Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS

Sudheesh Singanamalla; Suphanat Chunhapanya; Jonathan Hoyland; Marek Vavruša; Tanya Verma; Peter Wu; Marwan Fayed; Kurtis Heimerl; Nick Sullivan; Christopher Wood

Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS

Authors: Sudheesh Singanamalla (University of Washington, and Cloudflare Inc.), Suphanat Chunhapanya (Cloudflare Inc.), Jonathan Hoyland (Cloudflare Inc.), Marek Vavruša (Cloudflare Inc.), Tanya Verma (Cloudflare Inc.), Peter Wu (Cloudflare Inc.), Marwan Fayed (Cloudflare Inc.), Kurtis Heimerl (University of Washington), Nick Sullivan (Cloudflare Inc.), Christopher Wood (Cloudflare Inc.)

Volume: 2021
Issue: 4
Pages: 575–592
DOI: https://doi.org/10.2478/popets-2021-0085

Download PDF

Abstract: The Internet’s Domain Name System (DNS) responds to client hostname queries with corresponding IP addresses and records. Traditional DNS is unencrypted and leaks user information to on-lookers. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting DNS messages from third parties. However, the small number of available public largescale DoT and DoH resolvers has reinforced DNS privacy concerns, specifically that DNS operators could use query contents and client IP addresses to link activities with identities. Oblivious DNS over HTTPS (ODoH) safeguards against these problems. In this paper we implement and deploy interoperable instantiations of the protocol, construct a corresponding formal model and analysis, and evaluate the protocols’ performance with wide-scale measurements. Results suggest that ODoH is a practical privacy-enhancing replacement for DNS.

Keywords: DNS, privacy

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.