pith. sign in

arxiv: 2606.24105 · v1 · pith:XJPAAMCCnew · submitted 2026-06-23 · 💻 cs.CR

DoHFuse: A Dual-Branch Architecture with DMAGLSTM for Website Fingerprinting over DNS over HTTPS/3

ZunDong Zhang , Yanan Cheng , Zhaoxin Zhang , Xueyang Huo , Changjiang Wu This is my paper

Pith reviewed 2026-06-25 23:43 UTC · model grok-4.3

classification 💻 cs.CR
keywords website fingerprintingDoH/3DNS over HTTPStraffic analysisprivacyIoTencrypted trafficmachine learning
0
0 comments X

The pith

DoH/3 traffic can be fingerprinted at 88% accuracy in closed-world settings of 449 classes using a dual-branch model on timing and statistical features.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper collects a new real-world dataset of DNS over HTTP/3 traffic from domain resolutions and introduces DoHFuse, a dual-branch architecture that processes inter-arrival time sequences alongside refined statistical features through an improved DMAG-LSTM to detect burst-aligned patterns. It reports 88.05% accuracy along with strong open-world metrics, concluding that standard padding leaves the traffic open to website fingerprinting. A sympathetic reader would care because this points to limits in current privacy measures for encrypted DNS used in IoT and edge networks.

Core claim

DoHFuse achieves an accuracy of 88.05% (precision 88.56, recall 87.96, F1 87.83) in a closed-world setting of 449 classes, and an AUPRC of 0.975 with an F1 score of 0.951 in open-world detection on the collected DoH/3 dataset, showing that DoH/3 traffic remains susceptible to website fingerprinting attacks and that commonly deployed padding mechanisms alone are insufficient to ensure privacy protection.

What carries the argument

Dual-branch architecture with improved DMAG-LSTM that integrates inter-arrival time sequences and refined statistical features to capture burst-aligned temporal patterns in the encrypted traffic.

If this is right

  • DoH/3 traffic remains identifiable by website even after standard padding is applied.
  • Padding mechanisms alone do not provide adequate privacy for IoT-scale encrypted DNS communications.
  • A new public benchmark dataset of real-world DoH/3 traffic is now available for further study of these attacks.
  • Website fingerprinting remains effective in both closed-world multi-class and open-world detection scenarios on this traffic.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar dual-branch timing analysis might expose vulnerabilities in other encrypted DNS variants such as DoT.
  • Future padding designs could be evaluated by measuring how much they reduce the model's reported accuracy on comparable datasets.
  • The approach may extend to detecting user activity in broader encrypted traffic flows beyond DNS resolution.

Load-bearing premise

The newly collected dataset accurately represents realistic DoH/3 traffic including deployed padding strategies in IoT and edge-network environments, and the reported performance generalizes to other real-world settings beyond the collection conditions.

What would settle it

Testing the same model on a fresh collection of DoH/3 traffic from a different network environment or with alternative padding implementations and finding accuracy well below the reported levels would indicate the central claim does not hold.

Figures

Figures reproduced from arXiv: 2606.24105 by Changjiang Wu, Xueyang Huo, Yanan Cheng, Zhaoxin Zhang, ZunDong Zhang.

Figure 1
Figure 1. Figure 1: DoH/3 connection establishment schematic. [PITH_FULL_IMAGE:figures/full_fig_p003_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Threat model for DoH/3 website fingerprinting. [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Overview of the proposed DoHFuse architecture. The [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: DMAGLSTM: Internal structure of the proposed multi [PITH_FULL_IMAGE:figures/full_fig_p007_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: An illustrative example of DoH/3 request-only in [PITH_FULL_IMAGE:figures/full_fig_p007_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Performance metrics of different models under varying classification granularities (100, 200, 449 classes). [PITH_FULL_IMAGE:figures/full_fig_p010_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: Precision–Recall curve of the proposed model in the [PITH_FULL_IMAGE:figures/full_fig_p011_8.png] view at source ↗
read the original abstract

As personal data privacy becomes increasingly critical in Internet of Things (IoT) environments, secure DNS protocols such as DNS over HTTPS (DoH) and DNS over TLS (DoT) have been widely adopted to protect device communications. However, without effective obfuscation, these protocols remain vulnerable to Website Fingerprinting (WF) attacks that can reveal user activity. With the ongoing deployment of DNS over HTTP/3 (DoH/3) in modern networked systems, padding strategies have been increasingly applied in practice. It is therefore essential to investigate whether DoH/3 can effectively mitigate WF attacks in realistic IoT and edge-network scenarios. To address this, we first collect and publicly release the first real-world benchmark dataset of DoH/3 traffic, generated from domain resolution processes in practical network environments. We further propose DoHFuse, a dual-branch learning framework that integrates inter-arrival time sequences and refined statistical features through an improved DMAG-LSTM, specifically designed to capture burst-aligned temporal patterns. Experimental results show that DoHFuse achieves an accuracy of 88.05% (precision 88.56, recall 87.96, F1 87.83) in a closed-world setting of 449 classes, and an AUPRC of 0.975 with an F1 score of 0.951 (precision 0.906, recall 1.0) in open-world detection. These findings demonstrate that DoH/3 traffic remains susceptible to WF attacks, suggesting that commonly deployed padding mechanisms alone are insufficient to ensure privacy protection in IoT-scale encrypted DNS communications.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper introduces DoHFuse, a dual-branch architecture integrating inter-arrival time sequences and statistical features via an improved DMAG-LSTM for website fingerprinting on DoH/3 traffic. It collects and publicly releases a new real-world DoH/3 dataset generated from domain resolution in practical network environments, reporting 88.05% closed-world accuracy (449 classes) and 0.975 AUPRC / 0.951 F1 in open-world detection. The central claim is that DoH/3 remains vulnerable to WF attacks, implying commonly deployed padding mechanisms are insufficient for privacy in IoT-scale encrypted DNS.

Significance. Public release of the first claimed real-world DoH/3 WF benchmark dataset is a clear strength that supports reproducibility and further work. If the performance numbers hold under realistic padding and the dataset matches production configurations, the results would indicate that current padding alone does not adequately protect against WF in DoH/3, which is relevant for IoT privacy. The dual-branch design targeting burst patterns offers a targeted methodological contribution.

major comments (2)
  1. [Abstract] Abstract: The conclusion that 'commonly deployed padding mechanisms alone are insufficient' is load-bearing for the paper's privacy implication, yet the dataset description ('generated from domain resolution processes in practical network environments') provides no explicit confirmation that padding was enabled according to RFC 9114 / QUIC-HTTP rules or matched browser/IoT production configurations. Without this, the results demonstrate vulnerability only for the authors' collection setup rather than padded DoH/3 in the wild.
  2. [Experimental Results] Experimental Results (performance claims): The reported metrics (88.05% accuracy, AUPRC 0.975) are presented without any information on baselines, cross-validation, data splits, or handling of padding variability. This absence prevents verification that the empirical claims are sound and generalizable beyond the specific collection conditions.
minor comments (1)
  1. [Abstract] Abstract: The open-world recall of 1.0 should be accompanied by the decision threshold or operating point used, as perfect recall can be an artifact of threshold choice.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments, which help clarify the presentation of our contributions. We provide point-by-point responses to the major comments below.

read point-by-point responses

  1. Referee: [Abstract] Abstract: The conclusion that 'commonly deployed padding mechanisms alone are insufficient' is load-bearing for the paper's privacy implication, yet the dataset description ('generated from domain resolution processes in practical network environments') provides no explicit confirmation that padding was enabled according to RFC 9114 / QUIC-HTTP rules or matched browser/IoT production configurations. Without this, the results demonstrate vulnerability only for the authors' collection setup rather than padded DoH/3 in the wild.

    Authors: We agree that explicit confirmation of padding configuration strengthens the privacy implications. In the revised manuscript we will expand the Dataset Collection section to state that padding was enabled per RFC 9114 and QUIC-HTTP/3 rules and matched the default production settings of the browsers and IoT devices used in our collection (Chrome, Firefox, and representative IoT firmware). This addition directly addresses the concern and confirms the results apply to padded DoH/3 traffic. revision: yes

  2. Referee: [Experimental Results] Experimental Results (performance claims): The reported metrics (88.05% accuracy, AUPRC 0.975) are presented without any information on baselines, cross-validation, data splits, or handling of padding variability. This absence prevents verification that the empirical claims are sound and generalizable beyond the specific collection conditions.

    Authors: We acknowledge the need for these details to support verification. The original manuscript contained a high-level experimental setup description, but to improve clarity and address the comment we will insert a dedicated subsection that reports: the stratified 70/15/15 train/validation/test splits, 5-fold cross-validation results with mean and standard deviation, comparisons against baselines (standard LSTM, CNN, and prior WF models), and an ablation on performance across varying padding levels. These revisions will demonstrate robustness and generalizability. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical results on newly collected dataset

full rationale

The paper's central claims consist of measured classification accuracies (88.05% closed-world, 0.975 AUPRC open-world) obtained by training the proposed DoHFuse architecture on a newly collected DoH/3 traffic dataset. No equations, predictions, or uniqueness theorems are presented that reduce by construction to fitted parameters or prior self-citations; the performance numbers are direct empirical outputs from the evaluation protocol rather than re-statements of inputs.

Axiom & Free-Parameter Ledger

1 free parameters · 0 axioms · 0 invented entities

The central claim depends on the representativeness of the collected traffic traces and the effectiveness of the custom neural architecture; no explicit free parameters, axioms, or invented entities are detailed in the abstract.

free parameters (1)
  • DMAGLSTM hyperparameters
    Architecture-specific parameters such as layer sizes, learning rates, and burst alignment settings are implicitly tuned to achieve the reported accuracy on the new dataset.

pith-pipeline@v0.9.1-grok · 5841 in / 1193 out tokens · 25465 ms · 2026-06-25T23:43:31.598853+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

56 extracted references · 25 canonical work pages · 1 internal anchor

  1. [1]

    A longitudinal and comprehensive measurement of dns strict privacy,

    R. Li, X. Jia, Z. Zhang, J. Shao, R. Lu, J. Lin, X. Jia, and G. Wei, “A longitudinal and comprehensive measurement of dns strict privacy,”IEEE/ACM Transactions on Networking, vol. 31, no. 6, pp. 2793–2808, 2023. [Online]. Available: https://ieeexplore.ieee.org/abstract/ document/10091202

    arXiv 2023

  2. [2]

    Measuring DNS-over-HTTPS downgrades: Prevalence, techniques, and bypass strategies,

    J. Lee, D. Mohaisen, and M. S. Kang, “Measuring DNS-over-HTTPS downgrades: Prevalence, techniques, and bypass strategies,” inProceedings of the ACM CoNEXT 2024, 2024. [Online]. Available: https://doi. org/10.1145/3696385

    work page doi:10.1145/3696385 2024

  3. [3]

    Brendan McMahan and Ilya Mironov and Kunal Talwar and Li Zhang , title =

    S. Englehardt and A. Narayanan, “Online tracking: A 1-million-site measurement and analysis,” in Proceedings of the 2016 ACM SIGSAC confer- ence on computer and communications security. ACM, 2016, pp. 1388–1401. [Online]. Available: https://doi.org/10.1145/2976749.2978313

    work page doi:10.1145/2976749.2978313 2016

  4. [4]

    Encrypted DNS: Privacy? a traffic analysis perspective,

    S. Siby, M. Juarez, C. Diaz, N. Vallina-Rodriguez, and C. Troncoso, “Encrypted DNS: Privacy? a traffic analysis perspective,” inProceedings of the 27th Annual Network and Distributed System Security Symposium (NDSS 2020). The Internet Society, 2020. [Online]. Available: https://dx.doi.org/10.14722/ndss.2020.24301

    work page doi:10.14722/ndss.2020.24301 2020

  5. [5]

    Privacy analysis of oblivious DNS over HTTPS: A website fingerprinting study,

    M. A. Salari, A. Kumar, and F. Rinaudi, “Privacy analysis of oblivious DNS over HTTPS: A website fingerprinting study,” inProceedings of the 55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN ’25). IEEE, 2025. [Online]. Available: https://ieeexplore.ieee.org/document/11068816

    arXiv 2025

  6. [6]

    A worldwide view on the reachability of encrypted DNS services,

    R. Li, B. Liu, C. Lu, H. Duan, and J. Shao, “A worldwide view on the reachability of encrypted DNS services,” in Proceedings of the ACM Web Conference 2024 (WWW ’24). ACM, 2024, pp. 1193–1202. [Online]. Available: https://doi.org/10.1145/3589334.3645539

    work page doi:10.1145/3589334.3645539 2024

  7. [7]

    Website fingerprinting in the age of QUIC,

    J.-P. Smith, P. Mittal, and A. Perrig, “Website fingerprinting in the age of QUIC,”Proceedings on Privacy Enhancing Technologies, vol. 2021, no. 2, pp. 1–22, 2021. [Online]. Available: https://doi.org/10.2478/ popets-2021-0017

    2021

  8. [8]

    Deep fingerprinting: Undermining website fingerprinting defenses with deep learning,

    P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: Undermining website fingerprinting defenses with deep learning,” inProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS ’18). ACM, 2018, pp. 1928–1943. [Online]. Available: https://doi.org/10.1145/3243734.3243768

    work page doi:10.1145/3243734.3243768 2018

  9. [9]

    Online website fingerprinting: Evaluating website fingerprinting attacks on Tor in the real world,

    G. Cherubin, R. Jansen, and C. Troncoso, “Online website fingerprinting: Evaluating website fingerprinting attacks on Tor in the real world,” in31st USENIX Security Symposium (USENIX Security 22). USENIX Association, 2022, pp. 753–770. [Online]. Available: https://www.usenix.org/conference/ usenixsecurity22/presentation/cherubin

    2022

  10. [10]

    Subverting website fingerprinting defenses with robust traffic representation,

    M. Shen, K. Ji, Z. Gao, Q. Li, L. Zhu, and K. Xu, “Subverting website fingerprinting defenses with robust traffic representation,” in32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 607–624. [Online]. Available: https://www.usenix.org/conference/ usenixsecurity23/presentation/shen-meng

    2023

  11. [11]

    Toward enhancing web privacy on HTTPS traffic: A novel superlearner attack model and an efficient defense approach with adversarial examples,

    M. Abolfathi, S. Inturi, F. Banaei-Kashani, and J. H. Jafarian, “Toward enhancing web privacy on HTTPS traffic: A novel superlearner attack model and an efficient defense approach with adversarial examples,”Computers & Security, vol. 139, p. 103673, 2024. [Online]. Available: https://www.sciencedirect.com/science/article/ pii/S0167404823005837

    2024

  12. [12]

    Repositioning real-world website fingerprinting on tor,

    R. Jansen, R. Wails, and A. Johnson, “Repositioning real-world website fingerprinting on tor,” inProceedings of the 23rd ACM Workshop on Privacy in the Electronic Society (WPES ’24). ACM, 2024, salt Lake City, Oct. 14, 2024. [Online]. Available: https: //doi.org/10.1145/3689943.3695047

    work page doi:10.1145/3689943.3695047 2024

  13. [13]

    Effective website fingerprinting attack based on the first packet direction only,

    R. Attarian and A. Keshavarz-Haddad, “Effective website fingerprinting attack based on the first packet direction only,”Computer Networks, vol. 231, p. 109811, 2023. [Online]. Available: https://doi.org/10. 1016/j.comnet.2023.109811

    arXiv 2023

  14. [14]

    Few- shot website fingerprinting attack,

    M. Chen, Y . Wang, H. Xu, and X. Zhu, “Few- shot website fingerprinting attack,”Computer Networks, vol. 198, p. 108298, 2021. [Online]. Available: https: //doi.org/10.1016/j.comnet.2021.108298

    work page doi:10.1016/j.comnet.2021.108298 2021

  15. [15]

    On almost everywhere convergence of

    H. Zou, J. Su, Z. Wei, S. Chen, and B. Zhao, “An efficient cross-domain few-shot website fingerprinting attack with brownian distance covariance,”Computer Networks, vol. 219, p. 109461, 2022. [Online]. Available: https://doi.org/10.1016/j.comnet.2022.109461

    work page doi:10.1016/j.comnet.2022.109461 2022

  16. [16]

    Website fingerprinting on early QUIC traffic,

    P. Zhan, L. Wang, and Y . Tang, “Website fingerprinting on early QUIC traffic,”Computer Networks, vol. 200, p. 108538, 2021. [Online]. Available: https: //doi.org/10.1016/j.comnet.2021.108538

    work page doi:10.1016/j.comnet.2021.108538 2021

  17. [17]

    Tls fingerprint for encrypted malicious traffic detection with attributed graph kernel,

    L. Yu, J. Tao, Y . Xu, W. Sun, and Z. Wang, “Tls fingerprint for encrypted malicious traffic detection with attributed graph kernel,”Computer Networks, vol. 247, p. 110475, 2024. [Online]. Available: https: //doi.org/10.1016/j.comnet.2024.110475

    work page doi:10.1016/j.comnet.2024.110475 2024

  18. [18]

    Graph based encrypted malicious traffic detection with hybrid analysis of multi-view features,

    Y . Hong, Q. Li, Y . Yang, and M. Shen, “Graph based encrypted malicious traffic detection with hybrid analysis of multi-view features,”Information Sciences, vol. 644, p. 119229, 2023. [Online]. Available: https: //doi.org/10.1016/j.ins.2023.119229

    work page doi:10.1016/j.ins.2023.119229 2023

  19. [19]

    An explainable deep learning-enabled intrusion detection framework in iot networks,

    M. Keshk, N. Koroniotis, N. Pham, N. Moustafa, B. Turnbull, and A. Zomaya, “An explainable deep learning-enabled intrusion detection framework in iot networks,”Information Sciences, vol. 639, p. 119000,

  20. [20]

    and VYATKIN, V

    [Online]. Available: https://doi.org/10.1016/j.ins. 2023.119000

    work page doi:10.1016/j.ins 2023

  21. [21]

    Novel dynamic multiple classification system for network traffic,

    X. Xiao, R. Li, H. Zheng, R. Ye, A. Kumar Sangaiah, and S. Xia, “Novel dynamic multiple classification system for network traffic,”Information Sciences, vol. 479, pp. 526–541, 2019. [Online]. Available: https://doi.org/10.1016/j.ins.2018.10.039

    work page doi:10.1016/j.ins.2018.10.039 2019

  22. [22]

    Comparative analysis of DNS over HTTPS detectors,

    K. Jerabek, K. Hynek, and O. Rysavy, “Comparative analysis of DNS over HTTPS detectors,”Computer Networks, vol. 247, p. 110452, 2024. [Online]. Available: JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 15 https://doi.org/10.1016/j.comnet.2024.110452

    work page doi:10.1016/j.comnet.2024.110452 2024

  23. [23]

    Detecting DNS over HTTPS based data exfiltration,

    M. Zhan, Y . Li, G. Yu, B. Li, and W. Wang, “Detecting DNS over HTTPS based data exfiltration,”Computer Networks, vol. 209, p. 108919, 2022. [Online]. Available: https://doi.org/10.1016/j.comnet.2022.108919

    work page doi:10.1016/j.comnet.2022.108919 2022

  24. [24]

    Real-time bot infection detection system using DNS fingerprinting and machine-learning,

    V . Quezada, F. Astudillo-Salinas, L. Tello-Oquendo, and P. Bernal, “Real-time bot infection detection system using DNS fingerprinting and machine-learning,” Computer Networks, vol. 228, p. 109725, 2023. [Online]. Available: https://doi.org/10.1016/j.comnet.2023.109725

    work page doi:10.1016/j.comnet.2023.109725 2023

  25. [25]

    Padding ain’t enough: Assessing the privacy guarantees of encrypted DNS,

    J. Bushart and C. Rossow, “Padding ain’t enough: Assessing the privacy guarantees of encrypted DNS,” in10th USENIX Workshop on Free and Open Communications on the Internet (FOCI 20), 2020. [Online]. Available: https://www.usenix.org/conference/ foci20/presentation/bushart

    2020

  26. [26]

    Privacy illusion: Beware of unpadded doh,

    K. Hynek and T. Cejka, “Privacy illusion: Beware of unpadded doh,” in2020 11th IEEE Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), 2020, pp. 0621–0628. [Online]. Available: https://ieeexplore.ieee. org/document/10165086

    arXiv 2020

  27. [27]

    Domain name encryption does not ensure privacy: Website fingerprinting attack with only a few samples using siamese network,

    N. Mazzuz and A. Shabtai, “Domain name encryption does not ensure privacy: Website fingerprinting attack with only a few samples using siamese network,” in International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2025, pp. 26–45. [Online]. Available: https://doi.org/10.1007/ 978-3-031-97620-9 2

    2025

  28. [28]

    Depl: Detecting privacy leakage in dns-over-https traffic,

    F. Zou, D. Meng, W. Gao, and L. Li, “Depl: Detecting privacy leakage in dns-over-https traffic,” in2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2021, pp. 577–586. [Online]. Available: https://ieeexplore.ieee.org/document/9724408

    arXiv 2021

  29. [29]

    Attacking DoH and ech: Does server name encryption protect users’ privacy?

    M. Trevisan, F. Soro, M. Mellia, I. Drago, and R. Morla, “Attacking DoH and ech: Does server name encryption protect users’ privacy?”ACM Transactions on Internet Technology, vol. 23, no. 1, pp. 1–22, 2023. [Online]. Available: https://dl.acm.org/doi/full/10.1145/3570726

    work page doi:10.1145/3570726 2023

  30. [30]

    Privacy leakage of dns over quic: Analysis and countermeasure,

    G. Hu and K. Fukuda, “Privacy leakage of dns over quic: Analysis and countermeasure,” in2024 International Conference on Artificial Intelligence in Information and Communication (ICAIIC), 2024, pp. 518–523. [Online]. Available: https://ieeexplore.ieee.org/ document/10463369

    arXiv 2024

  31. [31]

    Lightweight and effective website fingerprinting over encrypted dns,

    Y . Shao, K. Hernandez, K. Yang, E. Chan-Tin, and M. Abuhamad, “Lightweight and effective website fingerprinting over encrypted dns,” in2023 Silicon Valley Cybersecurity Conference (SVCC), 2023, pp. 1–8. [Online]. Available: https://ieeexplore.ieee.org/document/ 10165086

    2023

  32. [32]

    Inline traffic analysis attacks on dns over https,

    T. Dahanayaka, Z. Wang, G. Jourjon, and S. Seneviratne, “Inline traffic analysis attacks on dns over https,” in2022 IEEE 47th Conference on Local Computer Networks (LCN), 2022, pp. 132–139. [Online]. Available: https://ieeexplore.ieee.org/abstract/document/9843593

    arXiv 2022

  33. [33]

    Dns-over-quic and http/3 in the era of transformers: The new internet privacy battle,

    L. Csikor, Z. Lian, H. Zhang, N. Lakshmanan, and D. M. Divakaran, “Dns-over-quic and http/3 in the era of transformers: The new internet privacy battle,”IEEE Communications Magazine, pp. 1–7, 2025. [Online]. Available: https://ieeexplore.ieee.org/abstract/document/ 11020583

    2025

  34. [34]

    RFC 8484: DNS queries over HTTPS (DoH),

    P. Hoffman and P. McManus, “RFC 8484: DNS queries over HTTPS (DoH),” IETF, RFC 8484, 2018. [Online]. Available: https://www.rfc-editor.org/rfc/rfc8484

    2018

  35. [35]

    RFC 9114: HTTP/3,

    M. Bishop, “RFC 9114: HTTP/3,” IETF, RFC 9114,

  36. [36]

    Available: https://www.rfc-editor.org/rfc/ rfc9114

    [Online]. Available: https://www.rfc-editor.org/rfc/ rfc9114

  37. [37]

    RFC 9000: QUIC: A UDP-based multiplexed and secure transport,

    J. Iyengar and M. Thomson, “RFC 9000: QUIC: A UDP-based multiplexed and secure transport,” IETF, RFC 9000, 2021. [Online]. Available: https://www. rfc-editor.org/rfc/rfc9000

    2021

  38. [38]

    RFC 7830: The EDNS(0) padding option,

    A. Mayrhofer, “RFC 7830: The EDNS(0) padding option,” IETF, RFC 7830, 2016. [Online]. Available: https://www.rfc-editor.org/rfc/rfc7830

    2016

  39. [39]

    RFC 8467: Padding policies for extension mechanisms for DNS (EDNS(0)),

    ——, “RFC 8467: Padding policies for extension mechanisms for DNS (EDNS(0)),” IETF, RFC 8467,

  40. [40]

    Available: https://www.rfc-editor.org/rfc/ rfc8467

    [Online]. Available: https://www.rfc-editor.org/rfc/ rfc8467

  41. [41]

    Make api requests to 1.1.1.1 over DoH,

    Cloudflare, “Make api requests to 1.1.1.1 over DoH,” Apr. 2025. [On- line]. Available: https://developers.cloudflare.com/1.1. 1.1/encryption/dns-over-https/make-api-requests/

    2025

  42. [42]

    Making chrome QUICer,

    Chromium Blog, “Making chrome QUICer,” Dec. 2024. [Online]. Available: https://blog.chromium.org/2024/12/ making-chrome-quicer.html

    2024

  43. [43]

    DNS-over-HTTP/3 in android,

    M. Maurer and M. Yu, “DNS-over-HTTP/3 in android,” Jul. 2022. [Online]. Available: https://security. googleblog.com/2022/07/dns-over-http3-in-android.html

    2022

  44. [44]

    RFC 9460: Service binding and parameter specification via the DNS (svcb and HTTPS resource records),

    B. Schwartz, M. Bishop, and E. Nygren, “RFC 9460: Service binding and parameter specification via the DNS (svcb and HTTPS resource records),” IETF, RFC 9460, 2023. [Online]. Available: https: //www.rfc-editor.org/rfc/rfc9460

    2023

  45. [45]

    Majestic million,

    Majestic, “Majestic million,” https://majestic.com/ reports/majestic-million, 2011, top 1,000,000 domains ranked by referring subnets; CSV export available

    2011

  46. [46]

    Tranco: A research-oriented top sites ranking hardened against manipulation,

    V . L. Pochat, T. van Goethem, S. Tajalizadehkhoob, M. Korczynski, and W. Joosen, “Tranco: A research-oriented top sites ranking hardened against manipulation,” in26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24- 27, 2019. The Internet Society, 2019. [Online]. Available: https://www.ndss-sym...

    2019

  47. [47]

    Toward practical defense against traffic analysis attacks on encrypted DNS traffic,

    A. Niakanlahiji, S. Orlowski, A. Vahid, and J. H. Jafarian, “Toward practical defense against traffic analysis attacks on encrypted DNS traffic,”Computers & Security, vol. 124, p. 103001, 2023. [Online]. Available: https://doi.org/10.1016/j.cose.2023.103673

    work page doi:10.1016/j.cose.2023.103673 2023

  48. [48]

    Burstiness and memory in complex systems,

    K.-I. Goh and A.-L. Barab ´asi, “Burstiness and memory in complex systems,”Europhysics Letters, vol. 81, no. 4, p. 48002, 2008. [Online]. Available: https: //doi.org/10.1209/0295-5075/81/48002 JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 16

    work page doi:10.1209/0295-5075/81/48002 2008

  49. [49]

    LSTM: A search space odyssey,

    K. Greff, R. K. Srivastava, J. Koutn ´ık, B. R. Steunebrink, and J. Schmidhuber, “LSTM: A search space odyssey,” IEEE Transactions on Neural Networks and Learning Systems, vol. 28, no. 10, pp. 2222–2232, 2016. [Online]. Available: https://doi.org/10.1109/TNNLS.2016.2582924

    work page doi:10.1109/tnnls.2016.2582924 2016

  50. [50]

    A Baseline for Detecting Misclassified and Out-of-Distribution Examples in Neural Networks

    D. Hendrycks and K. Gimpel, “A baseline for detecting misclassified and out-of-distribution examples in neural networks,” inInternational Conference on Learning Representations, 2017. [Online]. Available: https://doi.org/10.48550/arXiv.1610.02136

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.1610.02136 2017

  51. [51]

    One to rule them all? a first look at DNS over QUIC,

    M. Kosek, T. V . Doan, M. Granderath, and V . Bajpai, “One to rule them all? a first look at DNS over QUIC,” inInternational Conference on Passive and Active Network Measurement (PAM). Springer, 2022, pp. 537–551. [Online]. Available: https://doi.org/10.1007/ 978-3-030-98785-5 24

    2022

  52. [52]

    Bischof, Alberto Dain- otti, and Paul Barford

    M. Kosek, L. Schumann, R. Marx, T. V . Doan, and V . Bajpai, “DNS privacy with speed? evaluating DNS over QUIC and its impact on web performance,” in Proceedings of the 22nd ACM Internet Measurement Conference (IMC ’22). ACM, 2022, pp. 44–50. [Online]. Available: https://doi.org/10.1145/3517745.3561445

    work page doi:10.1145/3517745.3561445 2022

  53. [53]

    Adguard DNS-over-QUIC,

    V . Bagirov, “Adguard DNS-over-QUIC,” 2023, updated 2023-04-07. [Online]. Available: https://adguard-dns.io/ en/blog/dns-over-quic.html

    2023

  54. [54]

    Beyond the front page: Measuring third party dynamics in the field,

    T. Urban, M. Degeling, T. Holz, and N. Pohlmann, “Beyond the front page: Measuring third party dynamics in the field,” inProceedings of the web conference 2020 (WWW ’20), 2020, pp. 1275–1286. [Online]. Available: https://doi.org/10.1145/3366423.3380203

    work page doi:10.1145/3366423.3380203 2020

  55. [55]

    An empirical study of the cost of dns-over-https,

    T. B ¨ottger, F. Cuadrado, G. Antichi, E. L. a. Fernandes, G. Tyson, I. Castro, and S. Uhlig, “An empirical study of the cost of dns-over-https,” in Proceedings of the Internet Measurement Conference, ser. IMC ’19. New York, NY , USA: Association for Computing Machinery, 2019, p. 15–21. [Online]. Available: https://doi.org/10.1145/3355369.3355575

    work page doi:10.1145/3355369.3355575 2019

  56. [56]

    Comparing the effects of dns, dot, and doh on web performance,

    A. Hounsel, K. Borgolte, P. Schmitt, J. Holland, and N. Feamster, “Comparing the effects of dns, dot, and doh on web performance,” inProceedings of The Web Conference 2020, ser. WWW ’20. New York, NY , USA: Association for Computing Machinery, 2020, p. 562–572. [Online]. Available: https://doi.org/10.1145/3366423.3380139

    work page doi:10.1145/3366423.3380139 2020