A First Look at SVCB and HTTPS DNS Resource Records in the Wild

TL;DR

This study provides the first large-scale analysis of SVCB and HTTPS DNS resource records, revealing their deployment status, common configurations, and correctness across millions of domains, highlighting increasing adoption and potential privacy benefits.

Contribution

It offers the first comprehensive overview of SVCB and HTTPS record deployment in the wild, analyzing over 400 million domains and verifying record correctness.

Findings

Nearly 4,000 SVCB and 10.5 million HTTPS records observed.

Most records contain ALPN and IP hints, mainly hosted by Cloudflare.

Over 93% of records verified as correct through application layer scans.

Abstract

The Internet Engineering Task Force is standardizing new DNS resource records, namely SVCB and HTTPS. Both records inform clients about endpoint and service properties such as supported application layer protocols, IP address hints or Encrypted Client Hello (ECH) information. Therefore, they allow clients to reduce required DNS queries and potential retries during connection establishment and thus help to improve the quality of experience and privacy of the client. The latter is achieved by reducing visible meta-data, which is further improved with encrypted DNS and ECH. The standardization is in its final stages and companies announced support, e.g., Cloudflare and Apple. Therefore, we provide the first large-scale overview of actual record deployment by analyzing more than 400 M domains. We find 3.96 k SVCB and 10.5 M HTTPS records. As of March 2023, Cloudflare hosts and serves most domains, and most records only contain Application-Layer Protocol Negotiation (ALPN) and IP address hints. Besides Cloudflare, we see adoption by a variety of authoritative name servers and hosting providers indicating increased adoption in the near future. Lastly, we can verify the correctness of records for more than 93 % of domains based on three application layer scans.