Exploring Query Name Minimization in DNS Resolution
Delve into the world of query name minimization in DNS resolution, examining its adoption from the perspectives of end users, queries, and recursive resolvers. Understand the common resolver implementations and the techniques described in RFC 7816. Gain insights from user measurements and results from experiments conducted in 2019 and 2020.
Presentation Transcript
Measuring Query Name Minimization
Joao Damas, Geoff Huston, APNIC Labs, September 2020
Quick Summary: NON-query name minimisation resolution sequence
Quick Summary: Query name minimisation technique described in RFC 7816
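The two resolution sequences on these slides, modelled as an added example (not APNIC Labs code): a toy delegation tree is constructed, every name in it is an assumption, and `discovery_qtype` stands for the NS-versus-A choice that deployed resolvers make for the intermediate queries. The model shows what each zone's servers get to see under each sequence.

```python
"""Toy model of the queries a recursive resolver emits with and without
query name minimisation (RFC 7816).  Added example, not APNIC Labs code.
The delegation tree below is constructed, every name in it is an
assumption, and 'discovery_qtype' models the NS-versus-A choice that
deployed resolvers make for the intermediate queries."""

from typing import List, Set, Tuple

# Constructed delegation model: the names that are zone apexes (zone cuts).
ZONE_CUTS = {".", "com.", "example.com.", "sub.example.com."}

# One query on the wire: (zone whose servers are asked, qname, qtype)
Query = Tuple[str, str, str]


def _suffixes(qname: str) -> List[str]:
    """Ancestors of qname from the root down, e.g.
    'www.example.com.' -> ['.', 'com.', 'example.com.', 'www.example.com.']"""
    labels = qname.rstrip(".").split(".")
    out = ["."]
    for i in range(len(labels) - 1, -1, -1):
        out.append(".".join(labels[i:]) + ".")
    return out


def classic_sequence(qname: str, qtype: str,
                     zone_cuts: Set[str] = ZONE_CUTS) -> List[Query]:
    """Without minimisation: the full name and the real qtype are sent to the
    servers of every zone on the path, so the root and the TLD both learn
    the whole name."""
    return [(zone, qname, qtype) for zone in _suffixes(qname) if zone in zone_cuts]


def minimised_sequence(qname: str, qtype: str, discovery_qtype: str = "NS",
                       zone_cuts: Set[str] = ZONE_CUTS) -> List[Query]:
    """RFC 7816: start at the closest known zone (the root here), add one
    label per query, follow a referral when the name turns out to be a zone
    cut, and only the final query carries the real qtype.  Every
    intermediate query uses discovery_qtype."""
    sequence: List[Query] = []
    current_zone = "."
    for name in _suffixes(qname)[1:]:
        is_last = name == qname
        sequence.append((current_zone, name, qtype if is_last else discovery_qtype))
        if name in zone_cuts:   # referral: the next query goes to the child zone
            current_zone = name
    return sequence


def names_seen_by(sequence: List[Query], zone: str) -> Set[str]:
    """Which qnames the servers of one zone learn from a sequence; this is
    the privacy property minimisation buys."""
    return {name for z, name, _ in sequence if z == zone}


if __name__ == "__main__":
    target = "a.b.c.sub.example.com."
    for label, seq in (("classic", classic_sequence(target, "A")),
                       ("minimised", minimised_sequence(target, "A"))):
        print(f"{label}: {len(seq)} queries; root sees {names_seen_by(seq, '.')}")
```

Running the module shows the trade-off the survey is about: for the deep name the classic sequence is 4 queries and the root servers learn the full name, while the minimised sequence is 6 queries and the root learns only `com.`. The two extra queries hit `c.sub.example.com.` and `b.c.sub.example.com.`, names that may exist only as empty non-terminals; RFC 7816 expects a NOERROR/NODATA answer for them, and an authoritative server that returns NXDOMAIN instead is the "residual issue" the closing questions refer to.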
Common Resolver Implementation Status
  BIND 9: implemented in 9.14, active in relaxed mode by default
  Unbound: implemented in 1.7.2, active in non-strict mode
  Knot: implemented in 1.2.2, active by default
  PowerDNS Recursor: implemented in 4.3.0-alpha1, enabled by default since 4.3.0-beta1
Measurements
Let's look at the adoption of query name minimisation from the perspectives of the end user and their queries, and from the perspective of recursive resolvers.
Users whose Queries are handled with Qname Minimization
User Measurements
2019 Results: (figures not captured in the transcript)
2020 Results:
                        | Experiments | Qmin       | NS        | A          | AAAA
  Count                 | 99,303,954  | 18,219,251 | 1,411,485 | 16,880,583 | 0
  % of all experiments  |             | 18%        | 1%        | 16%        | 0%
  % of Qmin experiments |             |            | 7%        | 92%        | 0%
(NS, A and AAAA are the query types of the Qmin discovery queries.)
User Measures
The proportion of users who use recursive resolvers that perform query name minimisation has risen from 3% of users to 18% of users in the past 12 months. The common resolver behaviour is to perform the discovery queries using query type A, not NS or AAAA.
Where are these Users?
CC | Qmin Ratio | Experiments | Qmin      | CC Name
AD | 60%        | 1,856       | 1,128     | Andorra
CY | 59%        | 26,011      | 15,380    | Cyprus
IR | 57%        | 1,525,556   | 876,474   | Iran
BW | 56%        | 25,598      | 14,503    | Botswana
NE | 56%        | 114,782     | 64,708    | Niger
KP | 53%        | 1,149       | 613       | DPR Korea
IN | 52%        | 14,496,031  | 7,606,073 | India
NP | 51%        | 175,589     | 91,016    | Nepal
MV | 44%        | 9,303       | 4,179     | Maldives
ZW | 42%        | 117,058     | 49,396    | Zimbabwe
AF | 41%        | 131,402     | 54,505    | Afghanistan
GM | 41%        | 13,273      | 5,460     | Gambia
PT | 39%        | 193,912     | 76,982    | Portugal
DE | 37%        | 1,681,871   | 626,608   | Germany
MG | 36%        | 114,996     | 41,848    | Madagascar
BM | 36%        | 1,462       | 532       | Bermuda
BY | 35%        | 183,944     | 64,963    | Belarus
FR | 35%        | 1,290,872   | 453,342   | France
ZA | 34%        | 858,408     | 297,725   | South Africa
NG | 34%        | 1,540,623   | 532,479   | Nigeria
IQ | 32%        | 886,273     | 291,240   | Iraq
GE | 32%        | 66,979      | 21,725    | Georgia
NZ | 31%        | 108,164     | 34,398    | New Zealand
SI | 31%        | 42,269      | 13,434    | Slovenia
CG | 30%        | 13,015      | 3,911     | Congo
EC | 29%        | 275,295     | 80,786    | Ecuador
Resolver Measures
What's a resolver? Always hard to tell these days. Over a 16-day period we saw 183,438 distinct IP addresses of resolvers:
  148,230 IPv4 addresses (77,548 distinct /24 subnets)
  35,209 IPv6 addresses (9,069 distinct /48 subnets)
Open Resolvers
What's behind these 50%-70% ratios? Is Qmin only partially deployed in the DNS service anycast constellation?
Open DNS resolvers:
Resolver   | Qmin Ratio | Experiments | Qmin Experiments
googlepdns | 0%         | 70,253,285  | 530
114dns     | 6%         | 6,590,007   | 370,145
cloudflare | 50%        | 6,178,049   | 3,104,221
opendns    | 68%        | 5,490,013   | 3,717,390
dnspai     | 4%         | 4,700,366   | 165,689
onedns     | 10%        | 3,175,244   | 317,439
vrsgn      | 0%         | 927,125     | 0
quad9      | 70%        | 760,514     | 534,262
level3     | 0%         | 407,443     | 0
neustar    | 59%        | 394,491     | 231,720
yandex     | 0%         | 246,648     | 0
dnswatch   | 56%        | 167,079     | 94,226
dyn        | 58%        | 109,400     | 63,938
cnnic      | 0%         | 54,841      | 0
he         | 98%        | 39,240      | 38,311
(slide annotation beside the table: "This is more expected!")
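How the figures in the User Measurements and the Open Resolvers tables can be derived from an authoritative server's query log, as an added example (not APNIC Labs code): it assumes a constructed experiment zone `exp.example.net.` in which every experiment uses a unique name one label below a per-experiment token (e.g. `u1.t1.exp.example.net.`), so a minimising resolver first asks the zone's servers for the shorter `t1.exp.example.net.` while a non-minimising one only ever asks for the full name. The log lines, addresses and tokens are constructed, not survey data.

```python
"""Authoritative-side classifier for a query name minimisation measurement.
Added example, not APNIC Labs code.  Assumes a constructed experiment zone
'exp.example.net.' where each experiment uses a unique name with one label
below a per-experiment token (e.g. 'u1.t1.exp.example.net.'): a minimising
resolver first asks for the shorter 't1.exp.example.net.' (RFC 7816), a
non-minimising one only for the full name.  Log lines are constructed."""

import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

ZONE = "exp.example.net."

# Constructed sample log: time, resolver source address, qname, qtype
SAMPLE_LOG = """\
12:00:01 192.0.2.10 t1.exp.example.net. NS
12:00:01 192.0.2.10 u1.t1.exp.example.net. A
12:00:02 198.51.100.7 u2.t2.exp.example.net. A
12:00:03 203.0.113.5 t3.exp.example.net. A
12:00:03 203.0.113.5 u3.t3.exp.example.net. AAAA
12:00:04 198.51.100.7 u4.t4.exp.example.net. AAAA
12:00:05 192.0.2.11 t5.exp.example.net. NS
12:00:05 192.0.2.11 t5.exp.example.net. A
12:00:05 192.0.2.11 u5.t5.exp.example.net. A
12:00:06 2001:db8:1::53 u6.t6.exp.example.net. A
"""

Row = Tuple[str, str, str, str]  # (time, source address, qname, qtype)


def parse_log(text: str) -> List[Row]:
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, qname, qtype = line.split()
            rows.append((ts, src, qname.lower(), qtype.upper()))
    return rows


def experiment_token(qname: str) -> Optional[str]:
    """The label directly below ZONE identifies the experiment; None when the
    query is not under the experiment zone."""
    if not qname.endswith("." + ZONE):
        return None
    return qname[: -len(ZONE) - 1].split(".")[-1]


def classify(rows: List[Row]) -> Dict[str, dict]:
    """Per experiment: did a shortened query arrive (Qmin), which qtype(s) it
    used, and which resolver addresses took part."""
    result: Dict[str, dict] = {}
    for _, src, qname, qtype in rows:
        tok = experiment_token(qname)
        if tok is None:
            continue
        rec = result.setdefault(tok, {"qmin": False, "discovery_qtypes": set(),
                                      "resolvers": set()})
        rec["resolvers"].add(src)
        if qname == f"{tok}.{ZONE}":  # only a minimising resolver asks the short name
            rec["qmin"] = True
            rec["discovery_qtypes"].add(qtype)
    return result


def summarise(classified: Dict[str, dict]) -> dict:
    """Totals in the shape of the 'User Measurements' table."""
    qmin = [r for r in classified.values() if r["qmin"]]
    qtypes = Counter(qt for r in qmin for qt in r["discovery_qtypes"])
    total = len(classified)
    return {"experiments": total, "qmin": len(qmin),
            "qmin_ratio": len(qmin) / total if total else 0.0,
            "discovery_qtypes": dict(qtypes)}


def per_resolver(classified: Dict[str, dict]) -> Dict[str, Tuple[int, int, float]]:
    """Per source address: (experiments, Qmin experiments, ratio); the shape
    of the 'Open Resolvers' and 'ISP Resolvers' tables."""
    seen = defaultdict(lambda: [0, 0])
    for rec in classified.values():
        for src in rec["resolvers"]:
            seen[src][0] += 1
            seen[src][1] += int(rec["qmin"])
    return {src: (n, q, q / n) for src, (n, q) in seen.items()}


def distinct_resolvers(rows: List[Row]) -> Dict[str, int]:
    """Resolver counts the way the 'Resolver Measures' slide reports them:
    distinct addresses plus distinct IPv4 /24 and IPv6 /48 prefixes."""
    v4, v6, v4_24, v6_48 = set(), set(), set(), set()
    for _, src, _, _ in rows:
        ip = ipaddress.ip_address(src)
        if ip.version == 4:
            v4.add(ip)
            v4_24.add(ipaddress.ip_network(f"{src}/24", strict=False))
        else:
            v6.add(ip)
            v6_48.add(ipaddress.ip_network(f"{src}/48", strict=False))
    return {"ipv4": len(v4), "ipv4_24": len(v4_24),
            "ipv6": len(v6), "ipv6_48": len(v6_48)}


def run_sample():
    rows = parse_log(SAMPLE_LOG)
    classified = classify(rows)
    return summarise(classified), per_resolver(classified), distinct_resolvers(rows)


if __name__ == "__main__":
    for part in run_sample():
        print(part)
```

On the constructed log this yields 6 experiments of which 3 show minimisation (t1, t3 and t5), with NS and A each seen twice as discovery type and AAAA never, which is the same shape as the 2020 table. Keying the ratio by source address, as `per_resolver` does, is what makes partial deployment visible: a service whose anycast backends behave differently lands between 0% and 100%, which is one reading of the 50%-70% ratios on the Open Resolvers slide. The classifier only observes experiments whose resolver reached this zone at all, so a resolver that never sends the short name is indistinguishable from one that sends it to a different server.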
ISP Resolvers
ASN   | CC | AS Name                                                          | Qmin Ratio | Experiments | Qmin Experiments
55836 | IN | RELIANCEJIO-IN Reliance Jio Infocomm Limited                     | 59%        | 28,468,311  | 16,687,545
4837  | CN | CHINA169-BACKBONE CHINA UNICOM China169 Backbone                 | 5%         | 11,328,596  | 622,812
9808  | CN | CMNET-GD Guangdong Mobile Communication Co.Ltd.                  | 8%         | 9,999,271   | 824,254
9498  | IN | BBIL-AP BHARTI Airtel Ltd.                                       | 0%         | 8,632,305   | 5
58543 | CN | CHINATELECOM-GUANGDONG-IDC Guangdong                             | 0%         | 8,579,142   | 0
56046 | CN | CMNET-JIANGSU-AP China Mobile communications corporation         | 51%        | 6,935,852   | 3,561,604
7922  | US | COMCAST-7922                                                     | 0%         | 5,590,304   | 620
6730  | CH | SUNRISE                                                          | 50%        | 4,714,894   | 2,359,887
24560 | IN | AIRTELBROADBAND-AS-AP Bharti Airtel Ltd.                         | 0%         | 3,467,579   | 4
4835  | CN | CHINANET-IDC-SN China Telecom (Group)                            | 51%        | 3,380,595   | 1,729,101
30986 | GH | SCANCOM                                                          | 32%        | 3,170,873   | 1,016,619
56040 | CN | CMNET-GUANGDONG-AP China Mobile communications corporat          | 0%         | 3,163,238   | 0
28573 | BR | CLARO S.A.                                                       | 0%         | 2,837,684   | 123
7018  | US | ATT-INTERNET4                                                    | 0%         | 2,457,623   | 185
7552  | VN | VIETEL-AS-AP Viettel Group                                       | 0%         | 2,242,776   | 81
8151  | MX | Uninet S.A. de C.V.                                              | 0%         | 2,121,346   | 277
22394 | US | CELLCO                                                           | 0%         | 1,956,376   | 0
12322 | FR | PROXAD                                                           | 60%        | 1,795,299   | 1,074,475
38266 | IN | VODAFONE-IN Vodafone India Ltd.                                  | 1%         | 1,737,413   | 22,059
17676 | JP | GIGAINFRA Softbank BB Corp.                                      | 2%         | 1,721,203   | 37,873
56041 | CN | CMNET-ZHEJIANG-AP China Mobile communications corporation        | 1%         | 1,654,582   | 12,526
17633 | CN | CHINATELECOM-SD-AS-AP ASN for Shandong Provincial Net of CT      | 64%        | 1,611,910   | 1,030,195
24445 | CN | CMNET-V4HENAN-AS-AP Henan Mobile Communications Co.              | 1%         | 1,520,748   | 11,555
17799 | CN | CHINATELECOM-LN-AS-AP asn for Liaoning Provincial Net of CT      | 0%         | 1,431,372   | 0
24444 | CN | CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication C           | 0%         | 1,382,238   | 0
Observations
  Query name minimisation has gathered momentum over the past 12 months (3% of users in mid-2019 to 18% of users in mid-2020).
  While all common vendor code has query name minimisation enabled, enabling this behaviour in ISP and open resolvers is fragmentary.
  Why is it not deployed? What's the concern?
Questions
  Where and why is query name minimisation important? Does it differ by scale?
    Small-scale recursive resolvers at the edge of the network?
    ISP-operated recursive resolvers?
    Open recursive resolvers?
  Is the query name alone a privacy threat, or is the combination of the recursive resolver with the query name the problem?
  Are there residual issues with the handling of empty non-terminals?