
ODoQ: Oblivious DNS-over-QUIC

Aditya Kulkarni, Tamal Das, Vivek Balachandran

TL;DR

ODoQ addresses the privacy-versus-latency gap in DNS by introducing a proxy-based Oblivious DNS-over-QUIC flow that hides the client's identity from the recursive resolver while leveraging QUIC for low-latency, encrypted queries. It extends DoQ with a separate intermediary proxy that hides client IP addresses, using HPKE to encrypt the query to the resolver's public key and a per-query symmetric key to encrypt the response. The paper details the three-party protocol and how decryption-key rotation at the resolver is handled, and observes that ODoQ can achieve fewer round trips than DoT and DoH while improving privacy; prototyping and performance comparison are left as future work. The approach aims to make privacy-preserving DNS practical at low latency in real-world deployments.

Abstract

The Domain Name System (DNS), which converts domain names to their respective IP addresses, has seen a series of enhancements aimed at safeguarding DNS data and users' identity from attackers. The recent privacy-focused advancements have led the IETF to standardize several protocols. Nevertheless, these protocols tend to focus on either strengthening user privacy (like Oblivious DNS and Oblivious DNS-over-HTTPS) or reducing resolution latency (as demonstrated by DNS-over-QUIC). Achieving both within a single protocol remains a key challenge, which we address in this paper. Our proposed protocol -- 'Oblivious DNS-over-QUIC' (ODoQ) -- leverages the benefits of the QUIC protocol and incorporates an intermediary proxy server to protect the client's identity from exposure to the recursive resolver.
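The three-party flow the TL;DR and abstract describe (the client seals its query to the resolver's public key, the proxy forwards the sealed query without learning the name, the resolver answers under a symmetric key chosen for that one query, and the resolver periodically rotates its decryption key) as an added Python model. This is not the paper's code or its message encoding: it replaces the HPKE suite with stand-in primitives from the standard library (finite-field DH on a 2048-bit MODP group, HKDF-SHA256, an HMAC-based AEAD), so the wire layout, the 8-byte key_id, the error strings, the documentation-range IP addresses and the one-record stub zone are all assumptions, and the QUIC transport between the parties is not modelled.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP prime, intended to be RFC 3526 group 14 (generator 2); check the constant
# against the RFC before reuse. A real stack would use an HPKE KEM such as X25519 instead.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G, PLEN, ZERO_NONCE = 2, 256, b"\x00" * 12  # generator, element size, nonce for fresh-key seals


def hkdf(ikm, salt, info, length):  # HKDF-SHA256 (RFC 5869): extract, then expand
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + t, i + 1
    return okm[:length]


def seal(key, nonce, aad, pt):  # stand-in AEAD: HKDF keystream + HMAC tag (real HPKE: AES-GCM)
    ct = bytes(a ^ b for a, b in zip(pt, hkdf(key, nonce, b"keystream", len(pt))))
    return ct + hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:16]


def open_(key, nonce, aad, sealed):
    ct, tag = sealed[:-16], sealed[-16:]
    want = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("AEAD tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, hkdf(key, nonce, b"keystream", len(ct))))


class Resolver:  # target resolver: a rotating set of decryption keys indexed by key_id
    def __init__(self):
        self.keys, self.seen_sources = {}, []
        self.zone = {b"example.com": b"93.184.216.34"}  # constructed stub answer

    def rotate(self):  # new key pair; (key_id, pk) is published out of band
        sk = secrets.randbits(256)
        pk = pow(G, sk, P).to_bytes(PLEN, "big")
        key_id = hashlib.sha256(pk).digest()[:8]
        self.keys[key_id] = sk
        return key_id, pk

    def handle(self, src_ip, envelope):
        self.seen_sources.append(src_ip)  # the resolver only ever sees the proxy's address
        key_id, epk, body = envelope[:8], envelope[8:8 + PLEN], envelope[8 + PLEN:]
        sk = self.keys.get(key_id)
        if sk is None:  # key rotated away: the client must refetch the current public key
            return b"ERR:stale-key-id"
        if not 1 < (e := int.from_bytes(epk, "big")) < P - 1:  # reject degenerate values
            return b"ERR:bad-ephemeral-key"
        ss = pow(e, sk, P).to_bytes(PLEN, "big")
        try:
            pt = open_(hkdf(ss, key_id, b"odoq query", 32), ZERO_NONCE, key_id, body)
        except ValueError:
            return b"ERR:decrypt-failed"
        resp_key, qname = pt[:32], pt[32:]  # per-query response key chosen by the client
        nonce = secrets.token_bytes(12)
        return b"OK:" + nonce + seal(resp_key, nonce, b"", self.zone.get(qname, b"NXDOMAIN"))


class Proxy:  # oblivious proxy: learns the client IP and envelope size, never the query
    def __init__(self, resolver, ip="198.51.100.7"):
        self.resolver, self.ip, self.log = resolver, ip, []

    def relay(self, client_ip, envelope):
        self.log.append((client_ip, len(envelope)))
        return self.resolver.handle(self.ip, envelope)


def client_query(key_id, resolver_pk, qname):  # encapsulate to the resolver's public key
    esk = secrets.randbits(256)
    epk = pow(G, esk, P).to_bytes(PLEN, "big")
    ss = pow(int.from_bytes(resolver_pk, "big"), esk, P).to_bytes(PLEN, "big")
    resp_key = secrets.token_bytes(32)  # fresh symmetric key, valid for this response only
    body = seal(hkdf(ss, key_id, b"odoq query", 32), ZERO_NONCE, key_id, resp_key + qname)
    return key_id + epk + body, resp_key


def client_decrypt(reply, resp_key):
    return reply if not reply.startswith(b"OK:") else open_(resp_key, reply[3:15], b"", reply[15:])


def run_demo():
    resolver = Resolver()
    proxy, client_ip = Proxy(resolver), "203.0.113.5"
    key_id, pk = resolver.rotate()
    env, rk = client_query(key_id, pk, b"example.com")
    answer = client_decrypt(proxy.relay(client_ip, env), rk)
    tampered_reply = proxy.relay(client_ip, env[:-1] + bytes([env[-1] ^ 1]))  # proxy flips a byte
    resolver.keys.pop(key_id)  # rotation: the old decryption key is withdrawn
    new_id, new_pk = resolver.rotate()
    stale_reply = proxy.relay(client_ip, client_query(key_id, pk, b"example.com")[0])
    env2, rk2 = client_query(new_id, new_pk, b"example.com")
    return {"answer": answer, "tampered_reply": tampered_reply, "stale_reply": stale_reply,
            "answer_after_rotation": client_decrypt(proxy.relay(client_ip, env2), rk2),
            "resolver_saw": resolver.seen_sources, "proxy_saw": [ip for ip, _ in proxy.log]}
```

Running `run_demo()` shows the split the protocol relies on: the proxy's log holds only the client address and envelope sizes, while the resolver's source list holds only the proxy address, and neither party alone can link a name to a client. The envelope carries the key_id as AEAD associated data, so after rotation a query sealed under the retired key is rejected with a stale-key error rather than decrypted, which is the signal the client needs to refetch the resolver's current public key; a proxy that modifies the ciphertext gets a decryption failure, not a forged answer.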

Paper Structure

This paper contains 4 sections and 4 figures.

Figures (4)

  • Figure 1: DNS Resolution
  • Figure 2: DNS Evolution
  • Figure 3: ODoQ protocol
  • Figure 4: Handshake process of (a) TCP + TLS 1.2, (b) TCP + TLS 1.3, and (c) QUIC connection.