Encrypted DNS Still Tells an Eavesdropper Where to Look


Encrypted DNS hides query content, but plaintext packet headers still expose your traffic. New IoT research reveals the gap and how to close it.

23 June 2026 · 5 min read


Encrypted DNS has become one of the most widely promoted tools for protecting user privacy online. Protocols like DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) have been adopted broadly across the modern Internet, with major browsers, operating systems, and network devices supporting them out of the box. The basic promise is simple: encrypt your DNS queries so that nobody watching your network traffic can see which domain names you are looking up. That promise, however, turns out to be only partially fulfilled. New research focused on Internet of Things (IoT) devices reveals that even when DNS queries are fully encrypted, a passive eavesdropper can still gather meaningful intelligence simply by analyzing what is left in plain sight.

What Encrypted DNS Actually Protects

To understand the problem, it helps to be clear about what DNS encryption does and does not cover. When you type a web address into your browser, your device sends a DNS query to resolve that domain name into an IP address before any actual connection is made. Without encryption, anyone monitoring the network link between your device and the DNS resolver can read that query in plain text, learning exactly which websites you intend to visit.

Protocols such as DoT, DoH, and DoQ solve this by wrapping the DNS message in a layer of encryption. The content of the query, the domain name being looked up, is hidden inside an encrypted packet. If an eavesdropper intercepts that packet, they cannot read the question you asked or the answer the resolver returned.

However, encryption covers only the DNS message carried inside each packet. Every packet also carries plaintext headers that describe the flow at the network and transport level: source and destination IP addresses, port numbers, and protocol identifiers. On top of those headers, an observer can measure properties that no encryption can hide, namely the size of each packet, the timing between packets, and the direction of each one. Collectively, these values form what researchers call metadata or traffic fingerprints, and they remain fully visible to anyone watching the network, regardless of whether the DNS content itself is encrypted.

Why Metadata Leakage Is a Serious Privacy Problem

The plaintext headers attached to encrypted DNS packets are not random noise. They carry structured, predictable signals that mark a particular flow as DNS traffic. Port 853 is the registered port for DNS over TLS (TCP) and for DNS over QUIC (UDP), so any flow to that port is DNS by definition. DNS over HTTPS runs on port 443, the same port as standard web traffic, but the destination is usually a well-known public resolver address, the TLS ClientHello carries the resolver's hostname in the plaintext Server Name Indication unless Encrypted Client Hello is in use, and the pattern of small requests followed by small responses is distinct enough to fingerprint. A skilled observer does not need to read the query itself to know that DNS is happening, and from there the analysis can go much further.

Traffic analysis techniques allow researchers and, by extension, real-world adversaries to correlate encrypted DNS flows with specific services, device types, and usage behaviors. The size and timing of packets, the cadence of repeated queries, and the direction of traffic can all serve as identifiers. In practical terms, this means an eavesdropper on a network link, whether a malicious ISP, a compromised router, or a surveillance system, can still build a detailed picture of what devices on a network are doing, even when those devices are using encrypted DNS faithfully.

The IoT Angle That Makes This Worse

The new study specifically examines this vulnerability in the context of Internet of Things devices, and the findings carry extra weight. IoT devices present a particularly attractive target for traffic analysis for several reasons.

  • IoT devices tend to have highly repetitive, predictable communication patterns. A smart thermostat, a connected camera, or a voice assistant queries the same domains on regular schedules, making their traffic extremely easy to fingerprint.
  • Many IoT devices cannot be easily updated or reconfigured by end users, so privacy improvements cannot be pushed through the way they might be on a laptop or smartphone.
  • The sheer volume of IoT deployments means that the aggregate surveillance potential is enormous. A single compromised network segment could expose behavioral data from hundreds of devices simultaneously.
  • IoT traffic is often long-lived and continuous, giving an eavesdropper more data points over time compared to occasional human browsing sessions.

The research team modeled an eavesdropper sitting on the link between IoT devices and their DNS resolvers, collecting only the metadata visible in packet headers without decrypting anything. The results confirmed that distinguishing encrypted DNS traffic from other traffic is straightforward, and that correlating it with specific device behaviors is achievable with relatively simple analysis.
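The kind of header-only analysis described above, both the port-based labelling of DNS flows and the cadence check that separates a scheduled IoT client from a human, can be reproduced in a few dozen lines. The script below is an added illustration, not code from the study or from the article's authors. Its packet records are constructed (documentation address ranges from RFC 5737, invented device names and timings), and it reads nothing but the fields an on-path observer sees in plaintext: timestamps, addresses, protocol, ports and sizes.

```python
"""Passive classification of encrypted-DNS flows from packet metadata only.

Added illustration; not code from the study discussed in the article.
The capture below is constructed: a "thermostat" doing DoT every 60 s,
a "camera" doing DoQ every 30 s, and a laptop talking to port 443 at
irregular times. Addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Each record: (timestamp_s, src_ip, dst_ip, proto, src_port, dst_port, length)
# No payload is present; only what a passive eavesdropper can see.
PACKETS = []
for i in range(6):   # thermostat: new DoT connection each minute
    PACKETS.append((100.0 + 60 * i, "192.0.2.10", "198.51.100.1", "tcp", 50000 + i, 853, 151))
for i in range(8):   # camera: DoQ datagrams every 30 s
    PACKETS.append((100.0 + 30 * i, "192.0.2.11", "198.51.100.1", "udp", 40000, 853, 1232))
for t in (103.2, 109.9, 140.4, 141.1, 207.8):  # laptop: bursty, human-driven
    PACKETS.append((t, "192.0.2.20", "198.51.100.2", "tcp", 51000, 443, 230))


def label_by_port(proto, dst_port):
    """Label a flow from transport protocol and destination port alone.

    853/TCP is the registered DoT port (RFC 7858) and 853/UDP the DoQ port
    (RFC 9250); 53 is cleartext DNS; 443 is ambiguous (DoH or ordinary web).
    """
    if dst_port == 853:
        return "DoT" if proto == "tcp" else "DoQ"
    if dst_port == 53:
        return "Do53"
    if dst_port == 443:
        return "TLS/443 (DoH or web)"
    return "other"


def periodicity(timestamps):
    """Return (median inter-arrival seconds, coefficient of variation).

    A low coefficient of variation means the client sends on a fixed
    schedule, which is the hallmark of a device rather than a person.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, None
    m = mean(gaps)
    return median(gaps), (pstdev(gaps) / m if m else float("inf"))


def fingerprint(packets, cv_threshold=0.1):
    """Group packets per (src, dst, proto, dst_port) and summarise each flow.

    Source ports are deliberately ignored so that repeated DoT connections
    from one device (fresh ephemeral port each time) fold into one series.
    """
    flows = defaultdict(list)
    for ts, src, dst, proto, _sport, dport, length in packets:
        flows[(src, dst, proto, dport)].append((ts, length))
    report = {}
    for key, recs in flows.items():
        _src, _dst, proto, dport = key
        med, cv = periodicity([ts for ts, _ in recs])
        report[key] = {
            "label": label_by_port(proto, dport),
            "packets": len(recs),
            "median_gap_s": med,
            "periodic": cv is not None and cv < cv_threshold,
            "size_bytes": sorted({length for _, length in recs}),
        }
    return report


if __name__ == "__main__":
    for key, info in fingerprint(PACKETS).items():
        print(key, info)
```

Run against the constructed capture, the two port-853 flows are labelled DoT and DoQ outright and both come out as periodic (60 s and 30 s medians, zero variance), while the port-443 flow is neither clearly DNS nor periodic. A real deployment would add response sizes and resolver address reputation, but the point stands: nothing here required a single decrypted byte.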

Approaches to Closing the Gap

The study does not just diagnose the problem. It also explores potential mitigations aimed at reducing the information available to a passive observer. Several strategies show promise, though each involves trade-offs.

Padding is one of the most straightforward defenses. By artificially adjusting the size of DNS messages to conform to a fixed block length or to a randomized distribution, it becomes harder for an eavesdropper to infer query length or content type from packet size alone. Padding is defined at the DNS message level, as the EDNS(0) Padding option of RFC 7830, so it works over DoT, DoH and DoQ alike; RFC 8467 recommends padding queries to a multiple of 128 bytes and responses to a multiple of 468 bytes. Support is optional, and it is not universally enabled on either clients or resolvers.
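To make the block-padding idea concrete, the following added example builds minimal DNS queries in wire format with an EDNS(0) Padding option and pads them to the RFC 8467 query block size, then parses the result back to confirm the option is present. It is illustration code written for this page, not from the study or any DNS library; the sample domain names are constructed, and the 1232-byte UDP payload size advertised in the OPT record is an assumed client setting.

```python
"""EDNS(0) block padding (RFC 7830 option, RFC 8467 block sizes).

Added example, not code from the article or the study it describes.
Builds DNS queries by hand, pads them to the query block size, and shows
that distinct query lengths collapse to a single on-the-wire size.
"""
import struct

OPT_PADDING = 12        # EDNS(0) option code for Padding (RFC 7830)
QUERY_BLOCK = 128       # RFC 8467 recommended block size for queries
RESPONSE_BLOCK = 468    # RFC 8467 recommended block size for responses
UDP_PAYLOAD = 1232      # assumed advertised EDNS buffer size

# Constructed sample names of deliberately different lengths.
SAMPLE_NAMES = [
    "a.example",
    "time.example",
    "thermostat.vendor-cloud.example",
    "telemetry.firmware-update-service.region-eu-west.iot.vendor-cloud.example",
]


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def opt_rr(options):
    """OPT pseudo-RR: root name, TYPE 41, CLASS=payload size, TTL=0, RDATA=options."""
    return b"\x00" + struct.pack("!HHIH", 41, UDP_PAYLOAD, 0, len(options)) + options


def build_query(name, qtype=1, block=None, txid=0x1234):
    """Return a standard query (RD set) with an OPT record.

    With block=None no Padding option is added. Otherwise the message is
    padded so its total length is the next multiple of `block`, counting
    the 4-byte option header itself, exactly as RFC 8467 intends.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if block is None:
        return header + question + opt_rr(b"")
    empty_opt = struct.pack("!HH", OPT_PADDING, 0)
    base_len = len(header) + len(question) + len(opt_rr(empty_opt))
    pad_len = (-base_len) % block
    padding = struct.pack("!HH", OPT_PADDING, pad_len) + b"\x00" * pad_len
    return header + question + opt_rr(padding)


def padding_length(msg):
    """Parse a query and return the Padding option length, or None if absent."""
    qdcount, _an, _ns, arcount = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qdcount):
        while msg[pos] != 0:          # freshly built query: no compression pointers
            pos += 1 + msg[pos]
        pos += 1 + 4                  # terminator, QTYPE, QCLASS
    for _ in range(arcount):
        if msg[pos] != 0:
            raise ValueError("expected root owner name for OPT")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        pos += 11
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype != 41:
            continue
        i = 0
        while i + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            if code == OPT_PADDING:
                return olen
            i += 4 + olen
    return None


def length_profile(names, block=None):
    """Set of on-the-wire query lengths an observer would see for these names."""
    return sorted({len(build_query(n, block=block)) for n in names})


if __name__ == "__main__":
    print("unpadded:", length_profile(SAMPLE_NAMES))
    print("padded  :", length_profile(SAMPLE_NAMES, QUERY_BLOCK))
```

Unpadded, the four names produce four different query sizes, so size alone separates them. Padded to the 128-byte block they all leave the client at exactly 128 bytes. The transport then adds its own overhead, and responses need the larger 468-byte block, but the per-name size signal the eavesdropper relied on is gone.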

Traffic shaping and dummy packet injection can blur timing signals by adding artificial delays or cover traffic to break the predictable cadence of real queries. This approach costs bandwidth and can introduce latency, since real queries may be held to fit a fixed schedule, but it significantly reduces the precision of timing-based fingerprinting.

Encrypted Client Hello (ECH), a relatively recent TLS extension, encrypts the ClientHello itself, including the Server Name Indication that previously leaked the destination hostname in plaintext even on TLS-secured sessions. ECH depends on encrypted DNS, because the key material it needs is published in DNS records and would be useless if fetched over a channel the eavesdropper could read or tamper with; combined, the two close several of the remaining plaintext channels at once. What ECH does not hide is the IP address, packet size, or timing of a connection, so it complements padding and shaping rather than replacing them.

What This Means for Security and Privacy Practice

The takeaway for organizations and individuals is nuanced. Encrypted DNS is still worth using. It genuinely protects query content from casual surveillance and raises the bar significantly compared to plain DNS. But it should not be treated as a complete privacy solution on its own. Anyone operating IoT infrastructure, running a home network with smart devices, or designing privacy-sensitive applications should understand that metadata leakage is a real, measurable threat.

Network defenders should consider enabling DNS padding where supported, examining their own traffic for fingerprintable patterns, and staying informed about emerging standards such as ECH. Vendors shipping IoT devices with DNS capabilities should treat encrypted DNS with padding enabled as a baseline, not an optional feature.

As the research shows, the envelope may be sealed, but the postmark still tells the story.

Tags: encrypted DNS, DNS privacy, DNS over TLS, IoT security, network eavesdropping