ADoX Deployment in the Wild

RIPE Labs, Apr 24, 2026

Key Takeaways

  • One.com powers nearly 2 million ADoX domains, dominating adoption
  • Only 0.93% of tested domains support resolver‑to‑authoritative encryption
  • ADoT is more prevalent than ADoQ, with 3 million vs 2.2 million domains
  • Four ccTLDs enable full‑path encryption, but only 845 domains qualify
  • Open resolvers rarely support ADoX; Quad9 accounts for most ADoT responses

Pulse Analysis

The DNS ecosystem has long focused on encrypting the client‑to‑resolver leg with protocols like DoT, DoH and DoQ, but the recursive‑to‑authoritative hop has been a blind spot. RFC 9539 introduces ADoX, a unilateral, opportunistic method allowing resolvers to contact authoritative servers over TLS or QUIC without prior coordination. By probing millions of nameservers and open resolvers, researchers have quantified how far this privacy‑enhancing technology has progressed in 2026.
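What a single ADoT probe of one nameserver IP involves, as an added example (not the researchers' tooling): a non-recursive NS query sent over TLS on port 853 with no certificate verification, as opportunistic mode implies. The function names and the fixed transaction ID are assumptions made for illustration.

```python
import socket, ssl, struct

def build_query(qname: str, qtype: int = 2, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query (QTYPE 2 = NS), RD=0 as sent to an authoritative."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_reply(data: bytes, txid: int) -> dict:
    """Validate a framed reply; return RCODE, AA bit and answer count."""
    if len(data) < 2:
        raise ValueError("short read")
    (length,) = struct.unpack("!H", data[:2])
    msg = data[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": an}

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed")
        buf += chunk
    return buf

def probe_adot(ip: str, qname: str, timeout: float = 3.0):
    """Return the parsed reply if ip answers over TLS on port 853, else None."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # opportunistic: server is not authenticated
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["dot"])
    try:
        with socket.create_connection((ip, 853), timeout=timeout) as raw, \
             ctx.wrap_socket(raw) as tls:   # no server_hostname, so no SNI
            tls.sendall(frame(build_query(qname)))  # fixed txid: illustration only
            head = recv_exact(tls, 2)
            body = recv_exact(tls, struct.unpack("!H", head)[0])
            return parse_reply(head + body, 0x1234)
    except (OSError, ValueError):
        return None
```

A `None` result covers refused connections, timeouts, TLS failures and malformed replies alike; a measurement that needs to separate those cases would record the exception type instead.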

Results reveal a stark concentration of ADoX support. One.com alone accounts for nearly two million domains that respond over both ADoT and ADoQ, while other providers such as WEDOS and TIMEWEB contribute smaller shares. Overall, only 0.93 % of the 331 million domains examined are reachable via encrypted resolver‑to‑authoritative paths, and merely 0.32 % of nameserver IPs accept ADoX traffic. The limited adoption is further underscored by the scarcity of open resolvers capable of handling ADoQ and the dominance of Quad9 in the few ADoT‑capable resolvers observed.

The implications for internet privacy are significant. Without widespread ADoX deployment, adversaries can still perform traffic analysis or inject malicious responses at the critical middle stage of DNS resolution. The concentration of capability in a handful of operators creates a systemic risk, as any regression or misconfiguration could expose millions of domains. Stakeholders—including DNS operators, registries, and privacy‑focused organizations—must prioritize broader ADoX rollout and encourage standards‑compliant implementations to achieve truly end‑to‑end encrypted DNS. Continued measurement and transparent reporting will be essential to track progress and guide policy decisions.
