Recent concerns over the privacy implications of the Domain Name System (DNS) have led to the encryption of DNS queries and responses through protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT). While the trend towards encryption is a positive development, the resulting centralization of the DNS has fomented tussles involving ISPs, browser and device vendors, content delivery networks, and users. Current deployment trends, should they continue, will produce dynamics that raise barriers to entry, weaken competition, and threaten consumer protection. This development makes it necessary to rethink name resolution so that these tussles can play out within the design of the Internet architecture. This paper articulates several current DNS tussles and offers principles to guide system design and implementation such that all stakeholders in the space can participate. We then explore how a refactored client DNS mechanism can open up new possibilities for decentralized name resolution, preserving the benefits of encrypted DNS while satisfying other architectural desiderata, including performance, resilience, and privacy.