Privacy‑Preserving DNS Telemetry Collection

The Domain Name System is a critical component of internet infrastructure, silently resolving domain names into IP addresses billions of times per day. For operators, researchers, and security teams, DNS telemetry—data about how and when DNS queries are made—is invaluable. It enables performance optimization, detection of abuse patterns, identification of emerging threats, and measurement of adoption for new protocols or standards. Yet, the very act of collecting DNS telemetry raises complex ethical and technical challenges, especially around user privacy. DNS queries inherently expose user intent, often in granular and sensitive ways, such as revealing browsing habits, personal interests, or even medical and financial concerns. As privacy expectations grow and legal frameworks like the GDPR and CCPA gain traction, the need for privacy‑preserving DNS telemetry collection has become an urgent focus within the DNS ecosystem.

At the heart of the privacy challenge is the fact that DNS queries are typically initiated by end-user devices or applications, and resolvers act as intermediaries between those clients and authoritative name servers. A resolver, especially a large public or enterprise-grade one, sits in a privileged position, observing all domain lookups initiated by its users. This visibility can be exploited for positive purposes, such as spotting botnet command-and-control traffic or measuring the impact of DNS-based outages. But it also presents risks. When telemetry is gathered without sufficient controls, it can be used to track individuals, link identities to browsing behavior, or correlate activity across different sessions and devices.

Historically, DNS telemetry has often been collected in raw or semi-processed form. Full query logs, including timestamps, source IP addresses, queried domain names, and resolver response data, are typically stored for operational analysis. This practice, while useful from a network management perspective, is problematic from a privacy standpoint. IP addresses can often be linked to specific individuals, especially in home or mobile contexts, and even when IPs are removed, domain query patterns alone can form behavioral fingerprints.

To address these issues, a growing body of work has emerged to develop methods for collecting DNS telemetry in a privacy-preserving manner. One of the foundational strategies is data minimization—the principle of collecting only what is strictly necessary. Instead of logging full IP addresses, resolvers can truncate or anonymize them, for example by zeroing out the last octet of IPv4 addresses or using prefix aggregation for IPv6. This reduces the granularity of the data while preserving its utility for aggregate analysis.

Another key technique involves sampling. Rather than collecting data on every query, a resolver may collect telemetry for a small, randomized subset. This statistical sampling approach can still yield meaningful insights at scale, particularly when the sampling logic is carefully designed to avoid introducing bias. Combined with hashing techniques or encryption at collection time, this approach significantly limits the exposure of user-identifiable information.

More advanced models introduce cryptographic privacy-preserving telemetry systems. One such approach involves the use of differential privacy, a mathematical framework that adds noise to telemetry data before it is collected or analyzed. Differential privacy ensures that no single user’s query behavior can significantly affect the output of an analysis, making it extremely difficult to re-identify individuals. Apple and Google have implemented variants of differential privacy in other telemetry contexts, and similar principles are being explored for DNS data.

In tandem with algorithmic protections, new protocols are being proposed to shift how DNS telemetry is requested and shared. Oblivious DNS-over-HTTPS (ODoH) is one such innovation that helps separate query originators from the content of their queries. In ODoH, a client encrypts its DNS query and sends it through a proxy to the resolver. The resolver sees the query but not the client’s IP address, while the proxy sees the IP address but not the query. This decoupling makes it harder for any single party to track user behavior, even if DNS telemetry is being collected at one of the endpoints.

Efforts are also being made to provide transparency and user control around DNS telemetry. Some resolvers now offer public documentation of their data retention and telemetry practices, including what data is logged, how long it is stored, and for what purposes it is used. This transparency is bolstered by privacy-preserving resolver software such as dnsdist, which includes granular logging controls, and by public resolvers like Quad9, which explicitly commit to not retaining or monetizing user-level DNS data. These transparency measures are essential for building trust in the infrastructure, especially as more applications and operating systems shift to encrypted DNS by default.

Privacy-preserving telemetry is not solely the responsibility of resolvers. Authoritative name servers also collect telemetry in the form of query logs, often without clear knowledge of the originating client due to recursive resolution. Even so, techniques such as QNAME minimization, which reduces the amount of information sent upstream by resolvers, help limit the exposure of user-specific query patterns to authoritative servers. Meanwhile, techniques like passive DNS replication—where DNS responses are collected for historical analysis—are being revisited to ensure they align with modern privacy expectations.

Ultimately, effective privacy-preserving DNS telemetry requires balancing operational utility with user protection. For security researchers, real-time access to DNS query patterns is vital for detecting malware domains, tracking domain generation algorithms (DGAs), and monitoring DNS abuse. For operators, telemetry supports service quality and debugging. But for users, privacy is paramount, and the risks of unchecked data collection are real. To reconcile these needs, a combination of policy, protocol design, and technical innovation is essential.

The evolution of DNS toward encrypted, policy-driven, and application-integrated behavior reflects a broader shift in internet architecture toward privacy by design. As part of this transformation, DNS telemetry must evolve as well—not by eliminating visibility entirely, but by redefining how visibility is granted, scoped, and secured. Privacy-preserving DNS telemetry is not merely a technical challenge but a social contract: a promise that the infrastructure we depend on will strive to protect both functionality and the rights of its users. As standards mature and adoption increases, these efforts will help ensure that DNS remains a trustworthy and responsible cornerstone of the modern internet.

The Domain Name System is a critical component of internet infrastructure, silently resolving domain names into IP addresses billions of times per day. For operators, researchers, and security teams, DNS telemetry—data about how and when DNS queries are made—is invaluable. It enables performance optimization, detection of abuse patterns, identification of emerging threats, and measurement of…