The DNS privacy protection mechanisms, DNS over TLS (DoT) and DNS over HTTPS (DoH), only work correctly if both the server and the client support the Strict Privacy profile and no vulnerability exists in the implemented TLS/HTTPS. According to the requirements of TLS and HTTPS, the Strict Privacy profile has the following two premises: 1) the server should provide a PKIX certificate or a DNSSEC-validated chain to a TLSA record; 2) the client should obtain the IP and corresponding domain of the server it connects to. Hence, the main subject of our paper is DNS Strict Privacy (DNS-SP), which comprises DoT-SP and DoH-SP. DNS-SP servers not only support DNS encryption but are also equipped with an available (IP, domain) pair.

Due to the rules we used for assembling the DNS-SP list, the real configuration of DoT/DoH servers would be far worse than our analysis result on DNS-SP servers. The details of the applied rules can be found in our paper.
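
The two premises above, seen from the client side of DoT, as an added example that is not code from the paper: the client holds an (IP, domain) pair and refuses the session unless the server's PKIX certificate validates for that domain. All function names are hypothetical, only the PKIX branch is shown (no TLSA/DANE validation), and port 853 is the standard DoT port.

```python
import socket
import ssl
import struct

def strict_context() -> ssl.SSLContext:
    """Strict Privacy: PKIX chain validation plus hostname check, no fallback."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def opportunistic_context() -> ssl.SSLContext:
    """For contrast: encrypts the channel but authenticates nobody."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """DNS query in wire format with the 2-byte length prefix used on TCP/DoT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("invalid DNS label: %r" % label)
        qname += bytes([len(label)]) + label.encode("ascii")
    msg = header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def dot_query(ip: str, auth_domain: str, name: str, timeout: float = 5.0) -> bytes:
    """Query the server at `ip`; raises ssl.SSLError if the cert does not match."""
    ctx = strict_context()
    with socket.create_connection((ip, 853), timeout=timeout) as raw:
        # auth_domain comes from the client's own (IP, domain) pair, never
        # from anything the server sends during the handshake.
        with ctx.wrap_socket(raw, server_hostname=auth_domain) as tls:
            tls.sendall(build_query(name))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)
```

Without the domain half of the pair there is nothing to pass as `server_hostname`, which is why a client holding only an IP address cannot apply the hostname check shown here.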