1. Home
2. Documentation
3. How it works

What is Query Name Minimisation?

Query Name Minimisation (qname minimisation) is a privacy-enhancing technique for Domain Name System (DNS) resolution that reduces the amount of information sent to upstream name servers. It is designed to limit unnecessary data exposure and mitigate the risk of DNS-based tracking or surveillance.

Traditionally, DNS resolvers send the full domain name (e.g., www.example.com) to each level of the DNS hierarchy, even when that level does not need the entire query. This allows intermediate authoritative servers to see more information than necessary, creating potential privacy risks.

How Query Name Minimisation Works

The concept behind qname minimisation is simple: send only the part of the domain name necessary for each step of the resolution process. This follows the principle of “need-to-know.”

Without qname minimisation (Traditional DNS resolution):

1. The resolver asks the root server: “Where is www.example.com?”
2. The root server refers the resolver to the .com TLD server.
3. The resolver asks the .com TLD server: “Where is www.example.com?”
4. The TLD server refers the resolver to the example.com authoritative server.
5. The resolver asks the example.com server: “Where is www.example.com?”
6. The authoritative server returns the IP address.

At each step, unnecessary parts of the query (www. and example.com) are exposed to servers that do not need them.

With qname minimisation enabled:

1. The resolver asks the root server: “Where is .com?”
2. The root server refers the resolver to the .com TLD server.
3. The resolver asks the .com TLD server: “Where is example.com?”
4. The TLD server refers the resolver to the example.com authoritative server.
5. The resolver asks the example.com server: “Where is www.example.com?”
6. The authoritative server returns the IP address.

By only sending the required portion of the domain name at each step, the resolver limits exposure of the full query to unnecessary parties.

Benefits of Query Name Minimisation

Query Name Minimisation enhances privacy by reducing the amount of data exposed to upstream DNS servers. Traditionally, full domain names are sent to each DNS server during the resolution process, but with qname minimisation, only the necessary parts are shared. This prevents unnecessary tracking by third parties, making it harder for entities to monitor user activity based on DNS queries.

Another key advantage is the reduction of data leakage. Since only the essential components of a domain query are sent at each stage, authoritative name servers and potential adversaries receive minimal information. This limits their ability to observe full query patterns, further protecting user privacy.

In addition to privacy benefits, qname minimisation also improves security. It helps mitigate certain types of attacks, such as DNS metadata collection by malicious actors who attempt to gather intelligence from exposed DNS queries. By restricting the visibility of full domain queries, qname minimisation reduces the risk of data being exploited for surveillance or cyberattacks.

Limitations and Considerations

Despite its advantages, qname minimisation comes with some limitations. One of the main challenges is compatibility. Some older DNS servers do not handle qname minimisation correctly, which can lead to resolution failures or unexpected behaviour. While modern DNS software increasingly supports this feature, network administrators should be aware of potential interoperability issues.

Another consideration is the potential performance impact. Since qname minimisation requires additional queries to be sent at different stages of the resolution process, there may be a slight increase in query latency. However, the trade-off is generally minimal compared to the privacy benefits, and in most cases, users will not notice a significant difference in performance.

Lastly, it is important to understand that qname minimisation is not a complete privacy solution. While it reduces data exposure, it does not encrypt DNS queries. This means that network observers, such as ISPs or adversaries with access to unencrypted DNS traffic, can still see query patterns. For comprehensive privacy, qname minimisation should be used alongside encrypted DNS protocols such as DNS over HTTPS (DoH) or DNS over TLS (DoT), which protect queries from interception and tampering.