steffsas/towards-encrypted-dns-with-ddr

Towards Encrypted DNS with DDR: Standards, Adoption and Security Implications

This repository contains the materials and insights from my Master's thesis, titled "Towards Encrypted DNS with DDR: Standards, Adoption and Security Implications", submitted in December 2024 at the University of Potsdam.

📚 Abstract

The Domain Name System (DNS) has long been a cornerstone of the Internet, yet it traditionally transmits queries in plaintext, exposing users to privacy and security risks. While encrypted DNS protocols (DoT, DoH, DoQ) exist, adoption remains limited due to configuration complexity and lack of awareness.

To address this, the IETF introduced the Discovery of Designated Resolvers (DDR) protocol, which enables clients to automatically discover and upgrade to encrypted DNS resolvers. This thesis presents the first large-scale empirical study of DDR deployment, analyzing over 4 million IPv4 and 287K IPv6 DNS servers over four months.

🧪 Methodology

We developed a custom measurement platform called DoE-Hunter (written in Go, containerized, and open-source) to conduct semi-weekly scans targeting:

  • DDR adoption trends
  • Configuration patterns and errors
  • Protocol support (DoH, DoT, DoQ, ODoH)
  • DNS centralization indicators

πŸ” Key Findings

  • DDR Adoption: 7.59% of IPv4 and 2.65% of IPv6 resolvers advertise DDR configurations, with DoH/2 being the dominant protocol.
  • Low DoQ Support: Despite its advantages, <7% of DDR-enabled resolvers support DoQ.
  • Verification Failures: 99% of DDR-compliant clients fail verified discovery due to widespread misconfigurations.
  • Resolver Centralization: Over 97% of DDR-enabled resolvers delegate to major cloud DNS providers (e.g., Google, Cloudflare), raising privacy and governance concerns.
  • Traffic Shadowing: Detected replay behaviors of DNS queries across recursive resolvers.
  • TLS Analysis: TLS 1.3 dominates among DoE (DNS-over-Encryption) resolvers; mutual TLS is not required, as per spec.
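As an added illustration of the verified-discovery rule behind the "Verification Failures" finding (example code, not the thesis's own or DoE-Hunter's): RFC 9462 requires that the certificate presented by the designated encrypted resolver be valid for the ADN and also carry the unencrypted resolver's IP address in its subjectAltName, otherwise the client must fall back to opportunistic use or stay unencrypted. The function names and the self-signed test certificate below are assumptions; chain validation against trust roots, which the TLS handshake performs, is deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// VerifyDesignation applies the RFC 9462 verified-discovery rule: the certificate
// presented by the encrypted resolver must be valid for the ADN *and* list the
// unencrypted resolver's IP address in its subjectAltName. Either failure means
// the designation cannot be used as "verified" (hypothetical helper).
func VerifyDesignation(cert *x509.Certificate, adn string, unencryptedIP net.IP) error {
	if err := cert.VerifyHostname(adn); err != nil {
		return err // certificate is not valid for the advertised ADN
	}
	for _, ip := range cert.IPAddresses {
		if ip.Equal(unencryptedIP) {
			return nil
		}
	}
	return errors.New("subjectAltName lacks the unencrypted resolver IP " + unencryptedIP.String())
}

// SelfSignedCert builds a throwaway certificate for offline testing (constructed data,
// never a real resolver's certificate).
func SelfSignedCert(dnsNames []string, ips []net.IP) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

A certificate that names the ADN but omits the resolver IP, the common misconfiguration, is rejected by this check exactly as a compliant client would reject it.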

🧩 Contributions

  • First in-depth analysis of DDR in the wild.
  • Largest known dataset of DoQ resolvers by Authentication Domain Name (ADN).
  • Contributions to Go’s DNS library for SVCB and ODoH support.
  • First measurements of recursive-to-authoritative encrypted DNS (RFC 9539).

📄 Citation

If you use this work, please cite the thesis as:

Steffen Sassalla. Towards Encrypted DNS with DDR: Standards, Adoption and Security Implications. Master’s Thesis, Hasso Plattner Institute, 2024.

📬 Contact

For questions or collaboration, feel free to reach out: [[email protected]]


Keywords: Encrypted DNS, DDR, DoH, DoT, DoQ, DNS centralization, Internet privacy, Go, DNS measurement
