Security Policy
Effective Date: 20th January 2025
Last Updated: 1st May 2025
At UK DNS Privacy Project, we take the security of our services and users seriously. This Security Policy outlines the measures we take to ensure the safety and integrity of our DNS services.
Infrastructure Security
Data Centres: Our servers are hosted in secure, UK-based data centres with robust physical and network security controls.
Redundancy: We employ geo-redundant infrastructure to minimize downtime and ensure consistent availability.
Access Control: Access to our servers is restricted to authorized personnel only, with strict authentication mechanisms in place.
Encryption
DNS-over-TLS (DoT): All DNS queries using DoT are encrypted to protect them from eavesdropping and tampering.
DNS-over-HTTPS (DoH): DNS queries over DoH are secured using HTTPS protocols to ensure end-to-end encryption.
TLS Protocols: We use up-to-date TLS configurations and industry-recommended cipher suites to secure communications.
Personally Identifiable Information: We encrypt all personally identifiable information, including names, email addresses and IP addresses. Where we are unable to encrypt data for performance reasons, we use SHA1 hashes with a seed of the required data.
No Logging
As stated in our Privacy Policy, we do not log or store DNS queries or user data. This minimizes the risk of data breaches and unauthorized access to sensitive information.
System Monitoring
We continuously monitor our systems for unusual activity, potential threats, and unauthorized access attempts.
Automated alerts are in place to respond quickly to potential security incidents.
Incident Response
In the event of a security incident, we have a robust incident response plan to:
- Identify and contain the issue promptly.
- Mitigate potential risks and vulnerabilities.
- Notify users if their use of the service is impacted.
User Responsibility
While we strive to provide a secure service, users are encouraged to:
- Use secure configurations when setting up DNS-over-TLS or DNS-over-HTTPS.
- Keep their devices and networks updated with the latest security patches.
Vulnerability Disclosure Program
We take security seriously and appreciate the efforts of the security community. If you discover a security vulnerability, please report it to us using the following methods:
- Email: security@dnsprivacy.org.uk
- Security Policy: For more details, please refer to our Security Policy
What to Include in Your Report
When submitting a vulnerability report, please include:
- A clear description of the issue
- Steps to reproduce the vulnerability
- Potential impact assessment
- Any suggestions for mitigation
Our Commitment
We commit to:
- Acknowledge receipt of your report within 2 business days
- Provide updates on the progress of addressing the vulnerability
- Not take legal action against researchers who follow responsible disclosure practices
- Recognize your contribution on our Security Acknowledgments page (with your permission)
For further details on our security practices, you can refer to the RFC 9116 security.txt specification, which we implement.
Continuous Improvement
We regularly review and update our security measures to adapt to emerging threats and maintain the highest standards of protection.
Contact Us
For any questions or concerns about this Security Policy, or to report a vulnerability, please reach out to:
Email: security@dnsprivacy.org.uk