NinjaDoH at MADWeb 2026: Why Censorship-Resistant DNS Matters

At MADWeb 2026, co-located with NDSS 2026 in San Diego, my PhD student Scott Seidenberger presented our paper NinjaDoH: A Censorship-Resistant Moving Target DoH Server Using Hyperscalers and IPNS. In this post, I summarize what we built, what it contributes technically, and why DNS resilience remains a pressing problem. In the paper, we ask a practical question with real policy impact. How do we keep DNS reachable when censorship systems can quickly block known resolver domains and IP addresses?

I keep returning to DNS because it is still one of the easiest control points on the Internet. Even when traffic is encrypted, a fixed resolver footprint becomes predictable and easy to suppress. This was a multi-institution effort between the University of Oklahoma and the University of Texas at San Antonio, and we co-authored it with Scott Seidenberger, Marc Beret, Raveen Wijewickrama, Murtuza Jadliwala, and me.

Scott framed the core threat model in one line: "DNS is the front door to the internet, so if a censor controls DNS, then encryption alone doesn't solve the problem." In this project, that is why we start with DNS reachability before anything else.

Why We Called It NinjaDoH

The name is intentional. The core defense is a moving-target strategy. The resolver does not stay still long enough to be reliably pinned down by routine blocklist updates. Like a ninja that keeps changing position, NinjaDoH is designed to stay one step ahead of static filtering workflows.

Key Novelty: Hyperscaler-Powered Moving Target Defense

The key novelty is not just endpoint rotation by itself, but doing that rotation with hyperscaler infrastructure as the defense surface. Rather than depending on a small, fixed server footprint, we use cloud-scale deployment flexibility to make resolver blocking substantially more expensive and less stable for censors. In many real-world settings, censors cannot broadly block entire hyperscaler ranges without causing major collateral damage to popular, high-use apps and services that also run on those platforms.

The origin of this approach also came from Scott's prior operational experience. As he put it, "I first employed moving target defenses in the military, where we would evade jamming by rapidly changing our frequencies using a pre-shared, secret key that controlled how we would hop from one frequency to the next. I realized that this same methodology could apply at the networking level with public IP addresses." NinjaDoH applies that same logic to resolver infrastructure and network identifiers.

• Hyperscaler footprint as a defensive asset so server identities can shift across large cloud infrastructure rather than remaining at a small set of static targets, making blanket blocking far more costly.
• Continuous moving-target operation where resolver network identifiers rotate over time, reducing the shelf life of list-based blocking decisions.
• IPNS-driven discovery updates so clients retrieve current resolver state through a decentralized naming layer and endpoint updates can propagate without a single brittle publication channel.
• Graceful transition windows where old and new endpoints overlap during cutovers to preserve availability while clients update.

What This Solves That Prior Systems Miss

One recurring gap in circumvention is the DNS bootstrap problem. Many systems assume users already have a trustworthy path to resolve and discover entry points. In heavily controlled networks, that assumption is often false.

As we discuss in the paper and Scott’s presentation, NetShuffle and SpotProxy both provide strong ideas for evasion after discovery succeeds. But NetShuffle still depends on uncensored DNS resolution to bootstrap remapped domains, and SpotProxy can still face fragile rendezvous in environments where both DNS and proxy protocols are tightly filtered.

With NinjaDoH, we target that first-mile dependency directly. If resolver reachability is hardened first, higher-layer circumvention tools inherit a stronger foundation instead of inheriting a DNS bottleneck.

What We Showed in Evaluation

Our evaluation focuses on deployability, performance, and resilience. We show that NinjaDoH remains practical in latency and operating cost while increasing the ongoing work required for censors to keep blocks up to date. In short, it shifts the balance from one-time blocking toward continuous adversarial maintenance.

Why This Matters Now

To me, DNS censorship is no longer just a browsing inconvenience. It affects educational access, journalism, research reproducibility, civil-society communication, and the reliability of everyday digital services. Because DNS controls are cheap to deploy and easy to scale, defenses also need to be operationally realistic, not just conceptually elegant.

Scott also underscored the policy context clearly: "We've recently seen state-level actors exert broader control over internet access. This reminds us that internet security isn't just about protecting privacy, but about securing access. NinjaDoH is a bootstrapping tool that helps give access to the open internet even under incredibly strict regimes."

I see NinjaDoH as one step in that direction. We pair practical protocol design with implementation that can run in the real world and evaluation against the way censorship is actually executed.

Next Steps

We are continuing this line of work on deployment hardening, broader longitudinal measurement, and reproducible artifacts for the community. If your work touches DNS resilience, censorship measurement, or evasive network defense, I would be glad to start new collaborative projects in this direction.

Links

• Project page
• Paper
• Slides
• Code+Dataset