Is Protective DNS Blocking the Wild West?

David Plonka, Branden Palacio, Debbie Perouli

TL;DR

Protective DNS (PDNS) is evaluated in Research & Education Networks by passively measuring how three freely-available blocklists would affect real user DNS queries. The study analyzes nearly 900 million DNS responses and finds substantial divergence in blocklist content and governance, with only limited overlap among lists. The results highlight the lack of provenance and standardized blocking taxonomy, raising questions about fairness, privacy, and scalability of PDNS deployment in RENs. The work argues for transparent provenance, consistent blocking goals, and measurement-friendly designs to enable safe and effective PDNS adoption in large-scale educational networks.

Abstract

We perform a passive measurement study investigating how a Protective DNS service might perform in a Research & Education Network serving hundreds of member institutions. Utilizing freely-available DNS blocklists consisting of domain names deemed to be threats, we test hundreds of millions of users' real DNS queries, observed over a week's time, to find which answers would be blocked because they involve domain names that are potential threats. We find the blocklists disorderly in their names, goals, transparency, and provenance, making them quite difficult to compare. Consequently, these Protective DNS underpinnings lack organized oversight, presenting challenges and risks in operation at scale.
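As an added illustration (this is not code or data from the paper), the following Python sketch performs the core step the abstract describes: it normalizes blocklists that arrive in different distribution formats into one set of names, matches observed query names against them the way a PDNS resolver would (the query name or any parent domain), and quantifies how much the lists overlap. The three lists, the boilerplate-name set, and the query names are all constructed for the example.

```python
"""Added example (not part of the paper): test observed DNS query names against
blocklists that arrive in different formats, and quantify list overlap.
All list contents and query names below are constructed for illustration."""
from __future__ import annotations

import re
from itertools import combinations

# Three constructed blocklists, each in a format real lists commonly use.
LISTS_RAW = {
    "hosts": """\
# hosts-file style: sinkhole address followed by one or more names
0.0.0.0 malware.example
0.0.0.0 tracker.example.net
127.0.0.1 localhost
""",
    "plain": """\
# one name per line
malware.example
phish.example.org
""",
    "adblock": """\
! uBlock/AdBlock-style domain rules
||tracker.example.net^
||ads.example.com^
""",
}

# hosts-file boilerplate that is not a threat indicator (assumed set)
HOSTS_BOILERPLATE = {"localhost", "localhost.localdomain", "broadcasthost",
                     "ip6-localhost", "ip6-loopback", "local"}
IP_LIKE = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|::1?)$")

def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot; DNS names are case-insensitive."""
    return name.strip().lower().rstrip(".")

def parse_blocklist(text: str) -> set[str]:
    """Return the set of FQDNs a list would block, whatever its format."""
    names: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"\|\|([^\^/]+)\^", line)  # ||name^ rule
        if m:
            candidates = [m.group(1)]
        else:
            tokens = line.split()
            # hosts format: address then name(s); plain format: just the name
            candidates = tokens[1:] if IP_LIKE.match(tokens[0]) else tokens[:1]
        for c in candidates:
            c = normalize(c)
            if "." in c and c not in HOSTS_BOILERPLATE:
                names.add(c)
    return names

def matching_entry(qname: str, blocklist: set[str]) -> str | None:
    """PDNS-style match: the query name or any parent domain is listed.
    Walks upward only, so 'example.net' does not match 'tracker.example.net'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def pairwise_jaccard(lists: dict[str, set[str]]) -> dict[tuple[str, str], float]:
    """Jaccard similarity of each pair of lists: |A & B| / |A | B|."""
    out = {}
    for a, b in combinations(sorted(lists), 2):
        union = lists[a] | lists[b]
        out[(a, b)] = len(lists[a] & lists[b]) / len(union) if union else 0.0
    return out

def list_membership_histogram(lists: dict[str, set[str]]) -> dict[int, int]:
    """How many distinct names appear on exactly k lists, k = 1..len(lists)."""
    count: dict[str, int] = {}
    for names in lists.values():
        for n in names:
            count[n] = count.get(n, 0) + 1
    hist = {k: 0 for k in range(1, len(lists) + 1)}
    for k in count.values():
        hist[k] += 1
    return hist

def measure(queries: list[str], lists: dict[str, set[str]]) -> dict:
    """Passive measurement: how many observed queries each list would block."""
    per_list = {name: 0 for name in lists}
    blocked_any = 0
    for q in queries:
        hit = False
        for name, bl in lists.items():
            if matching_entry(q, bl) is not None:
                per_list[name] += 1
                hit = True
        blocked_any += hit
    return {"per_list": per_list, "blocked_any": blocked_any, "total": len(queries)}

# Constructed query names, as a passive collector might observe them.
QUERIES = ["www.malware.example", "cdn.tracker.example.net", "phish.example.org",
           "www.example.edu", "ads.example.com", "example.net"]
BLOCKLISTS = {name: parse_blocklist(text) for name, text in LISTS_RAW.items()}

if __name__ == "__main__":
    print("list sizes:", {k: len(v) for k, v in BLOCKLISTS.items()})
    print("pairwise jaccard:", pairwise_jaccard(BLOCKLISTS))
    print("names on exactly k lists:", list_membership_histogram(BLOCKLISTS))
    print("measurement:", measure(QUERIES, BLOCKLISTS))
```

Two design choices matter for the numbers such a measurement produces. First, parent-domain (suffix) matching means one listed registrable domain blocks every name beneath it, so the matching semantics chosen for the study directly scale the block counts; a list that only intends exact-name blocking would be over-counted under suffix matching. Second, even before comparing contents, the lists must be normalized out of incompatible formats, which is itself part of the provenance and comparability problem the abstract describes.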

Paper Structure

This paper contains 5 sections, 2 figures.

Figures (2)

  • Figure 1: Domain names in the blocklists, June 2025.
  • Figure 2: Query names matching blocklists, June 2025.