Path to Encrypted DNS with DDR: Adoption, Configuration Patterns, and Privacy Implications
Authors: vasilis ververis (Hasso Plattner Institute, University of Potsdam, Germany), Steffen Sassala (Hasso Plattner Institute, University of Potsdam, Germany), Felix Roth (Hasso Plattner Institute, University of Potsdam, Germany), Vaibhav Bajpai (Hasso Plattner Institute, University of Potsdam, Germany)
Volume: 2025
Issue: 4
Pages: 465–484
DOI: https://doi.org/10.56553/popets-2025-0140
Abstract: DNS is crucial for the Internet, but vulnerable due to plaintext traffic. Despite efforts to standardize Domain Name System (DNS) encryption, its adoption remains limited. Users often lack awareness of privacy risks and the knowledge to enable encryption. To address this, the IETF standardized a new protocol; Discovery of Designated Resolvers (DDR), enabling automatic discovery and upgrade from unencrypted to encrypted DNS traffic. In this study, we present an empirical investigation of the DDR protocol, focusing on its adoption, configuration, and the operational challenges associated with enabling automated transitions to encrypted DNS communication via DNS over Encryption (DoE) protocols. Our results reveal widespread misconfigurations, including incomplete and incorrect DDR configurations that prevent clients from successfully transitioning to encrypted resolvers. In over 99 % of observed cases, DDR-compliant clients may fail to upgrade to DoE due to these deployment issues, underscoring the limitations of DDR in the wild. Additionally, we note a severe resolver consolidation induced by current DDR deployments, as >97 % of DDR-enabled resolvers delegate to major DNS cloud providers, raising concerns about privacy and governance.
Keywords: DDR, Discovery of Designated Resolvers, DNS, DNS centralization, network measurement
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
