Approach on encrypting DNS message over UDP

Document Type: Expired Internet-Draft (individual)
Authors: Peng Zuo, Hongtao Li, Ning Kong, XiaoDong Lee, Guangqing Deng, Jiankang Yao, Nan Wang
Last updated: 2016-01-03 (latest revision 2015-07-02)
Stream: (None)
Intended RFC status: (None)
Status: Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document describes an approach to encrypting DNS queries and responses exchanged between a stub resolver and a recursive server over UDP, in order to protect user privacy. The recursive server's public key is distributed to the stub resolver through the Certificate Authority infrastructure, while the stub resolver's public key is sent to the recursive server together with the DNS query, inserted into the query's additional section. The stub resolver encrypts the DNS query with the recursive server's public key, and the recursive server encrypts its DNS response with the public key of that stub resolver; in this way the user's privacy is protected.
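As an added illustration of the exchange the abstract describes (this is not code from the draft, whose wire format is not on this page), the Go program below packs a query that carries the stub's public key in the additional section, encrypts it to the recursive server's key, lets the server recover the stub key from the decrypted query, and encrypts the answer back to that key. Assumptions: a hypothetical private-use RR type 65280 for the key record, PKCS#1 DER as the key encoding, plain RSA-OAEP as the encryption (which forces a 4096-bit server key to fit the query), and a constructed answer for the test name.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"strings"
)

// Hypothetical private-use RR type for the stub's key record (the draft's real type and RDATA encoding are not on this page).
const typeStubKey uint16 = 65280

// packQuery: header (RD=1, QDCOUNT=1, ARCOUNT=1), one A/IN question, then one
// additional RR (owner ".", TTL 0) whose RDATA is the stub's PKCS#1 public key.
func packQuery(id uint16, name string, stubPub *rsa.PublicKey) []byte {
	der := x509.MarshalPKCS1PublicKey(stubPub)
	m := append(binary.BigEndian.AppendUint16(nil, id), 1, 0, 0, 1, 0, 0, 0, 0, 0, 1)
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		m = append(append(m, byte(len(l))), l...)
	}
	m = append(m, 0, 0, 1, 0, 1, 0) // end of QNAME, QTYPE=A, QCLASS=IN, owner "."
	m = append(binary.BigEndian.AppendUint16(m, typeStubKey), 0, 1, 0, 0, 0, 0) // CLASS=IN, TTL=0
	return append(binary.BigEndian.AppendUint16(m, uint16(len(der))), der...)
}

// stubKeyFromQuery (server side) skips the header, the QNAME, QTYPE/QCLASS and the RR's owner/TYPE/CLASS/TTL (14 bytes) to reach RDLENGTH and the key.
func stubKeyFromQuery(q []byte) (*rsa.PublicKey, error) {
	i := 12
	for q[i] != 0 { i += int(q[i]) + 1 }
	n := int(binary.BigEndian.Uint16(q[i+14:]))
	return x509.ParsePKCS1PublicKey(q[i+16 : i+16+n])
}

// exchange runs both directions with plain RSA-OAEP (an assumption; the abstract only says "encrypt with the
// public key"). OAEP caps plaintext at k-66 bytes, hence a 4096-bit server key for a query carrying a 2048-bit stub key.
func exchange(name string) (string, error) {
	srv, _ := rsa.GenerateKey(rand.Reader, 4096)  // in the draft its public half reaches the stub via the CA
	stub, _ := rsa.GenerateKey(rand.Reader, 2048) // its public half travels inside the query
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.PublicKey, packQuery(0x1234, name, &stub.PublicKey), nil)
	if err != nil { return "", err }
	q, err := rsa.DecryptOAEP(sha256.New(), nil, srv, ct, nil) // only the server can read the query
	if err != nil { return "", err }
	k, err := stubKeyFromQuery(q) // the server learns the stub's key from the query itself
	if err != nil { return "", err }
	reply, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, k, []byte(name+" A 192.0.2.1"), nil) // constructed answer
	if err != nil { return "", err }
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, stub, reply, nil) // only the stub can read the reply
	return string(pt), err
}
```

Note that RSA-OAEP alone cannot carry arbitrary-size DNS messages; a deployable design would wrap a symmetric key instead, which the abstract does not address.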



(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)