Does DNSFilter support DNSSEC?
DNSFilter supports DNSSEC validation when you point your equipment at these DNS addresses:
- 103.247.36.9
- 103.247.37.9
These DNSSEC-enabled resolvers are part of DNSFilter’s Anycast network, which means they are globally distributed for better performance and reliability. However, DNSSEC support is currently limited to network-level and DNS Relay deployments and is not yet available through roaming clients. These resolvers can be used in place of the standard DNSFilter resolvers without additional configuration, providing an easy way to enhance security across the network.
However, we only recommend using them in organizations that understand two crucial points:
- Low internet adoption – Most internet domains (including well-known email providers) still do not sign their zones. A validating resolver treats an unsigned domain as insecure and resolves it normally, so signing protects only a minority of domains; but any signed domain whose signatures fail to validate will get SERVFAIL instead of an answer. The end user will perceive this as a failure of their ISP or of our service.
- DNSSEC outages – Even domains which do support DNSSEC have been known to have validation failures (expired or mismatched signatures, DS records out of step with the zone's keys) that last several days or weeks, and a validating resolver returns SERVFAIL for those names for as long as the failure lasts.
I'm confused about the low internet adoption comment. I thought if DNSSEC resolvers were used, and if DNSSEC wasn't available, it would resolve anyway? I've been using the DNSSEC resolvers and have not run into any issues.
Eric Nix That's correct! In normal everyday DNSSEC, if the domain does not have DNSSEC records, a DNSSEC-aware resolver should treat the domain as unsigned and resolve the DNS query as normal without performing the DNSSEC validation. However, there is potential for our DNSSEC resolvers to require DNSSEC validation, which is where it would return a SERVFAIL response.
With every environment being unique in its network configuration, this can introduce slight performance overhead, which is why we want to ensure customers are aware before selecting this option.
@... Does DNSFilter validate DNSSEC from their end? In other words, if you use non-DNSSEC resolvers (36.36/37.37 instead of 36.9/37.9), is DNSSEC validated by DNSFilter on their end before resolving to the end user? I'm asking because I'm wondering if pointing to the .9 resolvers is redundant. Although it is very, very small, it seems that DNSSEC resolvers are slightly slower than the normal resolvers, likely because of overhead/DNSSEC validation.
Great question, Eric Nix! DNSSEC validation only occurs when using our DNSSEC-enabled resolvers (103.247.36.9 and 103.247.37.9). The standard resolvers (103.247.36.36/.37.37) do not perform DNSSEC validation on our end before returning results to the end user. So you're absolutely right: if DNSSEC validation isn't a strict requirement for your environment, using the standard resolvers may provide slightly better performance due to the lack of validation overhead. On the other hand, if DNS integrity is critical, sticking with the .9 resolvers is the way to go. Appreciate your thoughtful input here!