Encryption without centralization: Distributing DNS queries across recursive resolvers

Abstract

Emerging protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) improve the privacy of DNS queries and responses. While this trend towards encryption is positive, deployment of these protocols has in some cases resulted in further centralization of the DNS, which introduces new challenges. In particular, centralization has consequences for performance, privacy, and availability; a potentially greater concern is that it has become more difficult to control the choice of DNS recursive resolver, particularly for IoT devices. Ultimately, the best strategy for selecting among one or more recursive resolvers may ultimately depend on circumstance, user, and even device. Accordingly, the DNS architecture must permit flexibility in allowing users, devices, and applications to specify these strategies. Towards this goal of increased de-centralization and improved flexibility, this paper presents the design and implementation of a refactored DNS resolver architecture that allows for de-centralized name resolution, preserving the benefits of encrypted DNS while satisfying other desirable properties, including performance and privacy.