
Use encrypted DNS with IP address

Hi,

Recently, when I checked the digital certificate on Firefox, I found that some public encrypted DNS servers can use the IP address directly, without going through the hostname.

I suggest the idea of adding the NextDNS server IP address in the digital certificate.

This will connect directly to the NextDNS server without resolving the dns.nextdns.io domain name. For example:

tls://45.90.28.0
quic://45.90.28.0
https://45.90.28.0/

Like Google DNS, OpenDNS and Quad9:

tls://8.8.8.8
tls://9.9.9.11
tls://208.67.222.222
https://8.8.8.8/dns-query
https://9.9.9.11/dns-query
https://208.67.222.222/dns-query

[Image: domain name in the NextDNS digital certificate]

[Image: Google DNS, OpenDNS and Quad9 digital certificates also contain IP addresses]

Hopefully, this idea gets noticed. Thanks!

Reference:

https://datatracker.ietf.org/doc/html/rfc5280

https://support.globalsign.com/ssl/general-ssl/securing-public-ip-address-ssl-certificates

https://cabforum.org/working-groups/server/guidance-ip-addresses-certificates/
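
The point the post turns on is that a TLS client matches an IP literal only against an iPAddress subjectAltName entry, never against a dNSName, so `tls://45.90.28.0` cannot validate against a certificate that carries only `dns.nextdns.io`. The following is an added example (not code from the post or from NextDNS) that implements that matching rule in plain Python over certificate dictionaries in the shape `ssl.SSLSocket.getpeercert()` returns. Both certificates are constructed for illustration: the Google-like one mirrors the post's claim that Google's certificate carries IP SANs, and the `*.dns.nextdns.io` wildcard entry is an assumption standing in for per-profile hostnames, not a fact taken from a real certificate.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample certificates in the shape returned by ssl.SSLSocket.getpeercert():
# 'subjectAltName' is a tuple of (type, value) pairs. Illustrative, not captured from
# the live servers.
GOOGLE_LIKE_CERT = {
    "subject": ((("commonName", "dns.google"),),),
    "subjectAltName": (
        ("DNS", "dns.google"),
        ("IP Address", "8.8.8.8"),
        ("IP Address", "8.8.4.4"),
        ("IP Address", "2001:4860:4860::8888"),
        ("IP Address", "2001:4860:4860::8844"),
    ),
}

# Hostname-only certificate like the one the post describes for dns.nextdns.io.
# The wildcard entry is an assumption standing in for per-profile hostnames such as
# <profile-id>.dns.nextdns.io that the NextDNS reply refers to.
NEXTDNS_LIKE_CERT = {
    "subject": ((("commonName", "dns.nextdns.io"),),),
    "subjectAltName": (
        ("DNS", "dns.nextdns.io"),
        ("DNS", "*.dns.nextdns.io"),
    ),
}


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; a wildcard is honoured only as the whole
    left-most label (RFC 6125 section 6.4.3) and never across a label boundary."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    # Require at least two labels after the wildcard so '*.com' style patterns never match.
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def san_matches(cert: dict, target: str):
    """Return (matched, reason) for a hostname or IP literal against the SAN list.

    An IP literal is only satisfied by an 'IP Address' (iPAddress) entry, compared as
    parsed addresses so that '2001:4860:4860:0:0:0:0:8888' equals '2001:4860:4860::8888'.
    A dNSName entry whose text happens to look like an IP never matches an IP target,
    which is how browsers behave and why 'tls://45.90.28.0' needs an iPAddress SAN
    rather than just the hostname in the certificate.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"IP Address SAN {value}"
            except ValueError:
                continue  # malformed SAN value: skip rather than match
        elif kind == "DNS" and ip is None and _dns_name_matches(value, target):
            return True, f"DNS SAN {value}"
    return False, "no matching subjectAltName entry"


def endpoint_is_covered(cert: dict, endpoint: str) -> bool:
    """Extract the host from a tls://, quic:// or https:// resolver URL (urlparse strips
    the brackets from IPv6 literals) and check it against the certificate's SANs."""
    host = urlparse(endpoint).hostname
    if not host:
        return False
    return san_matches(cert, host)[0]


if __name__ == "__main__":
    for cert_name, cert in (("google-like", GOOGLE_LIKE_CERT), ("nextdns-like", NEXTDNS_LIKE_CERT)):
        for ep in ("tls://8.8.8.8", "https://[2001:4860:4860:0:0:0:0:8888]/dns-query",
                   "tls://45.90.28.0", "tls://dns.nextdns.io", "tls://abc123.dns.nextdns.io"):
            print(f"{cert_name:13s} {ep:48s} {endpoint_is_covered(cert, ep)}")
```

Against a live resolver the same check applies to `ssl.create_default_context()`, which performs this matching for you: connecting to `8.8.8.8:853` with `server_hostname="8.8.8.8"` succeeds only because the certificate carries that iPAddress entry, while the same connection to `45.90.28.0` would fail hostname verification against a dNSName-only certificate.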

5 replies

    • NextDNs
    • 4 mths ago

    This would miss the profile id. In order to embed the profile id with IPv6 or even allow link IP with IPv4, it would require an extremely large number of certificates. CAs allowing IP certificates are not common and generally require extra steps. The number of certificates to manage and the CA limitations make this idea mostly impossible and overly expensive for limited benefits.

      • BigDargon
      • 4 mths ago

       Thanks for your feedback!

      • BigDargon
      • 4 mths ago

      I think we just need the IP address of the public NextDNS server (no ID used), to add to resolvers that have a bootstrap but still want to encrypt; they always query the dns.nextdns.io domain via bootstrap (e.g. AdGuard Home).

      • NextDNs
      • 4 mths ago

       Again, that would only work if we didn't need a profile associated. It works for all the services you mentioned because they aren't customizable.

      • NDH
      • 1 mth ago

       But for https:// the profile ID goes in the path, so it would at least work for some protocols.
