Does DNSFilter support DNSSEC?
DNSFilter fully supports DNSSEC. To use it, point your equipment to these DNS addresses:
- 103.247.36.9
- 103.247.37.9
These DNSSEC-enabled resolvers are part of DNSFilter’s Anycast network, which means they are globally distributed for better performance and reliability. However, DNSSEC support is currently limited to network-level deployments and is not yet available through roaming clients. These resolvers can be used in place of the standard DNSFilter resolvers without additional configuration, providing an easy way to enhance security across the network.
However, we recommend using them only for organizations that recognize two crucial points:
- Low internet adoption – Most internet domains (including well-known email providers) do not support DNSSEC, which means turning the feature on could cause failures in resolving a large portion of internet domains. The end user will perceive this as a failure with their ISP or with our service.
- DNSSEC outages – Even domains that do support DNSSEC have been known to have failures that last several days or weeks.
-
I'm confused about the low internet adoption comment. I thought if DNSSEC resolvers were used, and if DNSSEC wasn't available, it would resolve anyway? I've been using the DNSSEC resolvers and have not run into any issues.
0 -
Eric Nix That's correct! In normal everyday DNSSEC, if the domain does not have DNSSEC records, a DNSSEC-aware resolver should treat the domain as unsigned and resolve the DNS query as normal without performing the DNSSEC validation. However, there is potential for our DNSSEC resolvers to require DNSSEC validation, which is where it would return a SERVFAIL response.
With every environment being unique in their network configuration methods, it can introduce slight performance overhead which is why we want to ensure customers are aware prior to selecting this option.
0
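The outcomes discussed in the reply above (a normal answer for an unsigned domain versus a SERVFAIL response) can be told apart from the DNS response header. The following is an added example, not DNSFilter's code: it builds a query with the EDNS0 DO bit set and classifies response headers. The function names, the `1232` payload size and the sample flag values are assumptions constructed for illustration.

```python
import struct

RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
FLAG_AD = 0x0020      # Authenticated Data bit: resolver validated the answer (RFC 4035)
EDNS_DO = 0x00008000  # DNSSEC OK bit inside the OPT record's TTL field (RFC 3225)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def build_query(name, qid=0x1234):
    """Wire-format A query carrying an EDNS0 OPT record with DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", TYPE_A, CLASS_IN)
    # OPT RR: root owner name, type 41, class = UDP payload size, TTL = flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return header + question + opt

def classify(response):
    """Classify a DNS response by its header flags only."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        # Validation failure and upstream outage look the same from the header.
        return "servfail"
    if rcode == RCODE_NOERROR and flags & FLAG_AD:
        return "validated"
    if rcode == RCODE_NOERROR:
        # Unsigned zone, or a resolver that does not validate or does not set AD.
        return "unvalidated"
    return "other"

def sample_response(flags, qid=0x1234):
    """Constructed header-only response for offline demonstration."""
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    # Constructed flag words: QR|RD|RA (0x8180) plus AD or an RCODE.
    for label, flags in [("signed", 0x81A0), ("unsigned", 0x8180), ("broken", 0x8182)]:
        print(label, "->", classify(sample_response(flags)))
```

To check a live resolver, send the bytes from `build_query` over UDP port 53 and pass the reply to `classify`.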