Description
DNS encryption is on the rise. Proposed standards such as DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), and DNS-over-QUIC (DoQ) are increasingly deployed between clients and recursive resolvers. In contrast, the recursive-to-authoritative link has long been overlooked, despite documented cases of traffic analysis and response injection.
Experimental RFC 9539 proposes a mechanism for resolvers to probe authoritative nameservers over DoT or DoQ (referred to as ADoT/ADoQ, or collectively ADoX) without prior coordination. Recent community efforts have focused on driving the adoption of this approach.
In this talk, we examine the deployment of ADoX in the wild, across both authoritative nameservers and recursive resolvers. We identify 3M registered domains supporting authoritative DoT or DoQ, with one provider accounting for the vast majority of these deployments.
| Talk duration | 10 Minutes (+5 for Q&A) |
|---|---|
| Other conferences? | Paper under review at ACM IMC 2026 |