High-level architecture of the DNS resolver configuration:
The DNS resolver architecture is divided into two parts. The user-facing DNS frontend is dnsdist; it listens on port 443/tcp for DoH and port 853/tcp for DoT. The DNS backend, responsible for resolving the user queries within the domain name system, is unbound.
Unencrypted DNS queries over 53/udp and 53/tcp are not supported.
```mermaid
---
title: Secure DNS Resolver Architecture
---
graph LR
    dotClient(DoT Client) -->|TLS 853/tcp| frontend(Frontend)
    dohClient(DoH Client) -->|HTTPS 443/tcp| frontend
    subgraph server [Secure DNS Resolver]
        direction LR
        frontend -->|53/udp/tcp| backend
        subgraph frontend[Frontend]
            direction TB
            dnsdist --- dnsdistCache[(Cache)]
        end
        subgraph backend[Backend]
            direction TB
            unbound(Unbound) --- unboundCache[(Cache)]
        end
    end
    backend -->|53/udp/tcp| dnsSystem[(Global DNS)]
```
The frontend accepts client connections, validates DNS queries and, if its cache does not already hold an answer, forwards them to the backend for name resolution. It also:
- Handles TLS encryption and Let's Encrypt certificates
- Enforces per-client rate limits to keep the service available for all users
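The frontend role described above, written as a dnsdist Lua configuration. This is an added example, not the configuration shipped with this project: the certificate paths, the backend address (127.0.0.1:53, matching the 53/udp/tcp link in the diagram), the cache size and the 50 queries/second threshold are assumptions chosen for illustration, and no plain-DNS listener is defined because the page states that unencrypted queries are not supported.

```lua
-- dnsdist frontend: encrypted listeners only, rate limiting, cache, unbound backend.
-- Assumed Let's Encrypt paths; replace with the real hostname's certificate.
local cert = "/etc/letsencrypt/live/resolver.example.org/fullchain.pem"
local key  = "/etc/letsencrypt/live/resolver.example.org/privkey.pem"

-- DoT on 853/tcp and DoH on 443/tcp; require TLS 1.2 or newer.
addTLSLocal("0.0.0.0:853", cert, key, { minTLSVersion = "tls1.2" })
addTLSLocal("[::]:853",    cert, key, { minTLSVersion = "tls1.2" })
addDOHLocal("0.0.0.0:443", cert, key, { "/dns-query" }, { minTLSVersion = "tls1.2" })
addDOHLocal("[::]:443",    cert, key, { "/dns-query" }, { minTLSVersion = "tls1.2" })

-- Public resolver: accept queries from any source on the encrypted ports.
setACL({ "0.0.0.0/0", "::/0" })

-- Per-client rate limit (assumed 50 qps per /32 or /64); excess queries are dropped
-- so one abusive client cannot exhaust the backend for everyone else.
addAction(MaxQPSIPRule(50), DropAction())

-- Frontend packet cache (assumed 100k entries); answers are served from here
-- without touching unbound when the TTL has not expired.
local pc = newPacketCache(100000, { maxTTL = 86400, minTTL = 0 })
getPool(""):setCache(pc)

-- The only backend is unbound on the loopback interface (53/udp/tcp).
newServer({ address = "127.0.0.1:53", name = "unbound" })
```

The backend is deliberately addressed on loopback so that nothing other than this dnsdist instance can reach it; the matching access-control rules belong on the unbound side.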
The backend is reachable only by the dnsdist frontend. If the answer to a query is not already cached, it is resolved by querying the global domain name system (DNS). The backend also provides:
- Cache prefetching to reduce latency
- DNSSEC validation
- 0x20-encoded random bits in query names to harden against spoofing attacks (see `use-caps-for-id`)
- Query name minimisation (`qname-minimisation`)
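The backend settings listed above, written as an unbound.conf fragment. This is an added example rather than the project's own configuration: the loopback-only interface and access-control rules follow the diagram (frontend to backend over 53/udp/tcp), while the cache sizes, thread count and trust-anchor path are assumptions.

```conf
server:
    # Listen on loopback only; the dnsdist frontend is the sole client.
    interface: 127.0.0.1
    port: 53
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Cache prefetching: refresh popular records before their TTL expires
    # (sizes are assumed values; tune to the host's memory).
    prefetch: yes
    prefetch-key: yes
    msg-cache-size: 64m
    rrset-cache-size: 128m

    # DNSSEC validation with an automatically maintained root trust anchor
    # (assumed path; unbound-anchor writes this file).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    harden-dnssec-stripped: yes

    # 0x20: randomise the case of query names and require the upstream
    # answer to echo it, so a forged response must also guess the case bits.
    use-caps-for-id: yes

    # Query name minimisation: send only the labels each authoritative
    # server needs to know.
    qname-minimisation: yes
    qname-minimisation-strict: no

    # General hardening for a recursive resolver.
    harden-glue: yes
    hide-identity: yes
    hide-version: yes
    num-threads: 4
```

`qname-minimisation-strict: no` is the usual choice: strict mode refuses to fall back to full names when an authoritative server mishandles minimised queries, which turns a remote misconfiguration into a resolution failure for the users of this resolver.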