DoT and DoH

Encrypted DNS Services

This is a trial

As of September 2019, this is considered a 'trial' service, but is expected to continue and be an 'official' service for customers. Please see our DoH/DoT disclaimer.

This page was last updated October 11th.

As an Internet Service Provider we run DNS resolver servers that our customers use. New DNS protocols have being developed and are starting to be used which increase privacy and security by encrypting DNS queries. The two main protocols for encrypted DNS are DNS over HTTPS (DoH) and DNS over TLS (DoT). This page gives information about our encrypted DNS services.


DNS over TLS (DoT)

  • dns.aa.net.uk

Typically used at an operating system level, where/when supported. Your computer will use DoT for its DNS lookups. Not many operating systems have a DoT option yet. Android from version 9 has such a setting. DoT runs on port 853 and is described in RFC 7858.

DNS over HTTPS (DoH)

  • https://dns.aa.net.uk/dns-query

Typically configured in your web browser's settings, where/when supported. Your browser's DNS lookups will then use DoH rather than your operating system's usual DNS server settings. DoH runs on port 443 and is described in RFC 8484.

IP addresses are likely to change

Be aware that the IP addresses used for dns.aa.net.uk are likely to change, we'll update this page if this happens.

Privacy

We don't filter or log DNS queries, for more information please see our DoH/DoT disclaimer and our Privacy Notice.

Customer use

This service is intended to be used by our customers.

Further information

There are a number of large companies who run publicly available and free to use DoT and DoH servers. Our customers are free to use them if they wish. We offer our DoT and DoH servers as an alternative. Our DoT and DoH servers are physically located as close as possible to where our customer's internet connections terminate on our network - this means they should provide good response times.

For DoH we only support 'wire format', you can use GET or POST, and we support TLS versions 1.2 or 1.3.

The software we're using on our DoT and DoH frontends is PowerDNS's dnsdist. For resilience we have multiple front end servers which are located in two London data centres and they announce the 'anycast' IP addresses in to network using exabgp.

Yes, there are query-per-second rate limit - these are set to allow normal use of the service by our customers.

There is a higher limit for our customer's IP addresses, and a lower limit for non-customer IPs. The idea being that the service can be used by customers whilst not on an A&A internet connection (eg out and about on their mobile, or using there laptop away from their premises.

If the limits are reached then DNS resolution is blocked for a minute. Do contact us if you believe you're exceeding our limits. (Note, the limits were increased on 2020-08-28)

We have some pages on our knoweldgebase which will help with configuring DoH and DoT: https://support.aa.net.uk/DoH_and_DoT

Short answer: no.

At the moment configuring your device or software to use DoT or DoH is a manual task.

As of September 2019, there isn't an agreed upon method for browsers to discover the ISP's DoH servers, and there isn't a way for operating systems to discover the ISP's DoT servers. Currently Mozilla (in Firefox) and Google (in Chrome/Chromium) are proposing different ways for their browsers to automatically enable or disable the use of DoH, but these methods are still in a trial phase and work very differently!

Yes. Our DoH and DoT servers are primarily for use by customers whom we provide an Internet connection to. If you take your computer or mobile device away from your A&A connection - eg to a coffee shop or use your mobile data connection, then our DoH and DoT servers will still work. Unlike our normal (Do53) DNS servers, our DoH and DoT servers are open to the Internet.

We have a testing domain, if you go to http://encrypted-dns-tester.aa.net.uk you will be shown a page saying the your browser used our DoT or DoH servers. The page only works over http (sorry!). You'll get an error if you're not using DOH/DoT as no DNS records are served by default.

Generally, yes. Our DoH and DoT servers are proxies to our normal, Do53, servers. We do run multiple servers, so if DNS changes are made to a domain the answers our servers give may be slightly different due to timings of caches and TTLs etc.

CDNs (Content Delivery Networks) often use DNS to try to make sure that you reach their servers that are closest to you. There has been some discussion that using 3rd party DNS services may mean that you get directed to servers that are not closest to you which could reduce performance, slightly. This shouldn't be the case if you're an A&A customer using our DoH or DoT servers as DNS queries that the CDNs see will be DNS servers on the A&A network.

Compared to normal Do53, DoH will be a bit slower. In our simple tests, using DoH is a few milliseconds slower. We used bulldohzer do perform a side-by-side comparison:

Do53VsDoH.png

Our DoH servers are comparable to other DoH providers, at least from an A&A connection. The results below show dns.aa.net.uk is a little quicker than the others - which is expected as the servers are physically closer to your broadband.

DoH compare

These are the 'normal' Do53 unencrypted DNS servers that customers connected to our network would be using on their broadband routers. These are not available for use by general public, only A&A customers.

  • 217.169.20.20 and 217.169.20.21
  • 2001:8b0::2020 and 2001:8b0::2021

Contact Sales

email sales@aa.net.uk
phone 03333 400222
(Mon-Fri 9am-5pm)
sms 01344 400222

Contact Support

email support@aa.net.uk
phone 03333 400999
(Mon-Fri 8am-6pm,
Sat 10am-2pm)
sms 01344 400999