ADoX in the Wild
Measuring the deployment of encrypted recursive-to-authoritative DNS (RFC 9539)
Our measurements are performed monthly and updates will be published on this website.
As of March 2026, 2 root server operators (B and H), 5 top-level domains (.cy, .arpa, .gr, .πΊπ, and .kg), and 3,074,281 registered domains support some form of ADoX. The H-root, .kg, .arpa, and 1,968,500 registered domains support all the combinations - ADoT and ADoQ over IPv4 and IPv6. This deployment is driven by 4 nameserver IPs at the root level, 12 at the TLD level, and 2,585 NS IPs across registered domains.
Our measurements are performed once per month. We gather a comprehensive list of domains from various sources, including the IANA root zone database of top-level domains, ICANN CZDS, passive DNS, CT logs, and zone transfers. We use zdns to map domain names to NS records, followed by A/AAAA requests to get nameserver IPs. Next, we attempt to establish ADoT and ADoQ connections with each nameserver, disabling certificate validation (as allowed by RFC 9539). Once we identify the nameservers supporting encryption, we resolve all the domains they are authoritative for over the supported encrypted channel. We define a domain name as ADoX-enabled if at least one of its nameservers returns a NOERROR DNS response to our SOA query sent over ADoT or ADoQ.
Below we aggregate the biggest ADoX nameservers by their suffix; for example, ns1.one.com, ns2.one.com, and ns3.one.com are represented as *.one.com. Note that a single operator can use multiple suffixes, e.g., wedos.cz and wedos.eu.
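The ADoT half of the probe described above, as an added Python example (not the project's measurement code). Function names, the fixed query ID and the use of port 853 are assumptions of this example; ADoQ is left out because it needs a QUIC library outside the standard library.

```python
# Added example: names are illustrative, not taken from the measurement project.
import socket
import ssl
import struct

def build_soa_query(domain: str, qid: int) -> bytes:
    """Wire-format SOA/IN query with RD clear (like kdig +norec). Expects an ASCII name."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = domain.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def frame(msg: bytes) -> bytes:
    """DoT uses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def is_noerror(msg: bytes, qid: int) -> bool:
    """True if msg is a response to our query with RCODE 0 (NOERROR)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", msg[:4])
    if rid != qid or not (flags & 0x8000):  # wrong ID, or QR bit clear
        raise ValueError("not a response to this query")
    return (flags & 0x000F) == 0

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf

def probe_adot(ns_ip: str, domain: str, timeout: float = 5.0) -> bool:
    """One ADoT probe: TLS to port 853 without certificate validation, then SOA."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # opportunistic: encrypt, do not authenticate
    ctx.verify_mode = ssl.CERT_NONE
    query = build_soa_query(domain, qid=0x1234)
    try:
        with socket.create_connection((ns_ip, 853), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                tls.sendall(frame(query))
                (length,) = struct.unpack("!H", recv_exact(tls, 2))
                return is_noerror(recv_exact(tls, length), 0x1234)
    except (OSError, ValueError):    # refused, timeout, TLS failure, bad reply
        return False

def domain_is_adot_enabled(domain: str, ns_ips: list) -> bool:
    """The page's rule: at least one nameserver answers NOERROR over the encrypted channel."""
    return any(probe_adot(ip, domain) for ip in ns_ips)
```

Because validation is disabled, a `True` result shows that the channel was encrypted, not that the nameserver was authenticated.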
| # | Operator | ADoT domains | Operator | ADoQ domains |
|---|---|---|---|---|
| 1. | *.one.com | 1,437,545 | *.one.com | 1,437,545 |
| 2. | *.timeweb.ru | 400,684 | *.hostnet.nl | 396,138 |
| 3. | *.timeweb.org | 400,651 | *.wedos.cz | 255,218 |
| 4. | *.hostnet.nl | 396,138 | *.wedos.eu | 255,090 |
| 5. | *.wedos.cz | 269,645 | *.wedos.com | 254,984 |
| 6. | *.wedos.eu | 269,474 | *.g1-dns.one | 84,931 |
| 7. | *.wedos.com | 269,246 | *.g1-dns.com | 84,931 |
| 8. | *.nazwa.pl | 150,812 | *.antagonist.nl | 43,879 |
| 9. | *.g1-dns.one | 84,931 | *.antagonist.net | 43,879 |
| 10. | *.g1-dns.com | 84,931 | *.desec.org | 13,978 |
| 11. | *.namebay.com | 71,791 | *.agonet.it | 2,938 |
| 12. | *.antagonist.nl | 43,879 | *.ipandmore.email | 2,602 |
| 13. | *.antagonist.net | 43,879 | *.ipandmore.hosting | 2,602 |
| 14. | *.webhosting.dk | 23,244 | *.ipandmore.cloud | 2,602 |
| 15. | *.webspacecontrol.com | 20,466 | *.ipandmore.net | 2,602 |
| 16. | *.freeola.net | 18,701 | *.aspnix.com | 1,487 |
| 17. | *.iq.pl | 15,043 | *.x4w.net | 1,389 |
| 18. | *.glbns.com | 14,487 | *.rhx.info | 1,387 |
| 19. | *.desec.org | 13,966 | *.rollernet.us | 919 |
| 20. | *.virtualns.net | 9,540 | *.lynet.eu | 732 |
The table below shows the highest-ranked ADoX domains according to the Tranco list. As of March 2026, Tranco contains 5,677 ADoT and 1,752 ADoQ domains.
| Rank | ADoT domain | Rank | ADoQ domain |
|---|---|---|---|
| 5. | facebook.com | 147. | one.one |
| 12. | instagram.com | 1713. | loteriadehoy.com |
| 15. | fbcdn.net | 2006. | one.com |
| 27. | wikipedia.org | 3901. | eu.org |
| 41. | whatsapp.net | 6284. | sport1.de |
| 55. | whatsapp.com | 8769. | hostnet.nl |
| 80. | wa.me | 9961. | lectio.dk |
| 105. | root-servers.net | 10367. | digitalaudience.io |
| 109. | cdninstagram.com | 15342. | wedos.cz |
| 121. | cdn77.org | 16899. | bloggersdelight.dk |
We set up two domains - dot.adox-deployment.com and doq.adox-deployment.com - with nameservers that support ADoT or ADoQ. The easiest way to test how it works is with kdig. Below is the ADoT example:
```
$ kdig @91.98.28.152 dot.adox-deployment.com +tls +norec
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 14208
;; Flags: qr aa; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; EDE: 0 (Other): 'This is a test ADoT nameserver'

;; QUESTION SECTION:
;; dot.adox-deployment.com. IN A

;; ANSWER SECTION:
dot.adox-deployment.com. 60 IN A 65.21.183.116
```
And the ADoQ domain:
```
$ kdig @91.98.27.230 doq.adox-deployment.com +quic +norec
;; QUIC session (QUICv1)-(TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 0
;; Flags: qr aa; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; EDE: 0 (Other): 'This is a test ADoQ nameserver'

;; QUESTION SECTION:
;; doq.adox-deployment.com. IN A

;; ANSWER SECTION:
doq.adox-deployment.com. 60 IN A 65.21.183.116
```
The domains were configured as follows:
To be published:
Oct, 2026
If you want to find out more about this project, please contact me at yevheniya.nosyk@korlabs.io.