Authoritative NS Solutions

Encrypted Authoritative Name Server

Transport encryption for authoritative DNS traffic. Zone transfers between your name servers and query traffic from resolvers are carried over TLS, protecting them from interception and in-transit tampering by passive observers and on-path (man-in-the-middle) attackers, and adding confidentiality to the integrity and authenticity that DNSSEC already provides.

What this solution delivers

Encrypted Zone Transfers

Zone data is transferred between primary and secondary servers using TLS-encrypted channels (XFR-over-TLS, RFC 9103). This prevents interception of zone contents during replication, protecting sensitive record data from network-level surveillance.

DNS-over-TLS for Queries

Authoritative query responses are served over TLS-encrypted connections (DNS over TLS, port 853), preventing eavesdropping on the exchange between recursive resolvers and your authoritative servers. The resolver decides whether this transport is used: RFC 9539 describes how a resolver can opportunistically probe an authoritative server for DoT, and resolvers that do not implement it continue to query over plain UDP and TCP on port 53.

DNS-over-HTTPS Support

For environments where port 853 is blocked or filtered, DNS over HTTPS (port 443) provides an alternative encrypted transport that shares its port and TLS profile with ordinary web traffic and is therefore harder to single out and block. It is not invisible: the destination address, the TLS server name and the traffic pattern remain observable. Unlike DoT, there is no standard for recursive resolvers discovering DoH at authoritative servers, so DoH is mainly useful where you control the resolvers or clients that query your servers.

Privacy-Preserving Architecture

On the path between a resolver and your authoritative servers, encrypted DNS prevents network operators, ISPs and malicious actors from observing which names are being queried or what records are being served, supporting data sovereignty and privacy compliance. The protection covers that hop only: the recursive resolver itself still sees every query, and the address of your name servers (and therefore which zones are being consulted) remains visible to an observer.

DNSSEC Compatibility

Encrypted transport works alongside DNSSEC, not as a replacement. DNSSEC authenticates the data; encryption protects the transport. Together they provide both integrity and confidentiality for your DNS infrastructure.

Performance Optimised

TLS session resumption, connection pooling and EDNS options that keep connections open for reuse (for example edns-tcp-keepalive, RFC 7828) ensure that encryption does not introduce meaningful latency. On an established connection most queries add less than 1 ms compared to unencrypted DNS; only the first connection to a server pays the handshake cost.

Technical Details

How it works

XFR-over-TLS (RFC 9103)

Zone transfers between primary and secondary authoritative servers are encrypted using TLS as specified in RFC 9103 (DNS Zone Transfer over TLS, XoT). This prevents zone data, which may contain sensitive internal records, from being intercepted during replication. The implementation supports both AXFR and IXFR over TLS. Encryption alone does not authorise a transfer: as RFC 9103 specifies, the secondary authenticates the primary's TLS certificate (strict TLS), and the primary authorises the secondary by client certificate (mutual TLS), TSIG or source-address ACL, so an attacker who can merely reach port 853 still cannot pull the zone.

Certificate Management

TLS certificates for encrypted DNS services are provisioned and renewed automatically using ACME (Automated Certificate Management Environment). Certificate pinning and DANE (DNS-Based Authentication of Named Entities, RFC 6698) provide additional verification that clients are connecting to the genuine authoritative server. Two practical caveats apply: with automatically renewed certificates, pins must be tied to a key or issuing CA that survives renewal rather than to the leaf certificate, or clients will be locked out at the next rotation; and TLSA records only help when they live in a DNSSEC-signed zone and the client validates them before connecting.

Compliance Context

The NIST SP 800-81r3 (March 2026) guidance recommends encrypted DNS as a standard security measure. For organisations subject to NIS2 or operating in regulated sectors, encrypted authoritative DNS addresses the requirement to protect the confidentiality and integrity of network communications.

Transport Layer Security

All encrypted connections use TLS 1.3, which gives forward secrecy by performing an ephemeral (EC)DHE key exchange on every connection. Older TLS versions are disabled by default. Key-exchange groups and cipher suites follow NIST and BSI recommendations, preferring ECDHE groups and the AES-256-GCM suite (TLS_AES_256_GCM_SHA384); in TLS 1.3 the key exchange is negotiated separately from the cipher suite, so both are constrained.
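As an added, stand-alone illustration of the mechanics covered in the XFR-over-TLS, Certificate Management and Transport Layer Security sections (example code written for this page, not Sokomi's implementation), the Python script below builds an AXFR request, applies the two-byte length framing that DNS over TLS shares with DNS over TCP (RFC 7858), creates a TLS 1.3-only client context with strict server verification, the RFC 9103 ALPN identifier "dot" and an optional client certificate for mutual TLS, and reads response messages until the closing SOA record. The host name, zone and file paths in the usage note are placeholders; only the standard library is used.

```python
import socket
import ssl
import struct

# ALPN identifier registered by RFC 9103 for zone transfers over TLS.
XOT_ALPN = "dot"
QTYPE_SOA, QTYPE_AXFR, QCLASS_IN = 6, 252, 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, qid: int) -> bytes:
    """12-byte header (QR=0, RD=0, QDCOUNT=1) followed by a single AXFR question."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def frame(message: bytes) -> bytes:
    """DNS over TLS reuses TCP framing: a 2-byte big-endian length prefix (RFC 7858)."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message exceeds the 16-bit length prefix")
    return struct.pack("!H", len(message)) + message


def pop_frames(buf: bytes):
    """Take every complete frame off the front of buf; return (messages, partial remainder)."""
    msgs = []
    while len(buf) >= 2:
        (length,) = struct.unpack_from("!H", buf)
        if len(buf) < 2 + length:
            break
        msgs.append(buf[2:2 + length])
        buf = buf[2 + length:]
    return msgs, buf


def _skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if (length & 0xC0) == 0xC0:  # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def count_soa_answers(msg: bytes, expected_id: int) -> int:
    """Count SOA RRs in the answer section; an AXFR is complete once two have been seen."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if qid != expected_id:
        raise ValueError("response ID does not match the query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    seen = 0
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, pos)  # TYPE, CLASS, TTL, RDLENGTH
        pos += 10 + rdlen
        if rtype == QTYPE_SOA:
            seen += 1
    return seen


def make_xot_context(cafile=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    """Client TLS policy: TLS 1.3 only, strict server authentication, optional mutual TLS."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # no fallback to older versions
    ctx.check_hostname = True  # strict TLS: the primary's certificate must match its name
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_alpn_protocols([XOT_ALPN])
    if client_cert:  # mutual TLS: lets the primary authorise this secondary
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def transfer_zone(host, zone, ctx, port=853, qid=0x1234):
    """Run AXFR over TLS and return the raw response messages (needs network; not run offline)."""
    msgs, soa_seen, buf = [], 0, b""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame(build_axfr_query(zone, qid)))
            while soa_seen < 2:
                chunk = tls.recv(65536)
                if not chunk:
                    raise ConnectionError("connection closed before the closing SOA")
                ready, buf = pop_frames(buf + chunk)
                for msg in ready:
                    soa_seen += count_soa_answers(msg, qid)
                    msgs.append(msg)
    return msgs
```

Usage against a real primary would be `transfer_zone("ns1.example.net", "example.com.", make_xot_context("/path/to/ca.pem", "secondary.crt", "secondary.key"))` (all placeholders). Two design points worth noting: `pop_frames` tolerates a frame split across TCP reads, which is the normal case for multi-message AXFR streams, and the TLS 1.3 minimum is enforced client-side so a misconfigured or downgraded primary causes a handshake failure rather than a silent fallback. Python's `ssl` module does not expose a setter for TLS 1.3 cipher suites, so the AES-256-GCM preference described above has to be configured on the server.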

Integration with Secure ANS

Encrypted ANS is deployed as an enhancement to Secure ANS. All the hardening, DNSSEC, anycast and monitoring capabilities of Secure ANS remain in place. Encryption adds confidentiality to the existing integrity and availability protections.

Monitoring and Logging

Encrypted DNS connections are logged for security analysis (source IP, connection duration, TLS version, cipher suite) without logging the content of encrypted queries. This supports incident response requirements while respecting privacy. Note that on the authoritative side the source address is that of the querying resolver, not of the end user behind it.
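To show what can be done with exactly that metadata, here is an added example (written for this page, not part of Sokomi's tooling) that audits connection-level log lines for TLS version downgrades, non-AEAD cipher suites and sources producing repeated handshake failures. The log format is a constructed key=value layout invented for the example, and the sample lines are made up; adapt `parse_line` to your server's actual log format.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample of connection-level log lines in an assumed key=value format
# (invented for this example; not the format of any particular product).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 port=853 dur_ms=120 tls=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 alpn=dot result=ok
2024-05-01T10:00:02Z src=198.51.100.7 port=853 dur_ms=45 tls=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA alpn=- result=ok
2024-05-01T10:00:03Z src=203.0.113.5 port=853 dur_ms=9 tls=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256 alpn=dot result=ok
2024-05-01T10:00:04Z src=192.0.2.9 port=853 dur_ms=3 tls=- cipher=- alpn=- result=handshake_failed
2024-05-01T10:00:05Z src=192.0.2.9 port=853 dur_ms=2 tls=- cipher=- alpn=- result=handshake_failed
2024-05-01T10:00:06Z src=192.0.2.9 port=853 dur_ms=2 tls=- cipher=- alpn=- result=handshake_failed
2024-05-01T10:00:07Z src=198.51.100.7 port=853 dur_ms=30 tls=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 alpn=- result=ok
"""

APPROVED_TLS = {"TLSv1.3"}
# TLS 1.3 suites and the GCM/ChaCha20 TLS 1.2 suites are AEAD; CBC/SHA-1 suites are not.
AEAD_MARKERS = ("GCM", "CHACHA20")


def parse_line(line: str) -> Optional[dict]:
    """Parse 'timestamp k=v k=v ...' into a dict; return None for lines that do not match."""
    parts = line.split()
    if len(parts) < 2 or not re.match(r"^\d{4}-\d{2}-\d{2}T", parts[0]):
        return None
    rec = {"ts": parts[0]}
    for tok in parts[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            return None
        rec[key] = value
    return rec


def audit(log_text: str, fail_threshold: int = 3) -> dict:
    """Flag downgraded TLS versions, non-AEAD ciphers and sources with repeated handshake failures."""
    findings = {"downgraded": [], "weak_cipher": [], "failure_sources": {}}
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("result") == "handshake_failed":
            failures[rec["src"]] += 1  # a burst from one source: misconfigured resolver or a scanner
            continue
        if rec.get("tls") not in APPROVED_TLS:
            findings["downgraded"].append((rec["ts"], rec["src"], rec.get("tls")))
        if not any(marker in rec.get("cipher", "") for marker in AEAD_MARKERS):
            findings["weak_cipher"].append((rec["ts"], rec["src"], rec.get("cipher")))
    findings["failure_sources"] = {src: n for src, n in failures.items() if n >= fail_threshold}
    return findings


if __name__ == "__main__":
    for category, items in audit(SAMPLE_LOG).items():
        print(category, items)
```

Because the fields are connection metadata only, this analysis never needs query names, which matches the logging policy described above. A downgraded-version finding on a server that is supposed to be TLS 1.3-only is itself a configuration alarm, and a source that repeatedly fails the handshake is a candidate for rate limiting or closer inspection.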

Who benefits from this solution

Organisations operating in jurisdictions with data sovereignty requirements

Government and defence agencies requiring encrypted DNS infrastructure

Registry operators protecting zone transfer data between distributed servers

Financial services firms subject to regulatory encryption requirements

Any organisation seeking to prevent passive surveillance of DNS traffic

Enterprises with internal zones containing sensitive hostnames or service records

Common questions about this solution

DNSSEC and encrypted DNS solve different problems. DNSSEC verifies that a response has not been tampered with (integrity and authenticity). Encryption prevents a third party from seeing what was queried or returned (confidentiality). Without encryption, an observer on the path between resolver and authoritative server can see every name being looked up, even if DNSSEC ensures the answers are genuine. For full protection, both are needed.

The initial TLS handshake adds a small overhead (typically 10-30 ms for the first connection). Subsequent queries on the same connection, or on a connection re-established with TLS session resumption, add less than 1 ms. For most use cases the latency impact is negligible compared to the security benefit.

For authoritative DNS, DoT (port 853) is generally preferred: it uses a dedicated port that is easy to identify and manage in network policy, and it is one of the transports (alongside DNS over QUIC) for which RFC 9539 defines opportunistic discovery by resolvers. DoH (port 443) is more commonly used for recursive resolver traffic, where blending with HTTPS is advantageous. Sokomi supports both and will recommend the appropriate protocol based on your network architecture.

XFR-over-TLS (RFC 9103) encrypts zone transfer traffic between primary and secondary authoritative servers. Zone files can contain sensitive information such as internal hostnames, service locations and mail server configurations. Without encryption, this data is transferred in plain text and can be read by anyone with access to the network path between the servers.

Encrypt your authoritative DNS infrastructure

Talk to our team about deploying encrypted authoritative DNS to protect the confidentiality of your zone data and query traffic.