As of September 2019, this is considered a 'trial' service, but is expected to continue and be an 'official' service for customers. Please see our DoH/DoT disclaimer.
This page was last updated October 11th.
As an Internet Service Provider we run DNS resolver servers that our customers use. New DNS protocols have been developed and are starting to be used which increase privacy and security by encrypting DNS queries between your device and the resolver, so that other parties on the path (for example on public Wi-Fi) cannot read or tamper with them. The two main protocols for encrypted DNS are DNS over HTTPS (DoH) and DNS over TLS (DoT). This page gives information about our encrypted DNS services.
DNS over TLS (DoT)
Typically used at operating system level, where/when supported: your computer then sends all of its DNS lookups to the resolver over a TLS connection. Not many operating systems have a DoT option yet; Android from version 9 has such a setting ('Private DNS'). DoT runs on TCP port 853 and is described in RFC 7858.
DNS over HTTPS (DoH)
Typically configured in your web browser's settings, where/when supported: the browser's own DNS lookups then use DoH rather than the DNS servers configured on your operating system (other applications on the device are unaffected). DoH runs over HTTPS on TCP port 443 and is described in RFC 8484.
Configure the service by hostname where your software allows it. Where you have to enter IP addresses, be aware that the IP addresses used for dns.aa.net.uk are likely to change; we'll update this page if this happens.
We don't filter or log DNS queries, for more information please see our DoH/DoT disclaimer and our Privacy Notice.
This service is intended to be used by our customers.
Why use our DoT and DoH DNS servers?
There are a number of large companies who run publicly available and free to use DoT and DoH servers. Our customers are free to use them if they wish. We offer our DoT and DoH servers as an alternative. Our DoT and DoH servers are physically located as close as possible to where our customers' internet connections terminate on our network, which means they should provide good response times.
Any more technical details?
For DoH we only support the DNS 'wire format' (the application/dns-message media type defined in RFC 8484), not the JSON format some other providers offer. Queries can be sent with either GET (the query base64url-encoded in the 'dns' URL parameter) or POST (the query as the request body), and we support TLS versions 1.2 and 1.3.
The software we're using on our DoT and DoH frontends is PowerDNS's dnsdist. For resilience we have multiple frontend servers, located in two London data centres, each announcing the same 'anycast' IP addresses into our network using exabgp: queries are routed to the nearest frontend that is up, and a frontend that fails simply stops being announced.
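The pieces a client needs for the DoT and DoH descriptions earlier on this page and for the wire-format/GET/POST details above, as an added example (this is not A&A's code and not dnsdist's): it builds a wire-format query, frames it for DoT, encodes it for a DoH GET URL or POST body, and parses the answer section of a response. The /dns-query path is an assumption (the conventional RFC 8484 template path; this page gives only the hostname), and the sample response at the end is constructed, not captured from any server.

```python
"""DoT / DoH client pieces: wire-format query, DoT framing, DoH GET/POST
encoding and answer parsing. Added example, not A&A's own code."""
import base64
import socket
import ssl
import struct
import urllib.request

DOH_CT = "application/dns-message"                 # RFC 8484 media type
# Assumption: /dns-query is the conventional RFC 8484 path; the page gives only the host.
DOH_ENDPOINT = "https://dns.aa.net.uk/dns-query"
DOT_SERVER = "dns.aa.net.uk"


def build_query(name, qtype=1, txid=0):
    """DNS query in wire format (RFC 1035). RFC 8484 recommends ID 0 over DoH so
    identical queries give identical, HTTP-cacheable, messages."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)           # QTYPE, QCLASS=IN


def dot_frame(msg):
    """DNS over TCP/TLS (RFC 7766/7858) prefixes each message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(endpoint, query):
    """RFC 8484 GET: query in ?dns= as base64url with the '=' padding removed."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return endpoint + "?dns=" + enc


def doh_post_request(endpoint, query):
    """RFC 8484 POST: the raw wire-format query is the request body."""
    return urllib.request.Request(endpoint, data=query, method="POST",
                                  headers={"Content-Type": DOH_CT, "Accept": DOH_CT})


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, after = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                                  # compression pointer
            if after is None:
                after = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (after if after is not None else off)


def parse_answers(msg):
    """Return [(name, type, ttl, rdata)] from a response; A rdata as dotted text."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                                            # skip question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_dot(name, server=DOT_SERVER, port=853):
    """Live DoT lookup. create_default_context() verifies the certificate chain and
    server_hostname enables hostname checking; without both, anyone on the path
    could terminate the 'encrypted' channel and answer in the resolver's place."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            tls.sendall(dot_frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, length))


def resolve_doh(name, endpoint=DOH_ENDPOINT):
    """Live DoH lookup over POST; urllib verifies the TLS certificate by default."""
    with urllib.request.urlopen(doh_post_request(endpoint, build_query(name)), timeout=5) as r:
        if r.headers.get("Content-Type", "").split(";")[0].strip() != DOH_CT:
            raise ValueError("unexpected Content-Type: %r" % r.headers.get("Content-Type"))
        return parse_answers(r.read())


# Constructed sample response (not captured from any server): NOERROR, one A record
# for example.com pointing at a documentation-range address, TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)                  # QR=1 RD=1 RA=1 RCODE=0
    + build_query("example.com")[12:]                              # question as sent
    + b"\xc0\x0c"                                                  # owner name -> offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)                           # A, IN, TTL, RDLENGTH
    + socket.inet_aton("192.0.2.1")
)
```

Usage: `doh_get_url(DOH_ENDPOINT, build_query("example.com"))` gives the URL a GET-capable client would fetch; `resolve_doh("example.com")` and `resolve_dot("example.com")` perform live lookups and need network access. Both live functions leave certificate verification on, which is the property that distinguishes DoT/DoH from plain Do53: the transport is only as private as the identity check on the far end.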
Any limits?
Yes, there are query-per-second rate limits; these are set to allow normal use of the service by our customers.
There is a higher limit for our customers' IP addresses and a lower limit for non-customer IPs. The idea is that the service can still be used by customers whilst not on an A&A internet connection (e.g. out and about on their mobile, or using their laptop away from their premises).
If a limit is reached then DNS resolution from that IP address is blocked for a minute. Do contact us if you believe you're exceeding our limits. (Note: the limits were increased on 2020-08-28.)
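How a two-tier per-source limit with a fixed block period behaves, as an added illustration of the policy described above. This is not dnsdist's implementation and not A&A's configuration; the customer prefixes, the limits and the one-second window are assumed values chosen for the example.

```python
"""Two-tier per-source query-rate limit with a fixed block period.
Added illustration of the policy, not dnsdist code; limits are assumed."""
import ipaddress
import time


class QueryRateLimiter:
    def __init__(self, customer_prefixes, customer_qps=100, other_qps=20, block_seconds=60):
        # Assumed: customer prefixes are known up front; limits are illustrative.
        self.customers = [ipaddress.ip_network(p) for p in customer_prefixes]
        self.customer_qps = customer_qps
        self.other_qps = other_qps
        self.block_seconds = block_seconds
        self._window = {}          # source -> (window start, queries in this window)
        self._blocked_until = {}   # source -> monotonic time when the block expires

    def limit_for(self, source):
        """Higher allowance for customer address space, lower for everyone else."""
        addr = ipaddress.ip_address(source)
        return self.customer_qps if any(addr in n for n in self.customers) else self.other_qps

    def allow(self, source, now=None):
        """True if a query from `source` should be answered, False if it is dropped."""
        now = time.monotonic() if now is None else now
        until = self._blocked_until.get(source)
        if until is not None:
            if now < until:
                return False               # still inside the block period
            del self._blocked_until[source]
        start, count = self._window.get(source, (now, 0))
        if now - start >= 1.0:
            start, count = now, 0          # new one-second counting window
        count += 1
        self._window[source] = (start, count)
        if count > self.limit_for(source):
            # Exceeding the limit once blocks the source for the whole period,
            # even if it immediately drops back to a normal rate.
            self._blocked_until[source] = now + self.block_seconds
            self._window.pop(source, None)
            return False
        return True

    def blocked(self, source, now=None):
        now = time.monotonic() if now is None else now
        return now < self._blocked_until.get(source, float("-inf"))
```

The point worth noticing is the second branch of `allow`: a single burst over the limit costs the source a full minute of resolution failures, so a misbehaving device behind a shared NAT address can take the rest of that address's users down with it for the block period.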
Configuring your devices and browsers
We have some pages on our knowledgebase which will help with configuring DoH and DoT: https://support.aa.net.uk/DoH_and_DoT
Will my device use encrypted DNS by default?
Short answer: no.
At the moment configuring your device or software to use DoT or DoH is a manual task.
As of September 2019, there isn't an agreed-upon method for browsers to discover the ISP's DoH servers, and there isn't a way for operating systems to discover the ISP's DoT servers. Currently Mozilla (in Firefox) and Google (in Chrome/Chromium) are proposing different ways for their browsers to automatically enable or disable the use of DoH, but these methods are still in a trial phase and work very differently!
Will DoT and DoH work when I'm off the A&A network?
Yes. Our DoH and DoT servers are primarily for use by customers to whom we provide an Internet connection. If you take your computer or mobile device away from your A&A connection, e.g. to a coffee shop or onto your mobile data connection, then our DoH and DoT servers will still work. Unlike our normal (Do53) DNS servers, our DoH and DoT servers are open to the Internet, which is why the lower rate limit described above applies to non-customer IP addresses.
How can I test that it's working?
We have a testing domain: if you go to http://encrypted-dns-tester.aa.net.uk you will be shown a page saying that your browser used our DoT or DoH servers. The page only works over http (sorry!). The name is only answered by our DoH and DoT servers; no DNS records are served for it by default, so you'll get a resolution error if you're not using DoH/DoT.
Are the DNS answers the same between the A&A servers?
Generally, yes. Our DoH and DoT servers are proxies to our normal, Do53, servers. We do run multiple servers, so if DNS changes are made to a domain the answers our servers give may be slightly different due to timings of caches and TTLs etc.
Will using DoT/DoH affect which CDNs I reach?
CDNs (Content Delivery Networks) often use DNS to try to make sure that you reach their servers that are closest to you, based on where the query reaching them appears to come from. There has been some discussion that using 3rd party DNS services may mean that you get directed to servers that are not closest to you, which could reduce performance slightly. This shouldn't be the case if you're an A&A customer using our DoH or DoT servers, as the DNS queries the CDNs see will come from DNS servers on the A&A network, the same network your connection is on.
How much slower is DoH?
Compared to normal Do53, DoH will be a bit slower, as each query is carried inside an HTTPS request and the TLS and HTTP overhead sits on top of the DNS exchange. In our simple tests, using DoH is a few milliseconds slower. We used bulldohzer to perform a side-by-side comparison:
Are A&A DoH servers as fast as others?
Our DoH servers are comparable to other DoH providers, at least from an A&A connection. The results below show dns.aa.net.uk is a little quicker than the others, which is expected as the servers are physically closer to your broadband connection.
Plain DNS servers
These are the 'normal' Do53 unencrypted DNS servers that customers connected to our network would be using on their broadband routers. These are not available for use by the general public, only A&A customers.