This document defines a specific protocol, DNS over XMPP (DoX), for sending DNS &rfc1035; queries and getting DNS responses over &xmppcore; (and therefore TLS &rfc8446; security for integrity and confidentiality.

The integration with XMPP provides a transport suitable for both existing DNS clients and native XMPP applications seeking access to the DNS.

This protocol is almost identical in scope to DNS Queries over HTTPS (DoH) &rfc8484;

This specification addresses the following requirements:

1. Sending a DNS query.
2. Responding with a DNS response.

The DoX protocol is extremely simple:

1. The requesting entity (requestor) sends an IQ-get containing a <dns/> element qualified by the 'urn:xmpp:dox:0' namespace, which contains the DNS query.
2. The resolving entity (resolver) returns either an IQ-result containing a <dns/> element qualified by the 'urn:xmpp:dox:0' namespace, which contains the DNS response (if it supports the namespace) or an IQ-error (if it does not).
3. In both the query and response, the content of the <dns/> element is the DNS on-the-wire format as defined in &rfc1035;. The body MUST be encoded with base64 &rfc4648;. Padding characters for base64 MUST NOT be included.

Sending a DNS query is done by sending an &IQ; get over the stream from the requestor to the resolver.

If the resolver supports the dns namespace, it MUST return an IQ-result, which contains the DNS response:

If the resolver does not support the dns namespace, it MUST return a &unavailable; error:

The other error conditions defined in RFC 6120 could also be returned if appropriate.

If an entity supports the DoX protocol, it MUST report that fact by including a service discovery feature of "urn:xmpp:dox:0" in response to a &xep0030; information request:

In order for an application to determine whether an entity supports this protocol, where possible it SHOULD use the dynamic, presence-based profile of service discovery defined in &xep0115;. However, if an application has not received entity capabilities information from an entity, it SHOULD use explicit service discovery instead.

Support could also be pre-arranged between parties by putting a resolver at a known JID, in which case the requestor can just start sending queries to the resolver

Some XMPP clients do not respond to IQ stanzas containing unsupported payloads. Although this is in violation of &xmppcore;, this behavior can result in disconnection of clients that are in fact actively connected to the server.

Running DNS over XMPP relies on the security of the underlying XMPP transport, therefore all queries and responses MUST use TLS or equivalent connection security. This mitigates classic amplification attacks for UDP- based DNS.

Session-level encryption has well-known weaknesses with respect to traffic analysis, which might be particularly acute when dealing with DNS queries. DoX resolvers can also add DNS padding &rfc7830; if the DoX requestor requests it in the DNS query. An experimental effort to offer guidance on choosing the padding length can be found in &rfc8467;.

The TLS connection provides transport security for the interaction between the DoX resolver and requestor, but it does not provide the response integrity of DNS data provided by DNSSEC. DNSSEC and DoX are independent and fully compatible protocols, each solving different problems. The use of one does not diminish the need nor the usefulness of the other. It is the choice of a requestor to either perform full DNSSEC validation of answers or to trust the DoX resolver to do DNSSEC validation and inspect the AD (Authentic Data) bit in the returned message to determine whether an answer was authentic or not.

In the absence of DNSSEC information, a DoX resolver can give a requestor invalid data in response to a DNS query. A DoX capable requestor MUST discard any responses not specifically requested, this prohibition does not guarantee protection against invalid data, but it does reduce the risk.

If a server receives a dns request directed to a full JID &LOCALFULL; associated with a registered account but there is no connected resource matching the 'to' address, RFC 6120 requires it to reply with a &unavailable; error and set the 'from' address of the IQ-error to the full JID provided in the 'to' address of the dns request. If a connected resource receives a dns request but it does not want to reveal its network availability to the sender for any reason (e.g., because the sender is not authorized to know the connected resource's availability), then it too MUST reply with a &unavailable; error. This consistency between the server response and the resolver response helps to prevent presence leaks.

No interaction with &IANA; is necessary as a result of this document.