Description
DNS resolvers increasingly support various encryption protocols, ensuring their communication with end clients remains confidential from external observers. The recursive-to-authoritative link has long been overlooked, though, despite multiple reports on traffic analysis and response injection by state censors. The experimental RFC 9539 addresses this confidentiality gap with a unilateral and opportunistic mechanism: recursive resolvers probe nameservers for DNS-over-TLS (DoT) or DNS-over-QUIC (DoQ) support and, if the probe succeeds, communicate over the encrypted channel. In this talk, we measure the deployment of authoritative DoT/DoQ (ADoT/ADoQ) in the wild, covering both recursive resolvers and authoritative nameservers. We identify fewer than 1% (2.9M) of registered domains supporting authoritative DoT or DoQ, with one provider accounting for the vast majority of these deployments. This data-driven study informs DNS operators who increasingly consider deploying authoritative DoT/DoQ but lack concrete numbers on the current state of deployment.
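The unilateral, opportunistic upgrade that the abstract summarises, as an added example (not code from the talk, the paper under review, or RFC 9539): a per-nameserver policy that probes encrypted transports, caches failures for a damping window, and otherwise falls back to cleartext Do53. The one-day damping window, the DoQ-before-DoT preference, and the documentation-range nameserver IPs are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

DAMPING_SECONDS = 24 * 3600            # assumed damping window after a failed probe
ENCRYPTED_TRANSPORTS = ("doq", "dot")  # assumed preference order when both work

@dataclass
class NameserverState:
    last_success: dict = field(default_factory=dict)  # transport -> timestamp
    last_failure: dict = field(default_factory=dict)  # transport -> timestamp

class UnilateralProbePolicy:
    def __init__(self, damping=DAMPING_SECONDS):
        self.damping = damping
        self.states = {}  # nameserver IP -> NameserverState

    def _state(self, ip):
        return self.states.setdefault(ip, NameserverState())

    def candidate_transports(self, ip, now):
        # A transport whose last failure is still inside the damping window is not
        # retried, so one blocked probe keeps this link on cleartext for the whole window.
        st = self._state(ip)
        return [t for t in ENCRYPTED_TRANSPORTS
                if now - st.last_failure.get(t, float("-inf")) >= self.damping]

    def record(self, ip, transport, success, now):
        st = self._state(ip)
        (st.last_success if success else st.last_failure)[transport] = now

    def resolve_transport(self, ip, probe, now):
        """probe(ip, transport) -> bool. Returns the transport to use for the query."""
        for t in self.candidate_transports(ip, now):
            ok = probe(ip, t)
            self.record(ip, t, ok, now)
            if ok:
                return t
        return "do53"  # opportunistic: fall back to cleartext rather than fail closed

def demo():
    # Constructed outcomes: first nameserver speaks DoT only; second blocks both probes.
    support = {("198.51.100.1", "dot"): True, ("198.51.100.1", "doq"): False,
               ("203.0.113.7", "dot"): False, ("203.0.113.7", "doq"): False}
    policy = UnilateralProbePolicy()
    probe = lambda ip, t: support[(ip, t)]
    first = policy.resolve_transport("198.51.100.1", probe, now=0)
    second = policy.resolve_transport("203.0.113.7", probe, now=0)
    damped = policy.candidate_transports("203.0.113.7", now=3600)
    retry = policy.candidate_transports("203.0.113.7", now=DAMPING_SECONDS)
    return first, second, damped, retry
```

Because the upgrade is opportunistic, a nameserver whose probes fail (or are blocked on path) stays on cleartext until the damping window expires; the second nameserver in `demo()` shows that state, which is what makes resolver-side probe failures worth logging and alerting on.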
| Talk duration | 10 Minutes (+5 for Q&A) |
|---|---|
| Other conferences? | Paper under review at ACM IMC 2026 |