{"title":"Before Toasters Rise Up: A View into the Emerging DoH Resolver's Deployment Risk","authors":"Yuqi Qiu, Baiyang Li, Zhiqian Li, Liang Jiao, Yujia Zhu, Qingyun Liu","doi":"10.1109/ISCC58397.2023.10217976","DOIUrl":null,"url":null,"abstract":"As an encryption protocol for DNS queries, DNS-over-HTTPS (DoH) is becoming increasingly popular, and it mainly addresses the last-mile privacy protection problem. However, the security of DoH is in urgent need of measurement and analysis due to its reliance on certificates and upstream servers. In this paper, we focus on the DoH ecosystem and conduct a one-month measurement to analyze the current deployment of DoH resolvers. Our findings indicate that some of these resolvers use invalid certificates, which can compromise the security and privacy advantages of the protocol. Furthermore, we found that many providers are at risk of certificate outages, which could cause significant disruptions to the DoH ecosystem. Additionally, we observed that the centralization of DoH resolvers and upstream DNS servers is a potential issue that needs addressing to ensure the stability of the ecosystem.","PeriodicalId":265337,"journal":{"name":"2023 IEEE Symposium on Computers and Communications (ISCC)","volume":"64 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-07-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE Symposium on Computers and Communications (ISCC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISCC58397.2023.10217976","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
As an encryption protocol for DNS queries, DNS-over-HTTPS (DoH) is becoming increasingly popular, and it mainly addresses the last-mile privacy protection problem. However, the security of DoH is in urgent need of measurement and analysis due to its reliance on certificates and upstream servers. In this paper, we focus on the DoH ecosystem and conduct a one-month measurement to analyze the current deployment of DoH resolvers. Our findings indicate that some of these resolvers use invalid certificates, which can compromise the security and privacy advantages of the protocol. Furthermore, we found that many providers are at risk of certificate outages, which could cause significant disruptions to the DoH ecosystem. Additionally, we observed that the centralization of DoH resolvers and upstream DNS servers is a potential issue that needs addressing to ensure the stability of the ecosystem.