Csep-561-Reading-7C

Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS

Traditional DNS is unencrypted, so query contents and the client's IP address are visible to any onlooker on the path. Efforts like DNS over TLS (DoT) and DNS over HTTPS (DoH) hide this information from third parties; however, such resolvers haven't been widely deployed.

Oblivious DNS (ODNS) improves the status quo by modifying DNS to disassociate query contents from IP addresses, so that DNS resolvers can no longer link a client IP address with its activity. It does this by having the stub resolver encrypt the client's query and send it to a name under the .odns top-level domain; this routes the query to an authoritative ODNS server, which decrypts and resolves it like a normal DNS server.

This paper describes a further improvement on ODNS, called Oblivious DNS over HTTPS (ODoH), which decouples queries from IP addresses as follows:

  1. the stub resolver encrypts the query and sends it as an HTTPS message;
  2. an Oblivious HTTPS Proxy forwards the encrypted query, seeing the client's IP address but not the query;
  3. an Oblivious Target decrypts and resolves the query and encrypts the response, seeing the query but not the client's IP address.
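
The three-party exchange above, as an added example that is not code from the paper or from any ODoH implementation: a stub resolver, an Oblivious Proxy and an Oblivious Target written in Go on the standard library's X25519 and AES-256-GCM, with a SHA-256 key derivation standing in for the HPKE that real ODoH uses. The query is a bare name rather than a DNS wire-format message, and the target's zone, the name example.com. and the client address 198.51.100.7 are constructed sample values. Each party records what it learns, which is the point: the proxy ends up holding client addresses only and the target holds query names only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics only on failures of local randomness or a wrong AES key length.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// keysFor runs X25519 against the peer's key and derives separate query and response keys.
// The SHA-256 KDF is a stand-in assumed for this example; real ODoH uses HPKE (RFC 9180).
func keysFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (queryKey, respKey []byte, err error) {
	secret, err := priv.ECDH(peer) // errors on a low-order peer key: report it, never panic
	if err != nil {
		return nil, nil, err
	}
	kdf := func(label string) []byte {
		k := sha256.Sum256(append([]byte(label+"|"), secret...))
		return k[:]
	}
	return kdf("query"), kdf("response"), nil
}

// seal and unseal wrap AES-256-GCM, with the random nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) []byte {
	a := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, a.NonceSize())
	must(rand.Read(nonce))
	return a.Seal(nonce, nonce, plaintext, nil)
}
func unseal(key, data []byte) ([]byte, error) {
	a := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := a.NonceSize(); len(data) >= n {
		return a.Open(nil, data[:n], data[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Target holds the long-term key pair (Pub is what clients fetch out of band) and a constructed
// stand-in zone (unknown names get an empty answer). Seen records everything the target learns:
// query names only, because Handle has no client-address parameter at all.
type Target struct{ priv *ecdh.PrivateKey; Pub *ecdh.PublicKey; Zone map[string]string; Seen []string }

func NewTarget() *Target {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	return &Target{priv: priv, Pub: priv.PublicKey(), Zone: map[string]string{"example.com.": "192.0.2.1"}}
}

func (t *Target) Handle(ephPub *ecdh.PublicKey, ciphertext []byte) ([]byte, error) {
	qk, rk, err := keysFor(t.priv, ephPub)
	if err != nil {
		return nil, err
	}
	name, err := unseal(qk, ciphertext)
	if err != nil {
		return nil, err
	}
	t.Seen = append(t.Seen, string(name))
	return seal(rk, []byte(t.Zone[string(name)])), nil
}

// Proxy relays the opaque pair unchanged; Seen records everything it learns: client addresses only.
type Proxy struct{ Target *Target; Seen []string }

func (p *Proxy) Forward(clientIP string, ephPub *ecdh.PublicKey, ciphertext []byte) ([]byte, error) {
	p.Seen = append(p.Seen, clientIP)
	return p.Target.Handle(ephPub, ciphertext)
}

// Resolve is the stub resolver: encrypt to the target's key, relay via the proxy, decrypt the reply.
func Resolve(name string, target *ecdh.PublicKey, proxy *Proxy, clientIP string) (string, error) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	qk, rk, err := keysFor(eph, target)
	if err != nil {
		return "", err
	}
	resp, err := proxy.Forward(clientIP, eph.PublicKey(), seal(qk, []byte(name)))
	if err != nil {
		return "", err
	}
	pt, err := unseal(rk, resp)
	return string(pt), err
}

func main() {
	t := NewTarget()
	p := &Proxy{Target: t}
	answer, err := Resolve("example.com.", t.Pub, p, "198.51.100.7")
	fmt.Println("client got:", answer, err, "| proxy saw:", p.Seen, "| target saw:", t.Seen)
}
```

Running it prints the answer for the client, the address list held by the proxy and the name list held by the target, with no party holding both. The response is encrypted under a key derived from the same ephemeral secret as the query, so the proxy learns nothing on the way back either; anyone who colludes the proxy and target together recovers the link, which is why the protocol assumes they are run by different operators.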

Ultimately the paper claims that median page load time increases by 2% when using ODoH compared to other secure DNS protocols like DoH; however, this result appears to assume ideal co-location of oblivious targets with recursive resolvers.