The sizes of DNS queries and their responses are among the most important features that can be used to classify encrypted DNS traffic.
To mitigate this, implementing padding is essential and is mentioned in the DoH specification (RFC8484).
Padding can be done with HTTP/2 padding frames (RFC7540 § 6.1), by rewriting DNS packets to include or remove the EDNS(0) padding option (RFC7830), or by adding a dummy HTTP/2 header (guaranteed to not be compressed) to make the total length a multiple of the block size.
For DoT, DNS packets must be modified to add or remove the EDNS(0) padding option.
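The EDNS(0) padding option route (RFC 7830) is the one that works for both DoH and DoT, so here is a worked example of it. This is an added illustration, not code from the original text: it builds a minimal DNS query in wire format, appends an OPT pseudo-RR carrying a Padding option sized so that the whole message is a multiple of a chosen block size, and, for the "remove" direction, walks a message's resource records to locate the OPT RR and strip the Padding option again. The query builder and the `add_padding` function assume the message carries no OPT RR yet; the block size of 128 is the value RFC 8467 recommends for queries, while any block size the deployment picks works with the same arithmetic.

```python
import struct

OPT_TYPE = 41              # OPT pseudo-RR type (RFC 6891)
EDNS_PADDING_OPTION = 12   # EDNS(0) Padding option code (RFC 7830)


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal query: header with RD set and one question, no OPT RR yet."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def add_padding(msg: bytes, block_size: int, udp_payload: int = 4096) -> bytes:
    """Append an OPT RR with a Padding option so len(result) % block_size == 0.

    Assumes msg has no OPT RR; a zero-length Padding option is emitted when
    the message is already on a block boundary.
    """
    # OPT RR fixed part: root name (1) + type (2) + class (2) + ttl (4) + rdlen (2) = 11;
    # Padding option header: code (2) + length (2) = 4.
    base_len = len(msg) + 11 + 4
    pad_len = (-base_len) % block_size
    option = struct.pack("!HH", EDNS_PADDING_OPTION, pad_len) + b"\x00" * pad_len
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, len(option)) + option
    arcount = struct.unpack("!H", msg[10:12])[0] + 1  # OPT lives in the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + opt_rr


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 octets, ends the name
            return off + 2
        off += 1 + length


def find_opt_rr(msg: bytes):
    """Locate the OPT RR; returns (name_end, rdata_start, rdata_end) or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name_end = skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H", msg[name_end:name_end + 2])[0], \
            struct.unpack("!H", msg[name_end + 8:name_end + 10])[0]
        rdata_start = name_end + 10
        if rtype == OPT_TYPE:
            return name_end, rdata_start, rdata_start + rdlen
        off = rdata_start + rdlen
    return None


def padding_size(msg: bytes):
    """Length of the Padding option's data, or None if the message carries none."""
    loc = find_opt_rr(msg)
    if loc is None:
        return None
    _, p, end = loc
    while p < end:
        code, olen = struct.unpack("!HH", msg[p:p + 4])
        if code == EDNS_PADDING_OPTION:
            return olen
        p += 4 + olen
    return None


def strip_padding(msg: bytes) -> bytes:
    """Return msg with the Padding option removed from its OPT RR (unchanged if absent)."""
    loc = find_opt_rr(msg)
    if loc is None:
        return msg
    name_end, rdata_start, rdata_end = loc
    rtype, rclass, ttl, _ = struct.unpack("!HHIH", msg[name_end:name_end + 10])
    kept, p = b"", rdata_start
    while p < rdata_end:
        code, olen = struct.unpack("!HH", msg[p:p + 4])
        if code != EDNS_PADDING_OPTION:
            kept += msg[p:p + 4 + olen]
        p += 4 + olen
    return (msg[:name_end] + struct.pack("!HHIH", rtype, rclass, ttl, len(kept))
            + kept + msg[rdata_end:])


if __name__ == "__main__":
    q = build_query("example.com")          # constructed sample query, 29 octets
    padded = add_padding(q, 128)
    print(len(q), len(padded), padding_size(padded), len(strip_padding(padded)))
```

The arithmetic in `add_padding` counts the option header and the OPT RR framing before computing the remainder, which is the detail most often got wrong by hand: padding to "a multiple of the block size" must include the bytes spent on the padding option itself. `padding_size` doubles as the check a resolver or proxy operator can run on captured queries to confirm that clients really are padding.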