Every time you open a website, our servers quietly check that the answer is genuine and hasn't been tampered with on the way to you — a security feature called DNSSEC. Those checks rely on a lot of cryptography, and we've just made them noticeably faster.
We rebuilt Unbound — the resolver at the heart of our DNS stack — and switched its cryptography engine to Google's BoringSSL, the same hardened library that already powers our website front-end (and Google Chrome). In plain terms: the security signatures on your lookups are verified more quickly, response times stay lower when the server is busy, and there's more room to spare during traffic spikes.
Both our web front-end and our resolver now run on the same modern, freshly-compiled crypto library, tuned specifically for our AMD EPYC hardware. The upgrade went live with zero downtime, and we verified the full chain on our own servers before switching over. Nothing changes on your end — DNS just feels a little snappier, and stays exactly as private and secure as before.
We rebuilt the engine that looks up and security-checks your DNS requests, switching its cryptography to Google's high-speed BoringSSL for snappier encrypted lookups.
Highlights
- Resolver rebuilt on Google's BoringSSL cryptography engine
- Quicker DNSSEC signature verification, especially under heavy load
- One modern crypto library shared across the web front-end and the resolver
- Compiled from source with AMD EPYC (Zen 2) optimizations
- Rolled out live with zero downtime — same privacy, same security