Gcore DNS now supports a new DNS record type: HTTPS. The HTTPS record is a specialized form of the Service Binding (SVCB) DNS record. These record types have been established by the Internet Engineering Task Force (IETF) to enhance the flexibility of secure internet connections, making them more reliable and faster. HTTPS records achieve this by reducing the number of round trips required to establish a connection, and also by supporting future protocol upgrades.
The HTTPS DNS record provides more detailed information than other record types (like A or AAAA) about the services available for a specific domain. This record type plays a crucial role in establishing secure network connections like HTTPS by providing essential details. For example, HTTPS DNS can communicate information about supported protocols and ports, and can even specify alternate servers to which clients can connect.
The availability of extended information in the HTTPS record allows a client to fetch the necessary parameters to connect to a service securely via a single DNS query, rather than having to perform multiple queries or connections. This streamlined process significantly enhances efficiency and security in network connections.
Traditional methods of establishing secure connections, like HTTPS, often require multiple round trips between the client and the server. For example, when you type www.example.com into the browser, the following steps occur:
1. A lookup is performed for A or AAAA records for www.example.com
These three steps can add significant latency due to the multiple round trips required to establish the optimal connection type with the web server. Moreover, these steps also pose a security risk, as they create an opportunity to inject malicious ads or captive portals during the upgrade from HTTP to HTTPS.
An HTTPS record can be set up for the domain example.com as shown below:
example.com. 1800 IN HTTPS 1 . alpn=h3,h3-29,h2 ipv4hint=184.108.40.206,220.127.116.11 ipv6hint=2001:db8:3333:4444:5555:6666:7777:8888,2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF
Here's what each element represents:
When a browser requests the HTTPS record from the DNS server, it receives all necessary information in the response that is required to establish a secure connection to https://www.example.com. This includes:
Combining all relevant parameters into a single lookup response reduces the number of round trips required to connect optimally to a web server. When used together with an ECH (Encrypted Client Hello) configuration, this eliminates the need for multiple rounds of TLS negotiation while still supporting cutting-edge multi-CDN scenarios.
1. Navigate to the DNS section. Click on the zone of the domain where you wish to add the HTTPS record.
2. Click Add record.
The remaining attribute configurations are displayed in the screenshot below:
3. Type. Select “HTTPS”.
4. Name (Optional). Leave this field empty if you're creating an HTTPS record for the zone apex. If you want to work with, say, www.example.com, enter "www".
5. TTL (Optional). Leave empty or fill with a sensible value. For testing, 300 seconds is acceptable, but for production, consider a higher value like 1800 or more. This ensures that the records do not expire too frequently and that recursive name servers can cache them effectively.
6. Priority. Set the priority for the records. Common values are 1, 2, 3, or 10, 20, 30. It’s used if multiple HTTPS records are available for the same name.
7. Content. Type a valid domain name or leave it as the "." sign.
8. Click the "+" sign on the right to enable additional attributes.
9. Set the next attributes of the HTTPS record. The alpn attribute is often used by browsers to recognize protocols supported by your web server.
10. Select the options such as http/1.1, http/2, http/3, or others. You can choose several values from the list.
11. Set the ipv4hint or ipv6hint. These attributes are helpful because browsers do not need to perform additional DNS lookups for your web servers' IP addresses.
12. Type the value.
13. Click Add.
After configuration, the record should look something like this:
You can verify the responses with kdig (a version of “dig” from Knot DNS). If you're using “dig,” please ensure you have the latest version, as older versions do not support HTTPS record types. You can also check if the created record has been added correctly using the Gcore DNS Lookup tool.
kdig https example.com @ns1.gcorelabs.net

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 34710
;; Flags: qr aa rd; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; example.com. IN HTTPS

;; ANSWER SECTION:
example.com. 1800 IN HTTPS 1 . alpn=h3,h2,http/1.1 ipv4hint=18.104.22.168,22.214.171.124 ipv6hint=2001:db8:3333:4444:5555:6666:7777:8888,2001:db8:3333:4444:cccc:dddd:eeee:ffff
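The record format explained above (priority, target, then SvcParams such as alpn, ipv4hint and ipv6hint) and the kdig verification step can both be checked offline with a small parser. The following Python script is an added example and is not part of the Gcore article or the Gcore DNS tooling; it assumes the RFC 9460 presentation and wire formats and the SvcParamKey numbers registered there. The answer-section text it parses is a constructed sample that mirrors the kdig output above, not a live lookup. It parses each HTTPS answer line, validates the parameters (AliasMode records must carry no SvcParams, hints must be real IP addresses), and re-encodes the RDATA into wire form with the SvcParams in ascending key order, which is how a resolver will see it.

```python
import ipaddress

# Constructed sample: an answer section of the kind kdig prints for an HTTPS
# query; the values mirror the article's example, not a live lookup.
SAMPLE_ANSWER = (
    "example.com. 1800 IN HTTPS 1 . alpn=h3,h2,http/1.1 "
    "ipv4hint=18.104.22.168,22.214.171.124 "
    "ipv6hint=2001:db8:3333:4444:5555:6666:7777:8888,"
    "2001:db8:3333:4444:cccc:dddd:eeee:ffff\n"
)

# SvcParamKey numbers registered by RFC 9460 (the SVCB/HTTPS specification).
SVCPARAM_KEYS = {"mandatory": 0, "alpn": 1, "no-default-alpn": 2,
                 "port": 3, "ipv4hint": 4, "ech": 5, "ipv6hint": 6}


def parse_https_rdata(rdata):
    """Parse '<priority> <target> [key=value ...]' into a dict.

    Priority 0 is AliasMode (follow the target, no parameters allowed);
    anything else is ServiceMode, and a target of '.' means the owner name.
    """
    fields = rdata.split()
    if len(fields) < 2:
        raise ValueError("HTTPS rdata needs a priority and a target")
    priority = int(fields[0])
    if not 0 <= priority <= 65535:
        raise ValueError("priority must fit in 16 bits")
    params = {}
    for item in fields[2:]:
        key, _, value = item.partition("=")
        if key in params:
            raise ValueError("duplicate SvcParam " + key)
        params[key] = value
    if priority == 0 and params:
        raise ValueError("AliasMode records must not carry SvcParams")
    return {"priority": priority, "target": fields[1], "params": params}


def validate_params(params):
    """Return a list of problems found in the SvcParams (empty means OK)."""
    problems = []
    for key, value in params.items():
        if key not in SVCPARAM_KEYS:
            problems.append("unknown SvcParamKey " + key)
        elif key == "alpn" and any(not t for t in value.split(",")):
            problems.append("empty ALPN token")
        elif key == "port" and not (value.isdigit() and int(value) < 65536):
            problems.append("bad port " + value)
        elif key in ("ipv4hint", "ipv6hint"):
            cls = ipaddress.IPv4Address if key == "ipv4hint" else ipaddress.IPv6Address
            for ip in value.split(","):
                try:
                    cls(ip)
                except ValueError:
                    problems.append("bad %s %s" % (key, ip))
    return problems


def _wire_name(name):
    """Domain name in DNS wire form; '.' alone encodes as the root label."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _wire_value(key, value):
    """Wire encoding of one SvcParamValue for the keys this article uses."""
    if key == "alpn":  # sequence of length-prefixed ALPN tokens
        return b"".join(bytes([len(t)]) + t.encode("ascii") for t in value.split(","))
    if key == "no-default-alpn":  # flag only, empty value
        return b""
    if key == "port":
        return int(value).to_bytes(2, "big")
    if key == "ipv4hint":  # concatenated 4-byte addresses
        return b"".join(ipaddress.IPv4Address(ip).packed for ip in value.split(","))
    if key == "ipv6hint":  # concatenated 16-byte addresses
        return b"".join(ipaddress.IPv6Address(ip).packed for ip in value.split(","))
    raise ValueError("no encoder for SvcParamKey " + key)


def to_wire(record):
    """RDATA wire form: priority, target name, then SvcParams in ascending key order."""
    out = record["priority"].to_bytes(2, "big") + _wire_name(record["target"])
    for key in sorted(record["params"], key=lambda k: SVCPARAM_KEYS.get(k, 65535)):
        value = _wire_value(key, record["params"][key])
        out += SVCPARAM_KEYS[key].to_bytes(2, "big") + len(value).to_bytes(2, "big") + value
    return out


def check_answer(text):
    """Parse each 'owner TTL IN HTTPS rdata' line of an answer section."""
    results = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN" or fields[3] != "HTTPS":
            continue  # skip anything that is not an HTTPS answer line
        record = parse_https_rdata(" ".join(fields[4:]))
        results.append((fields[0], int(fields[1]), record, validate_params(record["params"])))
    return results


if __name__ == "__main__":
    for owner, ttl, rec, problems in check_answer(SAMPLE_ANSWER):
        print(owner, ttl, rec, problems or "OK", len(to_wire(rec)), "bytes on the wire")
```

To check a real record, paste the ANSWER SECTION lines from kdig into SAMPLE_ANSWER or pass them to check_answer directly; a non-empty problem list, or a ValueError from the parser, points at a parameter a browser would have to ignore or a record it would reject outright.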
That’s it! You’ve configured your HTTPS record.