  • NetScaler's DNS Over TLS for Enhanced Privacy and Protection

    Uttam Somani
    • Validation Status: Validated
      Summary: The article explains NetScaler's DNS over TLS (DoT) feature, which encrypts DNS transactions to protect their privacy and integrity in both proxy and ADNS modes.
      Has Video?: No

    Author : Uttam Somani, Bibek Ranjan Sahu

    In today’s digital world, where online privacy and security are paramount, the need for robust security tools has become obvious. The Domain Name System (DNS) is one of the most critical parts of internet communication: it translates human-readable domain names into machine-readable IP addresses. Traditional DNS runs in plain text over UDP and TCP port 53, so anyone on the path can read queries and responses and, without further protection, tamper with them. DNS over TLS (DoT) has emerged as one of the most important measures for restoring the confidentiality and integrity of DNS queries and responses.


    DNS over TLS (DoT) is a network security protocol that protects the privacy and integrity of DNS queries by encrypting the communication between DNS clients and servers. NetScaler's DoT implementation follows RFC 7858, the specification produced by the IETF DNS PRIVate Exchange (DPRIVE) working group, so it interoperates with standard DoT clients and resolvers. Because the traditional resolution process is unencrypted, it is susceptible to eavesdropping and data manipulation on the path between client and resolver. DoT addresses these concerns by carrying DNS messages inside a TLS session on TCP port 853. Here’s how:

    • Encryption of DNS Queries:
      DoT encrypts the entire channel between the client and the DNS resolver, so the names being looked up are not visible on the wire.
    • TLS Protocol:
      Uses Transport Layer Security (TLS), the same protocol that secures HTTPS. When the client validates the server certificate, this prevents passive interception and on-path (man-in-the-middle) tampering.
    • Improved Privacy:
      Shields DNS queries from network surveillance, which matters most on untrusted networks such as public Wi-Fi.
    • Mitigation of DNS Spoofing:
      Because the client authenticates the resolver and the transport is encrypted, an attacker on the path cannot inject forged responses into the session. Note that DoT authenticates the resolver, not the DNS data itself; end-to-end authenticity of the records still comes from DNSSEC.
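    What the exchange above looks like on the wire, as an added example that is not code from the article or from NetScaler: a minimal DoT client written against RFC 7858 with only the Python standard library. DoT reuses the DNS-over-TCP message framing (a two-byte big-endian length in front of each message) inside a TLS session on port 853. The resolver address, the certificate name and the sample reply bytes are constructed assumptions for illustration.

```python
"""Minimal DNS-over-TLS (RFC 7858) client: build a query, frame it as DNS over
TCP/TLS requires, send it over a certificate-verified TLS session to port 853
and parse the reply. Added example, not NetScaler code; the server address,
certificate name and SAMPLE_REPLY below are assumptions / constructed data."""
import ipaddress
import random
import socket
import ssl
import struct

DOT_PORT = 853  # well-known port for DNS over TLS (RFC 7858)


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Standard query: RD=1, one question, QCLASS IN (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DNS over TCP/TLS framing: 2-byte length prefix (RFC 1035 s4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(data: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:  # refuse pointer loops in a hostile reply
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data: bytes, expected_id: int) -> dict:
    """Parse the header and answer section; reject replies not matching our ID."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = decode_name(data, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"rcode": flags & 0xF, "answers": answers}


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_dot(name: str, server_ip: str, server_name: str, timeout: float = 5.0) -> dict:
    """Full exchange: TLS to :853 with chain + hostname verification (SNI set to
    server_name), framed query out, framed reply back."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    qid = random.randrange(0, 0x10000)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name, qid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), qid)


# Constructed sample reply (not captured from any real server): response to
# ID 0x1234 for example.com A -> 93.184.216.34, TTL 300, owner name compressed.
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY, 0x1234))
    # Live use against a hypothetical DoT listener (VIP and bound-cert name):
    # print(resolve_dot("example.com", "10.0.0.10", "dot.example.net"))
```

    To check a DOT listener, call resolve_dot with its address and the name in the bound certificate. ssl.create_default_context verifies the chain and the hostname; if the listener uses a private CA or a self-signed certificate, add it with ctx.load_verify_locations rather than disabling verification, since an unauthenticated TLS session gives up the spoofing protection described above.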

    NetScaler supports DoT in both authoritative DNS (ADNS) and DNS proxy modes. The new DOT service type terminates the TLS session, decrypts the DNS request, validates the packet format and returns the response to the client over the same encrypted session.

    Configuration of DoT in proxy mode

    You set up an LB vserver and a backend service, both of type DOT, and bind an SSL server certificate to the LB vserver; without the certificate the DOT vserver cannot come up. NetScaler terminates the client's TLS handshake and opens a separate TLS session, as a client, to the backend server. Clients send encrypted DNS queries to NetScaler, which decrypts them, applies any DNS or SSL policies configured on the virtual server, re-encrypts each request and forwards it to the backend. The backend replies with an encrypted DNS response, which NetScaler decrypts, runs through any configured policies, re-encrypts and returns to the client. Because the session is terminated on NetScaler, queries and responses exist in plaintext only inside the appliance, where the policies need to see them. Clients validate the certificate bound to the vserver, so its subject or subject alternative name must match the name the clients are configured to expect.

    • Flexible Security Configurations: Mixed Mode Support in NetScaler's Proxy Mode

    NetScaler introduces mixed mode support: the frontend and backend can be configured as DOT + DNS_TCP or as DNS_TCP + DOT. This lets you encrypt the client-facing listener while the backend leg runs as plain DNS over TCP to a trusted server, or accept plain DNS over TCP and encrypt only the leg to the backend, depending on which network segment you trust. Keep in mind that the DNS_TCP leg stays in cleartext, so it should only cross a network you control.

    • DNS Secure Caching

    NetScaler keeps two classes of cache entries. If a record is learned over a secure channel (the vserver or the service is of type DOT), it is cached as a secure record; otherwise it is cached as an insecure record. A request that arrives over a secure channel is answered from the cache only if a secure copy of the record exists. If the request arrives over a secure channel and no secure copy is in memory (even if an insecure copy is), NetScaler does not serve it from the cache; it queries the backend server, returns the fresh data over the secure channel and stores it as a secure record. Requests over channels that are not DOT continue to use the insecure cache. The effect is that a client asking over TLS never receives a record that was learned over plaintext and could have been tampered with in transit.



    Configuring DoT in ADNS mode:

    For ADNS, you configure a service of type ADNS_DOT, which acts as a listener that accepts encrypted DNS queries from clients. If a record for the queried domain is configured on the NetScaler, it answers over the encrypted session; otherwise it sends an empty response. Records are configured directly on the NetScaler. Binding an SSL certificate to this listening service is required to bring it up, and it is the certificate clients will validate, so its name must match what clients expect.
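    The proxy-mode, mixed-mode and ADNS-mode setups described above, as an added configuration example that is not from the article or from NetScaler's own documentation. It follows the NetScaler CLI conventions used for other service types (add lb vserver / add service / bind ssl vserver / bind ssl service) on a release that includes the DOT and ADNS_DOT service types; the names, addresses, certificate files and records are hypothetical.

```text
# Added example (not from the article). Names, addresses and file paths are
# hypothetical; replace them with your own and confirm each step with "show".

# 1. Load the server certificate clients will validate. Its CN/SAN must match
#    the name clients are configured to use (here dot.example.net).
add ssl certKey dot-cert -cert /nsconfig/ssl/dot.example.net.pem -key /nsconfig/ssl/dot.example.net.key

# 2. Proxy mode, encrypted on both legs: DOT frontend and DOT backend.
add lb vserver lb-dot DOT 10.0.0.10 853
add service svc-dot 10.0.1.20 DOT 853
bind lb vserver lb-dot svc-dot
bind ssl vserver lb-dot -certkeyName dot-cert

# 3. Harden the client-facing listener: refuse legacy protocol versions.
set ssl vserver lb-dot -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED

# 4. Mixed mode: DOT frontend, plain DNS over TCP to a backend that is
#    reachable only across a trusted network segment.
add lb vserver lb-dot-mixed DOT 10.0.0.12 853
add service svc-dns-tcp 10.0.1.21 DNS_TCP 53
bind lb vserver lb-dot-mixed svc-dns-tcp
bind ssl vserver lb-dot-mixed -certkeyName dot-cert

# 5. ADNS mode: a listener that answers over TLS from records configured on
#    the appliance (add the zone's SOA/NS records as for any ADNS deployment).
add service adns-dot 10.0.0.11 ADNS_DOT 853
bind ssl service adns-dot -certkeyName dot-cert
add dns addRec www.example.net 10.0.2.30

# 6. Verify: entities should be UP with the certificate bound.
show lb vserver lb-dot
show lb vserver lb-dot-mixed
show service adns-dot
show ssl vserver lb-dot
```

    From a client, confirm the listener with a DoT-capable resolver tool that validates the certificate, for example kdig from knot-dnsutils pointed at the VIP on port 853 with the certificate's name; a handshake failure there usually means the bound certificate does not match the name or chains to a CA the client does not trust.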

    For more information, please visit NetScaler docs


    Securing DNS queries is crucial for safeguarding online privacy and improving overall security. Implementing DNS over TLS (DoT) encrypts those queries and reduces the exposure to interception and on-path DNS attacks. NetScaler now supports DoT in both proxy and ADNS modes, alongside its other DNS security features. NetScaler has also introduced the Automated Signature Roll-over feature in DNSSEC; for details on this topic, refer to this article.
