Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

DNS Privacy: DNS innovations to protect your privacy

And the controversy surrounding DNS over HTTPS

Hands operating a keyboard above which virtual security icons are visible

The original blog is in Dutch, this is the English translation.

DNS privacy is a hot topic in the internet community. Various privacy-enhancing innovations have emerged in recent years. One striking recent development, DNS over HTTPS (DoH), is proving controversial, however. This article explains why.

In recent years, a lot of time and effort has been devoted to increasing the security of the DNS protocol. For example, DNSSEC makes it almost impossible to falsify DNS responses. More than half of the 5.8 million-plus .nl domain names now have DNSSEC protection. However, DNSSEC doesn't prevent the interception of internet traffic. And monitoring an internet user's DNS traffic can reveal a lot about that user's internet behaviour, even if the rest of the traffic is encrypted. In other words, DNS traffic interception has major privacy implications.

The renewed focus on privacy has led to a series of DNS innovations referred to collectively as 'DNS privacy'. The purpose of the innovations is essentially to prevent DNS traffic being read by third parties. Various techniques have been devised for achieving that aim, which are described in a separate background article.

DNS privacy is therefore mainly about protecting DNS traffic. Usually, that comes down to encrypting the communication – using TLS, for example. However, it's now also possible to send DNS traffic over an HTTPS connection on a standardised basis.

Controversy surrounding DNS over HTTPS (DoH)

Known as DNS over HTTPS (DoH), the technology is certainly a departure from the norm, and has raised some eyebrows. The reasons are explained below.

DoH was devised with certain scenarios in mind. One being a state agency prying into the user's activities and possibly injecting false DNS information. Another scenario might be an ISP gathering users' DNS data for sale to a third party.

DoH is intended to prevent that kind of thing. Basically, it entails DNS traffic being sent together with encrypted HTTPS traffic to a trusted (external) resolver (the 'trusted recursive resolver' or TRR). In other words, no separate protocol or port number is involved. Consequently, DNS traffic can't be distinguished from normal HTTPS traffic, and interception (filtering) becomes much harder.

The problem is that DNS traffic filtering doesn't always happen under scenarios such as those outlined above. There are also legitimate reasons for filtering. For example, some DNS filters prevent users from unintentionally landing on malicious websites. The operators of some networks have gone to a lot of trouble to build such DNS firewalls for the protection of users. When DoH is enabled, firewalls can easily be bypassed, without the user necessarily being aware of it. Many network operators view that possibility with dismay, because of the implications for network security.

The value of DNS

Various recent developments, including developments in the field of DoH, reflect the importance of DNS. First, the protocol is of course essential for the smooth and reliable working of the internet. Second, as outlined above, it forms the basis for many security measures.

Third, it lends itself to effective user profiling. And user profiles have commercial value. Although it isn't general practice in the Netherlands, ISPs in some countries habitually monitor their users' surfing by logging DNS traffic. The information generated is then sold to advertisers.

DNS resolving (as a service) is therefore a lucrative potential means of generating income, or, at least, a way of gathering very useful information. That is probably why Google, Cloudflare, Quad9 and others are so keen to offer such services.

Browser-based DNS service

DNS performance also influences the user experience. An under-performing DNS translates into slow-loading web pages. That fact isn't lost on web browser developers. In their constant efforts to optimise the user experience, developers have therefore turned their attention to the DNS.

The people behind Chrome, Firefox and even Android want to offer users the best possible security, privacy and all-round experience. Getting to grips with DNS, they have incorporated encrypted 'privacy-enabled' DNS into their products. In most cases, that implies1 opting for DNS over HTTPS. After all, HTTPS is home ground for them; they know its capabilities inside out. The enthusiasm of the browser developers has consequently been the driving force behind the rapid development and adoption of the DoH protocol.

Google has set up its own large-scale public DNS service, which its products will doubtless utilise. Meanwhile Mozilla has chosen Cloudflare to provide trusted recursive resolver (TRR) support. For the moment, the feature is a hidden experimental option, disabled by default. However, general activation is being seriously considered.

Of course, Cloudflare has an interest in their public DNS resolver service being linked to a popular browser such as Firefox. Cloudflare also promotes its service with various other mobile apps for Android and iOS.

If the likes of Google and Mozilla do in fact take control of the DNS traffic within their products and route it to their own services or preferred service providers, bypassing the traditional channels, that will have significant implications, including further centralisation of the internet.

Mixed response

The developments outlined above have elicited a mixed response. They are opposed both by security experts and by privacy experts. Some commentators have expressed dismay at the link-up between Mozilla and Cloudflare, since they have little faith in the avowed good intentions, particularly those of the commercial player Cloudflare. The argument is that using Cloudflare’s trusted recursive resolver merely shifts the privacy problem at best, rather than resolving it.

Others have pointed to operational risks, such as scalability and network security. Many network operators don't want their users accessing a third-party DNS resolver, whether intentionally or otherwise.

Meanwhile, lawyers have questioned whether such arrangements are consistent with the GDPR or net neutrality rules.

The criticasters want to see more user choice at the very least. Otherwise, they fear that users will fall prey to commercial organisations that monetise their insight into users' internet behaviour when they are supposedly protecting them. They also point out that DoH actually facilitates user 'fingerprinting', because additional information is made available. In their desire for privacy, users may therefore be jumping out of the frying pan and into the fire.

Consider the consequences if Firefox does roll out DNS over HTTPS as the unsolicited default setting in collaboration with Cloudflare 1.1.1.1. Cloudflare is, after all, a commercial organisation, beholden to its shareholders and governed by US law. Over time, how secure will DNS data be with them? And what regulatory framework will safeguard it? In the Netherlands, ISPs are bound by the GDPR. Can the same or similar be said of those elsewhere?

Loss of control

As indicated above, much DNS traffic filtering is done for legitimate network protection purposes. Use of DNS firewalls can prevent users landing on malicious websites, or sites that don't conform to the network's security policy. They also allow for intervention in the event of an IoT device being recruited into a botnet and receiving instructions or leaking data via the DNS. That approach is the basis of our own SPIN project, for example. The uncontrolled wild growth of DNS over HTTPS would undermine and frustrate such security initiatives.

The prospect of a browser or other application independently communicating with an external resolver service instead of using a central, uniform method is equally worrying from an operational viewpoint. It would complicate the picture and make fault localisation more difficult. While such problems are not exclusive to DoH, they do arise with DoH in practice.

Developments warrant close monitoring

Clearly, DNS over HTTPS is a controversial technology. Although it is simple, effective and low-threshold, its use and the rapid developments associated with it give rise to a variety of misgivings.

Firm conclusions are premature, since it remains unclear which way the industry is heading. What we can say with confidence is that DoH will change the landscape profoundly. It is therefore important to continue monitoring developments closely, flagging up potential issues and seeking to influence events where appropriate. That is certainly the policy we at SIDN Labs will be backing in the period ahead.

Additional technical background information

1 Yandex has opted for DNScrypt.

Article by:

Marco Davids

Marco Davids

Research engineer

Thymen Wabeke

Research engineer

Cristian Hesselman

Cristian Hesselman

Director SIDN Labs