Encrypted DNS Still Exposes Privacy Risks to Eavesdroppers
Encrypted DNS protocols are widely implemented across the internet, but metadata such as plaintext headers can still expose critical information about traffic patterns.
The Study’s Focus
Encrypted DNS protocols are widely implemented across the internet, with DNS over TLS, HTTPS, and QUIC designed to obscure query contents from network observers. While these methods encrypt the payload within packets, metadata such as plaintext headers remain accessible. A recent study explores how these headers can expose critical information about encrypted DNS traffic, particularly in IoT environments, and proposes solutions to mitigate the risk.
Framework and Innovations
The research focuses on scenarios where an attacker intercepts wireless communications between IoT devices and their gateways. By isolating DNS packets from general data traffic, adversaries can perform actions such as device identification, traffic analysis, or targeted blocking. The study highlights that even with encryption, certain header fields—like TCP sequence numbers, UDP ports, and IP addresses—can reveal patterns that indicate DNS activity.
Key Innovations
A team of researchers developed a framework to analyze these vulnerabilities, building on DNS over CoAP, a protocol standardized as RFC 9953 in March 2026. This approach embeds DNS queries within application-layer traffic, much as DNS over HTTPS (DoH) carries queries inside HTTPS. Two key innovations aim to enhance privacy: block-wise transfer, which segments data into uniform sizes to mask packet lengths, and Static Context Header Compression (SCHC), which replaces header fields with opaque identifiers.
Evaluation and Findings
The study evaluated 296 deployment scenarios derived from 58,768 request and response pairs sourced from the HTTP Archive. A Random Forest classifier was trained to identify DNS traffic based on header characteristics. Results showed that source and destination metadata—such as IP addresses, ports, and plaintext hostnames—were the most significant indicators of DNS flows.
A secondary vulnerability involved monotonic counters, which track the sequence of DNS queries and responses. These counters, present in TCP sequence numbers, DTLS sequence numbers, CoAP message IDs, and tokens, created predictable patterns that could be exploited. A specific issue was identified in the TinyDTLS library, where the record epoch and sequence number were embedded in the cipher nonce. This practice inadvertently exposed sequential data, reinforcing the risk of traffic analysis.
Recommendations and Conclusion
The researchers noted that even with their proposed defenses, classification accuracy remained between 77% and 86%, significantly higher than random guessing (50%). To address these challenges, the team introduced peer-based SCHC rules and limited CoAP block sizes to 64 bytes. These measures lowered classification accuracy and raised the computational effort an observer needs for the analysis, making the attack less practical.
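As an added illustration of the length-equalization idea described under Key Innovations and the 64-byte block size adopted above (example code, not the researchers' framework), the following Python splits messages into fixed 64-byte blocks and shows what a passive observer sees before and after. The length-prefix framing and the sample message sizes are constructed assumptions, not RFC 9953's block-wise encoding.

```python
# Added example: length equalization with fixed-size blocks, modelled loosely on
# the study's 64-byte CoAP block-wise transfer. The framing is constructed.
from collections import Counter

BLOCK_SIZE = 64  # the block size the researchers limited CoAP to

def split_into_blocks(payload: bytes, block_size: int = BLOCK_SIZE) -> list[bytes]:
    """Segment a message into equal-length blocks, padding the last one.

    A 2-byte big-endian length prefix lets the receiver strip the padding.
    On the wire every block has exactly block_size bytes, so a single packet
    no longer reveals the original message length.
    """
    framed = len(payload).to_bytes(2, "big") + payload
    blocks = []
    for offset in range(0, len(framed), block_size):
        chunk = framed[offset:offset + block_size]
        blocks.append(chunk.ljust(block_size, b"\x00"))
    return blocks

def reassemble(blocks: list[bytes]) -> bytes:
    """Inverse of split_into_blocks: join, read the length prefix, drop padding."""
    framed = b"".join(blocks)
    length = int.from_bytes(framed[:2], "big")
    return framed[2:2 + length]

def wire_sizes(messages: list[bytes], equalize: bool) -> list[int]:
    """Packet lengths a passive observer sees, with or without equalization."""
    if not equalize:
        return [len(m) for m in messages]
    return [len(b) for m in messages for b in split_into_blocks(m)]

def block_counts(messages: list[bytes]) -> list[int]:
    """Residual leak: the number of blocks still grows with message length."""
    return [len(split_into_blocks(m)) for m in messages]

# Constructed sample traffic (sizes only): a DNS query, its response, and a
# non-DNS telemetry report from the same IoT device.
DNS_QUERY = bytes(29)
DNS_RESPONSE = bytes(45)
SENSOR_REPORT = bytes(120)
TRAFFIC = [DNS_QUERY, DNS_RESPONSE, SENSOR_REPORT]

if __name__ == "__main__":
    print("plain    :", Counter(wire_sizes(TRAFFIC, equalize=False)))
    print("equalized:", Counter(wire_sizes(TRAFFIC, equalize=True)))
    print("blocks per message:", block_counts(TRAFFIC))
```

Every equalized packet is 64 bytes, yet the 120-byte report still needs two blocks while each DNS message needs one, which is the kind of residual signal that keeps a classifier above chance.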
The study emphasized that while such methods raise the cost for attackers, they do not eliminate the risk entirely. Additional recommendations include obfuscating sequence numbers and addresses and, where header elision is impractical, relying on protocols such as QUIC, OSCORE, and Oblivious DNS. The researchers also advised adjusting packet transmission timings to disrupt predictable patterns, though this is less viable in constrained IoT environments.
The findings apply beyond IoT networks, as header elision and length equalization can benefit any system where both ends of the communication path are under the deployer's control. The research team has made their dataset, code, and results publicly available via a DOI to support further investigation. The study underscores the ongoing challenge of balancing encryption with metadata protection, particularly in environments where device constraints limit privacy-enhancing measures. As encrypted DNS adoption grows, addressing these vulnerabilities will remain critical for safeguarding user privacy and network integrity.
