Skip to main content

A First Look at QNAME Minimization in the Domain Name System

  • Conference paper
  • First Online:
Passive and Active Measurement (PAM 2019)


The Domain Name System (DNS) is a critical part of network and Internet infrastructure; DNS lookups precede almost any user request. DNS lookups may contain private information about the sites and services a user contacts, which has spawned efforts to protect privacy of users, such as transport encryption through DNS-over-TLS or DNS-over-HTTPS.

In this work, we provide a first look on the resolver-side technique of query name minimization (qmin), which was standardized in March 2016 as RFC 7816. qmin aims to only send minimal information to authoritative name servers, reducing the number of servers that full DNS query names are exposed to. Using passive and active measurements, we show a slow but steady adoption of qmin on the Internet, with a surprising variety in implementations of the standard. Using controlled experiments in a test-bed, we validate lookup behavior of various resolvers, and quantify that qmin both increases the number of DNS lookups by up to 26%, and also leads to up to 5% more failed lookups. We conclude our work with a discussion of qmin’s risks and benefits, and give advice for future use.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others


  1. 1.

    We turn DNSSEC validation off to achieve comparable behavior (validating DNSSEC requires more queries to be sent); we also note that the combination of qmin and DNSSEC may induce further complexities beyond the scope of this work.


  1. RIPE Atlas measurement for a.b.qnamemin-test.internet.nlTXT (2017).

  2. RIPE Atlas measurement for (2017).

  3. RIPE Atlas measurement for ripe-hackathon6.nlnetlabs.nlAAAA (2017).

  4. RIPE Atlas measurement for ripe-hackathon6.nlnetlabs.nlAAAA. Ripe MSM IDs: 16428213, 16428214, 16428215, 16428216, 16428217, 16428218, 16428219, 16428220, 16428221, 16428222 (2017)

    Google Scholar 

  5. RIPE Atlas measurement for whoami.akamai.netA (2017).

  6. Bortzmeyer, S.: DNS privacy considerations. RFC 7626 (Informational), August 2015.

  7. Bortzmeyer, S.: DNS query name minimisation to improve privacy. RFC 7816 (Experimental), March 2016.

  8. Bortzmeyer, S., Huque, S.: NXDOMAIN: there really is nothing underneath. RFC 8020 (Proposed Standard), November 2016.

  9. Bortzmeyer, S.: PowerDNS - add qname minimisation (2015).

  10. Castro, S., Wessels, D., Fomenkov, M., Claffy, K.: A day at the root of the internet. ACM SIGCOMM Comput. Commun. Rev. 38(5), 41–46 (2008)

    Article  Google Scholar 

  11. Cisco: Cisco Umbrella Top 1M List, September 14–30 2018.

  12. Cooper, A., et al.: Privacy Considerations for Internet Protocols. RFC 6973, July 2013.

  13. CZ.NIC: Knot resolver 1.0.0 released (2016).

  14. Dittrich, D., Kenneally, E., et al.: The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. US Department of Homeland Security (2012)

    Google Scholar 

  15. DNS OARC: Day In The Life of the Internet (2017 and 2018).

  16. Dolmans, R.: QNAME Minimization in Unbound, RIPE 72 (2016).

  17. Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: USENIX Security (2013)

    Google Scholar 

  18. Fujiwara, K., Kato, A., Kumari, W.: Aggressive Use of DNSSEC-Validated Cache. RFC 8198 (Proposed Standard), July 2017.

  19. Hardaker, W.: Analyzing and mitigating privacy with the DNS root service. In: NDSS: DNS Privacy Workshop, 2018 (2018)

    Google Scholar 

  20. Hoffman, P.E., McManus, P.: DNS queries over HTTPS (DoH). RFC 8484, October 2018.

  21. Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., Hoffman, P.E.: Specification for DNS over transport layer security (TLS). RFC 7858, May 2016.

  22. Imana, B., Korolova, A., Heidemann, J.: Enumerating privacy leaks in DNS data collected above the recursive. In: NDSS: DNS Privacy Workshop, 2018. San Diego, California, USA, Feburary 2018.

  23. ISC: Release notes for bind version 9.13.2 (2018).

  24. Mockapetris, P.: Domain names - concepts and facilities. RFC 1034, November 1987.

  25. NLnet Labs: Nlnet labs: Unbound chanelog (2018).

  26. Pappas, V., Wessels, D., Massey, D., Lu, S., Terzis, A., Zhang, L.: Impact of configuration errors on DNS robustness. IEEE J. Sel. Areas Commun. 27(3), 275–290 (2009)

    Article  Google Scholar 

  27. Partridge, C., Allman, M.: Ethical considerations in network measurement papers. Commun. ACM 59, 58–64 (2016)

    Article  Google Scholar 

  28. Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: DNS security introduction and requirements. RFC 4033, March 2005.

  29. Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: Protocol modifications for the DNS security extensions. RFC 4035, March 2005.

  30. Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: Resource records for the DNS security extensions. RFC 4034, March 2005.

  31. Scheitle, Q., et al.: A long way to the top: significance, structure, and stability of internet top lists. In: IMC 2018, Boston, USA. arXiv:1805.11506 November 2018

  32. Schmitt, P., Edmundson, A., Feamster, N.: Oblivious DNS: practical privacy for DNS queries. arXiv:1806.00276 (2018)

  33. de Vries, W.B., Scheitle, Q., Müller, M., Toorop, W., Dolmans, R., van Rijswijk-Deij, R.: Datasets and Scripts (2019).

  34. Wang, Z.: Understanding the performance and challenges of DNS query name minimization. In: 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 1115–1120. IEEE (2018)

    Google Scholar 

  35. Wullink, M., Moura, G.C., Müller, M., Hesselman, C.: ENTRADA: a high-performance network traffic data streaming warehouse. In: 2016 IEEE/IFIP Network Operations and Management Symposium (NOMS), pp. 913–918. IEEE (2016)

    Google Scholar 

Download references


This work was partially funded by the German Federal Ministry of Education and Research under project X-Check (grant 16KIS0530). Partial funding was also supplied by SURFnet Research on Networks.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Wouter B. de Vries .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

de Vries, W.B., Scheitle, Q., Müller, M., Toorop, W., Dolmans, R., van Rijswijk-Deij, R. (2019). A First Look at QNAME Minimization in the Domain Name System. In: Choffnes, D., Barcellos, M. (eds) Passive and Active Measurement. PAM 2019. Lecture Notes in Computer Science(), vol 11419. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-15985-6

  • Online ISBN: 978-3-030-15986-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics