VYPR Research · Published Jun 22, 2026 · 1 source

Encrypted DNS Still Leaks Traffic Patterns Through Plaintext Headers, Study Finds

New research shows that DNS-over-TLS, HTTPS, and QUIC expose DNS flows via plaintext packet headers, enabling eavesdroppers to identify and exploit IoT device traffic.

Encrypted DNS protocols such as DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), and DNS-over-QUIC (DoQ) are widely deployed to protect the privacy of DNS queries by encrypting their contents. However, a new study reveals that these protocols still leak critical information through plaintext packet headers, allowing an eavesdropper to detect DNS traffic flows. The research, conducted by a team including Martine S. Lenders, focuses on Internet of Things (IoT) devices, where the privacy leak is particularly pronounced due to predictable traffic patterns.

The study demonstrates that an attacker on a wireless link between an IoT device and its gateway can easily separate DNS packets from other data packets by examining plaintext header fields such as TCP sequence numbers, UDP ports, and IP addresses. Once identified, the attacker can block DNS traffic, profile the device, or perform DNS-specific analysis. "We show that the sequence number in the TCP header, the ports in the UDP header, the addresses in the IP header, and other plaintext header fields can hint at the nature of the encrypted content," Lenders explained.

To address this privacy gap, the researchers propose a method called header elision, built on DNS over CoAP (Constrained Application Protocol), which they standardized as RFC 9953 in March 2026. CoAP carries DNS inside ordinary application traffic, similar to DoH, but adds two key privacy-enhancing features: block-wise transfer, which splits request and response bodies into equal-sized blocks to normalize packet lengths, and Static Context Header Compression (SCHC), which replaces header fields with opaque rule identifiers and removes them from the packet. "To improve the situation fundamentally, we propose the elision of headers. Our proposal is not limited to IoT networks but can also be used on the larger Internet," Lenders said.

The team tested their approach using 296 deployment scenarios derived from 58,768 DNS request and response pairs from the HTTP Archive. They trained a Random Forest classifier to identify DNS flows and found that two types of leaks were most revealing: source and destination addresses (including ports and plaintext hostnames) when a device communicates with separate DNS and data servers, and monotonic counters such as TCP sequence numbers and CoAP message IDs that reveal the rhythmic pattern of DNS queries preceding data fetches.

By implementing peer-based SCHC rules and using a small CoAP block size of 64 bytes, the researchers reduced classifier accuracy from near-perfect to between 77% and 86%, compared to a random guess baseline of 50%. While this still leaves the attacker correct most of the time, Lenders noted that the attack requires significant computational resources: "In our attack scenario, the feature vector is very large because we use every bit of the packet as the input. So, even with a powerful compute cluster, this analysis may take days."
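To make the length-normalization effect concrete, here is a small Python model added for this summary; it is not code from the study, from Lenders' team, or from Vypr. The message sizes are constructed, not measured, and the "padded" mode is a simplifying assumption: real CoAP block-wise transfer sends full blocks of the negotiated size with a shorter final block, so the padded mode represents the normalized case the article attributes to the proposal, while the "blockwise" mode shows what a bare block split alone would leave behind. The metric is deliberately minimal: the fraction of packets whose payload length occurs in only one traffic class, i.e. packets an eavesdropper could label from length alone.

```python
"""Model of how fixed-size blocks remove packet length as a DNS-vs-data signal.

Constructed example for illustration; not code from the study or its authors.
"""
from math import ceil

# Constructed sample payload sizes in bytes (invented, not measured data).
DNS_MESSAGE_SIZES = [33, 49, 57, 81, 45, 62, 90, 38]
DATA_MESSAGE_SIZES = [410, 256, 1200, 700, 128, 333, 900, 2048]

BLOCK_SIZE = 64  # the small block size the article reports the researchers used


def on_wire_lengths(size, block_size=BLOCK_SIZE, mode="none"):
    """Payload length of each packet a message of `size` bytes occupies.

    mode "none":      one packet carries the whole message (no block-wise transfer).
    mode "blockwise": full blocks of block_size; the last block carries the remainder.
    mode "padded":    assumption: every block, including the last, is block_size bytes,
                      modelling the normalized lengths the article describes.
    """
    if size <= 0:
        raise ValueError("message size must be positive")
    if mode == "none":
        return [size]
    full, rem = divmod(size, block_size)
    if mode == "blockwise":
        return [block_size] * full + ([rem] if rem else [])
    if mode == "padded":
        return [block_size] * ceil(size / block_size)
    raise ValueError(f"unknown mode {mode!r}")


def distinguishable_fraction(dns_sizes, data_sizes, mode):
    """Fraction of packets whose length appears in only one traffic class.

    A packet whose length occurs only among DNS (or only among data) packets can be
    labelled with certainty by an observer who sees nothing but lengths; a length
    that occurs in both classes gives that observer no information on its own.
    """
    dns_lengths = [n for s in dns_sizes for n in on_wire_lengths(s, mode=mode)]
    data_lengths = [n for s in data_sizes for n in on_wire_lengths(s, mode=mode)]
    dns_set, data_set = set(dns_lengths), set(data_lengths)
    all_lengths = dns_lengths + data_lengths
    unique = sum(1 for n in all_lengths if (n in dns_set) != (n in data_set))
    return unique / len(all_lengths)


def summary(dns_sizes=DNS_MESSAGE_SIZES, data_sizes=DATA_MESSAGE_SIZES):
    """Distinguishable fraction for each transfer mode, in one dict."""
    return {m: distinguishable_fraction(dns_sizes, data_sizes, m)
            for m in ("none", "blockwise", "padded")}


if __name__ == "__main__":
    for mode, frac in summary().items():
        print(f"{mode:10s} length-distinguishable packets: {frac:.3f}")
```

With the constructed sizes, every packet is length-distinguishable without block-wise transfer, a bare block split still leaks through the final short block of each message (here about 10% of packets, and the ambiguous packets are dominated by the many full 64-byte data blocks), and the padded model removes the length signal entirely. Length is only one of the features the study's classifier consumed; the addresses, ports, and monotonic counters it identifies as the strongest leaks are exactly what the SCHC rules in the proposal are meant to take off the wire.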

The study also recommends additional defenses for non-IoT environments, including obfuscating sequence numbers and addresses using protocols like QUIC, OSCORE, and Oblivious DNS, and introducing unpredictable packet timing where latency constraints allow. The researchers have released their data corpus, code, and results under a public DOI for further study. This research highlights that encryption alone is insufficient for privacy; careful attention to metadata leakage is essential, especially as IoT deployments continue to grow.

Synthesized by Vypr AI