A Worldwide View on the Reachability of Encrypted DNS Services

Published: 23 Jan 2024, Last Modified: 23 May 2024, TheWebConf24
Keywords: Encrypted DNS, Reachability
TL;DR: By collecting data from our 15-month-long scan, we build the most comprehensive dataset of encrypted DNS domains. We then measure the reachability of encrypted DNS services over IPv4 and IPv6 from 102 countries.
Abstract: To protect user DNS privacy, DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over QUIC (DoQ), and DNS over HTTP/3 (DoH3) have been proposed to encrypt DNS traffic. Collectively, we term them DNS over Encryption (DoE). Existing studies have preliminarily measured the reachability of DoE services. However, they focus either on a few DoT/DoH domains or on a few vantage points (VPs). In this paper, we present the first comprehensive worldwide view of DoE service reachability. By collecting data from our 15-month-long scan, we carefully built a list of 1302 operational DoE domains as measurement targets, 448 of which support IPv6. Then we performed 10M DoE over IPv4 (DoEv4) and 570K DoE over IPv6 (DoEv6) queries from 5K VPs over a two-month period, encompassing 102 countries. Our results reveal that the accessibility of DoE services is poor in some regions. Specifically, 592K DoEv4 queries and 28K DoEv6 queries were blocked during our measurements. Countries where the Internet is not free more often block DoEv4 queries by interfering with TCP connections and QUIC version negotiation. Compared to DoEv4, the reachability of DoEv6 services is better. In particular, some DoE blocking policies target only specific IP addresses or DoE protocols, providing clients with the opportunity to access blocked DoE domains. Our study highlights the need for the community to pay attention to and improve the reachability of DoE services.
Track: Responsible Web
Submission Guidelines Scope: Yes
Submission Guidelines Blind: Yes
Submission Guidelines Format: Yes
Submission Guidelines Limit: Yes
Submission Guidelines Authorship: Yes
Student Author: Yes
Submission Number: 1307