Encrypted DNS: DoH, DoT, DoQ, and cache poisoning
Traditional DNS runs over UDP port 53 in plaintext. Every domain you visit is visible to your ISP, every coffee-shop router between you and the resolver, and any nation-state tap on the line. A company building a privacy-focused product cannot let its users' DNS traffic expose their browsing habits. Separately, an attacker who can race the authoritative server's reply can poison a resolver's cache and redirect users to a malicious IP. That risk predates HTTPS, was closed by source-port randomisation after Kaminsky's 2008 attack, and was partly re-opened by the SAD DNS side channel in 2020.
Why plaintext DNS is a problem
Traditional DNS sends every query in plaintext over UDP port 53. An eavesdropper on the network (your ISP, a shared Wi-Fi router, a government tap) can see every domain you query. The content of the page is protected by HTTPS, but the hostname lookup itself is fully visible. DNS is also unauthenticated in transport: a response can be forged by anyone who can guess or observe the 16-bit transaction ID and the resolver's source port, and deliver the forgery before the genuine answer arrives.
DoH, DoT, and DoQ compared
| Protocol | Port | Transport | Censor resistance | Notes |
|---|---|---|---|---|
| DoH (RFC 8484) | 443/TCP (HTTP/2) or 443/UDP (HTTP/3) | HTTP over TLS, on TCP or QUIC | High: looks like ordinary HTTPS | Browser default; over HTTP/2 a stalled query can head-of-line block the others sharing the TCP connection |
| DoT (RFC 7858) | 853/TCP | TLS over TCP | Low: one firewall rule on port 853 blocks it | Clean, simple protocol; trivially identifiable by port |
| DoQ (RFC 9250) | 853/UDP | QUIC (TLS 1.3 built in) | Low: dedicated port, as easy to filter as DoT | One query per stream, so no head-of-line blocking; connection migration; 0-RTT |
- Firefox DoH adoption (US): above 85%
- Active DoH resolvers globally: 931+
- DoH latency (typical): 12–18 ms
- DoT latency (typical): 20–25 ms
- DoQ latency (APNIC 2026): 12–15 ms (40% lower than DoT)
- Top-100K sites with HTTPS records: 4.2%
Why DoH beats DoT against censorship
DoT runs on port 853. A censor's firewall can add one rule to drop all traffic to port 853 and every DoT client is silently broken. DoH runs on port 443 alongside ordinary HTTPS traffic; at the port and protocol level it is indistinguishable from any other HTTPS connection. Blocking port 443 takes down all HTTPS, which is economically untenable. To block DoH specifically, a censor must enumerate and blacklist the resolver's IP addresses, a whack-a-mole game the user can defeat by pointing to a different DoH endpoint. One caveat: unless Encrypted Client Hello is in use, the TLS ClientHello still carries the resolver's hostname in the SNI field, so a well-known public DoH endpoint can be fingerprinted and dropped on SNI even when its IP changes.
The same property defeats enterprise DNS filtering. Corporate networks use DNS-based controls to block malicious or policy-violating domains. If browsers bypass the corporate resolver via DoH, the controls fail. Enterprises push a policy (via MDM or group policy) to disable browser DoH and force traffic through the on-premises resolver.
Exercise: trace a client connecting via DoH to https://dns.cloudflare.com/dns-query.
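The wire-level side of that exercise, as an added example that is not code from the page or from Cloudflare: it builds the DNS message a DoH client puts in the `?dns=` GET parameter (RFC 8484: transaction ID 0, base64url without padding) against the endpoint named above, and parses a constructed `application/dns-message` response. The response bytes and the address in it are made up for the example.

```python
import base64
import struct

# Added example, not code from the page or from Cloudflare. The endpoint is the
# one named in the exercise; no network access happens here.
DOH_ENDPOINT = "https://dns.cloudflare.com/dns-query"


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Query message: header + one question. RFC 8484 asks for ID 0 so that
    identical queries produce identical URLs and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name: str, qtype: int = 1) -> str:
    """GET form: the message, base64url-encoded with '=' padding removed."""
    wire = build_query(name, qtype)
    param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={param}"


def decode_dns_param(param: str) -> bytes:
    """Reverse of doh_get_url: padding has to be restored before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                # a pointer ends the name in the message
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, return the answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:         # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


# Constructed response (not a real lookup): the question echoed back, then one
# A record whose owner name is a pointer to offset 12. The IP is a placeholder.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)            # QR=1 RD=1 RA=1 NOERROR
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_response(SAMPLE_RESPONSE))
```

A real client would send the URL with an `Accept: application/dns-message` header and validate that the response's question matches what it asked; with ID fixed at 0, that question check and the TLS session are what tie a reply to its query, which is why the transaction-ID guessing games of plaintext DNS do not apply on this hop.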
DoQ specifics (RFC 9250)
DNS over QUIC uses QUIC streams: each query gets its own stream, so one stalled query cannot head-of-line block the others (the problem DoH over HTTP/2 inherits from its single TCP connection). QUIC connection migration lets a DoQ session survive a Wi-Fi to LTE handover without a new handshake, which matters for mobile clients. 0-RTT resumption lets the client send the DNS query in its first flight, alongside the ClientHello, when it holds a session ticket from an earlier connection, saving one round trip.
RFC 9250 warns that 0-RTT data is replayable: an attacker who captures a 0-RTT DoQ query can replay it, and a ticket reused across networks links the new connection to the old one, so resumption can also be used to track the client across locations. Mitigations: single-use session tickets, no 0-RTT for queries that are not safe to replay, and a fresh handshake after a change of network. Production: Quad9, AdGuard, and NextDNS ship DoQ; a common deployment pattern puts a DoQ-capable front end such as dnsdist or doqd in front of an existing BIND or Unbound resolver.
EDNS Client Subnet (ECS): geo-routing vs privacy
ECS (RFC 7871) lets a recursive resolver attach the client’s IP prefix (typically /24 IPv4 or /56 IPv6) to upstream queries. CDN authoritatives use the prefix to return the nearest edge IP. Without ECS the authoritative can only see the resolver’s IP — which may be hundreds of kilometres from the actual user.
The privacy cost is real: every authoritative server in the upstream path now learns roughly which neighbourhood is browsing the domain. Cloudflare 1.1.1.1 disables ECS by default for this reason. Google 8.8.8.8 enables it by default. Using a DoH or DoT resolver that then forwards ECS upstream gives back, at the authoritative tier, much of the privacy the encrypted last mile bought: the on-path observer still sees nothing, but every authoritative in the resolution path learns the client's /24 or /56.
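To make the disclosure concrete, here is an added example (not code from the page or from any resolver) that builds and parses the ECS option itself (RFC 7871, EDNS option code 8). It shows exactly which bytes of the client address leave the resolver at the default /24 and /56 truncation, and the "source prefix length 0" form a resolver that has disabled ECS can send to tell the authoritative that no client information is being disclosed. Addresses are documentation ranges, constructed for the example.

```python
import ipaddress
import struct
from typing import Optional

# Added example, not from the page. ECS option layout (RFC 7871 section 6):
# OPTION-CODE(2) OPTION-LENGTH(2) FAMILY(2) SOURCE PREFIX-LENGTH(1)
# SCOPE PREFIX-LENGTH(1) ADDRESS(truncated to whole octets of the prefix)
ECS_OPTION_CODE = 8


def build_ecs_option(client_ip: str, source_prefix: Optional[int] = None) -> bytes:
    """ECS option for a query: the client address cut down to source_prefix bits.
    RFC 7871 recommends /24 for IPv4 and /56 for IPv6; SCOPE is 0 in a query.
    Bits beyond the prefix are zeroed before the address is truncated."""
    ip = ipaddress.ip_address(client_ip)
    family, default_len = (1, 24) if ip.version == 4 else (2, 56)
    if source_prefix is None:
        source_prefix = default_len
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr = net.network_address.packed[: (source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def ecs_opt_out() -> bytes:
    """The form a resolver that does not disclose clients sends upstream:
    SOURCE PREFIX-LENGTH 0 and no address (RFC 7871 describes this opt-out)."""
    body = struct.pack("!HBB", 1, 0, 0)
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(opt: bytes) -> dict:
    """Decode an ECS option as an authoritative would, rejecting inconsistent
    lengths (an address longer than the prefix implies is a disclosure bug)."""
    code, length = struct.unpack("!HH", opt[:4])
    if code != ECS_OPTION_CODE or length != len(opt) - 4 or length < 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", opt[4:8])
    addr = opt[8:4 + length]
    full = 4 if family == 1 else 16
    if len(addr) != (source + 7) // 8 or len(addr) > full:
        raise ValueError("address length does not match SOURCE PREFIX-LENGTH")
    ip = ipaddress.ip_address(addr + b"\x00" * (full - len(addr)))
    return {"family": family, "source_prefix": source, "scope_prefix": scope,
            "prefix": f"{ip}/{source}"}


if __name__ == "__main__":
    for opt in (build_ecs_option("203.0.113.77"),
                build_ecs_option("2001:db8:1234:5678::1"),
                ecs_opt_out()):
        print(opt.hex(), parse_ecs_option(opt))
```

The /24 case sends three address octets and the /56 case seven; a resolver that forwards the full /32 (the `source_prefix=32` variant is allowed by the wire format) discloses the exact client address, which is the configuration mistake to audit for when an upstream forwarder claims to "support ECS".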
Cache poisoning: Kaminsky, SAD DNS, and defences
Kaminsky (2008). Early resolvers used a 16-bit transaction ID and a fixed source UDP port, so only 65,536 values stood between an attacker and an accepted forgery. Kaminsky's contribution was the retry loop: trigger queries for random, uncached subdomains of the target zone (so each attempt starts a fresh race instead of waiting out a cached TTL), flood the resolver with forged replies, and put the poison not in the answer itself but in the Authority and Additional sections, which overwrite the zone's NS records and hand every later lookup for that zone to the attacker. Patch: RFC 5452 requires resolvers to randomise the source UDP port as well (~64K usable ports × 65,536 IDs, roughly 4 billion combinations a forged reply must hit).
0x20 encoding. The resolver randomises the case of each letter in the QNAME; well-behaved authoritatives copy the question back into the reply byte for byte, so a forged reply must also reproduce the case pattern. An attacker who cannot observe the query does not know the pattern, which adds one bit of entropy per letter (13 bits for www.example.com, 30 or more for longer names). Digits, hyphens and dots contribute nothing, and a few authoritatives lowercase the name in the reply, so an implementation needs a fallback for servers that do not preserve case.
SAD DNS (2020). Revived the threat by leaking the source port. Linux rate-limits ICMP errors with a global counter (1,000 per second by default), and that counter is observable from another machine. The attacker sends bursts of UDP probes to candidate ports on the resolver with the source address spoofed as the authoritative server; each probe that hits a closed port generates an ICMP port-unreachable and consumes one token of the global limit, while a probe that lands on the open query port does not. A final probe from the attacker's own address then reveals whether the limit was exhausted, and by bisecting the candidate range the attacker recovers the port in seconds, collapsing the ~4-billion search space back to the 65,536 transaction IDs. Linux mitigated by adding randomness to the global ICMP rate limit. Practical defence: DNSSEC, which makes a forged answer fail validation however it arrived, plus DoH, DoT or DoQ on the stub-to-resolver hop. The caveat a deployment needs to hear: the encrypted transport protects only the hop it runs on. A recursive resolver's own queries to authoritative servers are still plaintext UDP unless it validates DNSSEC (or the zone's servers offer authoritative DoT, which few do), so spoofing against the resolver itself is addressed by the kernel fix, port and 0x20 randomisation, and DNSSEC, not by a client's DoH.
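The checks above, as an added example that is not the page's or any resolver's code: a small model of a resolver's reply validation that combines a random transaction ID, a random source port, and a keyed 0x20 case pattern, plus a function that sizes the space a blind forger has to search when the port is and is not known (the SAD DNS situation). The HMAC-based derivation of the case pattern is this example's choice; real implementations use their own keyed or random schemes. The server addresses are documentation ranges.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example, not from the page. Models the resolver side of a plaintext UDP
# exchange; no packets are sent.


@dataclass
class PendingQuery:
    txid: int        # random 16-bit transaction ID
    src_port: int    # random ephemeral source port (RFC 5452)
    qname: str       # QNAME with the 0x20 case pattern applied
    upstream: str    # authoritative server the query was sent to


def apply_0x20(qname: str, key: bytes) -> str:
    """Deterministic per-name case pattern from a resolver secret, one bit per letter
    (assumed keying; the property that matters is that an off-path attacker cannot predict it)."""
    digest = hmac.new(key, qname.lower().encode("ascii"), hashlib.sha256).digest()
    out, bit = [], 0
    for ch in qname.lower():
        if ch.isalpha():
            out.append(ch.upper() if (digest[bit // 8] >> (bit % 8)) & 1 else ch)
            bit += 1
        else:
            out.append(ch)
    return "".join(out)


def entropy_bits_0x20(qname: str) -> int:
    """0x20 contributes one bit per letter; digits, hyphens and dots contribute none."""
    return sum(c.isalpha() for c in qname)


def guesses_per_reply(letters: int, port_known: bool) -> int:
    """Number of (ID, port, case pattern) combinations a blind forger must cover.
    port_known=True is the SAD DNS outcome: the port leak leaves only the ID and 0x20."""
    return 65536 * (1 if port_known else 64512) * (2 ** letters)


def send_query(qname: str, key: bytes, upstream: str) -> PendingQuery:
    """Issue a query: fresh random ID, fresh random port in 1024..65535, 0x20-encoded name."""
    return PendingQuery(
        txid=int.from_bytes(os.urandom(2), "big"),
        src_port=1024 + int.from_bytes(os.urandom(2), "big") % 64512,
        qname=apply_0x20(qname, key),
        upstream=upstream,
    )


def accept_reply(p: PendingQuery, src_ip: str, dst_port: int,
                 txid: int, echoed_qname: str) -> bool:
    """A reply is accepted only if every field matches; the QNAME comparison is
    case-sensitive, which is what turns 0x20 into extra entropy."""
    return (src_ip == p.upstream and dst_port == p.src_port
            and txid == p.txid and echoed_qname == p.qname)


if __name__ == "__main__":
    q = send_query("www.example.com", b"resolver-secret", "192.0.2.53")
    print(q)
    print("blind:", guesses_per_reply(entropy_bits_0x20("www.example.com"), port_known=False))
    print("port leaked:", guesses_per_reply(entropy_bits_0x20("www.example.com"), port_known=True))
```

The numbers from `guesses_per_reply` are the point: with the port leaked, a 13-letter name still leaves about 2^29 combinations per race, which is why 0x20 is worth enabling even after the kernel fix, and why none of this replaces DNSSEC for the resolver-to-authoritative hop.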
Exercise: a privacy-focused mobile app must choose an encrypted DNS protocol. Network conditions vary and port blocking is possible. Why does DoH defeat network-level domain censorship better than DoT?
EDNS Cookies (RFC 7873). A lightweight per-client/server-pair authentication mechanism carried in an EDNS option (code 10): the client sends an 8-byte client cookie derived from a client secret and the server's address; the server answers with a server cookie (8 to 32 bytes) computed from a server secret, the client cookie and the client's source address; the client then echoes both in later queries. Cookies encrypt nothing, but an off-path attacker who cannot observe the exchange cannot produce a valid cookie for a spoofed source address, so a server can give full answers only to clients that have proven they can receive replies and answer cookie-less queries minimally or with BADCOOKIE. Enabled at the resolver tier, that cuts reflection-and-amplification abuse by orders of magnitude, because the amplifying answers never go to spoofed addresses. BIND and Knot Resolver enable them by default. Caveat: some firewall middleboxes strip the EDNS Cookie option and silently break the protection, so check that clients actually receive server cookies through your edge.
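The cookie exchange, as an added example that is not the page's, BIND's or Knot's code: client and server cookies built with HMAC-SHA256 truncated to 64 bits (one of the constructions RFC 7873's appendix suggests), the option wire format with its length rules, and the server-side decision for a valid cookie, a cookie replayed from a spoofed source, a stale cookie, a first contact, and a cookie stripped by a middlebox. The 4-byte-timestamp plus 8-byte-MAC server-cookie layout is this example's choice, not the interoperable format later standardised in RFC 9018; secrets and addresses are constructed.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Added example, not from the page. EDNS COOKIE option (RFC 7873, code 10):
# OPTION-CODE(2) OPTION-LENGTH(2) CLIENT-COOKIE(8) [SERVER-COOKIE(8..32)]
COOKIE_OPTION_CODE = 10


def client_cookie(client_secret: bytes, server_ip: str) -> bytes:
    """8-byte client cookie: HMAC-SHA256-64(client secret, server address)."""
    return hmac.new(client_secret, server_ip.encode(), hashlib.sha256).digest()[:8]


def server_cookie(server_secret: bytes, ccookie: bytes, client_ip: str, ts: int) -> bytes:
    """12-byte server cookie (example layout): timestamp || HMAC-SHA256-64 over the
    client cookie, the timestamp and the client's source address. Binding the source
    address is what an off-path spoofer cannot reproduce."""
    ts_bytes = struct.pack("!I", ts)
    mac = hmac.new(server_secret, ccookie + ts_bytes + client_ip.encode(),
                   hashlib.sha256).digest()[:8]
    return ts_bytes + mac


def build_cookie_option(ccookie: bytes, scookie: bytes = b"") -> bytes:
    body = ccookie + scookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(body)) + body


def parse_cookie_option(opt: bytes) -> tuple:
    """Split into (client cookie, server cookie). Length must be 8 (client only)
    or 16..40 (client + 8..32 byte server cookie); anything else is malformed."""
    code, length = struct.unpack("!HH", opt[:4])
    if code != COOKIE_OPTION_CODE or length != len(opt) - 4:
        raise ValueError("not a COOKIE option")
    if length != 8 and not 16 <= length <= 40:
        raise ValueError("malformed COOKIE length")
    body = opt[4:]
    return body[:8], body[8:]


def verify_server_cookie(server_secret: bytes, ccookie: bytes, scookie: bytes,
                         client_ip: str, now: int, max_age: int = 3600) -> bool:
    """Recompute the cookie for the observed source address; reject stale or future timestamps."""
    if len(scookie) != 12:
        return False
    ts = struct.unpack("!I", scookie[:4])[0]
    if not now - max_age <= ts <= now + 300:
        return False
    return hmac.compare_digest(server_cookie(server_secret, ccookie, client_ip, ts), scookie)


def classify_query(server_secret: bytes, opt: Optional[bytes], client_ip: str, now: int) -> str:
    """Server decision: 'no-cookie' (unauthenticated: rate-limit or answer minimally),
    'valid' (full answer), or 'needs-server-cookie' (missing or wrong server cookie:
    issue a fresh one, or reply BADCOOKIE when under load)."""
    if opt is None:
        return "no-cookie"
    ccookie, scookie = parse_cookie_option(opt)
    if scookie and verify_server_cookie(server_secret, ccookie, scookie, client_ip, now):
        return "valid"
    return "needs-server-cookie"


if __name__ == "__main__":
    SS = b"server-secret"
    cc = client_cookie(b"client-secret", "9.9.9.9")
    sc = server_cookie(SS, cc, "198.51.100.10", 1_700_000_000)
    print(classify_query(SS, build_cookie_option(cc, sc), "198.51.100.10", 1_700_000_100))
    print(classify_query(SS, build_cookie_option(cc, sc), "203.0.113.5", 1_700_000_100))
```

The second call in the `__main__` block is the reflection case: a cookie captured from, or guessed for, one client is useless when replayed with a different spoofed source, because the source address is an input to the MAC. The "no-cookie" outcome is also what you will see for every client if a middlebox on the path strips the option.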
Anycast resolver routing
Public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) announce one IP prefix from dozens or hundreds of PoPs worldwide via BGP anycast. Each ISP's routers deliver traffic to whichever PoP their best BGP path reaches, normally the shortest AS path subject to local preference, which is not necessarily the geographically nearest one. Cloudflare has 100+ PoPs, Google ~40, Quad9 ~150. Pitfall: if your ISP peers with the operator only in a distant city, your traffic to "the nearest" PoP traverses that city, a typical 30 ms penalty. Diagnose with dig +short @1.1.1.1 whoami.cloudflare TXT CH, which reports the source address the resolver saw (useful for spotting a NAT or VPN egress that changes where you appear to be), and dig +short @1.1.1.1 id.server TXT CH, which reports the identifier of the PoP that answered.
1. An engineer claims EDNS Client Subnet is mandatory for accurate CDN geo-routing. Where is the flaw in that claim?
2. Describe the Kaminsky attack and the two defences that closed it.
3. What is the difference between what DoH/DoT provide and what DNSSEC provides?
Plaintext DNS over UDP port 53 exposes every domain query to ISPs and network observers. DoH (port 443) hides queries inside HTTPS, making them hard to tell apart from normal web traffic and resistant to port-blocking censorship. DoT (port 853) offers the same TLS encryption on a dedicated port that one firewall rule can block. DoQ (QUIC on UDP 853) adds per-stream queries, connection migration and 0-RTT for mobile environments. EDNS Client Subnet improves CDN geo-routing accuracy but discloses the client's IP prefix to every upstream authoritative; Cloudflare disables it by default. Cache poisoning via Kaminsky's 2008 attack and the 2020 SAD DNS side channel is mitigated by source-port randomisation, 0x20 encoding, EDNS Cookies and DNSSEC; an encrypted transport removes off-path injection on the hop it protects, while the resolver's own upstream queries still depend on those defences. Anycast routing sends traffic to the PoP the ISP's BGP path reaches, which is usually but not always the nearest; check which PoP answered with dig +short @1.1.1.1 id.server TXT CH and what source address it saw with dig +short @1.1.1.1 whoami.cloudflare TXT CH.