
Assessing Support for DNS-over-TCP in the Wild

Conference paper. Passive and Active Measurement (PAM 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13210)
Abstract

While the DNS protocol encompasses both UDP and TCP as its underlying transport, UDP is commonly used in practice. At the same time, increasingly large DNS responses and concerns over amplification denial of service attacks have heightened interest in conducting DNS interactions over TCP. This paper surveys the support for DNS-over-TCP in the deployed DNS infrastructure from several angles. First, we assess resolvers responsible for over 66.2% of the external DNS queries that arrive at a major content delivery network (CDN). We find that 2.7% to 4.8% of the resolvers, contributing around 1.1% to 4.4% of all queries arriving at the CDN from the resolvers we study, do not properly fallback to TCP when instructed by authoritative DNS servers. Should a content provider decide to employ TCP-fallback as the means of switching to DNS-over-TCP, it faces the corresponding loss of its customers. Second, we assess authoritative DNS servers (ADNS) for over 10M domains and many CDNs and find some ADNS, serving some popular websites and a number of CDNs, that do not support DNS-over-TCP. These ADNS would deny service to (RFC-compliant) resolvers that choose to switch to TCP-only interactions. Third, we study the TCP connection reuse behavior of DNS actors and describe a race condition in TCP connection reuse by DNS actors that may become a significant issue should DNS-over-TCP and other TCP-based DNS protocols, such as DNS-over-TLS, become widely used.
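As an added example, not code from the paper or its authors, the wire-format pieces an active DNS-over-TCP probe of the kind described above needs: building a query, framing it with the two-byte length prefix TCP transport requires, and detecting the TC bit in a UDP reply that obliges an RFC-compliant resolver to retry over TCP. The sample replies are constructed; `tcp_query` takes a server address you supply.

```python
import socket
import struct

# Constructed helpers for a DNS-over-TCP probe (RFC 1035 / RFC 7766): build a
# query, frame it for TCP, and detect the TC bit that should trigger fallback.

def build_query(qname, qtype=1, txid=0x1234):
    """Encode a standard query for qname (qtype 1 = A, class IN) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_tcp(message):
    """DNS over TCP prefixes each message with a two-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def parse_header(message):
    """Return (txid, truncated, rcode) from the 12-byte DNS header."""
    txid, flags = struct.unpack("!HH", message[:4])
    return txid, bool(flags & 0x0200), flags & 0x000F

def needs_tcp_fallback(udp_response, txid):
    """An RFC-compliant resolver retries over TCP when its UDP reply has TC=1."""
    rid, truncated, _ = parse_header(udp_response)
    return rid == txid and truncated

def recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver a DNS message in several segments."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf

def tcp_query(server, qname, timeout=3.0):
    """Send one query over TCP/53; return the unframed reply, or None when the
    server refuses, resets or times out. Needs network; the offline test skips it."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(frame_tcp(build_query(qname)))
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            return recv_exact(s, length)
    except (OSError, ValueError):
        return None

# Constructed UDP replies: txid 0x1234, one question, no answers.
SAMPLE_TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR|TC|RD|RA
SAMPLE_COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)   # QR|RD|RA
```

A `None` from `tcp_query` against an authoritative server is the "not TCP capable" outcome the paper counts; a reply over UDP for which `needs_tcp_fallback` is true is the point at which a resolver's fallback behaviour can be observed.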


Notes

  1. The resolvers that directly interact with authoritative DNS servers – see Sect. 2.

  2. Other available passive datasets, such as DITL [9], entail a similar limitation.

  3. Indeed, 47% of the 15–21% of TC responses initially found without a TCP query follow-up were to Google resolvers, virtually all of which the authors later assessed to be successful fallback to TCP, leaving 7–10% of TC responses still without a TCP follow-up.

  4. While in Sect. 5 we categorize TCP support by domain to demonstrate the impact on clients using TCP as their transport medium, here we categorize by ADNS for easy comparison to Shulman and Waidner.

  5. Indeed, a study [29] concerning large DNS responses did include both IPv4 and IPv6 traffic and did not note significant variations in behavior between the two.

  6. We discover substantially more open ingress resolvers than other recent scans [2, 35]. The likely cause of this discrepancy is that those scans do not include ingress resolvers that respond from a different port (not 53) than the port used in probing, a behavior first observed in [33]. Indeed, our results include 2,010,584 (65.9%) ingress resolvers that do respond from port 53, closely matching the number of resolvers reported by the previous scans.

  7. We missed 454 domains due to an issue with retrieving the full list from Majestic’s website.

  8. While this technique is not exhaustive in discovering all domains from the available QNAMEs, it serves to provide a reasonably broad list for our subsequent measurements. In hindsight, using Mozilla’s public DNS suffix list at https://publicsuffix.org/ would have been better.

  9. The table includes only 989 of the 1K popular websites because eleven of these domains either provide no NS records, the name servers listed fail to resolve to IP addresses, or none of the IP addresses responded to TCP or UDP queries.

  10. We contacted both CDN1 and CDN2 about our findings. CDN1 acknowledged the bug, and CDN2 did not respond.

References

  1. https://osf.io/6ysxv/

  2. Al-Dalky, R., Rabinovich, M., Schomp, K.: A look at the ECS behavior of DNS resolvers. In: Proceedings of the ACM Internet Measurement Conference, pp. 116–129 (2019)

  3. Al-Dalky, R., Schomp, K.: Characterization of collaborative resolution in recursive DNS resolvers. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 146–157. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76481-8_11

  4. Barnes, R., Hoffman-Andrews, J., Kasten, J.: RFC 8555: Automatic Certificate Management Environment (ACME) (2019)

  5. Böttger, T., et al.: An empirical study of the cost of DNS-over-HTTPS. In: Proceedings of the ACM Internet Measurement Conference, pp. 15–21 (2019)

  6. Damas, J., Graff, M., Vixie, P.A.: RFC 6891: Extension mechanisms for DNS (EDNS0) (2013)

  7. Deccio, C., Davis, J.: DNS privacy in practice and preparation. In: Proceedings of the 15th International Conference on Emerging Networking Experiments and Technologies (CoNEXT), pp. 138–143 (2019)

  8. Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., Wessels, D.: RFC 7766: DNS transport over TCP - implementation requirements (2016)

  9. DNS-OARC: DITL. https://www.dns-oarc.net/oarc/data/ditl (2018)

  10. Eastlake, D.: RFC 2535: Domain name system security extensions (1999)

  11. Hansen, T., Crocker, D., Hallam-Baker, P.: RFC 5585: DomainKeys Identified Mail (DKIM) service overview (2009)

  12. Hoffman, P., McManus, P.: RFC 8484: DNS queries over HTTPS (DoH) (2018)

  13. Hoffman, P., Schlyter, J.: RFC 6698: The DNS-based authentication of named entities (DANE) transport layer security (TLS) protocol: TLSA (2012)

  14. Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., Hoffman, P.: RFC 7858: Specification for DNS over transport layer security (TLS) (2016)

  15. Huitema, C., Shore, M., Mankin, A., Dickinson, S., Iyengar, J.: Specification of DNS over dedicated QUIC connections. Internet-Draft draft-huitema-quicdnsoquic-07. Work in Progress

  16. Huston, G.: A question of DNS protocols. https://labs.ripe.net/Members/gih/a-question-of-dns-protocols, August 2013

  17. Kitterman, S.: RFC 7208: Sender Policy Framework (SPF) for authorizing use of domains in email (2014)

  18. Klein, A., Shulman, H., Waidner, M.: Internet-wide study of DNS cache injections. In: IEEE INFOCOM, pp. 1–9. IEEE (2017)

  19. Klensin, J.: RFC 2821: Simple mail transfer protocol (2001)

  20. Klensin, J.: RFC 5321: Simple mail transfer protocol (2008)

  21. Kührer, M., Hupperich, T., Bushart, J., Rossow, C., Holz, T.: Going wild: large-scale classification of open DNS resolvers. In: Proceedings of the ACM Internet Measurement Conference (2015)

  22. Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? Reducing the impact of amplification DDoS attacks. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 111–125 (2014)

  23. Lian, W., Rescorla, E., Shacham, H., Savage, S.: Measuring the practical impact of DNSSEC deployment. In: 22nd USENIX Security Symposium, pp. 573–588 (2013)

  24. Lu, C., et al.: An end-to-end, large-scale measurement of DNS-over-encryption: how far have we come? In: Proceedings of the ACM Internet Measurement Conference, pp. 22–35 (2019)

  25. MacFarland, D.C., Shue, C.A., Kalafut, A.J.: Characterizing optimal DNS amplification attacks and effective mitigation. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 15–27. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15509-8_2

  26. Majestic Top Million Root Domains List. https://majestic.com/reports/majestic-million (2021)

  27. Mockapetris, P.: RFC 883: Domain names - implementation and specification (1983)

  28. Mockapetris, P.V.: RFC 1035: Domain names - implementation and specification (1987)

  29. Moura, G.C.M., Müller, M., Davids, M., Wullink, M., Hesselman, C.: Fragmentation, truncation, and timeouts: are large DNS messages falling to bits? In: Hohlfeld, O., Lutu, A., Levin, D. (eds.) PAM 2021. LNCS, vol. 12671, pp. 460–477. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-72582-2_27

  30. Randall, A., et al.: Trufflehunter: cache snooping rare domains at large public DNS resolvers. In: Proceedings of the ACM Internet Measurement Conference, pp. 50–64 (2020)

  31. van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks: a comprehensive measurement study. In: Proceedings of the ACM Internet Measurement Conference, pp. 449–460 (2014)

  32. RIPE: Atlas. https://atlas.ripe.net/ (2021)

  33. Schomp, K., Callahan, T., Rabinovich, M., Allman, M.: On measuring the client-side DNS infrastructure. In: Proceedings of the ACM Internet Measurement Conference, pp. 77–90. ACM (2013)

  34. Shulman, H., Waidner, M.: Is the Internet ready for DNSSEC: evaluating pitfalls in the naming infrastructure. In: International Workshop on Traffic Monitoring and Analysis (TMA) (2016)

  35. The Shadowserver Foundation: Open resolver scanning project. https://scan.shadowserver.org/dns/ (2020)

  36. Vixie, P.: RFC 2671: Extension mechanisms for DNS (EDNS0) (1999)

  37. Vixie, P., Schryver, V.: DNS response rate limiting (DNS RRL). http://ss.vix.su/~vixie/isc-tn-2012-1.txt (2012)

  38. Wouters, P., Abley, J., Dickinson, S., Bellis, R.: RFC 7828: The edns-tcp-keepalive EDNS0 option (2016)

  39. Zhu, L., Hu, Z., Heidemann, J., Wessels, D., Mankin, A., Somaiya, N.: Connection-oriented DNS to improve privacy and security. In: 2015 IEEE Symposium on Security and Privacy, pp. 171–186. IEEE (2015)


Acknowledgement

We thank the anonymous reviewers, and especially our shepherd, Alessio Botta, for useful comments and guidance. We are indebted to CWRU IT organization (“UTech”) for its continued support, without which this research would not be possible. The work of Jiarun Mao and Michael Rabinovich was supported in part by NSF through grant CNS-1647145.

Corresponding author

Correspondence to Jiarun Mao.

Appendices

A Matching Algorithm

Figures a, b and c (the listings of the matching algorithm) are not reproduced in this preview.

B CDN Targets Tested

Below we list the 47 CDNs we tested in this study, which includes 17 (shown in bold font) out of 25 CDNs listed at CDN Planet (https://www.cdnplanet.com/, accessed on Jan 2, 2022). The parenthetical information lists the domain name employed and whether all, some, or none of the ADNS tested are TCP capable.

  • advancedhosterscdn (11799613.pix-cdn.org, all)
  • akamai (www.a1776.g1.akamai.net, all)
  • amazoncloudfront (www.d2qjncoblxi5md.cloudfront.net, all)
  • aryaka (hd.itrip.com.top.aads1.net, none)
  • azion (18697b.ha.azioncdn.net, all)
  • belugacdn (www.cdn.famefocus.com.i.belugacdn.com, none)
  • bitgravity (www.pc-ap.bitgravity.com, all)
  • bunnycdn (www.planetedomo.b-cdn.net, some)
  • cachefly (www.vip1.g5.cachefly.net, none)
  • cdn77 (www.1650447009.rsc.cdn77.org, all)
  • cdnetworks (www.kisa.or.kr.cdngc.net, none)
  • cdnify (karnataka.a.cdnify.io, all)
  • cdnsun (www.239827766.r.cdnsun.net, all)
  • cdnvideo (bfm.cdnvideo.ru, all)
  • cedexis (mobile.interflora.fr.fasterize.it.2-01-295f-000e.cdx.cedexis.net, all)
  • chinacache (hpcc-page.cncssr.chinacache.net, all)
  • chinanetcenter (www.v4q3iig12pcnka.wscloudcdn.com, none)
  • cloudflare (www.upra.org.cdn.cloudflare.net, all)
  • cubecdn (mr.sp.cubecdn.net, all)
  • edgecast (www.cs109.adn.edgecastcdn.net, all)
  • facebook (scontent.xx.fbcdn.net, all)
  • fastly (www.prod.seamless.map.fastlylb.net, all)
  • google (www.g0e1hw.feedproxy.ghs.google.com, all)
  • highwinds (www.cds.v2f8x7x9.hwcdn.net, all)
  • incapsula (www.hs2rptk.x.incapdns.net, all)
  • internap (www.6a2809e8d5.site.internapcdn.net, none)
  • keycdn (p-frpa00-v4.kxcdn.com, all)
  • leasewebcdn (www.5ad9c8cb35308834bf7d93d4e09de97e.lswcdn.net, all)
  • level3 (www.vc.sporttube.com.c.footprint.net, none)
  • limelight (ualsharp.vo.llnwd.net, none)
  • maxcdn (www.creative-watch-new-pull.4ncfzftyhcv4rwo.netdna-cdn.com, all)
  • medianova (img-cimri.mncdn.com, none)
  • netlify (www.campusmanagement.netlify.com, all)
  • ngenix (www.cntraveller-st.cdn.ngenix.net, all)
  • nyiftw (www.nyi.nyiftw.net, all)
  • onapp (316150366.r.worldcdn.net, all)
  • optimalcdn (www.cdn.optimalcdn.com, all)
  • quantil (www.oversea.dtwscache.speedcdns.com, none)
  • reflectednetworks (www.e-static.pornmd.com.sds.rncdn7.com, all)
  • rocketcdn (www.mediacdn.karnaval.com.streamprovider.net, all)
  • singularcdn (h2.singularcdn.net.br, all)
  • stackpath (www.adoramapix-8u9vvrwnlphhiqnu.stackpathdns.com, all)
  • swiftcdn (secure.aims.jns.swiftserve.com, all)
  • unicorncdn (xc3uk5s3rf.unicorncdn.net, all)
  • wordpress (www.2.gravatar.com, all)
  • yottaa (www.a19af6306e7c013695900a3ba3fac80a.yottaa.net, all)
  • zenedge (104-225-137-39-tls12.zenedge.net, all)

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Mao, J., Rabinovich, M., Schomp, K. (2022). Assessing Support for DNS-over-TCP in the Wild. In: Hohlfeld, O., Moura, G., Pelsser, C. (eds) Passive and Active Measurement. PAM 2022. Lecture Notes in Computer Science, vol 13210. Springer, Cham. https://doi.org/10.1007/978-3-030-98785-5_22

  • DOI: https://doi.org/10.1007/978-3-030-98785-5_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-98784-8

  • Online ISBN: 978-3-030-98785-5