K-resolver: Towards Decentralizing Encrypted DNS Resolution
This work addresses privacy concerns for internet users by decentralizing DNS resolution, though it is an incremental improvement over existing DoH/DoT methods.
The paper tackles the privacy issue of centralized DNS over HTTPS/TLS (DoH/DoT) by proposing K-resolver, a mechanism that disperses DNS queries across multiple resolvers to prevent any single resolver from learning a user's entire browsing history, with evaluation showing negligible overhead when using well-provisioned servers.
Centralized DNS over HTTPS/TLS (DoH/DoT) resolution, which has started being deployed by major hosting providers and web browsers, has sparked controversy among Internet activists and privacy advocates due to several privacy concerns. This design decision causes the trace of all DNS resolutions to be exposed to a third-party resolver, different than the one specified by the user's access network. In this work we propose K-resolver, a DNS resolution mechanism that disperses DNS queries across multiple DoH resolvers, reducing the amount of information about a user's browsing activity exposed to each individual resolver. As a result, none of the resolvers can learn a user's entire web browsing history. We have implemented a prototype of our approach for Mozilla Firefox, and used it to evaluate the performance of web page load time compared to the default centralized DoH approach. While our K-resolver mechanism has some effect on DNS resolution time and web page load time, we show that this is mainly due to the geographical location of the selected DoH servers. When more well-provisioned anycast servers are available, our approach incurs negligible overhead while improving user privacy.
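A sketch of the dispersal idea described above, as an added example that is not the paper's code or the Firefox prototype. It assumes the resolver is chosen by hashing the site name, so repeated lookups of one site always reach the same resolver; the resolver URLs, the function names and the browsing trace are constructed placeholders.

```python
import hashlib
from collections import defaultdict

# Hypothetical DoH endpoints (placeholders, not real services).
RESOLVERS = [
    "https://doh-a.example/dns-query",
    "https://doh-b.example/dns-query",
    "https://doh-c.example/dns-query",
    "https://doh-d.example/dns-query",
]

def site_key(hostname):
    """Group a hostname under its parent site.

    Simplification: keeps the last two labels. A real client would use
    the Public Suffix List to handle suffixes such as 'co.uk'.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def pick_resolver(hostname, resolvers=RESOLVERS):
    """Map a hostname to one resolver, stable across queries.

    A per-query random choice would, over repeated visits, reveal the
    same site to every resolver; hashing the site name avoids that.
    """
    digest = hashlib.sha256(site_key(hostname).encode("utf-8")).digest()
    return resolvers[int.from_bytes(digest[:8], "big") % len(resolvers)]

def exposure(hostnames, resolvers=RESOLVERS):
    """Return {resolver: set of sites that resolver would observe}."""
    seen = defaultdict(set)
    for h in hostnames:
        seen[pick_resolver(h, resolvers)].add(site_key(h))
    return dict(seen)

# Constructed browsing trace for illustration.
TRACE = [
    "www.news.example", "cdn.news.example", "mail.example.org",
    "shop.example.net", "clinic.example.com", "forum.example.io",
    "bank.example.co", "video.example.tv", "www.news.example",
]

if __name__ == "__main__":
    total = len({site_key(h) for h in TRACE})
    for resolver, sites in sorted(exposure(TRACE).items()):
        print(f"{resolver}: {len(sites)}/{total} sites {sorted(sites)}")
```

Running it prints, per resolver, the share of the trace that resolver would observe; with a single resolver that share is the whole history.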