 |
DNS SURVEY: OCTOBER 2008
Goals
This study, commissioned by Infoblox, aims to measure the number of DNS servers and quantify the spread of several configuration choices. In particular, the study measured:
- What DNS server software and version is used,
- Whether recursion is supported,
- To what degree redundant servers are topologically diversified,
- Whether servers agree with their parent zone,
- What TTL and SOA values are used,
- Whether a zone has a lame server,
- Whether servers are configured for IPv6, SPF, or DNSSEC.
Datasets
Dataset I -- Random IP Addresses
For this Dataset, we probed a random subset of all IPv4 addresses in use on the Internet. We began with an October 2008 snapshot of the global routing table taken from the Route Views project with a total of 1,911,124,210 routed IPv4 addresses. We then eliminated .mil/.gov subnets and a few subnets where the operators had previously asked us to be excluded from future scans and then randomly selected 5% of the remaining IPs for our survey, leaving us with 99,295,351 addresses to probe.
Dataset II -- Nameserver authoritative for .com/.net domains
This Dataset contains nameservers authoritative for a registered .com or .net domain. We treat this as a separate Dataset because the authoritative name servers can be assumed to be more stable over time, better maintained, and more heavily used on average than nameservers randomly discovered. Furthermore, this Dataset is used to characterize the adoption of new technologies in the DNS, namely IPv6, DNSSEC, and SPF. From a list we received from Verisign with 182 million .com and 28 million .net domains, we randomly chose a set of one million domains and randomly select one one of the servers authoritative for that domain.
Results
Number of Nameservers
We sent a simple DNS query to each probe address in the two data sets., which asks for the IPv4 address of a.root-servers.net, and has the RD bit set. A response indicates that there is a DNS server listening on the probe address. We did not implement timeouts and retransmission, so packet loss may affect these measurements. On the other hand, non-DNS responses of services listening on UDP port 53 are counted as DNS servers. The following table summarizes the number of queries and replies:
| Dataset I | ||
| Hosts queried | 99,295,351 | |
| Hosts replying | 618,312 | 0.62% |
Note that some addresses sent back more than one reply, even though we sent only one query. This happens either because the probe address actually sends multiple responses for a single query, or because the reply source address may be different than the query destination address. We suspect that some ISPs intercept incoming DNS queries and forward them to a central server, but the server responds from its own address.
Based on these numbers we can estimate that there about 11,900,000 nameservers running on the Internet. Our previous estimate was 11,700,000 in October 2007. Some fraction of these servers can be expected to be part of malware activities as shown by Dagon et al.
Software Versions
For each nameserver found, we attempted to determine its server software and version using a combination of two techniques. First, we use the fpdns tool to fingerprint the server, which usually results in a range classification of possible versions, for example "BIND 8.3.0-RC1 -- 8.4.4". Second, we send a version.bind query to the address and refine the fpdns result iff the version reported by version.bind falls in the range of possible versions as determined by fpdns (one exception being newer BIND 9 version that we subsume in the highest BIND classification that fpdns provides). While the version.bind technique is simple, many servers are configured to report no result or an obscured result. Hence, we give preference to the fpdns classification.
Our analysis determined the following distribution of namerserver software and versions.
| Server sofware | Dataset I | Dataset II | ||
|---|---|---|---|---|
| BIND | 263,011 | 42.54% | 618,949 | 58.65% |
| 4.9.3-4.9.11 | 322 | 0.05% | 2,988 | 0.28% |
| 8.1-REL -- 8.2.1-T4B | 1,439 | 0.23% | 5,165 | 0.49% |
| 8.2.2-P3 -- 8.3.0-T2A | 338 | 0.05% | 10,584 | 1% |
| 8.3.0-RC1 -- 8.4.4 | 7,000 | 1.13% | 65,233 | 6.18% |
| 9.0.0b5 -- 9.0.1 | 306 | 0.05% | 272 | 0.03% |
| 9.1.0 -- 9.2.0rc3 | 4,250 | 0.69% | 1,103 | 0.10% |
| 9.2.0rc4 -- 9.2.2-P3 | 7,742 | 1.25% | 43,460 | 4.12% |
| 9.2.3rc1 -- 9.4.0a0 | 241,614 | 39.08% | 490,144 | 46.44% |
| 9.2.[3-8] | 28,090 | 4.54% | 98,289 | 9.31% |
| 9.3.* | 38,274 | 6.19% | 112,982 | 10.71% |
| 9.4.* | 18,670 | 3.02% | 43,738 | 4.14% |
| 9.5.* | 8,753 | 1.42% | 26,239 | 2.49% |
| unknown | 147,827 | 23.91% | 208,896 | 19.79% |
| Nominum CNS/ANS | 72,560 | 11.74% | 4,612 | 0.44% |
| vermicelli totd | 11,226 | 1.82% | 273 | 0.03% |
| VeriSign ATLAS | 10,093 | 1.63% | 153 | 0.01% |
| Mikrotik dsl/cable | 5,442 | 0.88% | 0 | 0% |
| ATOS Stargate ADSL | 3,578 | 0.58% | 0 | 0% |
| robtex Viking DNS module | 1,823 | 0.29% | 0 | 0% |
| DJ Bernstein TinyDNS | 1,226 | 0.20% | 47,632 | 4.51% |
| bboy MyDNS | 1,219 | 0.20% | 41,927 | 3.97% |
| JHSOFT simple DNS plus | 572 | 0.09% | 13,523 | 1.28% |
| PowerDNS | 618 | 0.10% | 48,275 | 4.57% |
| Microsoft Windows DNS 2003 | 530 | 0.09% | 1,082 | 0.10% |
| Alteon ACEswitch | 511 | 0.08% | 0 | 0% |
| Cisco CNR | 484 | 0.08% | 270 | 0.03% |
| Runtop dsl/cable | 479 | 0.08% | 544 | 0.05% |
| Raiden DNSD | 378 | 0.06% | 2 | 0% |
| Beehive CoDoNS | 304 | 0.05% | 5 | 0% |
| Axis video server | 289 | 0.05% | 0 | 0% |
| sheerdns | 230 | 0.04% | 270 | 0.03% |
| Microsoft Windows DNS 2000 | 234 | 0.04% | 551 | 0.05% |
| Microsoft Windows DNS NT4 | 218 | 0.04% | 825 | 0.08% |
| Other | 244,354 | 39.52% | 277,227 | 26.27% |
| No match found | 122,155 | 19.76% | 131,746 | 12.48% |
| timeout | 120,166 | 19.43% | 131,097 | 12.42% |
| no result | 1,102 | 0.16% | 13,461 | 21.07% |
It is surprising to see such a large number of home routers being reachable from the Internet on Port 53.
Recursion
To test for open recursors we send a unique query for a name in a zone that we control to each nameserver. If we receive a valid response to this query, we say that the target is an open resolver.
We found 271,688 nameservers in Dataset I that support recursion. Extrapolating to the entire address space, we estimate that there are 4,300,000 open resolvers on the Internet that reply to a query. Note, that our last year's scan found a significant number of open resolvers that will forward a query, but not respond. These servers are not counted in our current experiment to keep the results consistent with the overall number of name server that we report.
The following table shows the software running on open resolvers that respond to recursive queries.
| Server sofware | Dataset I | Dataset II | ||
|---|---|---|---|---|
| BIND 9 | 41,437 | 88.86% | 262,582 | 59.78% |
| BIND 8 | 831 | 1.78% | 56,947 | 12.96% |
| bboy MyDNS | 707 | 1.52% | 6,783 | 1.54% |
| DJ Bernstein TinyDNS | 379 | 0.81% | 6,066 | 1.38% |
| sheerdns | 234 | 0.50% | 271 | 0.06% |
| PowerDNS | 160 | 0.34% | 9,429 | 2.15% |
| JHSOFT simple DNS plus | 89 | 0.19% | 5,486 | 1.25% |
| UltraDNS | 36 | 0.08% | 5,193 | 1.18% |
| Other | 3,578 | 7.67% | 79,172 | 18.02% |
| Timeout | 303 | 0.65% | 7,422 | 1.69% |
| No match found | 3,263 | 7.00% | 73,533 | 16.74% |
Source port randomization
Servers that send queries from predictable source ports are vulnerable to cache poisoning attacks. We test the degree of randomization using the DNS OARC Porttest. The test distinguishes between great, good, and poor randomization. The results in the following table only include servers for which the porttest yielded a result (e.g., non-recursive servers are excluded from the tests by definition). Furthermore, we executed the porttest only on a subset of servers so to not overload the OARC test server.| Dataset I | Dataset II | |||
| Poor | 6,851 | 23.99% | 3,974 | 43.16% |
| Good | 202 | 0.71% | 124 | 1.35% |
| Great | 21,506 | 75.30% | 5,109 | 55.49% |
| Server sofware | Dataset I | Dataset II | ||
|---|---|---|---|---|
| BIND 9 | 32941 | 48.26% | 69,690 | 80.41% |
| Nominum CNS | 16,859 | 24.70% | 268 | 0.31% |
| Mikrotik dsl/cable | 614 | 0.90% | 0 | 0% |
| JHSOFT simple DNS plus | 446 | 0.65% | 4,644 | 5.36% |
| vermicelli totd | 212 | 0.31% | 0 | 0% |
| Microsoft Windows DNS 2003 | 176 | 0.26% | 549 | 0.63% |
| BIND 8 | 160 | 0.23% | 804 | 0.93% |
| Microsoft Windows DNS 2000 | 91 | 0.13% | 310 | 0.36% |
| ATOS Stargate ADSL | 54 | 0.08% | 0 | 0% |
| robtex Viking DNS module | 53 | 0.08% | 0 | 0% |
| PowerDNS | 36 | 0.05% | 20 | 0.02% |
| Cisco CNR | 36 | 0.05% | 1 | 0.00% |
| Other | 15,824 | 23.18% | 10,711 | 12.36% |
| Timeout | 3,997 | 5.86% | 9,036 | 10.43% |
| No match found | 12,039 | 17.64% | 1,651 | 1.91% |
| Total servers | 68,263 | 86,666 | ||
Results for Dataset II -- Authoritative Nameservers
The following tests are particular to the second data set since they require knowledge of a zone for which a server is authoritative.Zone transfer (AXFR)
We test for zone transfer by invoking the dig command with the parameters
dig @
If the transfer fails or times out, we interpret this as AXFR being not supported. We find that out of 12,850 zones, 3,955 (30.78%) zones support AXFR.
IPv6
In this part of the survey, we are interested in finding out how many zones have at least one nameserver with an IPv6 address. While Verisign does not allow insertion of AAAA glue records in the COM/ZONE files, zone owners may elect to add them to their own zones.
To make the comparison, we ask for the IPv4 and IPv6 addresses (AAAA records) of all authoritative nameservers for each zone in Dataset II.
Among 161,300 zones we scanned, we found only 711 (0.44%) zones that report at least one IPv6-addressed nameserver.
Note that because the probed nameservers come from domains in the COM and NET zones, this data is not necessary an accurate reflection of worldwide IPv6 adoption for DNS nameservers.
DNSSEC
DNSSEC is an evolving protocol. The first version (RFC 2535, March 1999) defines the KEY, SIG, and NXT record types. The second version (RFC 4035, March 2005) essentially obsoletes the first-generation RR types and adds four new ones: DNSKEY, NSEC, RRSIG, and DS. We queried the set of nameservers for both old and new RR types.
In Dataset II, we found only 45 DNSSEC records.
DNSSEC adoption is still very small -- similar to last year's level. This trend surprises since DNS security had been taken more seriously after the recent problems with DNS poisoning.
Our results are limited to .com and .com zones and probably under-represents DNSSEC adoption across the whole Internet, since some European CCTLDs have been more proactive in encouraging the use of DNSSEC.
SPF
Sender Policy Framework (SPF) is an anti-spam technique by which organizations can list valid sources of email (i.e., IP addresses) from their domain. To publish SPF information, an organization creates a TXT record in their zone file. Mail transfer agents may lookup SPF information when receiving email messages. In addition to the TXT record format, SPF now also has its own DNS RR, type 99.
Within data set II, we found 176,496 (16.72%) servers with TXT-based SPF records or with type 99 records.
Are a zone's nameservers topologically dispersed?
RFC 2182 states: secondary servers must be placed at both topologically and geographically dispersed locations on the Internet, to minimize the likelihood of a single failure disabling all of them. While we do not test for geographic diversity, we can easily examine the topologic aspects of a zone's nameservers. Our assumption that topologic locality implies geographic locality is is true in most, but not quite all cases. The following table shows the percentage of zones having all their authoritative nameservers within the given CIDR-sized subnets:
| CIDR Mask | Percentage | Cumulative |
|---|---|---|
| 32 | 8.4% | 8.4% |
| 31 | 17.2% | 25.6% |
| 30 | 7.1% | 32.7% |
| 29 | 6.4% | 39.1% |
| 28 | 3.4% | 42.6% |
| 27 | 2.4% | 45.0% |
| 26 | 1.7% | 46.7% |
| 25 | 1.5% | 48.2% |
| 24 | 1.6% | 49.8% |
| 23 | 3.9% | 53.7% |
| 22 | 2.1% | 55.8% |
| 21 | 1.6% | 57.4% |
| 20 | 3.9% | 61.3% |
| 19 | 1.7% | 63.0% |
| 18 | 1.4% | 64.4% |
| 17 | 0.8% | 65.1% |
| 16 | 0.6% | 65.8% |
Matching of authoritative NS records
Here we examine whether delegation NS records (listed in the parent zone) match the authoritative NS records (found in the zone itself). We distinguish between match, not match, and the case where the supposedly-authoritative nameservers (learned from the parent zone) did not return any NS records for the zone
.| Match | 569,457 | 54.5% |
|---|---|---|
| Mismatch | 96,748 | 9.3% |
| No authoritative nameserver | 378,260 | 36.2% |
Matching of TTL records across NS records
Here we consider two slightly different cases. The first table shows the percentage of zones where the authoritative nameservers return NS records with mis-matched TTLs. This includes all NS records from all nameservers for a zone. The first column is the number of unique TTLs returned:
| Same for all NS | 1,009,572 | 96.4% |
|---|---|---|
| Different | 37,318 | 3.56% |
Conformity of SOA records
The SOA record are supposed to be within certain ranges. We test what fraction of servers adhere to the suggested values.Refresh
RFC 1912 suggests that the SOA Refresh value should be at least 20 minutes and no longer than 12 hours. The following table shows the distribution of Refresh values:
| <20m | 39,085 | 3.76% |
|---|---|---|
| 20m to 12h | 899,308 | 86.61% |
| >12h | 99,986 | 9.63% |
Retry
RFC 1912 suggests that the SOA Retry value is typically less than the Refresh value. The following table shows the distribution of Retry values:
| retry <= refresh | 1,005,159 | 97.0% |
|---|---|---|
| retry > refresh | 31,402 | 3.0% |
Expire
RFC 1912 suggests that the SOA Expire value should be at least 2 weeks and no longer than 4 weeks. The following table shows the distribution of Expire values:
| <2w | 758,108 | 73.78% |
|---|---|---|
| 2w to 4w | 167,075 | 16.26% |
| >4w | 102,302 | 9.96% |
Minimum
RFC 2308 suggests that the SOA Minimum value (aka the negative caching TTL) should be at least 1 hour and no longer than 3 hours. Common nameserver implementations usually enforce their own negative caching limits of 3 hours or less. The following table shows the distribution of Minimum values:
| <1h | 234,465 | 22.67% |
|---|---|---|
| 1h to 3h | 148,956 | 14.40% |
| >3h | 650,898 | 62.93% |
Matching of serial numbers
Not-matching serial numbers on different authoritative servers for a zone indicate a configuration problem.| Same | 1,009,572 | 96.44% |
|---|---|---|
| Different | 37,318 | 3.56% |
Note that this only includes zones that responded with at least one valid SOA record.
© 2020 The Measurement Factory.