Quantum-Resistant Domain Name System: A Comprehensive System-Level Study
Juyoul Lee, Sanzida Hoque, Abdullah Aydeger, Engin Zeydan

TL;DR
This paper evaluates the security and performance of post-quantum cryptographic mechanisms in DNS protocols, proposing a unified framework and analyzing practical implications for quantum-resistant Internet infrastructure.
Contribution
It introduces Post-Quantum Cryptographic DNS, integrating lattice- and hash-based primitives into DNS and TLS, with comprehensive performance and security analysis.
Findings
Lattice-based primitives like ML-KEM and Falcon are practical for DNS.
Hash-based schemes like SPHINCS+ increase message size and overhead.
Security analysis highlights downgrade and fragmentation vulnerabilities.
Abstract
The Domain Name System (DNS) plays a foundational role in Internet infrastructure, yet its core protocols remain vulnerable to compromise by quantum adversaries. As cryptographically relevant quantum computers become a realistic threat, ensuring DNS confidentiality, authenticity, and integrity in the post-quantum era is imperative. In this paper, we present a comprehensive system-level study of post-quantum DNS security across three widely deployed mechanisms: DNSSEC, DNS-over-TLS (DoT), and DNS-over-HTTPS (DoH). We propose Post-Quantum Cryptographic (PQC)-DNS, a unified framework for benchmarking DNS security under legacy, post-quantum, and hybrid cryptographic configurations. Our implementation leverages the Open Quantum Safe (OQS) libraries and integrates lattice- and hash-based primitives into BIND9 and TLS 1.3 stacks. We formalize performance and threat models and analyze the…
Taxonomy
Topics: Cloud Data Security Solutions · Caching and Content Delivery
