One to Rule them All? A First Look at DNS over QUIC

TL;DR

This study investigates DNS over QUIC (DoQ), revealing its increasing adoption, response time characteristics, and advantages over existing encrypted DNS protocols like DoT and DoH, despite ongoing standardization challenges.

Contribution

First empirical analysis of DoQ's adoption, performance, and response times, filling a research gap on this emerging encrypted DNS protocol.

Findings

DoQ adoption is steadily increasing with fluctuations.

Approximately 40% of responses have higher handshake times due to traffic amplification limits.

DoQ outperforms DoT and DoH in response times.

Abstract

The DNS is one of the most crucial parts of the Internet. Since the original DNS specifications defined UDP and TCP as the underlying transport protocols, DNS queries are inherently unencrypted, making them vulnerable to eavesdropping and on-path manipulations. Consequently, concerns about DNS privacy have gained attention in recent years, which resulted in the introduction of the encrypted protocols DNS over TLS (DoT) and DNS over HTTPS (DoH). Although these protocols address the key issues of adding privacy to the DNS, they are inherently restrained by their underlying transport protocols, which are at strife with, e.g., IP fragmentation or multi-RTT handshakes - challenges which are addressed by QUIC. As such, the recent addition of DNS over QUIC (DoQ) promises to improve upon the established DNS protocols. However, no studies focusing on DoQ, its adoption, or its response times exist to this date - a gap we close with our study. Our active measurements show a slowly but steadily increasing adoption of DoQ and reveal a high week-over-week fluctuation, which reflects the ongoing development process: As DoQ is still in standardization, implementations and services undergo rapid changes. Analyzing the response times of DoQ, we find that roughly 40% of measurements show considerably higher handshake times than expected, which traces back to the enforcement of the traffic amplification limit despite successful validation of the client's address. However, DoQ already outperforms DoT as well as DoH, which makes it the best choice for encrypted DNS to date.