Keeping the DNS independent and resilient
As part of my Ph.D. research at the University of Twente, I will carry out an empirical study of how the implementation of the DNS architecture is evolving. The motivation for my work is the increasing concern in the global technical community that the DNS is becoming concentrated in the hands of a decreasing number of operators: a process which could threaten the DNS’s independence and resilience. In this blogpost, I outline the problem space and the research questions that my study will address.
Domain Name System
The main purpose of the Domain Name System (DNS) is to map the domain name of a remote machine to its IP address. The DNS plays a critical and central role in the internet, because almost every interaction between two machines is preceded by a DNS lookup. By design, it is a hierarchical system, with a distributed name space and decentralised access.
Figure 1 shows how a DNS lookup works. Suppose that the client wants to look up the IP address of example.com. To do that, it sends a DNS query to a recursive resolver (interaction 1 in Figure 1), which walks through the DNS naming hierarchy on behalf of the client. The resolver starts at the root, which refers the resolver to the servers of .com (interaction 2). They .com name servers refer to the servers of example.com (interaction 3), which provide the resolver with the requested IP address (interaction 4). The resolver forwards the address to the client, and finally the client can use the IP address of example.com to connect to the site (not shown in Figure 1).
Figure 1: An example of a DNS lookup and the components and stakeholders involved.
With great power comes great responsibility
The architecture described gives DNS operators both great responsibility and great power. On the one hand, operators of zones such as the root, .com, or example.com have the responsibility to keep their name servers available all the time. If in Figure 1 none of the name servers for example.com are reachable, the domain effectively becomes unavailable. The responsibility is even greater if the operator manages zones that delegate many domains, as with the root or a TLD such as .com or .nl.
On the other hand, operators have a lot of power over their clients. First, operators of recursive resolvers can track every DNS request that their clients make, which can reveal sensitive information. Second, because a DNS request precedes virtually every connection set up on the internet, operators of resolvers are gatekeepers for their clients. They can block access to certain domains or serve the wrong answer to their clients. Finally, they also need to keep their resolvers available all the time. If clients cannot reach a resolver to serve their queries, they are effectively offline.
Therefore, DNS operators have the responsibility to run their service transparent and in a non-discriminatory manner.
In the hands of many
To distribute the responsibility and power, the DNS is designed to be in the hands of many. As shown in Figure 1, clients can usually select from multiple recursive resolvers to query the DNS. For example, most clients can typically choose between their ISP’s resolver and a public resolver service, such as Google Public DNS. Also, each domain (such as the root, .com, and example.com) can have multiple name servers run by different organisations.
That arrangement should make the DNS resilient against outages, as well as reducing the likelihood of significant number of components being controlled by the same organisation. For instance, going back to Figure 1, if example.com's authoritative name server x fails, there are still two other servers available. Also, if the client does not trust resolver 1 to serve the correct answers, it can choose resolver 2 instead.
Suspected concentration of the DNS
Recent incidents, however, suggest that the actual deployment of the DNS is changing. A major distributed denial of service (DDoS) attack on DNS provider Dyn in 2016 rendered many popular web services unavailable for hours. Affected domains included twitter.com, linkedin.com and airbnb.com. All of which had multiple name servers configured, but every single one of their servers was hosted by Dyn. So, when Dyn became unavailable, all their name servers became unavailable.
Similar trends have been observed where recursive resolvers are concerned. For example, some governments force internet service providers (ISPs) sometimes to block DNS requests relating to adult content. As well as blocking the requests, an ISP will typically set up the home routers supplied to customers in such a way that customers can't choose a resolver other than the one provided by the ISP. If the ISP is required to block certain queries to its recursive resolvers, the (less tech-savvy) user has no choice but to accept this form of censorship.
The signs are that the DNS might be becoming more and more concentrated in the hands of a few organisations. It seems that many domains rely on the same organisations to run their authoritative name servers and the majority of DNS queries are served by a few large resolver operators. And that appears to have negative implications for the resilience and independence of the DNS and therefore the internet as a whole.
That raises the question:
Are the independence and resilience of the DNS threatened?
In my PhD research, I first want to investigate the extent to which the DNS is concentrated.
Previous studies have found that the concentration of DNS providers serving popular websites has continued, even after the attack on Dyn. I want to build on those findings by analysing the concentration on the technical and organisational levels, and by studying the process's (business) drivers.
I then want to establish whether the current deployment of the DNS is indeed a threat to the resilience and independence of the DNS, and thus of the internet as a whole.
Finally, I intend to analyse existing measures for mitigating the threats and consider what else might be done.
I will carry out the PhD research in collaboration with the Department of Design and Analysis of Communication Systems (DACS) at the University of Twente.