Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet
Yevheniya Nosyk, Maciej Korczyński, Andrzej Duda

TL;DR
This paper introduces a novel remote method to identify DNSSEC-validating resolvers across the Internet, enabling large-scale measurement of DNSSEC deployment and validation practices.
Contribution
The paper presents a new two-step remote technique combining large-scale scanning and classification to identify DNSSEC validators and non-validators at Internet scale.
Findings
Most open resolvers are DNSSEC-enabled.
Less than 18% of IPv4 resolvers validate DNS responses.
A significant portion of resolvers actively query DNS root servers.
Abstract
DNS Security Extensions (DNSSEC) provide the most effective way to fight DNS cache poisoning attacks. Yet, very few DNS resolvers perform DNSSEC validation. Identifying such systems is non-trivial and the existing methods are not suitable for Internet-scale measurements. In this paper, we propose a novel remote technique for identifying DNSSEC-validating resolvers. The proposed method consists of two steps. In the first step, we identify open resolvers by scanning 3.1 billion end hosts and request every non-forwarder to resolve one correct and seven deliberately misconfigured domains. We then build a classifier that discriminates validators from non-validators based on query patterns and DNS response codes. We find that while most open resolvers are DNSSEC-enabled, less than 18% in IPv4 (38% in IPv6) validate received responses. In the second step, we remotely identify closed…
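The first-step classification the abstract describes, as an added example that is not the paper's code: a simplified rule-based classifier over constructed probe results for one correctly signed domain and seven deliberately broken ones. The domain names, the seven failure types and the Probe fields are assumptions; the paper's classifier also uses query patterns observed at the authoritative side, which this model omits.

```python
"""Label a resolver as DNSSEC validator or non-validator from probe responses.

Simplified model (an assumption, not the paper's classifier): a validating
resolver answers the correctly signed domain with NOERROR and, per RFC 4035,
returns SERVFAIL for every domain whose data fails validation; a non-validating
resolver hands back the bogus answer with NOERROR.
"""
from dataclasses import dataclass

NOERROR, SERVFAIL = 0, 2  # DNS RCODE values

# Constructed probe set: names and failure types are placeholders for this
# example, not the zones used in the paper.
CORRECT = "valid.example"
BROKEN = ["badsig.example", "expired.example", "nosig.example", "nods.example",
          "baddnskey.example", "badalgo.example", "nsecgap.example"]


@dataclass
class Probe:
    rcode: int           # RCODE returned by the resolver under test
    rrsig: bool = False  # response carried RRSIG records (DO bit honoured)


def classify(results: dict[str, Probe]) -> str:
    """Return a label from one resolver's per-domain responses."""
    base = results.get(CORRECT)
    if base is None or base.rcode != NOERROR:
        return "unusable"  # cannot resolve the good domain: no conclusion possible
    refused = [d for d in BROKEN if results.get(d, Probe(-1)).rcode == SERVFAIL]
    served = [d for d in BROKEN if results.get(d, Probe(-1)).rcode == NOERROR]
    if len(refused) == len(BROKEN):
        return "validator"
    if refused:
        return "partial-validator"  # rejects some failure types, accepts others
    if served and base.rrsig:
        return "dnssec-enabled-non-validator"  # forwards RRSIGs, never checks them
    return "non-validator"


def sample(kind: str) -> dict[str, Probe]:
    """Constructed responses for three resolver behaviours (not measured data)."""
    good = Probe(NOERROR, rrsig=True)
    if kind == "validator":
        return {CORRECT: good, **{d: Probe(SERVFAIL) for d in BROKEN}}
    if kind == "enabled":  # DNSSEC-aware but not validating
        return {CORRECT: good, **{d: Probe(NOERROR, rrsig=True) for d in BROKEN}}
    return {CORRECT: Probe(NOERROR), **{d: Probe(NOERROR) for d in BROKEN}}
```

The "dnssec-enabled-non-validator" label is the case the abstract contrasts with true validation: the resolver passes RRSIGs through but accepts bogus data.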
