Designing for Tussle in Encrypted DNS

ABSTRACTRecent concerns over the privacy implications of the Domain Name System (DNS) have led to encrypting DNS queries and responses through protocols like DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). Although the trend towards encryption is a positive development, the accompanying centralization of the DNS has fomented tussles involving ISPs, browser and device vendors, content delivery networks, and users. This paper articulates several current DNS tussles and offers principles to guide system design and implementation such that all stakeholders in the space could participate. We argue that refactoring name resolution in a stub resolver that is separate from devices and applications can preserve the benefits of encrypted DNS while satisfying other architectural desiderata, including performance, resilience, and privacy.