Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web


Austin Hounsel, Kevin Borgolte, Paul Schmitt, Jordan Holland, Nick Feamster


July 2019 Full paper


Essentially all Internet communication relies on the Domain Name System (DNS), which first maps a human-readable Internet destination or service to an IP address before two endpoints establish a connection to exchange data. Today, most DNS queries and responses are transmitted in cleartext, making them vulnerable to eavesdroppers and traffic analysis. Past work has demonstrated that DNS queries can reveal everything from browsing activity to user activity in a smart home. To mitigate some of these privacy risks, two new protocols have been proposed: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). Rather than sending queries and responses as cleartext, these protocols establish encrypted tunnels between clients and resolvers. This fundamental architectural change has implications for the performance of DNS, as well as for content delivery. In this paper, we measure the effect of DoH and DoT on name resolution performance and content delivery.

We find that although DoH and DoT response times can be higher than for conventional DNS (Do53), DoT can perform better than both protocols in terms of page load times, and DoH can at best perform indistinguishably from Do53. However, when network conditions degrade, webpages load quickest with Do53, with a median of almost 0.5 seconds faster compared to DoH. Furthermore, in a substantial number of cases, a webpage may not load at all with DoH, while it loads successfully with DoT and Do53. Our in-depth analysis reveals various opportunities to readily improve DNS performance, for example through opportunistic partial responses and wire format caching.

  title       = {{Analyzing the Costs (and Benefits) of DNS, DoT, and DoH for the Modern Web}},
  author      = {Hounsel, Austin and Borgolte, Kevin and Schmitt, Paul and Holland, Jordan and Feamster, Nick},
  date        = {2019-07-18},
  eprint      = {1907.08089},
  eprintclass = {cs.NI},
  eprinttype  = {arxiv},
  note        = {Full paper},
  url         = {}