default DoH port is 443, the default HTTPS port (DNS over TLS has its own port, 853).

DNS over HTTPS is a domain name protocol tunnelled through HTTPS, and HTTPS is "HTTP over TLS", so DoH is effectively a "double tunnel" protocol.
DoH ultimately relies on TLS for confidentiality and integrity. The benefit of this is:

Even someone who monitors your Internet traffic cannot tell which TLS connections carry domain name queries and which carry web pages. In other words, DoH traffic cannot be "separately identified".

Enable DNS over HTTPS in Chrome

To enable DNS over HTTPS in Google Chrome, follow these steps:

  • Start the Chrome browser.
  • In the top right corner, click the Customize (three dots) button and select Settings.
  • On the next screen, click Privacy & Security.
  • Expand Security and enable the "Use Secure DNS" toggle.
  • Select the custom option and fill in your provider, or use the drop-down menu to pick an available provider such as Google Public DNS, Alibaba Cloud DNS or Byte PublicDNS.
  • From then on, Chrome automatically encrypts every DNS query it sends.

What is the DoT protocol

DNS over TLS (DoT) is a security extension to domain name resolution. It uses TLS to encrypt the DNS messages exchanged between users and recursive resolvers, preventing man-in-the-middle eavesdropping and leakage of domain name query privacy.

TLS transmission process

The process is as follows:

  1. TCP three-way handshake
  2. TLS ClientHello and ServerHello, with the corresponding key exchange (KeyExchange)
  3. Client and server send ChangeCipherSpec to each other and switch to encrypted mode; from this point application data can be transmitted
  4. Application data transfer
  5. Application data transfer completes and the TCP connection is closed

Apart from the TCP connection setup and the data packet transfer, the TLS handshake itself costs 2 RTTs.
DNS-over-TLS works like HTTPS: it uses TCP port 853 as the transport port, completes the TLS handshake, and then performs a normal DNS request/response. The whole DNS-over-TLS exchange therefore costs at least 4 RTTs, which amplifies DNS query latency by a factor of 4.
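Both DoH and DoT carry ordinary DNS wire-format messages; only the framing around them differs. The following is an added example, not code from the blog or from PublicDNS: it builds a query, shows the DoT length prefix and the DoH GET encoding, and parses a constructed reply, including the label-compression pointers a resolver uses. The name www.example.com and the address 192.0.2.10 are constructed sample values.

```python
import base64
import struct
# Added example (not PublicDNS's own code): DNS wire format (RFC 1035) as carried by DoT (RFC 7858) and DoH (RFC 8484).
TYPE_A, CLASS_IN = 1, 1
def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, txid: int = 0) -> bytes:
    """Standard query: RD=1, one A/IN question (DoH uses ID 0 so replies stay cacheable)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)

def dot_frame(msg: bytes) -> bytes:
    return struct.pack("!H", len(msg)) + msg   # DoT (DNS over TCP) framing: 2-byte big-endian length prefix
def doh_get_param(msg: bytes) -> str:
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")   # DoH GET: ?dns=<base64url, no '='>

def decode_name(msg: bytes, off: int):
    """Decode a name at off, following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(255):                        # bounded loop: a pointer cycle cannot hang the parser
        n = msg[off]
        if n & 0xC0 == 0xC0:                    # compression pointer to an earlier copy of the name
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:                            # root label ends the name
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("malformed name: too many labels or pointer loop")

def parse_a_records(msg: bytes):
    """Return [(name, ttl, ipv4)] for the IN A records in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, []
    for _ in range(qd):                         # skip the question section (name + type + class)
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4):
            out.append((name, ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return out
SAMPLE_RESPONSE = bytes.fromhex(                           # constructed reply: flags 0x8180 (QR, RD, RA)
    "0000 8180 0001 0001 0000 0000"                        # header: ID 0, 1 question, 1 answer
    "03 777777 07 6578616d706c65 03 636f6d 00 0001 0001"   # question: www.example.com A IN
    "c00c 0001 0001 0000012c 0004 c000020a")               # answer: ptr 0xC00C, A IN, TTL 300, 192.0.2.10
```

A DoT client sends dot_frame(build_query(name)) inside a TLS session to port 853; a DoH client POSTs build_query(name) with content type application/dns-message to port 443, or passes doh_get_param(...) as the dns query parameter of a GET.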

What is the DoQ protocol

DNS over Dedicated QUIC Connections.
The encryption QUIC provides has properties similar to TLS, and the QUIC transport eliminates the head-of-line blocking inherent to TCP and recovers from packet loss more efficiently than UDP.

DNS over QUIC (DoQ) has privacy properties similar to DNS over TLS (DoT) as specified in RFC 7858, and latency characteristics similar to classic DNS over UDP.

DNS servers that support DoQ must listen for and accept QUIC connections on the dedicated UDP port TBD unless both parties agree on another port. By default, a DNS client wishing to use DoQ with a specific server must establish a QUIC connection to UDP port TBD on that server, unless both parties agree on another port.
DoQ connections must not use UDP port 53. This recommendation against port 53 avoids confusing DoQ with DNS over UDP [RFC1035]. In recursive scenarios it may be operationally beneficial to use port 443 as the mutually agreed alternative port, because port 443 is less likely to be blocked than other ports.

Check whether your device can reach PublicDNS

Windows

Run the tracert command from the command line, replacing PublicDNSIP with the IPv4 address of PublicDNS.

tracert -d PublicDNSIP

If the final hop does not show the PublicDNS IPv4 address, your network connection may have a problem that prevents you from reaching PublicDNS.

If the final hop does show the PublicDNS IPv4 address, the problem may be on the PublicDNS side.

macOS/Linux

Run the traceroute command from the command line, replacing PublicDNSIP with the IPv4 address of PublicDNS.

/usr/sbin/traceroute -n PublicDNSIP

If the final hop does not show the PublicDNS IPv4 address, your network connection may have a problem that prevents you from reaching PublicDNS.

If the final hop does show the PublicDNS IPv4 address, the problem may be on the PublicDNS side.
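The reachability rule above can be applied to saved tracert or traceroute output instead of reading it by eye. This is an added example, not the blog's or PublicDNS's own tooling; the two captures and the target address 192.0.2.53 are constructed samples, and a hop that timed out on every probe is treated as not having answered.

```python
import re

# Added example (not PublicDNS's own code): apply the page's reachability rule to
# tracert (Windows) and traceroute (macOS/Linux) output. Both captures below are
# constructed samples; the target is a placeholder, not a real PublicDNS address.
TARGET = "192.0.2.53"

WINDOWS_OUTPUT = """\
Tracing route to 192.0.2.53 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.0.2.1
  2     3 ms     2 ms     2 ms  198.51.100.9
  3     *        *        *     Request timed out.
  4     9 ms     8 ms     9 ms  192.0.2.53

Trace complete.
"""

LINUX_OUTPUT = """\
traceroute to 192.0.2.53 (192.0.2.53), 30 hops max, 60 byte packets
 1  192.0.2.1  0.412 ms  0.380 ms  0.362 ms
 2  198.51.100.9  2.101 ms  2.088 ms  2.070 ms
 3  * * *
 4  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")               # hop number, then the rest of the line
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # first dotted quad in a hop line

def hops(output: str):
    """Return [(hop_number, ip_or_None)]; None marks a hop that timed out on every probe."""
    result = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:                                        # banner and footer lines
            continue
        ip = IPV4_RE.search(m.group(2))
        result.append((int(m.group(1)), ip.group(1) if ip else None))
    return result

def last_responding_hop(output: str):
    """IP of the last hop that answered, or None if nothing answered."""
    answered = [ip for _, ip in hops(output) if ip]
    return answered[-1] if answered else None

def reached_target(output: str, target: str) -> bool:
    """The page's rule: the trace reached PublicDNS only if the last answering hop is its IP."""
    return last_responding_hop(output) == target
```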

Par@ish’s Blog