New DNSSEC charts on stats.sidnlabs.nl
In this blog post we introduce five new figures related to DNSSEC usage and security that we publish on our statistics page stats.sidnlabs.nl. SIDN Labs, together with registrars, are encouraging the use of DNSSEC now for several years. Initiatives like the DNSSEC-validation monitor and user-friendly plugins that allow owners of websites to implement DNSSEC checks try to raise awareness. As a consequence, the .nl zone has an adoption of DNSSEC with over 40%.
DNSSEC related statistics, observed at our name servers and collected and analyzed with our ENTRADA platform, are already available on stats.sidnlabs.nl. Now, we have added new charts that show the number of DNSSEC validating resolvers per autonomous system (AS).
We show, in which ASs validating DNSSEC resolvers are located and for how many monthly queries they are responsible. We assume that every resolver that queries at least 1.000 times per month for DS or DNSKEY and has the DO flag set is validating signatures. We chose this limit to rule out false classification of resolvers that send only a few DNSEEC related queries for testing purposes or that serve validating clients.
The first graph (Figure 1) shows the number of queries that we have received from validating resolvers, separated by the AS in which the resolver is located. We have observed queries from 38.964 ASs in November 2015. From those, we select 1.000 ASs from which we receive the most queries.
Figure 1: Share of queries that are sent from validating resolvers. The size of the boxes indicates the total number of queries. A blue colored cell indicates that we receive many queries from validating resolvers from this AS.
Figure 2 shows the same information, but now only for ASs that are assigned to organizations in the Netherlands.
Figure 2: Share of queries that are sent from validating resolvers from Dutch ASs.
The third graph shows the resolvers of the open resolver services of Google and OpenDNS.
Figure 3: Share of queries that are sent from validating resolvers from open Google and OpenDNS resolvers.
Note, that there are still many resolvers that do not validate DNSSEC signatures, despite the wide support of DNS software like BIND and Unbound.
In the Netherlands, DNSSEC validation is heterogeneous. Some ASs locate validating resolvers that are responsible for almost all of the received queries from this AS, whereas other ASs locate almost no validating resolvers. Both groups include ASs from large Dutch ISPs.As for open resolver services: Google has enabled validation on all of their resolvers. In comparison, we were not able to identify validating resolvers of OpenDNS.
Although, the graph in Figure 4 does not show DNSSEC validating resolvers, it is still closely related to DNS security. DNSSEC was introduced to fight, among others, DNS spoofing attacks. Port randomization is another countermeasure to make spoofing attacks harder.
We show, how many resolvers still use a small number of ports when sending DNS requests to our name servers. We measure this by calculating the daily standard deviation of the port numbers for each resolver as described here. We can calculate the standard deviation fast and easy and it gives us a rough estimation of the randomness of the used ports. We can see, that the majority of resolvers use a reasonably wide range of ports. However, some resolvers still use only a very limited range of ports to query our name servers. Looking at the number of received queries indicates, that especially small resolvers seem to have this issue.
Figure 4: Share of resolvers that have a high, medium and low degree of port randomness.
In the last chart (Figure 5) we show how many resolvers, which use a small range of ports to send us queries, are located in the Netherlands. Additionally, we show in which AS these resolvers are located.
Figure 5: The number of unsecure resolvers that are located in Dutch ASs.
Now, readers might ask themselves: “If only a few resolvers have a weak source port randomness, what do we need DNSSEC for?”.
Well, first, a random source port does not make a DNS cache poising attack impossible for an attacker but only decrease the chance of a successful attack. DNSSEC adds additional security.
Second, a random selection of source ports does not protect against attackers that are able to carry out a Man-in-the-Middle attack.
Third, DNSSEC does not only provide authentication and integrity between a recursive resolver and an authoritative name server but also between the stub resolver of the client and the authoritative name server. However, therefore it is necessary, that the stub resolver is validating as well.
Last, DNSSEC enables the DANE protocol to improve the security of TLS connections.
For those reasons, among others, DNSSEC is an important extension to DNS and we promote its deployment.
As usual, we publish the raw data in JSON format on our website and we invite other researchers and organizations to give us feedback on how to improve our charts. Also, please let us know if you are missing any kind of information.