DNS queries remain vulnerable to application-layer traffic fingerprinting even under encrypted communication, leaking user behavioral patterns. This paper proposes the first purely client-side, lightweight DNS query obfuscation framework. It models user profiling as a probability distribution over interest categories and formulates optimal query forgery as a KL-divergence minimization problem—requiring no trusted third party and preserving full application functionality. The approach innovatively integrates probabilistic user modeling, synthetic DNS query generation, and a modular mobile architecture. Evaluated on a synthetic dataset of one thousand users, the framework achieves a 50% improvement in privacy with only 20% additional DNS traffic overhead; moreover, injecting 40–60% extra synthetic queries provides complete protection against traffic fingerprinting.

Mobile applications continuously generate DNS queries that can reveal sensitive user behavioral patterns even when communications are encrypted. This paper presents a privacy enhancement framework based on query forgery to protect users against profiling attempts that leverage these background communications. We first mathematically model user profiles as probability distributions over interest categories derived from mobile application traffic. We then evaluate three query forgery strategies -- uniform sampling, TrackMeNot-based generation, and an optimized approach that minimizes Kullback-Leibler divergence -- to quantify their effectiveness in obfuscating user profiles. Then we create a synthetic dataset comprising 1,000 user traces constructed from real mobile application traffic and we extract the user profiles based on DNS traffic. Our evaluation reveals that a 50% privacy improvement is achievable with less than 20% traffic overhead when using our approach, while achieving 100% privacy protection requires approximately 40-60% additional traffic. We further propose a modular system architecture for practical implementation of our protection mechanisms on mobile devices. This work offers a client-side privacy solution that operates without third-party trust requirements, empowering individual users to defend against traffic analysis without compromising application functionality.