
Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet

Yevheniya Nosyk, Maciej Korczyński, Andrzej Duda

TL;DR

The paper tackles the challenge of measuring DNSSEC validator deployment at Internet scale by introducing a remote two-step method. Step 1 actively identifies open resolvers and uses one correctly signed domain plus seven deliberately misconfigured domains to label validators versus non-validators, then trains a classifier on the DNSSEC query patterns and response codes observed. Step 2 extends this approach to closed, non-forwarding resolvers by exploiting networks without inbound Source Address Validation (SAV), so that spoofed queries reach resolvers that are not open to the scanner, and applies the same classifier to the queries observed at the authoritative side, with cross-validation from RIPE Atlas and root-server traffic analysis. The results show that while most open resolvers are DNSSEC-enabled, only a minority actually validate, whereas a sizable fraction of closed resolvers do validate; the method covers many countries and ASes and provides a scalable, permission-light way to assess DNSSEC deployment and operational behavior in the wild.

Abstract

DNS Security Extensions (DNSSEC) provide the most effective way to fight DNS cache poisoning attacks. Yet, very few DNS resolvers perform DNSSEC validation. Identifying such systems is non-trivial and the existing methods are not suitable for Internet-scale measurements. In this paper, we propose a novel remote technique for identifying DNSSEC-validating resolvers. The proposed method consists of two steps. In the first step, we identify open resolvers by scanning 3.1 billion end hosts and request every non-forwarder to resolve one correct and seven deliberately misconfigured domains. We then build a classifier that discriminates validators from non-validators based on query patterns and DNS response codes. We find that while most open resolvers are DNSSEC-enabled, less than 18% in IPv4 (38% in IPv6) validate received responses. In the second step, we remotely identify closed non-forwarders in networks that do not have inbound Source Address Validation (SAV) in place. Using the classifier built in step one, we identify 37.4% IPv4 (42.9% IPv6) closed DNSSEC validators and cross-validate the results using RIPE Atlas probes. Finally, we show that the discovered (non-)validators actively send requests to DNS root servers, suggesting that we deal with operational recursive resolvers rather than misconfigured machines.
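The two observation points the abstract describes can be illustrated with a small labelling script. The following is an added example, not code from the paper: it parses constructed DNS response headers the way a step-1 client would (response codes for a correctly signed control domain versus deliberately broken ones) and derives step-2 style query-pattern flags from a constructed authoritative-side log. The misconfiguration names, the IP addresses, the log format, the meaning assumed for the Figure 3 feature names (DS-p, DNSKEY-p, DNSKEY-c) and both labelling rules are assumptions standing in for the paper's trained classifier.

```python
"""Labelling resolvers as DNSSEC (non-)validators from constructed observations.

Added example, not the paper's code. It models the two views the paper uses:
  * client side (step 1): the response headers an open resolver returns for
    one correctly signed domain and several deliberately broken ones;
  * authoritative side (step 2): the queries a resolver sends to the
    measurement name servers, reduced to DS-p / DNSKEY-p / DNSKEY-c flags.
Every packet and log line is constructed, and both labelling rules are
simplified assumptions standing in for the paper's trained classifier.
"""
import struct
from dataclasses import dataclass

NOERROR, SERVFAIL = 0, 2


@dataclass(frozen=True)
class Header:
    """The DNS header fields that matter here (RFC 1035 / RFC 4035)."""
    qid: int
    rcode: int
    ad: bool  # Authentic Data: the resolver asserts it validated the answer


def parse_header(packet: bytes) -> Header:
    """Decode the fixed 12-byte DNS header of a response message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS message")
    qid, flags = struct.unpack("!HH", packet[:4])
    if not flags & 0x8000:  # QR must be set in a response
        raise ValueError("not a DNS response")
    return Header(qid=qid, rcode=flags & 0x000F, ad=bool(flags & 0x0020))


def make_response(qid: int, rcode: int, ad: bool) -> bytes:
    """Constructed 12-byte response header: QR=1, RD=1, RA=1, QDCOUNT=1."""
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0020 if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)


def label_from_responses(correct: bytes, broken: dict[str, bytes]) -> str:
    """Step-1 style rule on response codes (assumption, not the paper's tree).

    A validating resolver answers the correctly signed control domain and
    returns SERVFAIL for each bogus domain; a non-validator resolves all of
    them. Anything in between is reported as 'partial' rather than guessed.
    """
    good = parse_header(correct)
    if good.rcode != NOERROR:
        return "unusable"  # cannot even resolve the control domain
    failed = sum(parse_header(p).rcode == SERVFAIL for p in broken.values())
    if failed == len(broken):
        return "validator"
    if failed == 0:
        return "non-validator"
    return "partial"


# Constructed misconfiguration labels; the paper uses seven, each meant to
# make validation fail. The exact set is not reproduced here.
BROKEN = ("bad-rrsig", "expired-rrsig", "missing-dnskey")


def constructed_validator_responses():
    good = make_response(1, NOERROR, ad=True)
    bad = {n: make_response(i + 2, SERVFAIL, ad=False) for i, n in enumerate(BROKEN)}
    return good, bad


def constructed_nonvalidator_responses():
    # DNSSEC-enabled but not validating: everything resolves, AD never set.
    good = make_response(1, NOERROR, ad=False)
    bad = {n: make_response(i + 2, NOERROR, ad=False) for i, n in enumerate(BROKEN)}
    return good, bad


# Constructed authoritative-side query log: "<resolver_ip> <qname> <qtype>".
# The server is assumed authoritative for example.com and its signed child.
AUTH_LOG = """\
198.51.100.7 sub.example.com. A
198.51.100.7 sub.example.com. DS
198.51.100.7 example.com. DNSKEY
198.51.100.7 sub.example.com. DNSKEY
203.0.113.9 sub.example.com. A
"""


def query_features(log: str, parent: str, child: str) -> dict[str, dict[str, bool]]:
    """Per-resolver flags named after Figure 3 (assumed meaning: DS for the
    child as served by the parent, DNSKEY of the parent, DNSKEY of the child)."""
    feats: dict[str, dict[str, bool]] = {}
    for line in log.splitlines():
        ip, qname, qtype = line.split()
        f = feats.setdefault(ip, {"DS-p": False, "DNSKEY-p": False, "DNSKEY-c": False})
        if qtype == "DS" and qname == child:
            f["DS-p"] = True
        elif qtype == "DNSKEY" and qname == parent:
            f["DNSKEY-p"] = True
        elif qtype == "DNSKEY" and qname == child:
            f["DNSKEY-c"] = True
    return feats


def label_from_queries(f: dict[str, bool]) -> str:
    """Step-2 style rule (assumption): only a validator needs the child's
    DNSKEY to check RRSIGs and the DS that links it to the parent."""
    return "validator" if f["DNSKEY-c"] and f["DS-p"] else "non-validator"


if __name__ == "__main__":
    print(label_from_responses(*constructed_validator_responses()))
    print(label_from_responses(*constructed_nonvalidator_responses()))
    for ip, f in query_features(AUTH_LOG, "example.com.", "sub.example.com.").items():
        print(ip, f, label_from_queries(f))
```

The response-side rule only works against open resolvers, because it needs the answers; the query-side rule is what remains when the resolver is closed and only its outbound lookups reach the measurement name servers, which is why the paper's second step relies on query patterns alone. A real deployment would parse full messages (RRSIG presence, DO/AD bits) rather than the 12-byte header, and would treat timeouts separately from SERVFAIL.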

Paper Structure (35 sections, 4 figures, 7 tables)

Figures (4)

  • Figure 1: Zone structure of a signed domain example.com. Each rectangle represents a resource record set (RRset). Three of them (A, AAAA, and DS) are signed with a Zone Signing Key (ZSK), while the DNSKEY RRset is signed with a Key Signing Key (KSK). Note that the DS record belongs to a child zone of example.com: it is derived from that subdomain's KSK and published in the parent zone.
  • Figure 2: A sequence of queries performed by a validating recursive resolver. It forms a chain of trust from the initially queried A record of example.com up until the trust anchor (KSK of the root).
  • Figure 3: Implementation of the decision tree classifier on a training dataset with three features (DS-p, DNSKEY-p, and DNSKEY-c) and two output classes (validator and non-validator).
  • Figure 4: Sending a packet with a forged source IP address.