Chronos-DNS: An Open-Source, Distributed Telemetry Fabric for Auditing Encrypted DNS Performance and Security
Authors/Creators
- 1. Cosmos College of Management and Technology, Pokhara University
Description
The global Internet is undergoing a critical security transition from legacy, unencrypted Domain Name System (DNS) query resolution over UDP/TCP port 53 to cryptographically secured transport protocols: DNS-over-HTTPS (DoH, RFC 8484) and DNS-over-TLS (DoT, RFC 7858). While encryption prevents passive eavesdropping and query manipulation, it introduces transport-layer and cryptographic handshake overheads that alter latency profiles, connection state lifespans, and reliability. This paper presents Chronos-DNS, a production-ready, cloud-native distributed measurement fabric designed to continuously collect, store, and visualize metrics from standard and encrypted resolver endpoints. We detail the engineering lifecycle of this system, demonstrating how asynchronous network polling, relational telemetry persistence, zero-trust network topology (via Cloudflare Tunnels), and containerized, Git-driven CI/CD deployment work in unison to provide high-resolution, empirical datasets. Our proof-of-concept deployment on AWS EC2, monitored via Prometheus and Grafana, validates that the DoT and DoH protocols present distinct performance trade-offs, making this measurement framework highly relevant to long-term Internet engineering research, such as that conducted by the WIDE Project, CAIDA, and RIPE NCC.
Files
- Chronos-DNS: An Open-Source, Distributed Telemetry Fabric for Auditing Encrypted DNS Performance and Security.pdf (190.6 kB, md5:5ed7334208ae22c3faffecb220d6153b)
Additional details
Software
- Repository URL: https://github.com/Rabin-Mishra/chronos-dns.git
- Programming language: Python
- Development Status: Concept