An End-to-End, Large-Scale Measurement of
DNS-over-Encryption: How Far Have We Come?

Chaoyi Lu, Baojun Liu, Zhou Li, Shuang Hao, Haixin Duan,
Mingming Zhang, Chunying Leng, Ying Liu, Zaifeng Zhang and Jianping Wu

This paper is accepted by IMC '19. You may download the paper.


Traditionally, DNS packets are transmitted in clear-text. However, adversaries are actively exploiting this design to compromise Internet users' security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption.
We aim to understand the current status of DNS-over-Encryption, by analyzing several large-scale datasets. We find that in general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is currently used by far fewer users but we have witnessed a growing trend. As such, we believe the community should push its broader adoption and we also suggest the service providers carefully review their implementations.

Datasets and Source Code

We make the following datasets and source code publicly available.

A. Open DNS-over-TLS resolvers

We scan the IPv4 address space for hosts with TCP port 853 open, and then probe them with DoT queries. Also, we verify their SSL certificate paths using OpenSSL. The following lists show our scan results.
        open_dot_resovler_190201        open_dot_resovler_190401
        open_dot_resovler_190211        open_dot_resovler_190411
        open_dot_resovler_190221        open_dot_resovler_190421
        open_dot_resovler_190301        open_dot_resovler_190501
        open_dot_resovler_190311        open_dot_resovler_190701
        open_dot_resovler_190321        open_dot_resovler_200701

B. ProxyRack source code

We use ProxyRack to test the reachability and performance of three public DNS-over-Encryption services: Cloudflare, Google and Quad9.
Our source code can be found here.

C. Passive DNS

We use passive DNS datasets of Farsight Security and Qihoo 360 to measure DoH usage.