HelpnetSecurity

Encrypted DNS still tells an eavesdropper where to look


Encrypted DNS runs across much of the Internet. DNS over TLS, HTTPS, and QUIC keep the contents of a query away from anyone watching a network link. The encryption covers the message inside each packet. The packet still carries plaintext headers, and those values mark a flow as DNS.

A new study measures this gap for the Internet of Things and offers a way to close part of it.

The team studied an eavesdropper on a wireless link between a small device and its gateway. Such an attacker separates DNS packets from data packets, then blocks the DNS traffic, profiles the device, or runs DNS-specific analysis. Identification of the flow opens the door to each of these moves.

Earlier work on this problem passed over the plaintext that survives encryption. “We show that the sequence number in the TCP header, the ports in the UDP header, the addresses in the IP header, and other plaintext header fields can hint at the nature of the encrypted content,” co-author Martine S. Lenders told Help Net Security. “Our advice to operators is: do not ignore those values and select them carefully,” Lenders explained.

Eliding headers on small devices

The team built on DNS over CoAP, a protocol they brought through the IETF as RFC 9953 in March 2026. CoAP carries DNS inside ordinary application traffic, the same way HTTPS carries it for DoH. Two additional pieces matter for privacy. Block-wise transfer, a segmentation technique for CoAP, cuts request and response bodies into equal blocks, which evens out packet lengths. Static Context Header Compression (SCHC), a generic header compression framework, replaces header fields with an opaque rule identifier and removes the fields themselves from the packet.

“To improve the situation fundamentally, we propose the elision of headers. Our proposal is not limited to IoT networks but can also be used on the larger Internet,” Lenders said.

The researchers generated 296 deployment scenarios from a corpus of 58,768 request and response pairs drawn from the HTTP Archive. They trained a Random Forest classifier on the resulting traffic and measured which header fields gave away the DNS flows.

Counters and addresses give traffic away

Two leaks stood out. Source and destination data, meaning addresses, ports, and any plaintext hostname, carried the most weight when a device talked to separate DNS and data servers. Monotonic counters formed the second leak. A DNS query and response pair tends to precede each data fetch, and that rhythm shows through TCP sequence numbers, DTLS sequence numbers, CoAP message IDs, and tokens.

One leak traced to a software detail. TinyDTLS, a common library the team used, copies the record epoch and sequence number into the cipher nonce. The encrypted nonce then works as a counter and exposes the same pattern.

The accuracy that remains

The authors introduce peer-based SCHC rules and combine them with a small CoAP block-size of 64 bytes. This brought classifier accuracy down to a range of 77 to 86 percent, depending on the data and DNS formats. Random guessing sits at 50 percent, the point that renders this kind of attack useless. The defense raises the attacker’s cost and leaves the attacker correct most of the time.
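The two leaks above (addresses and ports, monotonic counters, uneven lengths) and the two mitigations (block-wise length equalization, SCHC-style header elision) can be illustrated on a small constructed trace. The following Python is an added example, not code from the study or its released corpus; the packet values, the single shared rule id, and the "disjoint value sets" test for a leaking field are all constructed assumptions, and block-wise transfer is modelled as one packet per 64-byte block without the per-block message IDs real CoAP would use.

```python
"""Constructed illustration of plaintext header leaks and two mitigations.

Added example; not the authors' code. Values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

BLOCK_SIZE = 64        # CoAP block size used in the article's best configuration
RULE_ID = 0x07         # constructed: one SCHC rule id shared by both flows

Features = Dict[str, int]


@dataclass(frozen=True)
class Packet:
    kind: str          # ground truth "dns" or "data"; never on the wire
    visible: Features  # plaintext header values plus ciphertext length


def make_trace() -> List[Packet]:
    """Constructed trace: a DNS request/response pair precedes each data
    fetch. DNS and data go to different servers, each with its own
    monotonic CoAP message-ID counter."""
    trace: List[Packet] = []
    dns_mid, data_mid = 0x1000, 0x4000
    for i in range(5):
        for length in (48 + i, 96 + i):          # query, then answer
            trace.append(Packet("dns", {"dst_port": 853,
                                        "msg_id": dns_mid,
                                        "length": length}))
            dns_mid += 1
        trace.append(Packet("data", {"dst_port": 443,
                                     "msg_id": data_mid,
                                     "length": 300 + 10 * i}))
        data_mid += 1
    return trace


def leaking_features(trace: List[Packet]) -> List[str]:
    """Visible fields whose value sets for DNS and data packets never
    overlap. Such a field labels a flow with a one-line rule, which is the
    simplest form of the classifier signal the study measured."""
    seen: Dict[str, Dict[str, set]] = {"dns": {}, "data": {}}
    for p in trace:
        for name, value in p.visible.items():
            seen[p.kind].setdefault(name, set()).add(value)
    names = sorted(set(seen["dns"]) | set(seen["data"]))
    return [n for n in names
            if seen["dns"].get(n, set()).isdisjoint(seen["data"].get(n, set()))]


def equalize_length(p: Packet, block: int = BLOCK_SIZE) -> List[Packet]:
    """Block-wise transfer: the body is cut into full blocks, so every
    packet on the wire has the same length. The number of blocks is still
    visible, which this toy does not try to hide."""
    n_blocks = -(-p.visible["length"] // block)   # ceiling division
    return [Packet(p.kind, {**p.visible, "length": block}) for _ in range(n_blocks)]


def elide_headers(p: Packet, rule_id: int = RULE_ID) -> Packet:
    """SCHC-style elision: port and counter are removed from the packet and
    replaced by an opaque rule id that both ends of the hop understand."""
    kept = {k: v for k, v in p.visible.items() if k not in ("dst_port", "msg_id")}
    kept["rule_id"] = rule_id
    return Packet(p.kind, kept)


def harden(trace: List[Packet]) -> List[Packet]:
    """Apply both mitigations, as the study's best configuration does."""
    out: List[Packet] = []
    for p in trace:
        out.extend(elide_headers(q) for q in equalize_length(p))
    return out


if __name__ == "__main__":
    raw = make_trace()
    print("plain:      ", leaking_features(raw))                 # port, length, counter
    print("equal len:  ", leaking_features([q for p in raw for q in equalize_length(p)]))
    print("elided:     ", leaking_features([elide_headers(p) for p in raw]))
    print("both:       ", leaking_features(harden(raw)))          # []
```

Each mitigation on its own leaves one of the signals in place, and only the combination removes every field with disjoint values. Even then the count of 64-byte blocks per transaction still reflects the original body sizes, which is one reason a real classifier keeps some accuracy above the 50 percent guessing line.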

Lenders set that result against the compute it demands. “It is worth noting that, in our attack scenario, the feature vector is very large because we use every bit of the packet as the input,” Lenders said. “So, even with a powerful compute cluster, this analysis may take days, but you never know. Even if such analysis is not used to implement a live attack, it can be used for off-line data mining.”

Two additional defenses for non-IoT operation came with that assessment. “First, obfuscate sequence numbers and addresses. QUIC, OSCORE, and Oblivious DNS provide the necessary building blocks if header elision is not applicable. We should use them!” Lenders said. The second defense covers timing. “Second, use more unpredictable timings of sending packets. In constrained IoT deployments, this is not an option because latency is already higher, but definitely doable in less constrained environments,” Lenders concluded.

The approach reaches past small devices. Header elision and length equalization apply wherever an operator controls both ends of a compression hop. The team released the data corpus, code, and results for other researchers under a public DOI.



Source link