LLUAD: Low-Latency User-Anonymized DNS

📅 2025-09-28
🤖 AI Summary
DNS privacy faces a fundamental tension: public resolvers—“honest but curious”—can observe users’ full query histories, while existing encryption mechanisms fail to mitigate this inherent threat. This paper proposes a near-zero-trust DNS architecture centered on two innovations: (1) a client-driven voting-based shuffle network for anonymous, collaborative updates of popular domain records, resisting collusion-based tracking; and (2) a lightweight local popularity cache, where end devices autonomously maintain and dynamically update high-frequency domain lists, drastically reducing remote resolution requests. Integrated with a secure broadcast protocol and load-drift-resilient synchronization, the design preserves geographic relevance and system robustness. Fully compatible with legacy DNS infrastructure, the system remains stable even under low participation rates. Evaluation shows a 37% reduction in average query latency and complete elimination of fine-grained user activity tracking by resolvers.

📝 Abstract
The Domain Name System (DNS) is involved in practically all web activity, translating easy-to-remember domain names into Internet Protocol (IP) addresses. Due to its central role on the Internet, DNS exposes user web activity in detail. The privacy challenge is honest-but-curious DNS servers/resolvers providing the translation/lookup service. In particular, with the majority of DNS queries handled by public DNS resolvers, the organizations running them can track, collect, and analyze massive user activity data. Existing solutions that encrypt DNS traffic between clients and resolvers are insufficient, as the resolver itself is the privacy threat. While DNS query relays separate duties among multiple entities, to limit the data accessible by each entity, they cannot prevent colluding entities from sharing user traffic logs. To achieve near-zero-trust DNS privacy compatible with the existing DNS infrastructure, we propose LLUAD: it locally stores a Popularity List, the most popular DNS records, on user devices, formed in a privacy-preserving manner based on user interests. In this way, LLUAD can both improve privacy and reduce access times to web content. The Popularity List is proactively retrieved from a (curious) public server that continually updates and refreshes the records based on user popularity votes, while efficiently broadcasting record updates/changes to adhere to aggressive load-balancing schemes (i.e., name servers actively load-balancing user connections by changing record IP addresses). User votes are anonymized using a novel, efficient, and highly scalable client-driven Voting Mix Network - with packet lengths independent of the number of hops, centrally enforced limit on number of votes cast per user, and robustness against poor client participation - to ensure a geographically relevant and correctly/securely instantiated Popularity List.

Problem

Research questions and friction points this paper is trying to address.

Preventing DNS resolvers from tracking user web activity
Protecting privacy against colluding DNS query relay entities
Achieving low-latency DNS privacy compatible with existing infrastructure

Innovation

Methods, ideas, or system contributions that make the work stand out.

Locally stores Popularity List on user devices
Proactively retrieves records from public popularity server
Uses client-driven Voting Mix Network for anonymization
Philip Sjösvärd
Networked Systems Security group, KTH Royal Institute of Technology, Stockholm, Sweden
Hongyu Jin
Networked Systems Security group, KTH Royal Institute of Technology, Stockholm, Sweden
Panos Papadimitratos
KTH (Royal Institute of Technology)
Security, Privacy, Networking, Wireless communications