ADoX is used here as a short hand term for ‘Recursive resolver to Authoritative server encrypted transport using DoT or DoQ’.
The term ADoT was defined in RFC 9499: DNS Terminology:
“Authoritative DoT (ADoT): … ADoT specifically means DNS-over-TLS for transport between recursive resolvers and authoritative servers”
DoQ was also standardized for transport between recursives and authoritative servers in RFC 9250, so by extension ADoQ means “DNS-over-QUIC for transport between recursive resolvers and authoritative servers”.
Since ADoT/Q is hard to say, we also use ADoX (‘a-docks’) here to mean encrypted transport using either TLS or QUIC!
Who is doing ADoX today? See Operator Activities and the ADOT zone monitoring tool
While most activity is around DoT, as of April 2026 h-root have a experimental DoQ service available!
This is a general initiative with a number of goals around increasing ADoX deployment:
There is a public OARC Mattermost channel for ongoing discussions on this topic
A initial meeting was held to evaluate the current activities around and interest in deployment of ADoX. The minutes can be found here.
Over 2 days at OARC 45 informal lunchtime discussion sessions were held on this topic. Notes can be found here.
https://ripe91.ripe.net/programme/meeting-plan/sessions/48/
The DPRIVE working group at IETF was chartered to work on encrypting the stub to recursive communications from its creation in 2014 until 2018, when it was re-chartered to include working on the recursive resolver to authoritative server problem.
Between 2018 and 2021 at least 6 solutions and at least 12 drafts were discussed in the working group to try to find a solution that enabled authoritative servers to securely publish credentials in the DNS that recursive resolvers could then use to authenticate encrypted connections to those servers.
Unfortunately no solution found consensus due to several hurdles:
As a result, work stopped in DPRIVE in around 2021 on this and attention turned to trying to standardise an opportunistic model that could be used for experimentation (see below).
Acknowledging the multiple restrictions that the current delegation model posed on the DNS protocol as whole, the IETF created the DELEG working group in 2024. It is hoped that work from that group will provide an mechanism to specify authenticated encryption credentials at the delegation point to be deployed within the DNS.
RFC 9539 - Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS is now published was published in February 2024.
This document sets out steps that DNS servers (recursive resolvers and authoritative servers) can take unilaterally (without any coordination with other peers) to defend DNS query privacy against a passive network monitor by directly probing port 853 to see if an authoritative servers supports encrypted transports.
A new Internet Draft was first published in June 2025 proposing a new mechanism based on SVCB records Authoritative DNS Transport Signaling:
This document proposes a mechanism for authoritative DNS servers to opportunistically signal their support for alternative transport protocols (e.g., DNS over TLS (DoT), DNS over HTTPS (DoH) and DNS over QUIC (DoQ)) directly within the Additional section of authoritative DNS responses. This “hint-based” approach aims to enable resolvers to discover and upgrade transport connections more efficiently, thereby improving privacy, security, and performance for subsequent interactions.
The authors have an open source prototype implementation https://github.com/johanix/tdns and would love feedback. This was discussed in the DNSOP meeting at IETF 123 and seems to be gaining support.
The following tables give an overview of the implementation status of various features in popular Open source implementations
| Feature | Recursives | Upstream proxy | |||||
|---|---|---|---|---|---|---|---|
| Software | Unbound | BIND | Knot Resolver | PowerDNS Recursive | dnsdist | ||
| Unilateral probing | Prototyping at IETF Hackathon |
Experimental implementation |
|||||
| Other discovery | Experimental auto discovery |
||||||
| DoT | Y | Y | Y | Y | |||
| DoQ | Y |
| Feature | Load Balancer/proxy | Authoritatives | |||||
|---|---|---|---|---|---|---|---|
| Software | dnsdist | NSD | BIND | Knot Auth | PowerDNS Auth (1) | ||
| DoT | Y | Y | Y | Y | |||
| DoQ | Y | Y |
This table is a work in progress and some entries require references and/or more details. Please send updates/corrections to sara@sinodun.com
| Who | What |
|---|---|
| Google Public DNS | Unilateral probing: Said they have implemented RFC9539 and “And ADoT is in use for around 6% of egress traffic.” |
| Quad9 | Unilateral probing: They use PowerDNS Recursor and enabled RFC9539 probing in July 2025 |
| Let’s Encrypt | Are sharing plans to enable DoX from their Hickory recursive resolver written in Rust to a set of auth servers that are known to support encrypted transports |
A monitoring tool is now available at ADoT Zone monitoring which is currently run on a monthly basis to list a total of around 25 nameservers and 65 zones that answer queries on port 853 over DNS-over-TLS. A summary is produced below.
| Who | What |
|---|---|
| b-root and h-root | Have enabled experimental DNS over TLS support |
| Did a pilot back in 2018 and are observed to have DoT enabled on port 853 today on facebook.com, instagram.com and whatsapp.com zones. | |
| ccTLDs | Two ccTLDs .gr (Greece) .kg (Krgyzstan) have DoT enabled on port 853 today |
| deSEC | Announced on the DPRIVE mailing list that they have support for DoT and DoQ on our authoritative anycast deployments. |
| Wikimedia | Have DoT enabled on multiple zones including wikipedia.org |
| CDN77 | Hosting provider |
| One.com | Hosting provider |
| NextDNS | Hosting provider |
| namebay.co | Hosting provider |
| Timeweb | Hosting provider |
| Wedos | Hosting provider |
| Others | powerdns.com, wildberries.ru, m-online.net,… |
As of April 2026, h-root also have an experimental DoQ service running. Anyone interested in testing is welcome to try it out and contact them at hroot@arl.army.mil with any issues.