How do DoH, DNSSEC, and QNAME Minimization Improve Privacy?

/ data privacy, DNS

The DNS system is the ever-reliable phone book of the Internet. It plays a large part in what makes today's Internet so easy to use and browse, as so many of us do.

But were you aware that the standard implementation of DNS is, by nature, highly insecure? Did you know that this insecurity poses a credible threat to most people's online privacy?

More importantly, are you aware of how DoH, DNSSEC and QNAME Minimization help to minimize the "natural" insecurity of the DNS system? Additionally, DoH, DNSSEC, and QNAME Minimization play a large role in maintaining decent privacy over your DNS requests.

Let us explain.

Understanding DNS's lack of security

When the Internet was born, no one really foresaw the Internet growing to be exactly what it is today. Therefore, there simply wasn't a huge emphasis placed on either security or privacy at the time.

In other words, the technologies that made the Internet back then possible weren't designed for security or privacy either. However, you may be surprised to learn that some of the underlying processes and infrastructure of the Internet's overall workings have fundamentally remained untouched.

Surprisingly, one of these underlying technologies that has largely remained the same is the DNS, otherwise commonly known as the "phone book of the Internet."

You can read up on the workings of DNS and get DNS provider recommendations on avoidthehack's dedicated DNS Provider page.

Now, this isn't to say that today's DNS is a carbon copy of what existed in the 90s. Naturally, advancements have been made over time - but these advancements are more like "updates" or "patches" versus completely new systems or technologies.

But to put it very simply - DNS has a disturbing lack of overall security.

In fact, the vulnerabilities found in "standard" DNS implementations can be considered critical. These critical vulnerabilities can easily be considered privacy threats as well and include:

  1. Lack of validation of DNS responses in a request

DNS is a hierarchical system, which is just a concise way of saying that DNS is formed by several subsystems organized into a level structure.

However, among these different levels there is no "standard" way to ensure that the responses passed between the levels come from, or go to, the appropriate servers.

  2. Lack of encryption

Standard DNS requests are unencrypted. The requests your device(s) make and the consequent responses are sent in plaintext as standard.

This means that anyone can see what DNS requests your devices are making. This isn't just limited to requests through your browser, either. Typically, any application on your device(s) can make a DNS request...

Which can mean that anyone snooping on your network can easily understand what passive or user-initiated requests your device is attempting to resolve or connect to.

  3. DNS Poisoning

DNS Poisoning is where an attacker successfully reroutes DNS traffic intended for one site to a fake and/or malicious version. There are different methods threat actors can use to carry this attack out.

Overall, these attacks are possible because the base system of DNS is insecure - there are no security features built in. You can think of it like an "honor system," where it takes one bad answer to really throw things off.

What's more is that DNS Poisoning is a lot like a virus in that it can spread from server to server, redirecting more and more traffic from the original intended domain to a fake one.

DNSSEC is a security protocol that helps defend against DNS Poisoning from the DNS/Website side of the exchange.

DoH and DoT

DoH = DNS-over-HTTPS.

As we just learned (or already knew) - DNS wasn't exactly designed with security or privacy in mind. So, naturally, standard DNS queries and responses are sent unencrypted. In other words, the traffic between your device and the DNS server(s) is sent over the network in plaintext format.

Ultimately, this means that anyone or any device that has access to your network can capture and easily see the entirety of your DNS requests.

DoH fixes this by encrypting the DNS resolution process via HTTPS. Therefore, when using the DoH protocol, your DNS requests (and the answers you receive from DNS resolvers) are encrypted while in transit. Ultimately, this means that your DNS traffic is essentially "unreadable" by anyone or any other device eavesdropping on your network.

In some cases, using DoH can help in masking your DNS requests from some bigger players, such as your Internet Service Provider (ISP). Additionally, DoH prevents the effectiveness of certain attack methods, such as man-in-the-middle attacks.
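To make the difference concrete, here is an added example (not code from the original post) that builds the same DNS query two ways: as the raw wire message an observer can read off a plaintext port-53 request, and as the RFC 8484 DoH GET form, where the message is base64url-encoded into a URL that travels inside TLS. The resolver URL `https://doh.example/dns-query` and the name `example.com` are constructed placeholders.

```python
import base64
import struct

def build_dns_query(qname: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS wire-format query (RFC 1035 header + question).
    The ID is 0, as RFC 8484 recommends for DoH GET requests, so identical
    queries produce identical URLs that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"                                             # root label
    return header + question + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_qname(wire: bytes) -> str:
    """What an on-path observer reads from a plaintext (port 53) query:
    the full name being looked up, in the clear."""
    pos, labels = 12, []
    while wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def doh_get_url(resolver_url: str, qname: str, qtype: int = 1) -> str:
    """Build the RFC 8484 GET form: the wire message goes in the 'dns'
    query parameter, base64url-encoded with padding removed. Sent over TLS,
    the URL (and the name inside it) is hidden from network observers."""
    wire = build_dns_query(qname, qtype)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"

if __name__ == "__main__":
    # Constructed example: "example.com" to a placeholder resolver URL.
    wire = build_dns_query("example.com")
    print("plaintext UDP/53 exposes:", parse_qname(wire))
    print("DoH GET (inside TLS):", doh_get_url("https://doh.example/dns-query", "example.com"))
    print("request header: Accept: application/dns-message")
```

Nothing is sent on the network; the block only shows what each form exposes, which is the point of the passage above.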

To gain the full privacy and security benefits from utilizing a DoH enabled DNS resolver, you must also make sure that the browsers on all applicable devices are utilizing HTTPS (as opposed to HTTP) as well. It makes little sense to use a DoH-enabled resolver if your regular browser traffic itself is using the standard HTTP protocol (and is otherwise unencrypted).

Even armed with the benefits of DoH explained here, it's important to note that most users should avoid enabling DoH in their browsers.


DNSSEC = DNS Security Extensions

DNSSEC has more to do with how your DNS resolver communicates with authoritative DNS servers when completing a request.

DNSSEC offers a way for servers involved in the DNS hierarchy to validate that the answer to their queries came from the appropriate "source." This is accomplished using cryptographically signed and authenticated keys for validation.

In fact, DNSSEC operates much like HTTPS does in a browser, in the sense that an SSL certificate is a way for a website to "prove" that it is who it says it is. With DNSSEC, the keys help validate that an authority is who it says it is.

DNSSEC helps prevent a response from a rogue DNS server from hijacking and/or modifying a query to point to an unintended (and frequently malicious) connection. As described above, DNSSEC helps prevent DNS Poisoning and Spoofing by malicious actors.

QNAME minimization

QNAME Minimization = Query Name Minimization

Per RFC 7816, the Internet Engineering Task Force (IETF) describes QNAME Minimization as "where the DNS Resolver no longer sends the full original QNAME to the upstream server."

What this is referring to is the tendency for DNS resolvers to send the full query through every DNS server involved in gathering the final result for your device's request.

Remember, DNS is a hierarchical system. Your DNS resolver typically queries a number of different root and authoritative servers to get the computer-readable IP address so you can connect to a specific website. Oftentimes, sending the full query to every server in the chain is unnecessary.

Let's take an example:

  • You want to visit
  • Your computer doesn't know which IP address points to so it sends a request to your DNS resolver
  • Your DNS resolver will send the request (where is .com?) to the DNS root for a list of Top-Level Domain (TLD) servers
  • Your resolver sends the request to a TLD server
  • The TLD server returns the appropriate authoritative server where the records for the domain are stored
  • Once the authoritative DNS server is "contacted," it will respond with the IP address of

In this example, it's not entirely necessary for your DNS resolver to forward the full query of to the DNS root server as all it will ever return is a list of TLD servers that handle .com.

This is where QNAME Minimization starts to come into play. By minimizing requests to the minimum level of information needed, we lower the amount of information attached to our query and the chance that our full query gets logged/stored/analyzed somewhere else in the chain.
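The walkthrough above, carried out as an added example (not code from the original post): a small simulation of the query sequence a resolver sends with and without QNAME Minimization. The name `www.example.com` and the delegation points in `ZONE_CUTS` are constructed stand-ins for what a real resolver learns from referrals, and the minimized steps follow RFC 7816 (one extra label per step, NS type until the full name is reached).

```python
def query_plan(qname, zone_cuts, qtype="A", minimize=True):
    """Return the list of (zone asked, name sent, qtype sent) needed to
    resolve qname starting at the root. zone_cuts is a constructed stand-in
    for the delegations a resolver discovers through referrals."""
    labels = qname.rstrip(".").split(".")
    full = ".".join(labels) + "."
    plan, zone = [], "."
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:]) + "."
        is_cut = name in zone_cuts
        if minimize:
            # RFC 7816: reveal one more label per step, asking NS until the
            # full name is reached, then the original query type
            plan.append((zone, name, qtype if name == full else "NS"))
        elif is_cut or name == full:
            # classic resolver: full name to every server along the path
            plan.append((zone, full, qtype))
        if is_cut:
            zone = name  # referral: the next query goes to this zone's servers
    if zone == full:
        # the full name is itself a zone apex, so the last answer was a
        # referral and one final query goes to the apex's own servers
        plan.append((zone, full, qtype))
    return plan

def labels_exposed_to(plan, zone):
    """Longest name a given server learns from the plan (None if never asked)."""
    names = [name for z, name, _ in plan if z == zone]
    return max(names, key=len) if names else None

if __name__ == "__main__":
    ZONE_CUTS = {".", "com.", "example.com."}  # constructed delegation structure
    for minimize in (False, True):
        print("minimized" if minimize else "classic")
        for zone, name, qtype in query_plan("www.example.com", ZONE_CUTS, minimize=minimize):
            print(f"  to {zone:13} ask {name:18} {qtype}")
```

With minimization the root server only ever sees `com.` and the `.com` servers only `example.com.`; without it every server on the path receives the full name.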

Final thoughts

DNS is extremely important for the working Internet as we know it today. However, the DNS system remains as notoriously insecure as it was back in the day.

Fortunately, DoH, DNSSEC, and QNAME Minimization are security protocols that can be used to improve both the privacy and security of users and their DNS requests.

It is highly encouraged to use DNS providers that implement this type of security technology on their DNS servers.

If you are looking for trusted DNS providers that implement these security technologies and value the privacy of their users, then check out avoidthehack's recommended DNS providers!

And as always, stay safe out there!
