New web browsing security tool arrives: DNS over TLS

Tenta DNS, an open-source DNS over TLS resolver, will help preserve users' privacy after the fall of net neutrality.

Net neutrality is on its deathbed. With it gone, ISPs will be able to strip-data-mine your every move on the web. There are answers. One is Tenta's new secure Domain Name System (DNS) resolver, Tenta DNS. This receives and sends the directions to the websites you visit using the secure Transport Layer Security (TLS) protocol.

DNS is the internet's master phone book. When you type in a website address or click on a link, it turns human-readable domain names into machine-usable IP addresses. If you use your ISP's DNS server, which is the default, the ISP can watch your every move. Even if you use an ordinary third-party DNS server, such as Google Public DNS servers or one of Cisco's OpenDNS servers, your DNS requests are still made in the clear and your ISP can see where you're going.

To conceal what you're doing on the web, you must encrypt your DNS requests. To lock these down, developers created the Internet Engineering Task Force (IETF) RFC 7858, Specification for DNS over Transport Layer Security. What Tenta has done is to take this internet standard and turn it into real software.

As the company explained in a blog post, "Tenta DNS is a modern, secure DNS alternative that supports both ICANN and OpenNIC roots, DNS over TLS, and DNSSEC (DNS Security Extensions). By initiating a TLS protocol when DNS data is sent from your browser, Tenta DNS closes yet another crack through which your ISP can spy on you."

The ICANN DNS is one of the world's 13 DNS root servers. OpenNIC is a set of DNS servers maintained by volunteers to offer users DNS services free of censorship and ISP meddling. OpenNIC is best known for supporting alternative top-level domain names such as Bitcoin's .bit domains.

Most websites and DNS servers support DNSSEC. DNSSEC is used to ensure domain name data integrity, so that when your browser asks for a DNS address it gets one from a valid DNS server. It doesn't, however, encrypt the data it sends you. That's where DNS over TLS comes in.
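What an RFC 7858 client puts on the wire, as an added example that is not from the article or from Tenta's code: an ordinary DNS query with a two-octet length prefix, sent over a certificate-verified TLS connection to port 853. The function names are illustrative, and `resolver_host` is a placeholder for the host name of any resolver that offers DNS over TLS.

```python
import secrets
import socket
import ssl
import struct


def build_query(name: str, txid: int) -> bytes:
    """Encode an A-record query (RFC 1035) with the two-octet length prefix
    that RFC 7858 carries on the TLS stream, exactly as DNS over TCP does."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    if name.endswith("."):
        name = name[:-1]  # accept a fully qualified name with its trailing dot
    qname = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label {label!r} in {name!r}")
        qname += bytes([len(raw)]) + raw
    message = header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(message)) + message


def read_exact(sock, count: int) -> bytes:
    """Read exactly count bytes; one recv() on a TLS socket may return fewer."""
    data = b""
    while len(data) < count:
        chunk = sock.recv(count - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        data += chunk
    return data


def query_dot(resolver_host: str, name: str, timeout: float = 5.0) -> bytes:
    """Send one query to resolver_host:853 over TLS and return the raw reply.
    create_default_context() verifies the certificate chain and host name."""
    txid = secrets.randbits(16)
    context = ssl.create_default_context()
    with socket.create_connection((resolver_host, 853), timeout=timeout) as tcp:
        with context.wrap_socket(tcp, server_hostname=resolver_host) as tls:
            tls.sendall(build_query(name, txid))
            (length,) = struct.unpack("!H", read_exact(tls, 2))
            reply = read_exact(tls, length)
    if len(reply) < 12 or struct.unpack("!H", reply[:2])[0] != txid:
        raise ValueError("reply is truncated or does not match the query ID")
    return reply
```

An observer on the path sees only a TLS session to port 853 on the resolver, while the resolver itself still sees every name you look up.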

To use DNS over TLS to protect your web browsing, however, your browser must support the IETF RFC 7858 protocol. For now, the only one that does, to my knowledge, is the Tenta Private VPN Browser Beta for Android.

This browser relies in turn on Tenta DNS, which is an open-source project written in Golang that you can contribute to on GitHub. To use the services, for now, you must set up your browser to use Tenta's DNS nameservers. These are: ICANN's or and OpenNIC's or

Other DNS servers are expected to support DNS over TLS soon. As Patrick Nohe, the SSL Store content manager, pointed out, "Adoption depends entirely on the DNS industry. If a server is equipped with SSL/TLS, DNS over TLS is within its capabilities -- it's just a matter of supporting it."

Programmers, such as those working on the DNS Privacy Project, are also building DNS over TLS implementations.

There is already another protocol, DNSCrypt, which provides some of DNS over TLS's protections. It's supported by Cisco on its OpenDNS servers. While far more widely deployed at this time, DNSCrypt isn't based on an IETF standard. Historically, IETF protocols become the default rules for low-level internet activities.

With this move Tenta is taking DNS over TLS from theory into practice. With ever-growing dangers to internet privacy, I, for one, hope that they prove to be trailblazers for improved internet privacy.
