Encrypted Domain Name Service (DNS) ensures confidentiality, integrity and authentication for a critical internet protocol. There are no technical obstacles to implementation; recent standardization efforts have addressed operational gaps in connecting clients with encrypted resolvers. And there are notable success stories, yet overall usage remains low, less than 20% by our estimates. By comparison, Hypertext Transfer Protocol Secure (HTTPS) is the default protocol for 86% of web sites (W3Techs, 2024). End users interact directly with browsers and are more familiar with HTTP(S) than with DNS, which operates “under the hood”. They expect encrypted protocols to be used, even if a technical comparison of the two use cases is nuanced.
Growing tracking concerns have led to privacy-focused approaches such as oblivious DNS. It builds on encrypted DNS to prevent anyone, including network providers, from associating user identities with queries and answers. These services have been driven by device and operating system (OS) providers, such as Apple, who are using privacy to differentiate their ecosystems. Google has proposed a similar service; others may follow (Google, 2024).
These over-the-top services completely bypass the network provider’s DNS. That poses challenges for operators who rely on their DNS as a control plane, for troubleshooting, compliance, and as a foundation for value-added services such as security.
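The following is an added example, not code from this paper or from any vendor's oblivious DNS service. It models the split described above in Go: the client encrypts its query to the target resolver's public key, a proxy relays the ciphertext and is the only party that sees the client's address, and the target answers without ever seeing who asked. The cryptography is deliberately simplified and is an assumption of this example: X25519 plus a SHA-256 hash KDF and AES-256-GCM stand in for the HPKE construction that RFC 9230 specifies for Oblivious DoH, the wire layout is this example's own, the zone contents and the client address are constructed, and the "proxy" is just a function that forwards bytes without the client address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const pubLen = 32 // X25519 public key size

// Target is the oblivious resolver; clients hold only its public key.
type Target struct {
	priv *ecdh.PrivateKey
	zone map[string]string // constructed toy answers for the demo
}

func NewTarget() (*Target, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Target{priv: priv, zone: map[string]string{"example.com.": "192.0.2.1"}}, nil
}

func (t *Target) PublicKey() []byte { return t.priv.PublicKey().Bytes() }

// deriveAEAD runs X25519 with the peer key and hashes the secret into an
// AES-256-GCM key. This hash KDF is a stand-in for the HPKE that RFC 9230 uses.
func deriveAEAD(priv *ecdh.PrivateKey, peerPub, ephPub []byte) (cipher.AEAD, error) {
	pk, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil { return nil, err }
	shared, err := priv.ECDH(pk)
	if err != nil { return nil, err }
	key := sha256.Sum256(append(append([]byte("odoh-demo"), ephPub...), shared...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// sealTo appends nonce || AEAD(pt) to prefix; openFrom reverses it.
func sealTo(a cipher.AEAD, prefix, pt []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // crypto/rand aborts the process rather than return an error
	return append(append(prefix, nonce...), a.Seal(nil, nonce, pt, nil)...)
}

func openFrom(a cipher.AEAD, msg []byte) ([]byte, error) {
	if ns := a.NonceSize(); len(msg) >= ns+a.Overhead() {
		return a.Open(nil, msg[:ns], msg[ns:], nil)
	}
	return nil, errors.New("short message")
}

// Seal (client side) encrypts a query to the target's key as
// ephPub || nonce || ct and returns the AEAD needed to open the reply.
func Seal(targetPub []byte, query string) ([]byte, cipher.AEAD, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	ephPub := eph.PublicKey().Bytes()
	a, err := deriveAEAD(eph, targetPub, ephPub)
	if err != nil { return nil, nil, err }
	return sealTo(a, ephPub, []byte(query)), a, nil
}

// Resolve (target side) recovers the query and returns an encrypted answer.
// Malformed or tampered input yields an error, never a panic.
func (t *Target) Resolve(wire []byte) ([]byte, error) {
	if len(wire) < pubLen { return nil, errors.New("short message") }
	a, err := deriveAEAD(t.priv, wire[:pubLen], wire[:pubLen])
	if err != nil { return nil, err }
	q, err := openFrom(a, wire[pubLen:])
	if err != nil { return nil, err }
	answer, ok := t.zone[string(q)]
	if !ok { answer = "NXDOMAIN" }
	return sealTo(a, nil, []byte(answer)), nil
}

// Lookup plays client and proxy: the proxy sees clientAddr and opaque bytes,
// forwards only the bytes, so the target never learns clientAddr.
func Lookup(t *Target, clientAddr, query string) (string, error) {
	wire, a, err := Seal(t.PublicKey(), query)
	if err != nil { return "", err }
	fmt.Printf("proxy: %d opaque bytes from %s\n", len(wire), clientAddr)
	reply, err := t.Resolve(wire) // proxy -> target, without clientAddr
	if err != nil { return "", err }
	pt, err := openFrom(a, reply)
	return string(pt), err
}

func main() {
	t, err := NewTarget()
	if err != nil { panic(err) }
	fmt.Println(Lookup(t, "198.51.100.7", "example.com."))
}
```

The point for an operator is visible in what each party handles: the proxy's log line carries an address and a byte count but no name, and the target's zone lookup runs on a query that arrived without any client address. A network provider's own resolver appears nowhere in this path, which is exactly the visibility loss the paragraph above describes.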
Oblivious DNS services are new, and adoption is still low. Now is the time for ISPs to evaluate their DNS strategies to minimize the impact and disruption these services may cause to their business and operations.
This paper will provide a technical overview of oblivious DNS and give perspective on its adoption and direction. It will explain the recent standards for connecting clients with encrypted resolvers and what they mean to network providers. Finally, it will present best practices and recommendations, based on deployment experience, for implementing DNS encryption to maximize subscribers’ confidence in network-based services. Service providers have an opportunity to innovate and demonstrate their commitment to subscriber security and privacy while preserving the DNS visibility needed to meet regulatory requirements or enable subscriber-facing services.