Is Protective DNS Blocking the Wild West?
David Plonka, Branden Palacio, Debbie Perouli

TL;DR
This study evaluates the effectiveness and transparency of Protective DNS services using passive measurements of real DNS queries in a large research network, revealing significant inconsistencies and operational challenges.
Contribution
It provides the first large-scale passive measurement analysis of Protective DNS performance and transparency issues in a real-world research network environment.
Findings
Blocklists are inconsistent in goals and transparency.
Protective DNS services face operational challenges at scale.
Lack of oversight complicates threat mitigation.
Abstract
We perform a passive measurement study investigating how a Protective DNS service might perform in a Research & Education Network serving hundreds of member institutions. Utilizing freely-available DNS blocklists consisting of domain names deemed to be threats, we test hundreds of millions of users' real DNS queries, observed over a week's time, to find which answers would be blocked because they involve domain names that are potential threats. We find the blocklists disorderly regarding their names, goals, transparency, and provenance, making them quite difficult to compare. Consequently, these Protective DNS underpinnings lack organized oversight, presenting challenges and risks in operation at scale.
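A minimal sketch of the kind of test the abstract describes, added here as an illustration and not taken from the paper: observed query and answer names are checked against several blocklists, and the lists are then compared by the overlap of what they would block. The blocklist entries, observations, function names, and the rule that an entry also covers its subdomains are all assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the paper): two hypothetical blocklists.
BLOCKLISTS = {
    "list_a": {"bad.example", "tracker.example.net"},
    "list_b": {"bad.example", "cdn.malware.test"},
}
# Constructed observations: (query name, names seen in the answer, e.g. CNAME targets).
OBSERVED = [
    ("www.bad.example.", ["www.bad.example."]),
    ("shop.example.org.", ["shop.example.org.", "x1.cdn.malware.test."]),
    ("notbad.example.", ["notbad.example."]),
    ("Tracker.Example.NET.", ["tracker.example.net."]),
    ("www.example.com.", ["www.example.com."]),
]

def normalize(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def matching_entry(name, blocklist):
    """Return the entry equal to name or to one of its parent domains, else None.
    Matching on whole labels keeps 'notbad.example' from matching 'bad.example'."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def would_block(observations, blocklists):
    """Map each blocklist to the set of query names whose answer it would block."""
    hits = defaultdict(set)
    for qname, answer_names in observations:
        for list_name, entries in blocklists.items():
            if any(matching_entry(n, entries) for n in [qname, *answer_names]):
                hits[list_name].add(normalize(qname))
    return dict(hits)

def jaccard(a, b):
    """Overlap of two lists' blocked sets; low values mean the lists disagree."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

if __name__ == "__main__":
    blocked = would_block(OBSERVED, BLOCKLISTS)
    for name, qnames in sorted(blocked.items()):
        print(name, sorted(qnames))
    print("overlap:", round(jaccard(blocked["list_a"], blocked["list_b"]), 2))
```

On this constructed input the two lists agree on only one of the three blocked query names, and one block is triggered solely by a name in the answer rather than the query name.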
