An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?
- According to its initial IETF standard, DNS packets are transmitted over the UDP protocol in clear text. Therefore, communication integrity and confidentiality are absent.
- One of the mainstream approaches to mitigating such threats is to encrypt DNS communications. To this end, various techniques have been proposed, including DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), DNS-over-QUIC and DNSCrypt. In this paper, we jointly term them DNS-over-Encryption (DoE).
- However, despite the “top-down” effort made by the industry, little has been done to understand the operational status of DNS-over-Encryption from the “bottom-up” view, or from the view of Internet users.
- The research questions we seek to answer include: 1) How many providers are offering DNS-over-Encryption services? Are their implementations secure? 2) What does their performance look like for users distributed globally? Is there any issue preventing access or causing errors? 3) What does the real-world usage of DNS-over-Encryption look like?
- Findings
- We discover over 150 DoT and 17 DoH providers that offer DNS-over-Encryption services to client users, with over 1.5K addresses. Interestingly, many of them do not show up in public resolver lists. However, 25% of DoT providers, including large ones (Perfect Privacy), use invalid SSL certificates, which could break the server authentication process. In particular, TLS inspection devices are found to act as DoT proxies. In addition, we find that Quad9 DoH has a misconfiguration which causes DNS lookup errors. We have reported the issue to the provider.
- Compared to traditional DNS, the reachability of DNS-over-Encryption servers turns out to be better, with less than 1% of global clients experiencing service disruption. Still, there are DNS-over-Encryption services disrupted by censorship (e.g., Google DoH blocked in China) and TLS interception, which diminishes the benefits brought by encrypting DNS queries.
- The extra overhead incurred by DNS-over-Encryption is tolerable to global users. On average, compared to traditional DNS, transmitting encrypted DNS queries brings several milliseconds of extra query latency.
- The traffic volume and active users of encrypted DNS are still at a small scale compared to traditional DNS. However, the usage of DNS-over-Encryption services has been growing in recent months. For example, Cloudflare DoT witnesses a 56% traffic increase from Jul 2018 to Dec 2018.
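Two of the findings above, invalid certificates breaking DoT server authentication and the per-query latency overhead, come down to what a verifying DoT client does on the wire. The script below is an added illustration, not the paper's measurement code: it frames a DNS query with the 2-byte length prefix that DoT (RFC 7858, port 853) requires, sends it over a TLS session with chain and hostname verification enabled, parses the answer, and times the exchange. The resolver IP, resolver name and query name are placeholders supplied by the caller.

```python
import socket, ssl, struct, time

def build_query(name, qid=0x1234):
    """A-record query, framed with the 2-byte length prefix that DoT (TCP) uses."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_a_records(framed):
    """Return (RCODE, [IPv4 answers]) from a length-prefixed DoT response."""
    msg = framed[2:2 + struct.unpack("!H", framed[:2])[0]]
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 5  # root label + QTYPE + QCLASS
    answers = []
    for _ in range(an):
        if msg[pos] & 0xC0 == 0xC0:  # compression pointer is 2 bytes
            pos += 2
        else:
            while msg[pos] != 0:
                pos += msg[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, answers

def probe_dot(server_ip, server_name, qname, timeout=5.0):
    """Resolve qname over DoT with chain and hostname verification; returns (rcode,
    answers, latency_ms). An invalid certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()  # system trust store, check_hostname=True
    start = time.perf_counter()  # server_ip/server_name: placeholders chosen by the caller
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(build_query(qname))
            body = b""
            while len(body) < 2 or len(body) < 2 + struct.unpack("!H", body[:2])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("DoT server closed the connection early")
                body += chunk
    rcode, answers = parse_a_records(body)
    return rcode, answers, (time.perf_counter() - start) * 1000
```

Timing the same query over plain UDP port 53 beside `probe_dot` gives the per-query overhead the paper reports; a provider that fails verification here is one a client would have to trust blindly to use.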
This is an original article, licensed under CC BY-NC-ND 4.0; when reprinting in full, please credit 逻漫星空.