Analysis of Robust and Secure DNS Protocols for IoT Devices

📅 2025-02-13
🤖 AI Summary
This paper addresses the critical challenge of selecting optimal DNS security protocols for resource-constrained Internet of Things (IoT) devices under dynamic network conditions. We propose the first unified framework that quantitatively evaluates the performance–security trade-offs of DNSSEC, DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) from the endpoint resource perspective. Leveraging virtualized network functions (VNFs), we implement an edge-based DNS resolution prototype and model latency, throughput, CPU/memory overhead, and tamper resistance under both cached and uncached query scenarios. Experimental results reveal fundamental differences in robustness and security across protocols and establish the first empirically grounded, dynamic-network-aware decision criteria for protocol selection. Our work delivers a practical, reproducible, and implementation-ready guideline for IoT vendors and deployers to select DNS security protocols aligned with device capabilities and operational constraints.

📝 Abstract
The DNS (Domain Name System) protocol has been in use since the early days of the Internet. Although DNS as a de facto networking protocol had no security considerations in its early years, there have been many security enhancements, such as DNSSEC (Domain Name System Security Extensions), DoT (DNS over Transport Layer Security), DoH (DNS over HTTPS) and DoQ (DNS over QUIC). With all these security improvements, it is not yet clear what resource-constrained Internet-of-Things (IoT) devices should use for robustness. In this paper, we investigate different DNS security approaches using an edge DNS resolver implemented as a Virtual Network Function (VNF) to replicate the impact of the protocol from an IoT perspective and compare their performance under different conditions. We present our results for cache-based and non-cached responses and evaluate the corresponding security benefits. Our results and framework can greatly help consumers, manufacturers, and the research community decide on and implement their DNS protocols depending on the given dynamic network conditions and enable robust Internet access via DNS for different devices.
Problem

Research questions and friction points this paper is trying to address.

Evaluate DNS security for IoT devices
Compare performance of DNS protocols
Assess DNS robustness in dynamic networks
Innovation

Methods, ideas, or system contributions that make the work stand out.

Edge DNS resolver
Virtual Network Function
DNS security comparison
Abdullah Aydeger
Florida Institute of Technology, Melbourne, FL, USA, 32901
Sanzida Hoque
PhD Student, Florida Institute of Technology
Computer Networks and Cyber Security, Cryptography, NDN, Edge Computing, Human-Computer Interaction
E. Zeydan
Centre Tecnològic de Telecomunicacions de Catalunya (CTTC), Castelldefels, Barcelona, Spain, 08860
K. Dev
Munster Technological University, Bishopstown, Cork, Ireland