The Promise and the Problem With Encrypted DNS
For years, the security community pushed for encrypted DNS as a foundational privacy upgrade for the modern internet. Protocols like DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) answered that call. They wrap your DNS queries in layers of encryption, ensuring that anyone watching a network link cannot read the domain names your device is looking up. On the surface, this sounds like a complete solution. In practice, it is not—and new research is making that gap impossible to ignore.
A recent study has confirmed what security researchers have long suspected: encrypted DNS still leaks enough information to tell a motivated eavesdropper exactly where your traffic is headed. The encryption protects the message inside each packet, but the packet itself still carries plaintext headers. Those headers, combined with observable traffic patterns such as timing, packet size, and flow frequency, are enough to fingerprint DNS activity and correlate it back to specific devices and destinations. The content stays hidden. The context does not.
Understanding How DNS Encryption Works—and Where It Falls Short
To appreciate the vulnerability, it helps to understand what encrypted DNS protocols actually protect. When you type a URL into your browser, your device first sends a DNS query asking for the IP address associated with that domain. Traditionally, that query traveled across the network in plaintext, visible to your internet service provider, network administrators, or anyone capable of intercepting traffic along the route.
DNS over HTTPS and its relatives change that by encrypting the payload of the DNS query, tucking it inside an encrypted session so that the domain name itself cannot be read. What these protocols do not change is the structure of the surrounding network communication. Packet headers must remain readable so that routers can direct traffic to the correct destination. Metadata about packet sizes, transmission intervals, and connection behavior flows freely because the underlying transport layer requires it.
This is where the privacy promise breaks down. An eavesdropper does not need to read a DNS query to learn something meaningful from it. By analyzing the observable characteristics of encrypted DNS flows, an attacker can apply traffic analysis techniques to infer which domains a device is querying—even without decrypting a single byte.
What the New Research Found About IoT Devices
The study focused specifically on Internet of Things devices, a category that represents one of the fastest-growing segments of network-connected hardware in both homes and enterprise environments. IoT devices are an especially interesting target for DNS traffic analysis because their behavior tends to be highly predictable and repetitive. A smart thermostat, a connected camera, or a voice assistant sends DNS queries on regular schedules to a small, consistent set of destinations. That predictability makes traffic fingerprinting significantly easier.
Researchers modeled the capabilities of a passive eavesdropper positioned to observe network traffic at the link level. Even with all DNS content encrypted, the observer could identify device types and associated communication patterns by examining flow-level metadata alone. Packet timing, query frequency, burst patterns, and the volume of data transferred in each exchange all served as identifiers. The study found that this kind of analysis could accurately classify IoT devices and predict their likely query targets without breaking any encryption.
The implications extend well beyond the IoT category. While smart home gadgets represent a clear and measurable test case, the same traffic analysis methods apply to smartphones, laptops, and any other networked device. Encrypted DNS reduces the ease of casual surveillance, but it does not eliminate the ability of a sophisticated observer to draw meaningful inferences from what remains visible.
Why Metadata Leakage Is a Serious Privacy Concern
Some readers may wonder whether this type of inferential analysis constitutes a real threat. After all, if no one can read the actual domain names, does pattern observation truly matter? The answer is yes, and it matters quite a lot.
Traffic analysis has a long history as a surveillance tool precisely because metadata is often more revealing than content. Knowing that a device sends encrypted queries to a specific category of service at predictable intervals can expose device type, user behavior, software usage, and even personal habits. In the context of IoT devices, it can reveal whether someone is home, when they wake up, which health monitoring tools they use, and what media services they subscribe to. In enterprise environments, it can expose internal tooling, vendor relationships, and operational patterns.
From a regulatory and compliance standpoint, metadata leakage also complicates the privacy assurances that organizations make to users and customers. Deploying encrypted DNS while remaining unaware of its metadata exposure leaves a meaningful gap between stated privacy goals and actual protection delivered.
Proposed Mitigations and the Road Ahead
The research team did not simply document the problem—they also examined approaches to reduce metadata leakage. Among the mitigations explored are traffic shaping techniques, which normalize packet sizes and timing patterns to obscure behavioral fingerprints. Padding strategies, already incorporated into some DNS protocol specifications, help reduce the information value of individual packet sizes. Aggregation methods that batch queries and responses can blur timing correlations that would otherwise make individual devices identifiable.
None of these solutions is a complete fix on its own. Traffic shaping adds latency and bandwidth overhead. Padding narrows but does not eliminate observable variation. Aggregation introduces delays that may be unacceptable for latency-sensitive applications. Combining multiple techniques provides the strongest protection, but implementation complexity increases accordingly.
What Network Administrators and Security Teams Should Do Now
Organizations and individuals who have deployed encrypted DNS should treat it as one layer in a broader privacy and security architecture rather than a standalone solution. Consider the following steps to reduce exposure:
- Enable query padding on DNS resolvers and clients where the option is supported, as this reduces packet-size-based fingerprinting.
- Use a trusted recursive resolver that implements privacy-preserving features and publishes a clear data retention and logging policy.
- Segment IoT devices onto dedicated network zones with controlled DNS forwarding, limiting the traffic visible to any single observer.
- Monitor DNS traffic patterns internally so that anomalous flows can be detected before external parties exploit them.
- Stay current with protocol developments, including Oblivious DNS over HTTPS (ODoH), which adds an additional layer of separation between the client and the resolver to further limit metadata exposure.
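To make the packet-size side of this concrete, here is an added example (not code from the study or from this article) that builds raw DNS query messages for a few constructed IoT-style hostnames, shows that their unpadded wire lengths differ per name, and then applies the EDNS(0) Padding option (RFC 7830) under the block-length policy of RFC 8467, which pads queries to a multiple of 128 bytes so they all collapse to one size. The hostnames, transaction ID and the 1232-byte UDP payload size are assumed values chosen for the demonstration.

```python
import struct

BLOCK_QUERY = 128       # RFC 8467 block-length policy: queries padded to a multiple of 128 bytes
EDNS_PADDING_OPT = 12   # EDNS(0) option code for Padding (RFC 7830)
EDNS_UDP_SIZE = 1232    # assumed advertised UDP payload size for the OPT record


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal A query: 12-byte header (RD set, QDCOUNT=1) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def add_padding(query: bytes, block: int = BLOCK_QUERY) -> bytes:
    """Append an OPT pseudo-RR carrying a Padding option so the message is a multiple of `block` bytes."""
    # OPT fixed part: name(1) + type(2) + udp size(2) + ext-rcode/version/flags(4) + rdlen(2) = 11 bytes;
    # the Padding option itself costs code(2) + length(2) before its zero bytes.
    fixed = 11 + 4
    pad_len = (-(len(query) + fixed)) % block
    opt = struct.pack("!BHHIH", 0, 41, EDNS_UDP_SIZE, 0, 4 + pad_len)
    opt += struct.pack("!HH", EDNS_PADDING_OPT, pad_len) + b"\x00" * pad_len
    hdr = bytearray(query[:12])
    hdr[10:12] = struct.pack("!H", struct.unpack("!H", hdr[10:12])[0] + 1)  # ARCOUNT += 1
    return bytes(hdr) + query[12:] + opt


def size_classes(names, pad: bool) -> dict:
    """Group hostnames by the wire length of their query: what a size-only observer can distinguish."""
    classes = {}
    for n in names:
        q = build_query(n)
        if pad:
            q = add_padding(q)
        classes.setdefault(len(q), []).append(n)
    return classes


if __name__ == "__main__":
    # constructed IoT-style names; each has a distinct length without padding
    names = ["thermostat.example", "cam-upload.example.net", "voice.assistant.example.org"]
    print("unpadded:", size_classes(names, pad=False))  # three distinct sizes
    print("padded:  ", size_classes(names, pad=True))   # one size class: 128
```

Under DoT or DoH the observed record size adds a roughly constant framing overhead, so the same distinctions survive unless padding is applied. Padding changes nothing about timing, burst shape or query frequency, which is why the article treats it as one mitigation among several rather than a fix.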
Encrypted DNS Is Necessary but Not Sufficient
The takeaway from this research is not that encrypted DNS is useless—it is not. Encrypting DNS queries removes a major vector for passive content surveillance and represents a meaningful improvement over sending queries in plaintext. The takeaway is that encryption alone does not constitute privacy. Metadata leakage is a real and measurable threat, especially for IoT devices whose predictable communication patterns make traffic analysis straightforward.
As more devices connect to the internet and as surveillance capabilities become more accessible, the gap between what encryption hides and what traffic analysis can infer will only become more consequential. Understanding that gap is the first step toward closing it, and this research provides both the evidence and a direction for the work ahead.
