What is QNAME Minimization?
QNAME Minimization (RFC 9156) is a resolver-side technique: when ‘walking the DNS tree’, the recursive resolver sends each authoritative server only as much of the query name as that server needs to hand out the next referral, rather than the full name the client asked for.
Example of DNS resolution without QNAME Minimization:
1. The client sends the DNS request to the Recursive Resolver (your ISP’s, etc.) for the domain: example.networkhoudini.com
2. As it does not have a cached record for the domain, it queries a root nameserver (.) with the request “Where is example.networkhoudini.com?”
3. The root server is not authoritative for that name, so it responds with a referral: the NS records (and glue addresses) for the .com nameservers, which the recursive resolver queries next.
4. The recursive resolver then queries a .com nameserver with “Where is example.networkhoudini.com?”
5. Every step of the walk repeats the full question, “Where is example.networkhoudini.com?”, until a server authoritative for the name answers, and the resolver then provides the answer to the client. By that point the root and .com servers have both seen the complete name.

Example of DNS resolution with QNAME Minimization:
1. The client sends the DNS request to the Recursive Resolver (one that uses QNAME Minimization) for the domain: example.networkhoudini.com
2. The resolver does not have a cached record for the domain, so it queries a root nameserver (.) for only the next label: “Where is .com?”
3. The resolver then queries the .com nameservers with the request “Where is networkhoudini.com?”
4. Once it has the nameservers for networkhoudini.com, it queries them with the full name: “Where is example.networkhoudini.com?”
5. Once the final record (with the IP address) has been provided, the recursive resolver provides it to the client. The root server only ever saw “com”, and the .com server only “networkhoudini.com”.
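The two walks above, as a runnable model added to this post (it is not the post’s own code and not a real resolver). It keeps a small constructed set of zones (root, .com, networkhoudini.com) with made-up 192.0.2.x addresses, and records the query name each server receives in both modes. It also goes a step beyond the post’s example: it handles an empty non-terminal (lab.networkhoudini.com, a name that exists only because www.lab.networkhoudini.com does), and models the known failure mode where an authoritative server wrongly answers NXDOMAIN for such a shortened query, which is why real resolvers offer a “relaxed” mode that falls back to the full name. The zone data, names and the “ent_nxdomain” flag are all assumptions made for the illustration.

```python
"""Toy model of iterative DNS resolution with and without QNAME minimisation.

Added example for this post: not the post's own code and not a real resolver.
Zone data, names and the 192.0.2.x addresses are constructed for illustration.
"""

# Constructed authoritative data, keyed by zone apex. "delegations" are child
# zones served elsewhere (the server answers with a referral), "answers" are the
# A records the zone holds itself. "ent_nxdomain" models a buggy server that
# returns NXDOMAIN for an empty non-terminal instead of NOERROR/NODATA.
ZONES = {
    ".": {"delegations": {"com."}, "answers": {}, "ent_nxdomain": False},
    "com.": {"delegations": {"networkhoudini.com."}, "answers": {}, "ent_nxdomain": False},
    "networkhoudini.com.": {
        "delegations": set(),
        "answers": {
            "example.networkhoudini.com.": "192.0.2.10",
            # lab.networkhoudini.com. exists only as an empty non-terminal
            "www.lab.networkhoudini.com.": "192.0.2.20",
        },
        "ent_nxdomain": True,
    },
}


def label_count(name: str) -> int:
    """Number of labels in a fully qualified name ('.' has 0, 'com.' has 1)."""
    return 0 if name == "." else name.count(".")


def authoritative_query(zone: str, qname: str):
    """What the server for `zone` replies to a query for `qname`.

    Returns (kind, payload): ("REFERRAL", child_zone), ("ANSWER", ip),
    ("NODATA", None) for a name that exists without an A record, or
    ("NXDOMAIN", None).
    """
    z = ZONES[zone]
    for child in z["delegations"]:
        if qname == child or qname.endswith("." + child):
            return "REFERRAL", child
    if qname in z["answers"]:
        return "ANSWER", z["answers"][qname]
    if qname == zone:
        return "NODATA", None
    is_empty_non_terminal = any(n.endswith("." + qname) for n in z["answers"])
    if is_empty_non_terminal and not z["ent_nxdomain"]:
        return "NODATA", None
    return "NXDOMAIN", None


def resolve(target: str, mode: str = "relaxed"):
    """Walk from the root to an A record for `target`.

    mode "off": send the full name to every server (no minimisation).
    mode "strict": send only the labels needed for the next step; give up on
    NXDOMAIN.
    mode "relaxed": as strict, but retry with the full name when a server
    answers NXDOMAIN to a shortened query (the fallback RFC 9156 describes for
    servers that mishandle empty non-terminals).
    Returns (ip_or_None, log) where log is [(zone_asked, qname_sent), ...],
    i.e. exactly what each server learnt about the client's query.
    """
    if mode not in ("off", "strict", "relaxed"):
        raise ValueError(mode)
    labels = target.rstrip(".").split(".")
    total = len(labels)

    def qname_with(n: int) -> str:
        # The rightmost n labels of the target, fully qualified.
        return ".".join(labels[total - n:]) + "."

    zone = "."
    n = total if mode == "off" else 1
    log = []
    while True:
        qname = qname_with(n)
        log.append((zone, qname))
        kind, payload = authoritative_query(zone, qname)
        if kind == "ANSWER":
            return payload, log
        if kind == "REFERRAL":
            zone = payload
            if mode != "off":
                # Next query: one label below the zone we were referred to.
                n = min(label_count(zone) + 1, total)
            continue
        if kind == "NODATA":
            if n == total:
                return None, log  # the full name exists but has no A record
            n += 1  # empty non-terminal: reveal one more label, same server
            continue
        if mode == "relaxed" and n < total:
            n = total  # NXDOMAIN on a shortened name: fall back to the full name
            continue
        return None, log


if __name__ == "__main__":
    for mode in ("off", "strict", "relaxed"):
        ip, log = resolve("example.networkhoudini.com.", mode)
        print(mode, ip, [f"{zone} saw {qname}" for zone, qname in log])
```

Run it and compare the logs: with mode "off" the root and .com servers both receive the full name, with "strict" or "relaxed" they receive only "com." and "networkhoudini.com." respectively. Looking up www.lab.networkhoudini.com. in "strict" mode against the deliberately buggy zone fails at lab.networkhoudini.com., while "relaxed" mode recovers by sending the full name to that one server, so only the final zone learns more than it strictly needs.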

Why would you use it?
While it may not seem like a big deal to send your full query to the various intermediate servers, you are handing the complete name you are looking up to root and TLD servers distributed worldwide, and those servers never need it: a root server only needs to know you want .com, and a .com server only needs networkhoudini.com. Query metadata collected at those servers (who asked for which names, and when) can be captured and analysed for a variety of reasons, and QNAME Minimization simply gives them less to collect.
Does it protect my DNS queries?
No, not on its own. It stops leaking the full name to servers that do not require it, but the queries themselves are usually still sent in plain text, so anyone on the wire (your ISP, etc.) still sees them, and your recursive resolver and the final authoritative server still see the whole name. It belongs in an overall strategy alongside DoH (DNS over HTTPS) or DoT (DNS over TLS), which encrypt the client-to-resolver leg, and DNSSEC, which protects the integrity of the answers but does nothing for privacy.
What resolvers use QNAME Minimization?
DNS software such as BIND and Unbound can be configured to use it: Unbound has the qname-minimisation option (plus qname-minimisation-strict to turn off the fallback to the full name), and BIND 9.14 and later has the qname-minimization option with strict and relaxed settings. The relaxed mode exists because some authoritative servers mishandle the shortened queries, so the resolver retries with the full name rather than failing the lookup. Some public resolvers also use it, such as OpenDNS/Umbrella, Cloudflare, and Google (in places).
Thanks for reading!