QNAME Minimization

A DNS privacy practice where a recursive resolver sends each upstream server only the part of the query name it strictly needs.

QNAME minimization is a small change that meaningfully improves DNS privacy. Without it, a recursive resolver asks each server in the chain (root, TLD, authoritative) for the full query name like `www.api.example.com`, even though the root only needs to know about `.com`. With QNAME minimization, the resolver asks the root just for `.com`, asks the .com servers just for `example.com`, and only sends the full name to the authoritative server for example.com. The result: intermediaries learn far less about what users are browsing. Unbound, BIND, and most modern resolvers enable it by default.

Reference

RFC 9156

Related terms

DNS Resolver
Recursive Resolver
DoH

Referenced on

Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
NXDOMAIN Attack: How Nonexistent Domain Floods Exhaust DNS Resolvers
Phantom Domain Attack: How Unresponsive Domains Exhaust DNS Resolvers

Back to the full glossary

Reference

Related terms

See also

Referenced on