QNAME Minimisation
QNAME Minimisation is the RFC 9156 DNS privacy technique that reduces how much of a user's original query name and query type a recursive resolver exposes to upstream authoritative name servers.
Definition
QNAME Minimisation is defined by RFC 9156, DNS Query Name Minimisation to Improve Privacy, published in November 2021 as an Internet Standards Track RFC. It obsoletes RFC 7816, the 2016 Experimental version of the same idea.
A QNAME is the query name in a DNS request, and QTYPE is the requested record type. Without minimisation, a recursive resolver can send the full original QNAME and QTYPE to each authoritative server it queries during iterative resolution. RFC 9156 changes that resolver behavior so upstream servers receive only the part needed for the next delegation step, plus a resolver-selected QTYPE that can avoid exposing the original type.
Mechanism
The mechanism is local to resolver behavior; RFC 9156 says it does not change the DNS protocol itself. When a resolver cannot answer from cache, it looks for the closest delegation point it already knows. It then builds a shorter name by adding only the next relevant label or labels from the original QNAME. The resolver keeps walking the delegation chain until it reaches the server that can answer the original query.
That means a higher-level authoritative server should not need to see a full host name if it only needs to point the resolver toward a child zone. RFC 9156 also relaxed the earlier RFC 7816 preference for using NS as the minimising QTYPE. It allows other QTYPEs and names A or AAAA as good candidates because they are widely handled and can blend into ordinary resolver traffic.
The standard also requires resolvers that support QNAME minimisation to limit the number of outgoing queries per user request. That matters because names with many labels can otherwise cause extra upstream lookups while the resolver probes for zone cuts.
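The walk described above can be traced with a short simulation. This is an added example, not code from RFC 9156 or from any resolver: the zone cuts, the function names and the `max_minimised` cap are assumptions, and the cap is a simplification (a limit on minimised probes, after which the full name is sent) rather than the RFC's own label-distribution scheme.

```python
# Constructed delegation data: the zone cuts that exist below the root.
ZONE_CUTS = {"example.", "corp.example."}

def resolve(qname, qtype, zone_cuts, max_minimised=10, min_qtype="A"):
    """Return the (zone_asked, qname_sent, qtype_sent) tuples a cold-cache
    resolver would emit. max_minimised=0 models a resolver without
    minimisation: every zone on the path gets the full QNAME and QTYPE."""
    fqdn = qname.lower().rstrip(".") + "."
    labels = fqdn.rstrip(".").split(".")
    # Every proper suffix of the name, shortest first: "example.", ...
    suffixes = [".".join(labels[-i:]) + "." for i in range(1, len(labels))]
    zone, sent = ".", []
    probed = suffixes[:max_minimised]
    for name in probed:
        # Minimised probe: one more label, with the blending QTYPE.
        sent.append((zone, name, min_qtype))
        if name in zone_cuts:          # referral: move down to the child zone
            zone = name
    # The original question goes to the deepest zone found so far.
    sent.append((zone, fqdn, qtype))
    for name in suffixes[len(probed):]:
        # Cap reached: remaining referrals are followed with the full name.
        if name in zone_cuts:
            zone = name
            sent.append((zone, fqdn, qtype))
    return sent

def zones_seeing_full_name(sent, qname):
    """Zones whose servers received the complete original QNAME."""
    fqdn = qname.lower().rstrip(".") + "."
    return {zone for zone, name, _ in sent if name == fqdn}

if __name__ == "__main__":
    q = "www.internal.corp.example."
    for cap in (10, 1, 0):
        trace = resolve(q, "TXT", ZONE_CUTS, max_minimised=cap)
        print(f"cap={cap}: {len(trace)} queries, full name seen by "
              f"{sorted(zones_seeing_full_name(trace, q))}")
        for step in trace:
            print("   ", step)
```

With the default cap only the servers for `corp.example.` see the full name and the original TXT type, at the cost of one extra upstream query compared with the unminimised trace; lowering the cap trades that privacy back for fewer probes.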
Privacy Boundary
QNAME Minimisation is a data-minimization move inside DNS. RFC 9076 explains that DNS transactions can reveal both the originator and the query contents, and that a QNAME may reveal communication relationships, software context, or sensitive browsing intent. RFC 6973 frames data minimization as sending, collecting, and retaining the least data needed for the task.
The boundary is narrow but real. QNAME minimisation reduces what authoritative name servers and some on-path observers can learn during iterative resolution. It does not hide the full query from the recursive resolver chosen by the client. RFC 9156 is explicit that it offers no protection against the recursive resolver itself.
Agent Context
Agents amplify DNS metadata because they may issue many background requests: primary destinations, embedded resources, APIs, telemetry endpoints, model-provider domains, package registries, payment hosts, and content retrieval targets. QNAME minimisation cannot decide whether those requests are appropriate, but it can reduce unnecessary disclosure to parts of the DNS hierarchy that do not need the full name.
For an agent platform, the governance issue is whether resolver behavior is part of the deployment record. If an organization claims that an agent uses privacy-preserving DNS, it should say whether the recursive resolver performs QNAME minimisation, whether encrypted DNS is also used, and where full query names remain visible.
Governance Use
A governed resolver configuration should record whether QNAME minimisation is enabled, which QTYPE strategy is used for minimized queries, how outgoing queries are capped per user request, and what fallback behavior applies when minimized resolution fails. It should also document cache behavior, telemetry, and resolver software version.
For audit trails, the important distinction is between three observers: the stub-to-recursive path, the recursive resolver, and the authoritative-server path. QNAME minimisation mostly addresses the last one. Pairing it with DNS over HTTPS, DNS over TLS, or DNS over QUIC can address different transport exposures, but the recursive resolver still remains a trust boundary.
Limits
QNAME Minimisation is not anonymity, DNS encryption, DNSSEC, resolver trust, content filtering, consent, or proof that no one can infer user behavior. It can also have operational costs. RFC 9156 cites research finding that minimisation can increase DNS lookups and failed lookups, although cache warmth can reduce the overhead.
The safest reading is therefore modest: QNAME minimisation removes unnecessary query detail from some DNS hops. It should be part of a resolver privacy posture, not the whole posture.
Source Discipline
Claims about the definition, algorithm, QTYPE guidance, query limits, performance effects, and recursive-resolver limitation should cite RFC 9156. Claims about DNS privacy risks, QNAME sensitivity, and resolver visibility should cite RFC 9076. Claims about data minimization as a privacy principle should cite RFC 6973. Claims about the earlier experimental status should cite RFC 7816.
Spiralist Reading
Spiralism reads QNAME Minimisation as a useful discipline of partial speech. The machine still asks, but it learns not to tell every intermediary the whole question. In a networked society, restraint is often a protocol behavior before it becomes an ethics statement.
For agents, that restraint should be visible. If software can act at machine speed, its infrastructure should reveal where it refused unnecessary disclosure and where the full record still remained exposed.
Related Pages
- DNS over HTTPS
- DNS over QUIC
- Discovery of Designated Resolvers
- SVCB and HTTPS Resource Records
- Oblivious DNS over HTTPS
- Encrypted Client Hello
- Data Minimization
- AI Agent Observability
Sources
- RFC Editor, RFC 9156: DNS Query Name Minimisation to Improve Privacy, Standards Track RFC, November 2021.
- IETF Datatracker, RFC 9156 datatracker record.
- RFC Editor, RFC 9076: DNS Privacy Considerations, Informational RFC, July 2021.
- RFC Editor, RFC 6973: Privacy Considerations for Internet Protocols, Informational RFC, July 2013.
- RFC Editor, RFC 7816: DNS Query Name Minimisation to Improve Privacy, Experimental RFC, March 2016.