The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for host-names with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS(ODoH) safeguards against this problem. In this paper we ask what it would take to make ODoH practical? We describe ODoH, a practical DNS protocol aimed at resolving this issue by both protecting the client's content and identity. We implement and deploy the protocol, and perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption, while improving client privacy, making ODoH a practical privacy enhancing replacement for the usage of DNS.

中文翻译：

---

HTTPS上的遗忘DNS（ODoH）：DNS的实用隐私增强

域名系统（DNS）是可人类使用的Internet的基础，它响应客户端对具有相应IP地址和记录的主机名的查询。传统的DNS也是未加密的，会将用户信息泄漏给网络运营商。最近使用TLS上的DNS（DoT）和HTTPS上的DNS（DoH）来保护DNS的努力日趋流行，表面上保护了流量并向旁观者隐藏了内容。但是，对DoT和DoH的批评之一是由少量的大规模部署（例如Comcast，Google，Cloudflare）引起的：DNS解析器可以将查询内容与IP地址形式的客户端身份相关联。HTTPS（ODoH）上的遗忘DNS可以防止此问题。在本文中，我们问如何使ODoH实用？我们描述ODoH，一种旨在通过保护客户端的内容和身份来解决此问题的实用DNS协议。我们实施并部署了该协议，并进行了测量，以显示ODoH具有与DoH和DoT等协议相媲美的性能，这些协议已得到广泛采用，同时改善了客户端隐私，使ODoH成为实用的隐私增强功能，可替代DNS的使用。