English

Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS

Cryptography and Security 2020-11-23 v1 Networking and Internet Architecture

Abstract

The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for host-names with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS(ODoH) safeguards against this problem. In this paper we ask what it would take to make ODoH practical? We describe ODoH, a practical DNS protocol aimed at resolving this issue by both protecting the client's content and identity. We implement and deploy the protocol, and perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption, while improving client privacy, making ODoH a practical privacy enhancing replacement for the usage of DNS.

Keywords

Cite

@article{arxiv.2011.10121,
  title  = {Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS},
  author = {Sudheesh Singanamalla and Suphanat Chunhapanya and Marek Vavruša and Tanya Verma and Peter Wu and Marwan Fayed and Kurtis Heimerl and Nick Sullivan and Christopher Wood},
  journal= {arXiv preprint arXiv:2011.10121},
  year   = {2020}
}

Comments

16 pages, 7 figures, Under submission and Presented at IETF 109 MAPRG

R2 v1 2026-06-23T20:23:01.286Z