Re: "AND the header-level clues that DNS resolution is being requested."
Lets start with the SNI header !
To be fair, SNI was designed to solve a different problem - correctly handling certificates for different domains on the same IP.
As the only working alternative was one-host-per-ip there was no security compromise - before SNI you just sniffed the IP address from the packet headers!
(I'm not saying you don't know this - I just thought it worth pointing out to any one stupid enough to read my posts!)
Biting the hand that feeds IT
