{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T16:05:52Z","timestamp":1775837152317,"version":"3.50.1"},"reference-count":48,"publisher":"Association for Computing Machinery (ACM)","issue":"CoNEXT4","license":[{"start":{"date-parts":[[2024,11,25]],"date-time":"2024-11-25T00:00:00Z","timestamp":1732492800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Netw."],"published-print":{"date-parts":[[2024,12]]},"abstract":"<jats:p>DNS-over-HTTPS (DoH) is a privacy-enhancing protocol that encrypts plaintext query data in DNS resolution. However, DoH often faces accessibility challenges due to phenomena known as DoH downgrades, where DoH queries are reverted to plaintext DNS queries. Unlike downgrades in other security protocols, which are undoubtedly malicious, the act of downgrading DoH queries can be both desirable and undesirable depending on the context; e.g., enterprise networks are officially advised to avoid or downgrade DoH for security reasons. Recent research has drawn attention to the deeper examination of the phenomena of DoH downgrades, focusing on the prevalence, techniques, and potential bypass strategies. However, existing studies on DoH downgrades have several limitations, notably that they severely overestimate the severity of DoH downgrades across the globe as they lack any distinction between desirable and undesirable downgrades of DoH. In this work, we conduct a large-scale measurement study to provide a more accurate depiction of the DoH downgrade landscape. By minimizing the influence of desirable downgrades of DoH in our measurement probes, we show a skewed long-tail distribution of DoH downgrades across the globe. Our stateful probing techniques also reveal hidden DoH filtering mechanisms that were previously undetected. Furthermore, we design near perfect bypass strategies against existing DoH downgrades. Our study expands our limited understanding of DoH downgrades, offering a more accurate, fine-grained, and comprehensive view of the phenomena.<\/jats:p>","DOI":"10.1145\/3696385","type":"journal-article","created":{"date-parts":[[2024,11,25]],"date-time":"2024-11-25T11:15:47Z","timestamp":1732533347000},"page":"1-22","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Measuring DNS-over-HTTPS Downgrades: Prevalence, Techniques, and Bypass Strategies"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-6954-0571","authenticated-orcid":false,"given":"Jinseo","family":"Lee","sequence":"first","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3227-2505","authenticated-orcid":false,"given":"David","family":"Mohaisen","sequence":"additional","affiliation":[{"name":"University of Central Florida, Orlando, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8334-2262","authenticated-orcid":false,"given":"Min Suk","family":"Kang","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}]}],"member":"320","published-online":{"date-parts":[[2024,11,25]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","unstructured":"Donald E. Eastlake 3rd. 2011. Transport Layer Security (TLS) Extensions: Extension Definitions. RFC 6066. https:\/\/doi.org\/10.17487\/RFC6066","DOI":"10.17487\/RFC6066"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813707"},{"key":"e_1_2_1_3_1","volume-title":"Visible ASNs: Customer Populations (Est.). https:\/\/stats.labs.apnic.net\/aspop Retrieved","author":"APNIC.","year":"2024","unstructured":"APNIC. 2024. Visible ASNs: Customer Populations (Est.). https:\/\/stats.labs.apnic.net\/aspop Retrieved April, 2024 from"},{"key":"e_1_2_1_4_1","volume-title":"Proceedings of the 2021 NDSS DNS Privacy Workshop (Virtual Event) (DNSPRIV '21)","author":"Basso Simone","year":"2021","unstructured":"Simone Basso. 2021. Measuring DoT\/DoH blocking using OONI probe: a preliminary study. In Proceedings of the 2021 NDSS DNS Privacy Workshop (Virtual Event) (DNSPRIV '21). The Internet Society, Reston, VA, USA, 10 pages. https:\/\/www.ndss-symposium.org\/ndss-paper\/auto-draft-123\/"},{"key":"e_1_2_1_5_1","volume-title":"ts-028-dnscheck. OONI. https:\/\/github.com\/ooni\/spec\/blob\/master\/nettests\/ts-028-dnscheck.md Retrieved","author":"Basso Simone","year":"2024","unstructured":"Simone Basso. 2022. ts-028-dnscheck. OONI. https:\/\/github.com\/ooni\/spec\/blob\/master\/nettests\/ts-028-dnscheck.md Retrieved April, 2024 from"},{"key":"e_1_2_1_6_1","volume-title":"DNSCurve: Usable security for DNS. DNSCurve. https:\/\/dnscurve.org Retrieved","author":"Bernstein Daniel Julius","year":"2023","unstructured":"Daniel Julius Bernstein. 2009. DNSCurve: Usable security for DNS. DNSCurve. https:\/\/dnscurve.org Retrieved August, 2023 from"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.39"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-28486-1_23"},{"key":"e_1_2_1_9_1","volume-title":"Anonymous, Louis-Henri Merino, David Fifield, Amir Houmansadr, and Dave Levin.","author":"Bock Kevin","year":"2020","unstructured":"Kevin Bock, iyouport, Anonymous, Louis-Henri Merino, David Fifield, Amir Houmansadr, and Dave Levin. 2020. Exposing and Circumventing China's Censorship of ESNI. Technical Report. Geneva."},{"key":"e_1_2_1_10_1","volume-title":"Proceedings of the 2021 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (Virtual Event) (APSIPA ASC '21). IEEE","author":"Gonzalez Casanova Lionel F","year":"2021","unstructured":"Lionel F Gonzalez Casanova and Po-Chiang Lin. 2021. Generalized Classification of DNS over HTTPS Traffic with Deep Learning. In Proceedings of the 2021 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (Virtual Event) (APSIPA ASC '21). IEEE, New York, NY, USA, 1903--1907. https:\/\/ieeexplore.ieee.org\/document\/9689667"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3487552.3487849"},{"key":"e_1_2_1_12_1","volume-title":"https:\/\/www.chromium.org\/Home\/ Retrieved","author":"Projects The Chromium","year":"2023","unstructured":"The Chromium Projects. 2023. Chromium. https:\/\/www.chromium.org\/Home\/ Retrieved June, 2023 from"},{"key":"e_1_2_1_13_1","volume-title":"China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI. ZDNet. https:\/\/www.zdnet.com\/article\/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1--3-and-esni\/ Retrieved","author":"Cimpanu Catalin","year":"2023","unstructured":"Catalin Cimpanu. 2020. China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI. ZDNet. https:\/\/www.zdnet.com\/article\/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1--3-and-esni\/ Retrieved August, 2023 from"},{"key":"e_1_2_1_14_1","volume-title":"DHS CISA to provide DoH and DoT servers for government use. ZDNet. https:\/\/www.zdnet.com\/article\/dhs-cisa-to-provide-doh-and-dot-servers-for-government-use\/ Retrieved","author":"Cimpanu Catalin","year":"2024","unstructured":"Catalin Cimpanu. 2020. DHS CISA to provide DoH and DoT servers for government use. ZDNet. https:\/\/www.zdnet.com\/article\/dhs-cisa-to-provide-doh-and-dot-servers-for-government-use\/ Retrieved March, 2024 from"},{"key":"e_1_2_1_15_1","volume-title":"NSA warns against using DoH inside enterprise networks. ZDNet. https:\/\/www.zdnet.com\/article\/nsa-warns-against-using-doh-inside-enterprise-networks\/ Retrieved","author":"Cimpanu Catalin","year":"2024","unstructured":"Catalin Cimpanu. 2021. NSA warns against using DoH inside enterprise networks. ZDNet. https:\/\/www.zdnet.com\/article\/nsa-warns-against-using-doh-inside-enterprise-networks\/ Retrieved March, 2024 from"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00026"},{"key":"e_1_2_1_17_1","volume-title":"DNS Privacy Project. https:\/\/dnsprivacy.org\/public_resolvers\/ Retrieved","author":"Dickinson Sara","year":"2023","unstructured":"Sara Dickinson. 2023. Public Resolvers. DNS Privacy Project. https:\/\/dnsprivacy.org\/public_resolvers\/ Retrieved June, 2023 from"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1515\/popets-2015-0009"},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the 2nd USENIX Workshop on Free and Open Communications on the Internet","author":"Filasto Arturo","year":"2012","unstructured":"Arturo Filasto and Jacob Appelbaum. 2012. OONI: open observatory of network interference. In Proceedings of the 2nd USENIX Workshop on Free and Open Communications on the Internet (Bellevue, WA, USA) (FOCI '12). USENIX Association, Berkeley, CA, USA, 8 pages. https:\/\/www.usenix.org\/conference\/foci12\/workshop-program\/presentation\/filast%C3%B2"},{"key":"e_1_2_1_20_1","unstructured":"Christian Grothoff Matthias Wachs Monika Ermert and Jacob Appelbaum. 2015. NSA's MORECOWBELL: Knell for DNS. Technical Report. GNUnet e.V. Halle Germany."},{"key":"e_1_2_1_21_1","volume-title":"Zero-Knowledge Middleboxes. In Proceedings of the 31st USENIX Security Symposium","author":"Grubbs Paul","year":"2022","unstructured":"Paul Grubbs, Arasu Arun, Ye Zhang, Joseph Bonneau, and Michael Walfish. 2022. Zero-Knowledge Middleboxes. In Proceedings of the 31st USENIX Security Symposium (Boston, MA, USA) (USENIX Security '22). USENIX Association, Berkeley, CA, USA, 4255--4272. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/grubbs"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-75551-7_10"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-98785-5_23"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC8484"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046730"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7858"},{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the 10th USENIX Workshop on Free and Open Communications on the Internet (Virtual Event) (FOCI '20)","author":"Huang Qing","year":"2020","unstructured":"Qing Huang, Deliang Chang, and Zhou Li. 2020. A Comprehensive Study of DNS-over-HTTPS Downgrade Attack. In Proceedings of the 10th USENIX Workshop on Free and Open Communications on the Internet (Virtual Event) (FOCI '20). USENIX Association, Berkeley, CA, USA, 8 pages. https:\/\/www.usenix.org\/conference\/foci20\/presentation\/huang"},{"key":"e_1_2_1_28_1","volume-title":"The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics. The Intercept_. https:\/\/theintercept.com\/document\/nsa-gchqs-quantumtheory-hacking-tactics\/ Retrieved","author":"The","year":"2023","unstructured":"The Intercept_. 2014. The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics. The Intercept_. https:\/\/theintercept.com\/document\/nsa-gchqs-quantumtheory-hacking-tactics\/ Retrieved June, 2023 from"},{"key":"e_1_2_1_29_1","volume-title":"https:\/\/ipinfo.io\/products\/asn-api Retrieved","author":"ASN","year":"2024","unstructured":"IPinfo. 2024. ASN API. https:\/\/ipinfo.io\/products\/asn-api Retrieved April, 2024 from"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3450084"},{"key":"e_1_2_1_31_1","volume-title":"kdig -- Advanced DNS lookup utility. Knot DNS. https:\/\/www.knot-dns.cz\/docs\/2.6\/html\/man_kdig.html Retrieved","author":"Knot DNS.","year":"2024","unstructured":"Knot DNS. 2018. kdig -- Advanced DNS lookup utility. Knot DNS. https:\/\/www.knot-dns.cz\/docs\/2.6\/html\/man_kdig.html Retrieved March, 2024 from"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3355369.3355580"},{"key":"e_1_2_1_33_1","volume-title":"GeoLite2 Free Geolocation Data. https:\/\/dev.maxmind.com\/geoip\/geolite2-free-geolocation-data Retrieved","year":"2023","unstructured":"MaxMind. 2023. GeoLite2 Free Geolocation Data. https:\/\/dev.maxmind.com\/geoip\/geolite2-free-geolocation-data Retrieved June, 2023 from"},{"key":"e_1_2_1_34_1","volume-title":"Firefox for Desktop. https:\/\/www.mozilla.org\/en-US\/firefox\/new\/ Retrieved","author":"Mozilla Corporation","year":"2023","unstructured":"Mozilla Corporation. 2023. Firefox for Desktop. https:\/\/www.mozilla.org\/en-US\/firefox\/new\/ Retrieved June, 2023 from"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.5555\/3241189.3241215"},{"key":"e_1_2_1_36_1","volume-title":"The Interconnection Database. https:\/\/www.peeringdb.com\/ Retrieved","author":"DB.","year":"2024","unstructured":"PeeringDB. 2024. The Interconnection Database. https:\/\/www.peeringdb.com\/ Retrieved April, 2024 from"},{"key":"e_1_2_1_37_1","volume-title":"Become a Peer. https:\/\/www.proxyrack.com\/become-a-peer\/ Retrieved","year":"2023","unstructured":"Proxyrack. 2023. Become a Peer. https:\/\/www.proxyrack.com\/become-a-peer\/ Retrieved June, 2023 from"},{"key":"e_1_2_1_38_1","volume-title":"https:\/\/www.proxyrack.com\/residential-proxies\/ Retrieved","author":"Proxyrack Residential Proxies","year":"2023","unstructured":"Proxyrack. 2023. Residential Proxies | Proxyrack. https:\/\/www.proxyrack.com\/residential-proxies\/ Retrieved May, 2023 from"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCC58397.2023.10217976"},{"key":"e_1_2_1_40_1","volume-title":"Wood","author":"Rescorla Eric","year":"2020","unstructured":"Eric Rescorla, Kazuho Oku, Nick Sullivan, and Christopher A. Wood. 2020. Encrypted Server Name Indication for TLS 1.3. Internet-Draft draft-ietf-tls-esni-06. Internet Engineering Task Force. https:\/\/datatracker.ietf.org\/doc\/draft-ietf-tls-esni\/06\/ Expired."},{"key":"e_1_2_1_41_1","volume-title":"Wood","author":"Rescorla Eric","year":"2023","unstructured":"Eric Rescorla, Kazuho Oku, Nick Sullivan, and Christopher A. Wood. 2023. TLS Encrypted Client Hello. Internet-Draft draft-ietf-tls-esni-17. Internet Engineering Task Force. https:\/\/datatracker.ietf.org\/doc\/draft-ietf-tls-esni\/17\/ Work in Progress."},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2011.111214"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-16161-2_27"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00031"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3407023.3409192"},{"key":"e_1_2_1_46_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium","author":"Wustrow Eric","unstructured":"Eric Wustrow, Colleen M. Swanson, and J. Alex Halderman. 2014. TapDance: End-to-Middle Anticensorship without Flow Blocking. In Proceedings of the 23rd USENIX Security Symposium (San Diego, CA, USA) (USENIX Security '14). USENIX Association, Berkeley, CA, USA, 159--174. https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/wustrow"},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the 20th USENIX Security Symposium","author":"Wustrow Eric","unstructured":"Eric Wustrow, Scott Wolchok, Ian Goldberg, and J. Alex Halderman. 2011. Telex: Anticensorship in the Network Infrastructure. In Proceedings of the 20th USENIX Security Symposium (San Francisco, CA, USA) (USENIX Security '11). USENIX Association, Berkeley, CA, USA, 30. https:\/\/www.usenix.org\/conference\/usenix-security-11\/telex-anticensorship-network-infrastructure"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.18"}],"container-title":["Proceedings of the ACM on Networking"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696385","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696385","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T01:24:58Z","timestamp":1755912298000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696385"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,25]]},"references-count":48,"journal-issue":{"issue":"CoNEXT4","published-print":{"date-parts":[[2024,12]]}},"alternative-id":["10.1145\/3696385"],"URL":"https:\/\/doi.org\/10.1145\/3696385","relation":{},"ISSN":["2834-5509"],"issn-type":[{"value":"2834-5509","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,11,25]]},"assertion":[{"value":"2024-11-25","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}