Recursive Resolver Privacy Statement per RFC 8932 (BCP 232).
This document describes how dns.kernel-error.de handles DNS queries and associated data. The structure follows the outline recommended by RFC 8932.
IP addresses are treated as personal data. No DNS query logging is performed — neither queried domain names nor client IP addresses are stored. Query logging is disabled in the BIND configuration and only temporarily enabled for diagnostics (a few minutes at most).
The nginx reverse proxy for DoH (/dns-query) has access logging completely disabled. Neither HTTP headers nor client IPs are recorded.
The landing page (/, /en, /privacy, /privacy-en) has access logging disabled. No visits, IP addresses, or HTTP headers are recorded.
BIND maintains internal caches (DNS cache, connection tracking) that reside exclusively in memory and are discarded on restart. This data is not exported or persisted to disk.
| Data Type | Storage | Duration |
|---|---|---|
| DNS queries (DoT/DoH) | Not stored | — |
| Client IP addresses | Not stored | — |
| Landing page visits | Not stored | — |
| DNS cache | RAM only | Until TTL expiry or restart |
During exceptional disruptions or attacks, query logging may be temporarily enabled (`rndc querylog on`). This is done manually, lasts a few minutes at most, and the logs are deleted afterwards. There is no automated or permanent data collection.
Rate-limiting events (IPs generating >300 queries/second) are logged. This serves exclusively to protect the service from abuse.
Filtering or modification of responses: none. Authoritative responses are delivered to clients unaltered; no filtering, redirection, or manipulation of DNS responses takes place, whether for commercial, legal, or malware-prevention reasons. DNSSEC validation may cause domains with broken signatures to return SERVFAIL; this is correct validation behavior, not filtering.
| Property | Detail |
|---|---|
| Transport protocols | DoT (port 853), DoH (port 443 via HTTPS) |
| Authentication | X.509 certificate for dns.kernel-error.de (ECC/ECDSA, DigiCert) |
| DANE/TLSA | TLSA records published for _853._tcp.dns and _443._tcp.dns |
| SVCB/HTTPS RRs | Service discovery via _dns.dns.kernel-error.de (RFC 9461) |
| TLS versions | TLS 1.2, TLS 1.3 |
| PQC key exchange | X25519MLKEM768 (preferred), fallback X25519, secp256r1, secp384r1 |
| Preferred cipher | CHACHA20-POLY1305 (TLS 1.3), ECDHE-ECDSA-CHACHA20-POLY1305 (TLS 1.2) |
| HTTP protocols | HTTP/2, HTTP/3 (QUIC) |
| DoH format | RFC 8484 wire format (no JSON) |
| DNSSEC validation | Yes, for all responses |
| EDNS(0) padding | Accepted from clients. Server-side response padding is not available in BIND 9.20. |
| Session tickets | Disabled (no session tracking) |
| HTTP cookies | Not required, not set |
| Property | Detail |
|---|---|
| QNAME minimization | Yes, relaxed (RFC 9156) |
| EDNS Client Subnet (ECS) | Not enabled — your IP is not forwarded |
| Aggressive DNSSEC cache | Yes (RFC 8198) |
| NXDOMAIN synthesis | Yes (RFC 8020) |
| Upstream encryption | No (queries to authoritative servers are unencrypted — this is standard, as authoritative servers rarely offer DoT/DoH) |
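To make the settings in the two tables above and in the logging and rate-limiting sections concrete, here is an added example of a BIND 9 `named.conf` fragment that implements them. This is illustrative code written for this page, not the actual configuration of dns.kernel-error.de; the file paths, channel names, cipher list and the rate-limit threshold are assumptions, and the nginx-terminated DoH path is deliberately left out.

```conf
// Added example, not the dns.kernel-error.de configuration itself:
// a BIND 9 named.conf fragment with the privacy-relevant settings
// described on this page. Paths, channel names, the cipher list and
// the rate-limit threshold are assumptions.

logging {
    // Diagnostic query log. Nothing is written while "querylog no" (below)
    // is in effect; "rndc querylog on" enables it for a short session and
    // the file is removed afterwards.
    channel diag_queries {
        file "/var/log/named/queries.log" versions 2 size 10m;  // assumed path
        severity info;
        print-time yes;
    };
    category queries { diag_queries; };

    // Rate-limit events are the only per-client records kept. BIND has a
    // dedicated "rate-limit" logging category for them.
    channel rrl_events {
        file "/var/log/named/rate-limit.log" versions 3 size 5m;  // assumed path
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_events; };
};

// TLS settings for the DoT listener. "session-tickets no" disables TLS
// session tickets, so a returning client cannot be linked to an earlier
// connection by the ticket it presents.
tls dot-tls {
    key-file  "/etc/bind/tls/dns.kernel-error.de.key";   // assumed path
    cert-file "/etc/bind/tls/dns.kernel-error.de.crt";   // assumed path
    protocols { TLSv1.2; TLSv1.3; };
    prefer-server-ciphers yes;
    // TLS 1.2 cipher list; ChaCha20-Poly1305 first, as on the page.
    ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384";
    session-tickets no;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };          // public resolver

    // DoT directly in BIND. DoH is terminated by the nginx reverse proxy
    // in the setup described above, so it is not part of this fragment.
    listen-on    port 853 tls dot-tls { any; };
    listen-on-v6 port 853 tls dot-tls { any; };

    // No query logging in normal operation; toggled at runtime with
    // "rndc querylog on" / "rndc querylog off" for diagnostics only.
    querylog no;

    // Data minimization towards authoritative servers (RFC 9156).
    qname-minimization relaxed;
    // BIND's resolver does not add EDNS Client Subnet to upstream queries,
    // so no directive is needed to keep the client IP from being forwarded.

    // Validate every answer, and use the validated cache aggressively
    // (RFC 8198), which also lets the resolver synthesize NXDOMAIN answers
    // (RFC 8020) without asking the authoritative server again.
    dnssec-validation auto;
    synth-from-dnssec yes;

    // Response rate limiting. "all-per-second" caps the total responses
    // sent to one client address per second; "log-only no" means clients
    // over the limit are actually throttled, and each event is written to
    // the rate-limit channel above.
    rate-limit {
        all-per-second 300;            // assumed threshold, matching the page
        window 5;
        log-only no;
    };
};
```

The two logging channels separate the two cases the page distinguishes: the query log exists only so that `rndc querylog on` has somewhere to write during a short diagnostic session, while the rate-limit log is the one record that is kept continuously and contains client addresses.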
For questions about this statement or the service, see security.txt or get in touch via kernel-error.de.