Measuring Recursive Resolver Centrality
Geoff Huston, Joao Damas
APNIC Labs
Why pick on the DNS?
The DNS is used by everyone and everything
• Because pretty much everything you do on the net starts with a call to the DNS
• If a single entity “controlled” the entire DNS then to all practical purposes that entity would control not just the DNS, but the entire Internet!
This Presentation
• What’s the problem with centrality anyway?
• What does centrality in the DNS mean?
• How to measure DNS centrality
• What we measured
• What we think it means
Centrality
• Many aspects of the Internet’s infrastructure are operated by fewer and fewer entities over time
• The shift from entrepreneurial ventures to established business practices has largely driven these broad changes, which have resulted in amalgamation and market concentration in many aspects of the Internet’s service provision
What’s the problem?
• Economics A01 (or Adam Smith’s Invisible Hand)
  • Competition rewards efficient producers
  • Innovation that increases production efficiency is rewarded
  • Consumers benefit from increased production efficiency and innovation
• Consolidation in the market
  • Distorts the functions of an open competitive market
  • Decreases competition pressure
  • Creates barriers to entry in the market
  • Reduces pressure for increased production efficiency and innovation
  • Consumers end up paying a premium
Consolidation in the DNS
• It’s not a new topic:
  • For many years BIND was a de facto monopoly provider for DNS software. At the time almost every DNS recursive resolver and authoritative server ran BIND software
  • Due to a deliberate effort to broaden the DNS resolver space from a monoculture to a richer space, this picture has broadened out to a number of DNS software platforms and is less of a concern these days
Consolidation in the DNS
Where else might we find consolidation in today’s DNS?
• Name Registration services
• Name Hosting service providers
• Name Resolution providers
Let’s Focus!
• Here we are going to concentrate on just one of these areas
• We will look at the recursive resolver market and try to understand the extent to which we are seeing consolidation of the recursive name resolution function
• And then assess to what extent this represents a source of concern in the DNS
Recursive Resolvers
• This function is generally bundled with an ISP’s access service for public network services
  • Which means that there is already some level of consolidation in this space, as the concentration of these DNS services follows the concentration of ISPs in the retail market
https://stats.labs.apnic.net/aspop
Aside: Concentration in the retail ISP market
The ISP retail access market is already heavily concentrated/centralised:
• 10 ISPs serve some 30% of the Internet’s user base
• 90% of users are served by 1,000 ISPs
DNS Recursive Resolvers
• This function is generally bundled with an ISP’s access service for public network services
  • So we would expect to see a level of concentration in recursive resolvers in line with the concentration in the ISP access market
• The question is: Is there consolidation in the DNS recursive resolution function over and above the existing access market consolidation?
• Where might we see such consolidation?
Open DNS Resolvers
• There are some 6M open DNS resolvers in operation today*
• Most of these appear to be inadvertently open due to errant CPE equipment
  • Where the resolver implementation does not correctly distinguish between “inside” and “outside” and provides a resolution service on all interfaces
• That may sound like a large number, but it has got a whole lot better over time!
  • 33M open resolvers were seen in 2013**
* https://scan.shadowserver.org/dns/
** https://indico.dns-oarc.net/event/0/contributions/1/attachments/19/125/201305-dnsoarc-mauch-openresolver.pdf
Open DNS Resolvers as a Service
• Others are explicitly configured to offer DNS resolution services as an open service
  • Hard to say where all this started, but an early example was the 4.2.2.2 open resolver project offered by BBN Planet in the mid-90’s, though there were many others even then
  • At that time many ISPs used recursive resolvers as a service and some operated these platforms as an open service as a least cost / lowest admin overhead option
• The use of anycast in the DNS made it possible to operate a single service with a distributed footprint
• OpenDNS was one of the early offerings of a dedicated recursive resolution service with a scaled-up infrastructure
• Google Public DNS entered the picture with a service that took scaling to the next level
What’s the Centrality Question here?
• One way to measure centrality is by “market share”
• So the market share question here would be: What proportion of users of the Internet use <X> as their DNS resolver?
  • We won’t distinguish between end users explicitly adding their own DNS configuration into their platform and ISPs using forwarding structures to pass all DNS queries to an open resolver. Through the lens of “centrality” both paths to using open DNS resolvers look the same!
How we* Measure DNS Centrality
• We use Google Ads as the main element of this measurement
  • The measurement script is an embedded block of HTML5 code in an Ad
  • The Ad runs in campaigns that generate some 10M impressions per day
  • We get to “see” the DNS in operation from the inside of most mid-to-large ISPs and service providers across the entire Internet
• Ads provide very little functionality in the embedded scripts – it’s basically limited to fetching URLs
  • But that’s enough here, as a URL fetch involves the resolution of a domain name
  • So we use unique DNS names in every ad, so the DNS queries will be passed through to our authoritative servers
* by “we” I mean APNIC Labs!
How we Measure DNS Centrality
[Diagram, labels only: Ad delivery; Stub-to-recursive DNS Query; Resolver Engine; Recursive-to-Authoritative DNS Query; Authoritative Server; User-to-recursive resolver mapping; “DNS Stuff!”]
Recursive Resolver Behaviours
• The task is to match the source of a query of a domain name to both a resolver and an end user
• We need to
  • map query IP source addresses to resolvers
  • understand how the DNS “manages” queries
  • understand how the resolver lists in /etc/resolv.conf are used
Mapping Resolver Addresses
• We use periodic sweeps with RIPE Atlas to reveal the engine addresses used by popular Open DNS resolvers, and load this into an identification database
Understanding Resolver Behaviour
[Diagram, labels only: From Client; Service Address; Query Distributor; Resolver Engine (four of them); Engine Address; To Server. Queries from the client arrive at the service address of a query distributor and are spread across several resolver engines, each with its own engine address, which send them on to the server]
Resolution Metrics
• Average query count per unique name: 3.4 (dual-stack hosts may be a factor here)
• Max observed query count in 30 seconds is 1,761 queries!
[Chart: Queries per Name; x-axis: Number of queries (1 to 10); y-axis: % of names (0% to 35%)]
Resolution Metrics
• Average number of resolvers (IP addresses) per unique name: 2.1
• 30 second maximum resolvers seen: 94
[Chart: Resolvers (IP addrs) per Name; x-axis: Number of resolvers (1 to 10); y-axis: % of names (0% to 60%)]
First Resolver vs Full Resolver Set
• What happens if the authoritative server always reports SERVFAIL to all queries?
• We use a server that always returns a SERVFAIL error code to prompt the client to run through its full set of recursive resolvers
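As an added illustration (not APNIC Labs’ code), here is a minimal authoritative responder in Python that answers every query with SERVFAIL, the behaviour the slide relies on to make a client exhaust its resolver list. It handles the DNS wire format by hand so it runs without a DNS library; the bind address, the sample query name and the transaction id are constructed values.

```python
"""Authoritative responder that answers every query with SERVFAIL, the trick
the slide uses to make a stub client walk its whole resolver list.  Added
example, not APNIC Labs code; the DNS wire format is handled by hand so it
runs without a DNS library.  Bind address and sample names are constructed."""
import socket
import struct

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, offset just past the question)."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    txid, flags, qdcount, _, _, _ = HEADER.unpack_from(packet)
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], HEADER.size
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length >= 64:   # 0xC0 pointers and over-long labels are not valid here
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack_from("!HH", packet, pos)
    return txid, ".".join(labels), qtype, qclass, pos + 4


def build_servfail(packet):
    """Copy id, RD and the question section; set QR and RCODE=2 (SERVFAIL)."""
    txid, _, _, _, qend = parse_query(packet)
    rd = HEADER.unpack_from(packet)[1] & 0x0100
    flags = 0x8000 | rd | 0x0002
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + packet[HEADER.size:qend]


def build_query(txid, qname, qtype=1):
    """Plain recursion-desired query, the shape a stub or resolver sends."""
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split(".")) + b"\x00"
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def rcode(packet):
    return HEADER.unpack_from(packet)[1] & 0x000F


def is_response(packet):
    return bool(HEADER.unpack_from(packet)[1] & 0x8000)


def serve(bind=("127.0.0.1", 5353)):
    """Log (resolver source address, unique name) pairs and SERVFAIL everything."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(4096)
        try:
            _, qname, *_ = parse_query(data)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue   # malformed: drop it rather than crash the responder
        print(f"{peer[0]} queried {qname}")
        sock.sendto(build_servfail(data), peer)


if __name__ == "__main__":
    serve()
```

Each line the responder prints pairs the querying resolver’s source address with the unique name in the query, which is exactly the pair the measurement needs; the RD flag is copied from the query as RFC 1035 expects, and the question section is echoed so the client can match the answer to its query.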
SERVFAIL Resolution Metrics
• Average query count per unique name: 36.5
• Max observed query count in 30 seconds is 292,942 queries! (yes, really!)
[Chart: Queries per Name; x-axis: Number of queries (1 to 60); y-axis: % of names (0% to 5%)]
SERVFAIL Resolution Metrics
• Average number of resolvers (IP addresses) per unique name: 8.9
• 30 second maximum resolvers seen: 1,368
[Chart: Resolvers per Name; x-axis: Number of resolvers (1 to 20); y-axis: % of names (0% to 20%)]
Recursive Resolver Stats
Of the 140,000 visible recursive resolvers, just 150 resolvers account for 20% of all users and 1,500 resolvers account for 50% of all users. 10,000 resolvers account for 90% of all users.
However we are looking here at resolver IP addresses, and that’s probably misleading.
Let’s try and group resolver IP addresses into resolver services
Recursive Resolver Stats
Of the 14,600 visible recursive resolver services, just 15 resolver services serve 50% of users. 250 resolver services serve 90% of users.
Is this what we mean by “centralisation”?
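To make the two stats slides concrete, here is an added Python example (not APNIC Labs’ code) that computes, from a constructed user-to-resolver table, how many resolver addresses and then how many resolver services it takes to cover 20%, 50% and 90% of users. It attributes each user to the first resolver address seen for them and groups addresses into services by a constructed prefix table; both are assumptions, since the slides do not say how users with several resolvers were counted.

```python
"""Concentration of resolver use: how many resolver addresses, or resolver
services, it takes to cover a given share of users.  Added example, not APNIC
Labs code; it attributes each user to the first resolver address seen for that
user and groups addresses into services by prefix, both constructed assumptions."""
import ipaddress
from collections import Counter

# Constructed: user label -> resolver addresses in the order seen at the authoritative server.
USER_RESOLVERS = {
    "u01": ["8.8.8.8", "203.0.113.53"],
    "u02": ["8.8.4.4"],
    "u03": ["203.0.113.53"],
    "u04": ["203.0.113.54"],
    "u05": ["8.8.8.8"],
    "u06": ["198.51.100.53"],
    "u07": ["1.1.1.1"],
    "u08": ["203.0.113.53"],
    "u09": ["198.51.100.53", "8.8.8.8"],
    "u10": ["192.0.2.53"],
}

# Constructed: engine-address prefixes grouped into resolver services.
SERVICES = {
    "8.8.8.0/24": "Google", "8.8.4.0/24": "Google",
    "1.1.1.0/24": "Cloudflare",
    "203.0.113.0/24": "ISP-A",
    "198.51.100.0/24": "ISP-B",
}


def service_of(addr):
    ip = ipaddress.ip_address(addr)
    for prefix, name in SERVICES.items():
        if ip in ipaddress.ip_network(prefix):
            return name
    return addr   # an address with no known service stays its own entity


def users_per_entity(by="address"):
    """Users attributed to each resolver address (or service) via their first resolver."""
    counts = Counter()
    for resolvers in USER_RESOLVERS.values():
        first = resolvers[0]
        counts[first if by == "address" else service_of(first)] += 1
    return counts


def entities_for_share(counts, pct):
    """Fewest top-ranked entities whose users add up to pct% of all users."""
    total = sum(counts.values())
    covered = 0
    for n, (_, users) in enumerate(counts.most_common(), start=1):
        covered += users
        if covered * 100 >= pct * total:
            return n
    return len(counts)


def concentration_report(by="address"):
    counts = users_per_entity(by)
    report = {"entities": len(counts)}
    for pct in (20, 50, 90):
        report[f"{pct}%"] = entities_for_share(counts, pct)
    return report


if __name__ == "__main__":
    for by in ("address", "service"):
        print(by, concentration_report(by))
```

Grouping by service shrinks the entity count and the number needed for each share, which is the effect the second slide describes when it moves from 140,000 addresses to 14,600 services.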
Details
Let’s break this data down into:
• Using a “known” open DNS resolver
• Using a resolver in the same AS as the user
• Using a resolver in the same country as the user
• Others
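The attribution pipeline the measurement slides describe, carried through to this breakdown, as an added Python example that is not APNIC Labs’ code: it joins a constructed ad-impression log (unique label, client address, AS, country) with a constructed authoritative-server query log (query name, resolver source address) and classifies each user’s resolver as a known open resolver, same AS, same country, or other. The known-open-resolver table, the prefix-to-AS/country table and every address and AS number are constructed.

```python
"""Attribute each ad impression's unique DNS label to the recursive resolver
that fetched it, then classify the resolver as the slides do.  Added example,
not APNIC Labs code; every address, AS number and country below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed ad-impression log: unique label, client address, client AS, client country.
AD_LOG = """\
u0001 203.0.113.10 AS64500 AU
u0002 203.0.113.77 AS64500 AU
u0003 198.51.100.5 AS64501 IN
u0004 192.0.2.200 AS64502 NG
u0005 198.51.100.9 AS64501 IN
"""

# Constructed authoritative-server query log: query name, resolver source address.
AUTH_LOG = """\
u0001.example.test 203.0.113.53
u0001.example.test 2001:db8::53
u0002.example.test 8.8.8.8
u0003.example.test 198.51.100.53
u0004.example.test 192.0.2.53
u0005.example.test 100.64.0.1
"""

# Constructed identification table of open-resolver engine prefixes (the slides
# build theirs from RIPE Atlas sweeps) and a constructed prefix-to-(AS, country) table.
KNOWN_OPEN = {"8.8.8.0/24": "Google", "8.8.4.0/24": "Google", "1.1.1.0/24": "Cloudflare"}
PREFIX_INFO = {
    "203.0.113.0/24": ("AS64500", "AU"),
    "2001:db8::/32": ("AS64500", "AU"),
    "198.51.100.0/24": ("AS64501", "IN"),
    "192.0.2.0/24": ("AS64503", "NG"),   # same country as u0004 but a different AS
}


def lookup(table, addr):
    """Longest-prefix match of addr against a {prefix: value} table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return best[1] if best else None


def parse_ad_log(text):
    users = {}
    for line in text.splitlines():
        label, client_ip, asn, cc = line.split()
        users[label] = {"ip": client_ip, "asn": asn, "cc": cc}
    return users


def parse_auth_log(text):
    """label -> resolver addresses in the order they were first seen."""
    seen = defaultdict(list)
    for line in text.splitlines():
        qname, resolver_ip = line.split()
        label = qname.split(".", 1)[0].lower()   # the unique label is the leftmost part
        if resolver_ip not in seen[label]:
            seen[label].append(resolver_ip)
    return seen


def classify(resolver_ip, user):
    """Order follows the slides: known open resolver, same AS, same country, other."""
    service = lookup(KNOWN_OPEN, resolver_ip)
    if service:
        return "open:" + service
    info = lookup(PREFIX_INFO, resolver_ip)
    if info and info[0] == user["asn"]:
        return "same-as"
    if info and info[1] == user["cc"]:
        return "same-cc"
    return "other"


def attribute(ad_text=AD_LOG, auth_text=AUTH_LOG):
    users = parse_ad_log(ad_text)
    seen = parse_auth_log(auth_text)
    result = {}
    for label, user in users.items():
        resolvers = seen.get(label, [])
        result[label] = {
            "resolvers": resolvers,
            # "first" resolver use: the address that delivered the first query
            "first": classify(resolvers[0], user) if resolvers else "no-query",
            "all": sorted({classify(r, user) for r in resolvers}),
        }
    return result


def first_use_share(result):
    """Fraction of users in each class, judged by their first resolver."""
    counts = defaultdict(int)
    for r in result.values():
        counts[r["first"]] += 1
    return {k: v / len(result) for k, v in counts.items()}


if __name__ == "__main__":
    res = attribute()
    for label, r in res.items():
        print(label, r["first"], r["resolvers"])
    print(first_use_share(res))
```

The “first” and “all” fields correspond to the two views on the following slides: first-resolver use from the normal experiment, and full-resolver-set use from the SERVFAIL experiment.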
“First” Resolver Use
70% of users use a resolver located in the same AS as the user (ISP resolver)
17% of users use a resolver located in the same CC as the user (ISP resolver?)
15% of users use the Google open resolver (8.8.8.8)
All Resolver Use (SERVFAIL)
70% -> 72% for same ISP
15% -> 29% for Google use
(yes, the plotting software performed a colour change – sorry!)
Google DNS
Use of Google Service per CC
Within each country, how many users in that country use Google’s resolver?
Google DNS
Use of Google Service by User Count
Looking at the total population of users using Google’s service, where are they located?
Google DNS
• Google DNS use appears to be equally split between first use (15% of users) and backup resolvers (a further 14% of users)
• Within each economy, Google DNS is heavily used in some African economies, and central and southern Asian economies
• The largest pool of Google DNS users is located in India (19% of Google DNS users)
• Significant pools of Google users are also seen in the US, China, Nigeria, Brazil and Iran (each CC has some 4% - 6% of Google’s DNS users)
Cloudflare’s 1.1.1.1 service
Where is Cloudflare used?
Cloudflare is extensively used in Turkmenistan (80%), Iran (57%), Niger (54%), Cameroon (54%) and the Congo (49%)
[Charts: Cloudflare market share; Cloudflare User breakdown?]
Quad9 service
[Charts: Where is Quad9 used?; Quad9 market share; Quad9 User breakdown?]
Iran
A major ISP in Iran, MCCI, distributes its queries across Google, Cloudflare, Yandex, Neustar, OpenDNS, Quad9 and others – all at once!
Who makes the choice?
• Is this the ISP’s resolver performing forwarding of the query to an open resolver, or the users themselves opting out of the ISP service?
  • The numbers vary, but it is quite common to see 60% - 80% of users in an AS having their queries sent to an open resolver when open resolvers are used
[Chart: Google DNS at 86%; OpenDNS at 27%]
Resolver Centrality?
• It’s not a “small number” of open resolvers
  • It’s just 1 – Google’s Public DNS
• It’s not end users reconfiguring their devices
  • It’s the ISP
  • And where it’s not the ISP it’s mainly enterprise customers of ISPs
• Is this changing?
  • Yes, but quite slowly
Commentary and Opinions
What follows are opinions not data!
Is this a centrality “problem”?
• Is this an emerging distortion of the market that puts excessive market control in the hands of a small set of providers?
  • A lot of users have their DNS queries passed on to auth servers via Google’s service
• But does this present us with issues?
  • 8.8.8.8 is fast, supports DNSSEC validation and does not filter or alter DNS responses (as far as I am aware)
  • It’s cheap, it’s fast, it’s well managed, and it works reliably
• So what’s the issue?
https://xkcd.com/1361/
What’s the problem here?
• It’s a sensitive issue these days
  • There are many privacy undertakings in our space, but the undeniable fact is that many “free” services are indirectly funded through advertising revenue, and advertising is based on individual tracking and profiling
  • Open DNS providers typically provide undertakings that they do not use their query traffic for profiling - and I have no evidence that these undertakings are not being adhered to
But I still have some questions as a consumer of their services:
• How are these undertakings audited and/or enforced? By whom?
• Are there penalties for breaches of these undertakings?
• Considering the size of these actors, are any of these penalties even meaningful?
Barriers to Entry
• Why is there one very large Open DNS provider?
• Is it because the incumbent is raising the barriers of entry to all potential competitors?
  • Unlikely, as there is no evidence that this is the case
• Or are there “natural” barriers to entry?
“Natural” Barriers to Entry
• The DNS economy is such a financial wasteland that few have a natural incentive to enter this market
  • No one pays for queries
  • Selling query logs can be very damaging in terms of reputation and liability – particularly when you cannot get the users’ informed consent to do so
  • Selling NXDOMAIN substitution is also very damaging in terms of reputation
• It can be argued* that only someone with a massive presence in search has a commercial case for deploying a DNS resolver that is “honest” about the DNS (including NXDOMAIN)
* And some have from time to time
But…
Is all this a distraction?
• It’s more likely that the shift of DNS functions into application realms using DoH services as an application function is a far greater threat to the current model of the DNS as a common single infrastructure
• Maybe the convergence of
  • increased autonomy of applications in today’s Internet
  • the dominant position of Android
  • the dominant position of Chrome
  poses a greater potential threat to the integrity of the name infrastructure of the Internet than the issue of recursive resolver use
Thanks!
Report on Resolver Use: https://stats.labs.apnic.net/rvrs

ICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality

  • 1. Measuring Recursive Resolver Centrality Geoff Huston, Joao Damas APNIC Labs
  • 2. Why pick on the DNS? The DNS is used by everyone and everything • Because pretty much everything you do on the net starts with a call to the DNS • If a single entity “controlled” the entire DNS then to all practical purposes that entity would control not just the DNS, but the entire Internet!
  • 3. This Presentation •What’s the problem with centrality anyway? •What does centrality in the DNS mean? •How to measure DNS centrality •What we measured •What we think it means 3
  • 4. Centrality • Many aspects of the Internet’s infrastructure are operated by fewer and fewer entities over time • Shift from entrepreneurial ventures to established business practices have largely driven these broad changes that have resulted in amalgamation and market concentration in many aspects of the Internet’s service provision 4
  • 5. What’s the problem? • Economics A01 (or Adam Smith’s Invisible Hand) • Competition rewards efficient producers • Innovation that increases production efficiency is rewarded • Consumers benefit from increased production efficiency and innovation • Consolidation in the market • Distorts the functions of an open competitive market • Decreases competition pressure • Creates barriers to entry in the market • Reduces pressure for increased production efficiency and innovation • Consumers end up paying a premium 5
  • 6. Consolidation in the DNS • It’s not a new topic: • For many years BIND was a defacto monopoly provider for DNS software. At the time almost every DNS recursive resolver and authoritative server ran BIND software • Due to a deliberate effort to broaden the DNS resolver space from a monoculture to a richer space, this picture has broadened out to a number of DNS software platforms and is less of a concern these days 6
  • 7. Consolidation in the DNS Where else might we find consolidation in today’s DNS? • Name Registration services • Name Hosting service providers • Name Resolution providers 7
  • 8. Let’s Focus! • Here we are going to concentrate on just one of these areas • We will look at the recursive resolver market and try to understand the extent to which we are seeing consolidation of the recursive name resolution function • And then assess to what extent this represents a source of concern in the DNS 8
  • 9. Recursive Resolvers • This function is generally bundled with an ISP’s access service for public network services • Which means that there is already some level of consolidation in this space as the concentration of these DNS services follows the concentration of ISPs in the retail market 9 https://stats.labs.apnic.net/aspop
  • 10. Aside: Concentration in the retail ISP market The ISP retail access market is already heavily concentrated/centralised: • 10 ISPs serve some 30% of the Internet’s user base • 90% of users are served by 1,000 ISPs 10
  • 11. DNS Recursive Resolvers • This function is generally bundled with an ISP’s access service for public network services • So we would expect to see a level of concentration in recursive resolvers in line with the concentration in the ISP access market • The question is: Is there consolidation in the DNS recursive resolution function over and above the existing access market consolidation? • Where might we see such consolidation? 11
  • 12. Open DNS Resolvers • There are some 6M open DNS resolvers in operation today* • Most of these appear to be inadvertently open due to errant CPE equipment • Where the resolver implementation does not correctly distinguish between “inside” and “outside” and provides a resolution service on all interfaces • That may sound like a large number, but it has got a whole lot better over time! • 33M open resolvers were seen in 2013 ** 12 * https://scan.shadowserver.org/dns/ ** https://indico.dns-oarc.net/event/0/contributions/1/attachments/19/125/201305-dnsoarc-mauch-openresolver.pdf
  • 13. Open DNS Resolvers as a Service • Others are explicitly configured to offer DNS resolution services as a open service • Hard to say where all this started, but an early example was the the 4.2.2.2 open resolver project offered by BBN Planet in the mid-90’s, though there were many others even then • At that time many ISPs used recursive resolvers as a service and some operated these platforms as a open service as a least cost / lowest admin overhead option • The use of anycast in the DNS made it possible to operate a single service with a distributed footprint • OpenDNS was one of the early offerings of a dedicated recursive resolution service with a scaled up infrastructure • Google Public DNS entered the picture with a service that took scaling to the next level 13 * https://scan.shadowserver.org/dns/
  • 14. What’s the Centrality Question here? • One way to measure centrality is by “market share” • So the market share question here would be: What proportion of users of the Internet use <X> as their DNS resolver? • We won’t distinguish between end users explicitly adding their own DNS configuration into their platform and ISPs using forwarding structures to pass all DNS queries to an open resolver. Through the lens of “centrality” both paths to using open DNS resolvers look the same! 14
  • 15. How we* Measure DNS Centrality • We use Google Ads as the main element of this measurement • The measurement script is an embedded block of HTML5 code in an Ad • The Ad runs in campaigns that generate some 10M impressions per day • We get to “see” the DNS in operation from the inside of most mid-to-large ISPs and service providers across the entire Internet • Ads provide very little functionality in the embedded scripts – it’s basically limited to fetching URLs • But that’s enough here, as a URL fetch involves the resolution of a domain name • So we use unique DNS names in every ad, so the DNS queries will be passed though to our authoritative servers 15 * by “we” I mean APNIC Labs!
  • 16. How we Measure DNS Centrality 16 DNS Stuff! Stub-to-recursive DNS Query Resolver Engine Authoritative Server Ad delivery User–to–recursive resolver mapping Recursive-to-Authoritative DNS Query
  • 17. Recursive Resolver Behaviours • The task is to match the source of a query of a domain name to both a resolver and an end user • We need to • map query IP source addresses to resolvers • understand how the DNS “manages” queries • how the resolver lists in /etc/resolv.conf are used 17
  • 18. Mapping Resolver Addresses • We use periodic sweeps with RIPE Atlas to reveal the engine addresses used by popular Open DNS resolvers, and load this into an identification database 18
  • 19. Understanding Resolver Behaviour 19 Query Distributor Resolver Engine Resolver Engine Resolver Engine Resolver Engine From Client To Server Service Address Engine Address
  • 20. Resolution Metrics • Average query count per unique name: 3.4 (Dual stack hosts may be a factor here) • Max observed query count in 30 seconds is 1,761 queries! 20 0% 5% 10% 15% 20% 25% 30% 35% 1 2 3 4 5 6 7 8 9 10 % of names Number of queries Queries per Name 30% 20% 10%
  • 21. Resolution Metrics • Average number of resolvers (IP addresses) per unique name: 2.1 • 30 second maximum resolvers seen: 94 21 0% 10% 20% 30% 40% 50% 60% 1 2 3 4 5 6 7 8 9 10 % of names Number of resolvers Resolvers (IP addrs) per Name 10% 20% 30% 40% 50%
  • 22. First Resolver vs Full Resolver Set • What happens if the authoritative server always reports SERVFAIL to all queries? • We use a server that always returns a SERVFAIL error code to prompt the client to run through its full set of recursive resolvers 22
  • 23. SERVFAIL Resolution Metrics • Average query count per unique name: 36.5 • Max observed query count in 30 seconds is 292,942 queries! 23 0% 1% 1% 2% 2% 3% 3% 4% 4% 5% 5% 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 % of names Number of queries Queries per Name 1% 2% 3% 4% (yes, really!)
  • 24. SERVFAIL Resolution Metrics • Average number of resolvers (IP addresses) per unique name: 8.9 • 30 second maximum resolvers seen: 1,368 24 0% 2% 4% 6% 8% 10% 12% 14% 16% 18% 20% 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 % of names Number of resolvers Resolvers per Name 4% 8% 12% 16%
• 25. Recursive Resolver Stats
Of the 140,000 visible recursive resolvers, just 150 resolvers account for 20% of all users and 1,500 resolvers account for 50% of all users. 10,000 resolvers account for 90% of all users.
However, we are looking here at resolver IP addresses, and that’s probably misleading. Let’s try and group resolver IP addresses into resolver services.
• 26. Recursive Resolver Stats
Of the 14,600 visible recursive resolver services, just 15 resolver services serve 50% of users, and 250 resolver services serve 90% of users.
Is this what we mean by “centralisation”?
• 27. Details
Let’s break this data down into:
• Using a “known” open DNS resolver
• Using a resolver in the same AS as the user
• Using a resolver in the same country as the user
• Others
• 28. “First” Resolver Use
70% of users use a resolver located in the same AS as the user (ISP resolver)
17% of users use a resolver located in the same CC as the user (ISP resolver?)
15% of users use the Google open resolver (8.8.8.8)
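An added worked example, not APNIC's code, of the two calculations behind slides 25 to 28: grouping resolver engine addresses into services before counting how many serve a given share of users (the point slide 25 makes about per-IP counts being misleading), and classifying each user's first resolver as known open resolver, same AS, same country or other. All user records, ISP addresses and the identification database are constructed sample values; the open-resolver AS numbers are the public ones for Google and Cloudflare.

```python
from collections import Counter, defaultdict

# Constructed sample data, not APNIC measurement data: one "first" resolver
# observation per user as (user_id, resolver_engine_ip, user_asn, user_cc).
OBSERVATIONS = [
    ("u1", "198.51.100.1", 64500, "AU"), ("u2", "198.51.100.2", 64500, "AU"),
    ("u3", "198.51.100.1", 64500, "AU"), ("u4", "8.8.8.8", 64501, "IN"),
    ("u5", "8.8.4.4", 64501, "IN"), ("u6", "203.0.113.9", 64502, "IN"),
    ("u7", "203.0.113.9", 64503, "IN"), ("u8", "192.0.2.77", 64504, "US"),
    ("u9", "1.1.1.1", 64505, "IR"), ("u10", "8.8.8.8", 64506, "NG"),
]
# Identification database: engine address -> (service, AS, CC). ISP entries are made up.
RESOLVER_DB = {
    "198.51.100.1": ("isp-a", 64500, "AU"), "198.51.100.2": ("isp-a", 64500, "AU"),
    "8.8.8.8": ("google", 15169, "US"), "8.8.4.4": ("google", 15169, "US"),
    "203.0.113.9": ("isp-b", 64502, "IN"), "192.0.2.77": ("isp-c", 64504, "US"),
    "1.1.1.1": ("cloudflare", 13335, "US"),
}
OPEN_RESOLVERS = {"google", "cloudflare"}


def classify(resolver_ip, user_asn, user_cc):
    """Slide 27's breakdown: known open resolver, same AS, same country, or other."""
    service, r_asn, r_cc = RESOLVER_DB.get(resolver_ip, (None, None, None))
    if service in OPEN_RESOLVERS:
        return "open"
    if r_asn == user_asn:
        return "same_as"
    if r_cc == user_cc:
        return "same_cc"
    return "other"


def category_shares(observations):
    """Fraction of users in each category (the kind of split shown on slide 28)."""
    counts = Counter(classify(ip, asn, cc) for _, ip, asn, cc in observations)
    return {k: v / len(observations) for k, v in counts.items()}


def resolvers_covering(observations, fraction, by="service"):
    """Smallest number of resolvers, grouped by IP or by service, serving `fraction` of users."""
    users = defaultdict(set)
    for user, ip, _, _ in observations:
        key = RESOLVER_DB.get(ip, (ip,))[0] if by == "service" else ip  # unknown IP: own group
        users[key].add(user)
    total = len({u for u, *_ in observations})
    covered = set()
    for n, key in enumerate(sorted(users, key=lambda k: -len(users[k])), 1):  # largest first
        covered |= users[key]  # union, so a user seen on several engines is counted once
        if len(covered) / total >= fraction:
            return n
    return len(users)
```

On this sample, grouping by service roughly halves the count needed to reach 50% and 90% of users compared with counting engine IP addresses, which is the effect slides 25 and 26 describe.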
• 29. All Resolver Use (SERVFAIL)
70% -> 72% for same ISP
15% -> 29% for Google use
(yes, the plotting software performed a colour change – sorry!)
• 30. Google DNS
[Chart: Use of Google Service per CC]
Within each country, how many users in that country use Google’s resolver?
• 31. Google DNS
[Chart: Use of Google Service by User Count]
Looking at the total population of users using Google’s service, where are they located?
• 32. Google DNS
• Google DNS use appears to be equally split between first use (15% of users) and backup resolvers (a further 14% of users)
• Within each economy, Google DNS is heavily used in some African economies, and central and southern Asian economies
• The largest pool of Google DNS users is located in India (19% of Google DNS users)
• Significant pools of Google users are also seen in the US, China, Nigeria, Brazil and Iran (each CC has some 4% - 6% of Google’s DNS users)
• 33. Cloudflare’s 1.1.1.1 service
Where is Cloudflare used?
Cloudflare is extensively used in Turkmenistan (80%), Iran (57%), Niger (54%), Cameroon (54%) and the Congo (49%)
[Charts: Cloudflare market share; Cloudflare user breakdown]
• 34. Quad9 service
Where is Quad9 used?
[Charts: Quad9 market share; Quad9 user breakdown]
• 35. Iran
A major ISP in Iran, MCCI, distributes its queries across Google, Cloudflare, Yandex, Neustar, OpenDNS, Quad9 and others – all at once!
• 36. Who makes the choice?
• Is this the ISP‘s resolver performing forwarding of the query to an open resolver, or the users themselves opting out of the ISP service?
• The numbers vary, but it is quite common to see 60% - 80% of users in an AS having their queries sent to an open resolver when open resolvers are used
• 37. Who makes the choice?
[Chart, same text as slide 36, with labels: Google DNS at 86%; OpenDNS at 27%]
• 38. Resolver Centrality?
• It’s not a “small number” of open resolvers
• It’s just 1 – Google’s Public DNS
• It’s not end users reconfiguring their devices
• It’s the ISP
• And where it’s not the ISP, it’s mainly enterprise customers of ISPs
• Is this changing?
• Yes, but quite slowly
• 39. Commentary and Opinions
What follows are opinions, not data!
• 40. Is this a centrality “problem”?
• Is this an emerging distortion of the market that puts excessive market control in the hands of a small set of providers?
• A lot of users have their DNS queries passed on to authoritative servers via Google’s service
• But does this present us with issues?
• 8.8.8.8 is fast, supports DNSSEC validation and does not filter or alter DNS responses (as far as I am aware)
• It’s cheap, it’s fast, it’s well managed, and it works reliably
• So what’s the issue?
• 42. What’s the problem here?
• It’s a sensitive issue these days
• There are many privacy undertakings in our space, but the undeniable fact is that many “free” services are indirectly funded through advertising revenue, and advertising is based on individual tracking and profiling
• Open DNS providers typically provide undertakings that they do not use their query traffic for profiling, and I have no evidence that these undertakings are not being adhered to
But I still have some questions as a consumer of their services:
• How are these undertakings audited and/or enforced? By whom?
• Are there penalties for breaches of these undertakings?
• Considering the size of these actors, are any of these penalties even meaningful?
• 43. Barriers to Entry
• Why is there one very large open DNS provider?
• Is it because the incumbent is raising the barriers to entry for all potential competitors?
• Unlikely, as there is no evidence that this is the case
• Or are there “natural” barriers to entry?
• 44. “Natural” Barriers to Entry
• The DNS economy is such a financial wasteland that few have a natural incentive to enter this market
• No one pays for queries
• Selling query logs can be very damaging in terms of reputation and liability – particularly when you cannot get the users’ informed consent to do so
• Selling NXDOMAIN substitution is also very damaging in terms of reputation
• It can be argued* that only someone with a massive presence in search has a commercial case for deploying a DNS resolver that is “honest” about the DNS (including NXDOMAIN)
* And some have, from time to time
• 46. Is all this a distraction?
• It’s more likely that the shift of DNS functions into application realms, using DoH services as an application function, is a far greater threat to the current model of the DNS as a common single infrastructure
• Maybe the convergence of
• increased autonomy of applications in today’s Internet
• the dominant position of Android
• the dominant position of Chrome
poses a greater potential threat to the integrity of the name infrastructure of the Internet than the issue of recursive resolver use
• 47. Thanks!
Report on Resolver Use: https://stats.labs.apnic.net/rvrs