Oblivious DNS over HTTPS: Hiding Client Identity in Modern DNS Resolution
- by Staff
The Domain Name System, while foundational to the operation of the internet, has historically lacked robust privacy protections. Each DNS query traditionally reveals not only the domain name being resolved but also the IP address of the client making the request. This exposure enables on-path observers, such as internet service providers, governments, or malicious entities, to track user behavior by simply monitoring DNS traffic. Even encrypted DNS protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) have improved confidentiality by encrypting the communication channel but still leave a critical piece of metadata exposed: the identity of the client to the resolver. In response to this limitation, a novel approach called Oblivious DNS over HTTPS (ODoH) was developed to protect user privacy even further by cryptographically separating the client’s identity from the content of their DNS queries.
ODoH, first formalized in the Internet Engineering Task Force through RFC 9230, builds upon the DoH framework but introduces a relay mechanism and a public key encryption layer to obscure the source of the query from the DNS resolver. In a traditional DoH model, a client directly contacts a DoH-compatible resolver over HTTPS, encrypting the query in transit but still associating it with the client’s IP address. While this prevents third parties from eavesdropping, the resolver still sees both who is asking and what they are asking for. ODoH changes this dynamic by introducing a third party—a relay—between the client and the target resolver. The relay is a proxy that forwards encrypted DNS queries from the client to the resolver and returns responses back, all without being able to see the decrypted query itself.
The ODoH process begins when a client selects a target resolver and obtains its public key, which it uses to encrypt the DNS query. This encrypted payload is then sent to the relay over HTTPS. The relay, unaware of the contents of the payload, forwards it to the designated ODoH target resolver, also over HTTPS. The resolver uses its private key to decrypt the query, processes it like any normal DNS request, and then encrypts the response using a key derived from the initial encrypted request. The encrypted response is returned to the relay, which forwards it to the client. At no point in this process does the relay know the content of the query, nor does the resolver know the identity of the client, assuming the relay and the resolver do not collude.
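The query flow just described (client encrypts to the target's public key, relay forwards opaque bytes, target answers under a key bound to the request) is easiest to see with each party's view written down. The following Go program is an added illustration, not code from RFC 9230 or from any ODoH implementation: it stands in X25519 key agreement, HKDF-SHA256 and AES-256-GCM from the Go standard library for the RFC's HPKE ciphersuite, uses a simplified wire format (ephemeral public key followed by the sealed query), constructed TEST-NET addresses, a constructed one-line answer, and key-derivation labels that are assumptions rather than RFC values. It also shows the failure mode a target must handle: a message it cannot authenticate is rejected before anything about it is logged.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on errors that can only mean a broken runtime (key generation, AES setup).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// hkdf32 is HKDF-SHA256 (extract, then a single expand block) producing a 32-byte key.
func hkdf32(secret, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// Assumed labels (not RFC 9230's) for the two keys derived from one key agreement.
var reqLabel, respLabel = []byte("example request key"), []byte("example response key")

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal prefixes a random 12-byte nonce to the AES-256-GCM ciphertext; open strips and checks it.
func seal(key, pt, aad []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return gcm(key).Seal(nonce, nonce, pt, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	return gcm(key).Open(nil, sealed[:12], sealed[12:], aad)
}

// EncryptQuery is the client step: an ephemeral X25519 agreement with the target's key yields the
// request key and, bound to that same agreement, the response key. msg = ephPub || seal(query).
func EncryptQuery(targetPub, query []byte) (msg, respKey []byte) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	ss := must(eph.ECDH(must(ecdh.X25519().NewPublicKey(targetPub)))) // targetPub is trusted config
	ephPub := eph.PublicKey().Bytes()
	reqKey, respKey := hkdf32(ss, ephPub, reqLabel), hkdf32(ss, ephPub, respLabel)
	return append(ephPub, seal(reqKey, query, ephPub)...), respKey
}

// Target is the resolver: it sees the plaintext name but only the relay's address.
type Target struct {
	priv *ecdh.PrivateKey
	Seen []string
}

// Handle is the target step; its input comes off the network, so it returns errors, never panics.
func (t *Target) Handle(from string, msg []byte) ([]byte, error) {
	if len(msg) < 32+12+16 { // ephemeral key, nonce and GCM tag at minimum
		return nil, fmt.Errorf("message too short")
	}
	ss, err := t.priv.ECDH(must(ecdh.X25519().NewPublicKey(msg[:32]))) // length already checked
	if err != nil {
		return nil, err // low-order point
	}
	query, err := open(hkdf32(ss, msg[:32], reqLabel), msg[32:], msg[:32])
	if err != nil {
		return nil, err // tampered or misrouted: no answer and no plaintext log line
	}
	t.Seen = append(t.Seen, from+" asked for "+string(query))
	answer := fmt.Sprintf("%s A 192.0.2.1", query) // constructed answer with a TEST-NET address
	return seal(hkdf32(ss, msg[:32], respLabel), []byte(answer), msg[:32]), nil
}

// Relay forwards opaque bytes: it learns the client's address, never the name.
type Relay struct{ Seen []string }

func (r *Relay) Forward(clientIP string, msg []byte, t *Target) ([]byte, error) {
	r.Seen = append(r.Seen, fmt.Sprintf("%s sent %d opaque bytes", clientIP, len(msg)))
	return t.Handle("198.51.100.9", msg) // the constructed relay address is all the target sees
}

// RunExchange does one client -> relay -> target -> relay -> client round trip.
func RunExchange(clientIP, name string) (string, *Relay, *Target, error) {
	target, relay := &Target{priv: must(ecdh.X25519().GenerateKey(rand.Reader))}, &Relay{}
	msg, respKey := EncryptQuery(target.priv.PublicKey().Bytes(), []byte(name))
	sealed, err := relay.Forward(clientIP, msg, target)
	if err != nil {
		return "", relay, target, err
	}
	answer, err := open(respKey, sealed, msg[:32])
	return string(answer), relay, target, err
}

func main() {
	answer, relay, target, err := RunExchange("203.0.113.7", "example.com.")
	fmt.Println(answer, relay.Seen, target.Seen, err)
}
```

Running it prints the decrypted answer next to the two logs: the relay's entry holds the client address and a byte count, the target's entry holds the relay address and the name. Neither log alone links 203.0.113.7 to example.com., which is the non-collusion property the paragraph above relies on. Note what the target does not do: a message it cannot open is refused before any logging, so a forged or replayed blob yields no plaintext for an attacker to confirm.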
This separation of duties provides a significant privacy benefit. By ensuring that no single entity can observe both the client IP and the DNS query content, ODoH makes it significantly harder for any intermediary or service provider to construct detailed profiles of user activity based on DNS traffic. This approach addresses one of the most persistent privacy concerns in internet architecture—the unavoidable visibility of DNS lookups—and it does so without requiring major changes to existing client or server software stacks beyond support for the ODoH protocol.
The deployment of ODoH has been driven by privacy-centric organizations and browser developers, with early implementations integrated into platforms like Firefox in collaboration with Cloudflare. These deployments often utilize a dual-provider model, where one entity operates the relay and another operates the resolver, to reduce the likelihood of collusion and enhance trustworthiness. In addition to browser-based clients, ODoH support is gradually being integrated into mobile platforms and system resolvers, expanding its potential impact across the broader internet user base.
Operationally, ODoH introduces some challenges, including the need for coordination between relays and target resolvers and the additional latency introduced by proxying traffic. The cryptographic overhead and additional network hop can slightly delay query resolution, although optimizations in implementation and caching strategies have mitigated many of these concerns in practice. From a security perspective, ODoH must also be resilient against various attacks, including replay attacks, denial-of-service targeting the relay, and potential attempts by adversaries to correlate timing and volume patterns across the relay and resolver. These risks are actively being addressed in evolving protocol enhancements and through careful architectural design, such as load balancing and randomized request routing.
From a policy and regulatory standpoint, ODoH raises important considerations. By limiting visibility into DNS traffic, it challenges traditional models of content filtering, parental controls, and network-level security monitoring. This tension between privacy and oversight is not new in internet governance, but ODoH intensifies the debate by removing the possibility of passive surveillance even by trusted network operators. As such, its adoption has been met with both praise from privacy advocates and scrutiny from regulatory bodies concerned about transparency, cybersecurity, and lawful intercept capabilities.
Nonetheless, ODoH represents a significant and thoughtful evolution in the DNS ecosystem. It aligns with a broader trend in internet protocol design that prioritizes user privacy and minimizes metadata exposure, following similar developments in areas such as TLS encryption, encrypted Server Name Indication (SNI), and QUIC transport. Together, these changes are reshaping the expectations of user anonymity and data protection at the network layer.
In conclusion, Oblivious DNS over HTTPS is a powerful response to longstanding privacy gaps in the Domain Name System. By decoupling the client’s identity from the content of their DNS queries, it offers a technically elegant and practically effective solution to DNS surveillance. While still in the early stages of widespread adoption, ODoH sets a new standard for what privacy-respecting internet infrastructure can look like, paving the way for a future where users can navigate the digital world with greater assurance that their most basic actions—looking up a name—are not being quietly observed.