DNS Survey: October 2010

Geoffrey Sissonc© 2010 The Measurement Factory

November 30, 2010

Abstract

This study, commissioned by Infoblox, undertakes to measure the number of DNS

servers on the Internet and to quantify their various DNS behaviors and configuration

choices.

1 Introduction

In this study we undertook to measure:

• The number of name servers in use in a random 5% sample of the routed IPv4 Internet.

• The configuration of zones and associated name servers in a random 1% sample of thedomains in the .com, .net, and .org zones.

• The implementations and versions of name server software used.

• Whether recursion is supported (i.e., open resolvers).

• Whether recursive name servers use predictable ports.

• Whether authoritative name servers openly permit AXFR.

• Whether name servers support TCP.

• Configuration decisions for DNSSEC.

• Whether DNSSEC-signed zones validate.

• How many name servers support EDNS.

• How many zones are configured for IPv6, SPF, or DKIM.

• How many zones have DNS wildcards.

• What SOA and TTL values are in use in a zone.

• Whether information in a zone agrees with its parent.

• Whether a zone has a lame name server.

• Whether the TTLs of the authoritative NS RRs for a zone match.

• To what degree redundant name servers are topologically diverse.

• How many name servers support 0x20.

• The geographic location of name servers.

$Id: dns_survey_2010.tex,v 1.27 2010-12-09 22:03:29 geoff Exp $

3 RESULTS FOR DATASET I

2 Datasets

This survey comprises results of two distinct data sets. Dataset I is a random 5% sample of therouted IPv4 Internet. Dataset II is a random 1% sample of the domains in the .com, .net, and.org zones.

2.1 Dataset I – Random IP Addresses

To obtain Dataset I, we probed a random sample of all IPv4 addresses routed on the Internet.We began with an October 2010 snapshot of the global routing table taken from the Route ViewsProject with a total of 2,126,357,495 routed IPv4 addresses.[1] We then eliminated addressesending in .0 or .2551, subnets associated with the .mil and .gov domains as well as a few subnetswhose operators had previously requested to be excluded from scans. We then randomly selected5% of the remaining IP addresses for our survey, yielding 105,497,945 IP addresses to probe.

2.2 Dataset II – Second-Level Zones in .com, .net, and .org

Dataset II contains name servers authoritative for a registered .com, .net, or .org domain. Wetreated this as a separate data set because the authoritative name servers are assumed to be morestable over time, better maintained, and more heavily used on average than randomly discoveredname servers. Furthermore, this data set is used to study the adoption of new technologies inthe DNS, namely IPv6, DNSSEC, DKIM, and SPF. We obtained zone files from VeriSign andPublic Interest Registry (PIR) for .com, .net, and .org containing 90 million, 13.4 million, and8.6 million domains respectively, and randomly selected 1% (1,122,518) to probe.

3 Results for Dataset I

3.1 Number of Name Servers

We sent a simple DNS query to each address in Dataset I asking for the IPv4 address fora.root-servers.net and with the RD bit set. A DNS response of any type (including SERV-FAIL) was taken to indicate the presence of a DNS server. We did not implement timeouts andretransmissions, so the results are subject to packet loss; however the amount of packet loss isbelieved to be small, and to have had negligible impact on the results.

Table 1 summarizes the number of queries and replies.

Dataset I

Hosts queried 105,497,945Hosts replying 777,680 0.74%

Table 1: Dataset I results.

Note that some addresses sent back more than one reply, even though we sent only one query.This occurs either because the probe address actually sends multiple responses for a single query,

1While these can be valid host addresses, in practice they are infrequently assigned.

2

or because the reply source address may be different than the query destination address.2 Of thereplying hosts, 23,738 (3.1%) were ones to which we never sent a query. This is in part attributableto network operators who intercept incoming DNS queries and forward them on to other hosts,which then respond using their own addresses.

Based on these figures we estimate that there are approximately 15,553,600 name servers onthe Internet. This is a drop of 746,400 (4.6%) from last year’s estimate of 16,300,000, in spiteof the fact that 1,1131,893 (11.7%) more addresses were probed this year.

4 Name Server Software Versions

For each name server found in both data sets, we attempted to determine the name server softwareand version using a combination of two techniques. First, we used fpdns to fingerprint the server.[2]This typically results in a range classification of possible versions, for example “BIND 8.3.0-RC1– 8.4.4”. Second, we sent a “version.bind” query to the server to refine the fpdns result if andonly if the version reported by version.bind fell in the range of possible versions as determined byfpdns. While we could have used version.bind queries alone, many name servers are configured toreport an obfuscated result or no result at all.

Note that there are limitations to this approach:

• fpdns differentiates between implementations on a best-effort basis. Two implementationscan look identical to fpdns and there may be no way to distinguish between them.

• fpdns has not been actively maintained in recent years.

• Even had fpdns been maintained, there has been a proliferation of commodity routers,firewalls and other “middleboxes” with no-name or proprietary DNS implementations thatwould be difficult to track.

As a consequence, the survey results contain false positive and false negative identifications, andshould be interpreted with caution.

2In a few cases, large numbers of replies were sent from what could be described as “DNS bombs”: hosts thatappeared to be designed to send an unending stream of replies to the source address of a query. We suspect thatthese are malware-infected hosts intended for use in DDoS attacks.

3

4 NAME SERVER SOFTWARE VERSIONS

Figures 1, 2, and 3 summarize the distribution of name server software versions for Dataset I.

0

50

100

150

200

250

300

BIN

D

Nom

inum

CN

S

Ver

mic

elli

totd

robt

ex V

ikin

gD

NS

mod

ule

Mik

rotik

dsl

/cab

le

Rai

den

DN

SD

Ver

iSig

n A

TLA

S

DJ

Ber

nste

inT

inyD

NS

Alte

on A

CE

switc

h

AT

OS

Sta

rgat

e A

DS

L

Mic

roso

ft D

NS

(Win

dow

s 20

00)

bboy

MyD

NS

JHS

OF

Tsi

mpl

e D

NS

plu

s

Cis

co C

NR

Mic

roso

ft D

NS

(Win

dow

s 20

03)

NLn

etLa

bs N

SD

Max

Feo

ktis

tov

smal

l HT

TP

ser

ver

shee

rdns

(oth

er)

(tim

e ou

t)

(no

mat

ch)

Nam

e S

erve

rs (

thou

sand

s)

266,227(34.2%)

93,345(12.0%)

43,064(5.5%)

19,012(2.4%)

17,206(2.2%) 5,059

(0.7%)

4,238(0.5%)

3,548(0.5%)

2,388(0.3%)

2,344(0.3%)

2,103(0.3%)

1,858(0.2%)

611(0.1%)

465(0.1%)

421(0.1%)

310(<0.1%)

302(<0.1%)

284(<0.1%)

1,798(0.2%)

37,469(4.8%)

275,628(35.4%)

Figure 1: Distribution of name server software versions – Dataset I.

4

0

50

100

150

200

250

300

BIND4.8 −4.8.3

BIND4.9.3 −4.9.11

BIND8.1-REL −

8.2.1

BIND8.2.2-P3 −8.3.0-T2A

BIND8.3.0-RC1 −

8.4.7-P1

BIND9.0.0b5 −

9.0.1

BIND9.1.0 −

9.2.0rc3

BIND9.2.0a1 −9.2.2-P3

BIND9.2.3rc1 −9.7.2-P2

Nam

e S

erve

rs (

thou

sand

s)

9(<0.1%)

244(0.1%)

995(0.4%)

193(0.1%)

2,763(1.0%)

293(0.1%)

1,747(0.7%)

3,438(1.3%)

256,545(96.4%)

Figure 2: Breakdown of BIND versions – Dataset I.

0

50

100

150

BIND9.2.[3-8]

BIND9.3.*

BIND9.4.*

BIND9.5.*

BIND9.6.*

BIND9.7.*

UnknownBIND 9Version

Nam

e S

erve

rs (

thou

sand

s)

21,221(8.0%)

76,146(28.6%)

21,278(8.0%) 10,022

(3.8%)

11,535(4.3%)

5,959(2.2%)

120,066(45.1%)

Figure 3: Breakdown of BIND 9 versions – Dataset I.

5

4 NAME SERVER SOFTWARE VERSIONS

Figures 4, 5, and 6 summarize the distribution of name server software versions for Dataset II.

0

20

40

60

80

100

120

BIN

D

DJ

Ber

nste

inT

inyD

NS

JHS

OF

Tsi

mpl

e D

NS

plu

s

bboy

MyD

NS

Pow

erD

NS

shee

rdns

Nom

inum

AN

S

Mic

roso

ft D

NS

(Win

dow

s 20

03)

Ultr

aDN

S

Mic

roso

ft D

NS

(Win

dow

s 20

00)

NLn

etLa

bs N

SD

Sou

rcef

orge

JDN

SS

Cis

co C

NR

TZ

O T

zolk

in D

NS

Mic

roso

ft D

NS

(Win

dow

s N

T4)

XB

ILL

jnam

ed(d

nsja

va)

Dan

Kam

insk

yno

mde

DN

S tu

nnel

Ver

iSig

n A

TLA

S

(oth

er)

(tim

e ou

t)

(no

mat

ch)

Nam

e S

erve

rs (

thou

sand

s)

103,299(53.9%)

3,716(1.9%)

1,389(0.7%)

1,270(0.7%)

772(0.4%)

640(0.3%)

143(0.1%)

72(< 0.1%)

65(< 0.1%)

59(< 0.1%)

48(< 0.1%)

19(< 0.1%)

14(< 0.1%)

14(< 0.1%)

13(< 0.1%)

12(< 0.1%)

11(< 0.1%)

11(< 0.1%)

71(< 0.1%)

14,296(7.5%)

65,672(34.3%)

Figure 4: Distribution of name server software versions – Dataset II.

6

0

20

40

60

80

100

120

BIND4.9.3 −4.9.11

BIND8.1-REL −

8.2.1

BIND8.2.2-P3 −8.3.0-T2A

BIND8.3.0-RC1 −

8.4.7-P1

BIND9.0.0b5 −

9.0.1

BIND9.1.0 −

9.2.0rc3

BIND9.2.0a1 −9.2.2-P3

BIND9.2.3rc1 −9.7.2-P2

Nam

e S

erve

rs (

thou

sand

s)

43(<0.1%)

131(0.1%)

83(0.1%)

1,779(1.7%)

4(<0.1%)

55(0.1%)

2,176(2.1%)

99,027(95.9%)

Figure 5: Breakdown of BIND versions – Dataset II.

0

20

40

60

BIND9.2.[3-8]

BIND9.3.*

BIND9.4.*

BIND9.5.*

BIND9.6.*

BIND9.7.*

UnknownBIND 9Version

Nam

e S

erve

rs (

thou

sand

s)

13,261(13.4%)

46,700(47.2%)

7,199(7.3%) 3,403

(3.4%)2,711(2.7%)

1,428(1.4%)

24,325(24.6%)

Figure 6: Breakdown of BIND 9 versions – Dataset II.

7

5 OPEN RESOLVERS

5 Open Resolvers

Interest in open resolvers derives from their potential use in DNS amplification attacks.[3] To testfor open resolvers, we utilized a domain name we control, and then sent a specially crafted queryfor it to each responding name server in both data sets. Each query had an encrypted label withencoded values for the IP address of the original target host as well as the time of transmission.We then recorded incoming queries for the name and reconciled them with the original queries.

5.1 Open Resolvers in Dataset I

Of responding hosts in Dataset I, 596,025 (79.6%) returned valid replies in response to recursivequeries. This is down slightly from last year’s figure of 81.4%. Extrapolating to the entire addressspace, we estimate that there are as many as 11,920,500 open resolvers on the Internet.

After reconciling the incoming query sources with the original targets, we determined that most(96.6%) of these acted only as proxies, sending queries to other name servers for resolution.

In examining the distinct query sources, we found:

• 19,035 direct open “emitters”, i.e., open resolvers from which we received queries fromdirectly.

• 33,515 indirect open “emitters”, i.e., hosts from which we received queries when we sentqueries to a different host.

There was an overlap of 953 hosts between these two sets. In other words, we received queriesfrom these hosts both when we queried them directly and also when querying other hosts. Aftertaking this into account, we recorded a total of 51,597 distinct open emitters.

In estimating the number of open emitters on the Internet, there is little point in making a linearextrapolation from the above figure. Most of the query sources were not in the 5% sample, and itis likely that many of the same hosts would have responded given an entirely different sample set.However, we can establish a lower bound from the number of direct open emitters. Therefore weestimate that there are at least 380,700 open emitters on the Internet, comprising 0.02% ofthe routed address space.

The total number of open resolvers on the Internet appears to be decreasing with time, but itis still quite high. We urge developers and manufacturers to read and implement RFC 5625,DNS Proxy Implementation Guidelines.[4] Administrators should read and implement RFC 5358,Preventing Use of Recursive Nameservers in Reflector Attacks.[5]

5.2 Relationship Between Open Proxies and Resolvers in Dataset I

Figure 7 characterizes the “many-to-some” relationship between open proxies and resolvers. Morethan 50% of the queries sent to the 592,145 distinct open proxies were resolved by just 232 resolvers.In total there were 33,515 resolvers acting on behalf of proxies. Note that it is unlikely that all ofthese are proxies in the strict sense of the term; some are almost certainly hosts with multiple IPaddresses. However the incidence of this is probably relatively low, as only 13,064 (2.2%) of theobserved proxy/resolver pairs were in the same /24, and only 44,660 (7.5%) were in the same /16.

8

Ope

n P

roxi

es

Resolvers(in decending order of number of associated proxies)

0

500

1000

1500

2000

2500

3000

3500

4000

4500

0 100 200 300 400 500

Figure 7: The many-to-some relationship between open proxies and resolvers.

Ope

n P

roxi

es

Resolvers Networks (/24s)(in decending order of number of associated proxies)

0

5000

10000

15000

20000

25000

30000

0 20 40 60 80 100

Figure 8: The many-to-some relationship between open proxies and resolver networks.

The concentration of proxies to resolvers becomes even clearer when we look at the many-to-somerelationship between proxies and resolver networks (Figure 8). More than 50% of the queries sentto proxies arrived back to us via resolvers on just 70 /24s.

9

6 SOURCE PORT RANDOMIZATION 5.3 Open Resolvers in Dataset II

5.3 Open Resolvers in Dataset II

Of the zones in Dataset II, 114,753 (10.2%) had at least one authoritative name server that isalso an open resolver. This is up from last year’s figure of 7.1%. Additionally, 93,304 (20.5%) ofname servers from Dataset II had recursion enabled. This is down from last year’s figure of 24.2%.One possible interpretation of these opposing changes is that there are fewer poorly configuredauthoritative name servers but comparatively more zones served by them.

In all, we found:

• 15,446 direct open “emitters”, i.e., open resolvers from which we received queries fromdirectly.

• 8,853 indirect open “emitters”, i.e., hosts from which we received queries when we sentqueries to a different host.

There was an overlap of 3,328 hosts between these two sets. In other words, we received queriesfrom these hosts both when we queried them directly and when querying other hosts. After takingthis into account, we recorded a total of 20,971 distinct open emitters, 10.9% of the name serversin Dataset II.

Unlike in Dataset I, many of the indirect emitters appear to be hosts with multiple IP addresses:5,304 (59.9%) of them are on the same /24 as the proxy, and 4,014 (45.3%) are within the same/28. This would account for the substantial overlap between the direct and indirect emitters.

6 Source Port Randomization

Caching resolvers that send queries from predictable source ports are vulnerable to cache poisoningattacks. We examined the source port characteristics of the open resolvers we found in both datasets.

We wrote a daemon to listen for incoming DNS queries with a particular QNAME and return areply with a CNAME reference to a name served by a second instance of the daemon. The secondinstance then returned a CNAME reference to a name served by the first. The process repeateduntil five queries had been received from the source3, upon which the daemon returned an A RR.4

We then sent a specially crafted query to each open resolver in both data sets. As with the openresolver test, each query had an encrypted label with encoded values for the IP address of theoriginal target host as well as the time of transmission. We then recorded incoming queries andreconciled them with the original queries.

The results have been divided into resolvers with clear patterns of port utilization and resolverswith no obvious pattern. We cannot say with certainty that a given resolver has good randomiza-tion as there is no reliable test for randomness (especially with a sample set of only five queries);however, if a resolver exhibits no obvious pattern, it is a good indication that the implementorhas taken steps to randomize source port utilization.[6]

3The sequence number of the query was encoded into the CNAME reference.4We limited the test to five queries as at least one well-known resolver detects a loop on the sixth lookup and

returns SERVFAIL.

10

6.1 Port Randomization in Dataset I

The source port characteristics of the open resolvers in Dataset I are summarized in Figure 9.Note that this data set consists primarily of open DNS proxies and resolvers. Accordingly, it isunlikely that these are provisioned and maintained with the same hygiene as the majority of keyresolvers used by ISPs and major organizations. As a result, they may have a higher incidence ofpoor source port randomization.

0

100

200

300

400

500

600

700

Same Port Mono-tonically

Increasing

Mono-tonically

Decreasing

Alternating Cycling LimitedRange

NoObviousPattern

Nam

e S

erve

rs (

thou

sand

s)

25,052(4.3%)

438(0.1%)

4(<0.1%)

785(0.1%)

510(0.1%)

982(0.2%)

553,538(95.2%)

Figure 9: Source port randomization – Dataset I.

Of the open resolvers in Dataset I, 95.2% showed no obvious pattern; this is up from 89.8% in the2009 survey. In effect, the number of servers with poor randomization was halved since last year’ssurvey, a significant improvement.

11

6 SOURCE PORT RANDOMIZATION 6.1 Port Randomization in Dataset I

Figure 10 shows the distribution of server software versions that exhibited poor port randomiza-tion. While BIND 9 ranks high on this list, this represents older versions of BIND 9 only; versionsreleased on or after July 8, 2008 (9.5.0-P2 or greater, 9.4.2 or greater, and 9.3.5-P2 or greater)implement port randomization (although this can be overridden).[7]

0

5

10

15

20

BIN

D 9

Mik

rotik

dsl

/cab

le

Mic

roso

ft D

NS

(Win

dow

s 20

00)

Nom

inum

CN

S

BIN

D 8

JHS

OF

Tsi

mpl

e D

NS

plu

s

Mic

roso

ft D

NS

(Win

dow

s 20

03)

Mic

roso

ft D

NS

(Win

dow

s N

T4)

(oth

er)

(tim

e ou

t)

(no

mat

ch)

Nam

e S

erve

rs (

thou

sand

s) 16,035(57.7%)

1,480(5.3%) 351

(1.3%)

294(1.1%)

279(1.0%)

114(0.4%)

110(0.4%)

74(0.3%)

234(0.8%)

991(3.6%)

7,809(28.1%)

Figure 10: Name server software versions with apparently poor port randomization – Dataset I.

12

6.2 Port Randomization in Dataset II

The source port characteristics of the open resolvers in Dataset II are summarized in Figure 11.As with Dataset I, it is unlikely that these servers are provisioned and maintained with the samehygiene as most key resolvers.

0

5

10

15

20

25

Same Port Mono-tonically

Increasing

Mono-tonically

Decreasing

Alternating Cycling LimitedRange

NoObviousPattern

Nam

e S

erve

rs (

thou

sand

s)

6,418(23.6%)

140(0.5%) 0

122(0.4%)

3(<0.1%)

64(0.2%)

20,438(75.2%)

Figure 11: Source port randomization – Dataset II.

75.2% of open resolvers in Dataset II showed no obvious pattern; this is up from 65.9% in the2009 survey, a significant improvement.

13

6 SOURCE PORT RANDOMIZATION 6.2 Port Randomization in Dataset II

Figure 12 shows the distribution of server software versions that exhibited poor source port ran-domization. As noted above, BIND 9’s high rank is likely due to older versions of BIND 9, as recentversions implement port randomization. Recent versions of PowerDNS Recursor also implementport randomization.

0

1

2

3

4

5

6

7

BIN

D 9

JHS

OF

Tsi

mpl

e D

NS

plu

s

BIN

D 8

Pow

erD

NS

Mic

roso

ft D

NS

(Win

dow

s 20

03)

Mic

roso

ft D

NS

(Win

dow

s N

T4)

Mic

roso

ft D

NS

(Win

dow

s 20

00)

Ver

mic

elli

totd

(oth

er)

(tim

e ou

t)

(no

mat

ch)

Nam

e S

erve

rs (

thou

sand

s) 5,569(82.5%)

245(3.6%)

93(1.4%)

24(0.4%)

20(0.3%)

8(0.1%)

3(<0.1%)

3(<0.1%)

6(0.1%)

213(3.2%)

563(8.3%)

Figure 12: Name server software versions with apparently poor port randomization – Dataset II.

14

7 Results For Dataset II – Authoritative Name Servers

The following tests are specific to Dataset II as they require knowledge of at least one zone forwhich a name server is authoritative.5

7.1 Zone Transfers (AXFR)

For each zone in Dataset II we tested to see whether one or more name servers permitted zonetransfers. Table 2 shows the results. 11.3% of zones had a name server that permitted zonetransfers, down from 15.8% last year.

Count Percent

AXFR permitted 114,050 11.3%AXFR NOT permitted 897,618 88.7%

Table 2: Zones in Dataset II with at least one name server that permitted AXFR.

We also tested each name server in Dataset II to see whether each one individually permitted zonetransfers. Table 3 shows the results. 26.1% of name servers permitted zone transfers, down from32.3% last year.

Count Percent

AXFR permitted 50,004 26.1%AXFR NOT permitted 141,602 73.9%

Table 3: Name servers for zones in Dataset II that permitted AXFR.

7.2 TCP Support

For each zone in Dataset II we tested to see whether one or more name servers permitted TCP-based DNS transactions. Table 4 shows the results. 83.6% of zones had a name server thataccepted TCP, up slightly from 81.6% last year.

Count Percent

TCP permitted 542,518 83.6%TCP NOT permitted 106,359 16.4%

Table 4: Zones in Dataset II with at least one name server that permitted TCP-based DNStransactions.

We also tested each name server in Dataset II to see whether each one individually permittedTCP-based DNS transactions. Table 5 shows the results. 81.4% of name servers permitted TCP,up from 75.9% last year.

5There is no straightforward method to discover what zones are served by an arbitrary name server.

15

8 DNSSEC

Count Percent

TCP permitted 155,873 81.4%TCP NOT permitted 35,733 18.6%

Table 5: Name servers for zones in Dataset II that permitted TCP-based DNS transactions.

8 DNSSEC

2010 has been a significant year for DNSSEC. On July 15th, the root zone was signed, removingone of the most significant barriers to broad DNSSEC deployment. However other obstaclesremain:

• The .com and .net zones are not yet signed.6

• Few registrars support DNSSEC.

• Few resolvers have DNSSEC validation enabled.

• The tools for managing signed zones are basic and typically entail a steep learning curve.

Consequently DNSSEC deployment is still extremely limited.

In Dataset II we found 243 DNSSEC-signed zones.7 Based on this figure, we estimate that 24,300(0.022%) zones are signed in the .com, .org, and .net zones. Put differently, that is onein every 4,619 zones. While this is still a very small proportion, it represents a more than fourfoldincrease over last year’s figure of 0.005%.

TLDProportion ofSigned Zones

.com 0.020%

.net 0.023%

.org 0.040%

Table 6: DNSSEC-signed zones, by TLD.

Table 6 shows the proportion of signed zones by TLD. .org has double the proportion of signedzones that .com does. The .org zone was signed last year, which may account for some of itscomparatively greater popularity.

6VeriSign has announced that the .net zone will be signed in December and the .com zone will be signed inMarch, 2011.

7Four additional zones were found to contain DNSKEY RRs but were unsigned.

16

8.1 KSKs

Table 7 shows the distribution of key signing keys (KSKs) found for each signed zone. Note thatno zones have pre-published KSKs.

Count Percent

No KSK (ZSKs only) 1 0.4%One KSK 242 99.6%

Table 7: KSKs per zone.

8.2 ZSKs

Table 8 shows the distribution of the number of zone signing keys (ZSKs) found for each zone.Last year more than half of signed zones had only one ZSK; this year the opposite is true.

Count Percent

One ZSK 76 31.3%Two ZSKs 167 68.7%

Table 8: ZSKs per zone.

17

8 DNSSEC 8.3 Signature Validity Periods

8.3 Signature Validity Periods

Figure 13 shows the distribution of the signature validity periods found for the signed zones.Fractional values are typically indicative of zones employing online re-signing.

0

50

100

150

200

6.58 7.13 23.20 28 30 30.04 31 90.04 356

Zon

es

Signature Validity Period (days)

1(0.4%)

7(2.9%)

1(0.4%)

1(0.4%)

65(26.7%)

1(0.4%)

163(67.1%)

3(1.2%)

1(0.4%)

Figure 13: Signature validity periods.

18

8.4 KSK Properties

Figure 14 shows the distribution of KSK algorithms, key sizes, and exponent sizes. It is interestingto note that while nearly half of the signed TLDs (as well as the root zone) use RSA-SHA-256 or RSA-SHA-512, not a single zone in the sample used them. RSASHA1 offers more thanadequate security for the foreseeable future, but zone managers deploying DNSSEC for the firsttime may wish to use RSA-SHA-256 or RSA-SHA-512 to avoid the inconvenience of a possiblefuture algorithm rollover.

0

100

200

300

DSA RSASHA1 RSASHA1-NSEC3-SHA1

Zon

es

KSK Algorithm

5(2.0%)

240(96.8%)

3(1.2%)

0

100

200

300

1024 1280 2048 2432 4096

Zon

es

KSK Key Size (bits)

53(21.9%) 3

(1.2%)

179(74.0%)

3(1.2%)

4(1.7%)

0

100

200

300

3 octets 4 octets 5 octets

Zon

es

KSK Exponent Size

238(98.3%)

3(1.2%)

1(0.4%)

Figure 14: KSK properties.

19

8 DNSSEC 8.4 KSK Properties

All keys with three-octet exponent lengths had an exponent value of 65,537, or 10001hex (Fermatnumber F4). The keys with five-octet exponent lengths had an exponent value of 4,294,967,297,or 100000001hex (Fermat number F5). The keys with four-octet exponent lengths appeared tohave exponents of random values that were, curiously, non-prime (with one exception).

20

8.5 ZSK Properties

Figure 15 shows the distribution of ZSK algorithms, key sizes, and exponent sizes.

0

100

200

300

RSAMD5 DSA RSASHA1 RSASHA1-NSEC3-SHA1

Zon

es

ZSK Algorithm

1(0.4%)

3(1.2%)

236(97.1%)

3(1.2%)

0

100

200

300

512 768 1024 1280 2432 4096

Zon

es

ZSK Key Size (bits)

1(0.4%)

1(0.4%)

231(95.1%)

3(1.2%)

3(1.2%)

4(1.6%)

0

100

200

300

3 octets 4 octets 5 octets

Zon

es

ZSK Exponent Size

239(98.4%)

3(1.2%)

1(0.4%)

Figure 15: ZSK properties.

21

8 DNSSEC 8.6 NSEC3

8.6 NSEC3

0

100

200

300

NSEC NSEC3

Zon

es

241(99.2%)

2(0.8%)

Figure 16: Zones using NSEC vs NSEC3.

Figure 16 shows the number of zones using NSEC3. Note that this is not the same as the numberof zones with RSA-SHA1-NSEC3 KSKs, as one of the three zones with an RSA-SHA1-NSEC3KSK is signed using NSEC RRs. Last year five out of 167 signed zones used NSEC3. While thesample size of signed zones is too small to draw any conclusions, it is possible that the use ofNSEC3 in non-registry-class zones is dwindling.

8.7 DNSSEC Validation

0

100

200

300

Validated Expired Failed

Zon

es

187(77.0%)

54(22.2%)

2(0.8%)

Figure 17: Validation statistics.

Figure 17 shows the validation status for the DNSSEC signed zones. Expired zones are zonesthat failed validation but were found to validate if the validator ignored the requirement for thecurrent time to be within the validity period specified in the RRSIG RRs.

Figure 18 shows the number of zones that validated against 1) the KSK within the zone itself,2) the root zone trust anchor, and 3) ISC’s DLV registry trust anchor. Of the TLDs included inthis survey, only .org is signed, so only zones under the .org zone can be validated against the

22

0

100

200

300

Zone Key Root Key ISC DLV

Zon

es

187(93.5%)

9(4.5%)

4(2.0%)

Figure 18: Trust anchors used.

root zone trust anchor. Of the 34 signed zones in the .org zone, only nine had DS RRs in theparent zone; all of these zones validated against the root zone trust anchor. Four zones had DLVRRs in ISC’s DLV Registry; all of these zones validated against the ISC DLV trust anchor. Ofthe two .org zones in the DLV registry, only one had a DS RR in the parent zone. No zone witheither a DS RR in the parent or a DLV RR in the DLV registry failed to validate.

Exp

ired

Sig

ned

Zon

es

Months Since Expiration

0%

20%

40%

60%

80%

100%

0 3 6 9 12 15 18 21

Figure 19: “Staleness” of expired zones (cumulative distribution).

Figure 19 shows the cumulative distribution of elapsed times for each expired zone since thatzone expired. Some of these may be abandoned DNSSEC experiments that were never revertedto unsigned. Others may be attributable to zone managers who are unaware of the requirementto periodically re-sign the zone.

23

9 EDNS

9 EDNS

We tested name servers in both data sets for EDNS support. EDNS is a prerequisite for DNSSEC,as replies containing DNSSEC metadata can easily exceed the legacy DNS message size of 512octets. In order to properly support DNSSEC, a name server must not only have EDNS0 enabled,but it must have a payload size of at least 1,220 octets.

0

100

200

300

400

1280 1460 4000 4096 OtherSize

Unsup-ported

Noreply

Nam

e S

erve

rs(t

hous

ands

)

EDNS0 Payload Size (octets)

28,390(3.7%)

33,998(4.4%)

119,534(15.4%)

322,145(41.4%)

2,819(0.4%)

205,664(26.4%)

65,130(8.4%)

Figure 20: EDNS support – Dataset I.

0

20

40

60

80

100

120

1280 4096 Other Size Unsupported No reply

Nam

e S

erve

rs(t

hous

ands

)

EDNS0 Payload Size (octets)

12,783(6.7%)

105,148(54.9%)

1,028(0.5%)

17,715(9.2%)

54,932(28.7%)

Figure 21: EDNS support – Dataset II.

Figures 20 and 21 show the EDNS payload sizes for the name servers in Dataset I and Dataset IIrespectively. By far the most popular payload size is 4096 octets.

24

10 IPv6

We recorded the number of zones with at least one name server with an IPv6 address. VeriSignbegan accepting AAAA glue records for publication in the .com and .net zones in 2002, and PIRbegan accepting them for the .org zone in 2008. However, domain name registrars have beenslow to extend their systems to accommodate these records. Therefore this statistic should notbe interpreted as a meaningful indicator of the deployment of IPv6 in the global DNS.

TLD Count Percent

.com 10,762 1.2%

.net 2,053 1.5%

.org 1,532 1.8%Total 14,347 1.3%

Table 9: Zones with name servers with AAAA RRs.

Table 9 shows the number zones with name servers that have AAAA RRs. The total of 1.3% is asignificant increase over last year’s figure of 0.7%.

11 SPF and Sender ID

Sender Policy Framework (SPF) and Sender ID are anti-forgery techniques by which organizationscan list valid sources of email (e.g., IP addresses and host names) sent from their domain. Theyare described in RFCs 4408 and 4406.[8][9] To enable SPF authorization, an organization publishesan SPF record in their zone, either as an SPF (Type 99) resource record or as a TXT record. Mailtransfer agents may then look up SPF information when receiving email messages. Sender ID issimilar but, unlike SPF, has no assigned resource record type.

Count Percent

Zones with SPF records (total) 178,785 15.9%— TXT RRs 178,732 15.9%

— SPF RRs 4,557 0.4%

Zones with Sender ID records 771 0.01%

Table 10: Zones with SPF/Sender ID records.

Table 10 shows the number of zones in Dataset II that were found to contain SPF or Sender IDrecords.

25

13 DNS WILDCARDS

12 DKIM

DKIM is an anti-forgery technique by which organizations can sign mail to be validated againstpublic keys published in their zone. It is described in RFC 4871.[10] To enable DKIM validation,an organization publishes one or more DKIM records as TXT records under the sub-domaindomainkey in the desired zone, e.g., key1. domainkey.example.com. Unlike SPF and SenderID, DKIM records cannot be looked up directly without knowing – or attempting to guess – thekey names; however, the presence of the subdomain domainkey in a zone suggests that DKIM isconfigured.

Count Percent

Zones with DKIM subdomains 27,820 2.5%

Table 11: Zones with DKIM subdomains.

Table 11 shows the number of zones in Dataset II that appeared to contain DKIM subdomains.

13 DNS Wildcards

Many administrators put DNS wildcards in their zones. Typical uses include receiving email formultiple subdomains and as a catch-all for misdirected connections. Wildcards are frequentlyfound in the zones of “parked” domains to maximize the clickthrough rate to advertisers.

Count Percent

Zones with DNS wildcard records 470,197 41.9%

Table 12: Zones with DNS wildcard records.

Table 12 shows the number of zones in Dataset II that appeared to contain DNS wildcards for atleast one RR type.

26

14 SOA Values

We checked to see how many zones had SOA values within the ranges advised by RFC 1912 andother recommendations.[11]

14.1 SOA Refresh

RFC 1912 suggests that the SOA Refresh value should be at least 1200 (20 minutes) and no largerthan 43200 (12 hours); however RIPE-203 recommends a value of 86400 (24 hours).[12] Figure 22shows the distribution of refresh values. 97.6% of zones have Refresh values in the recommendedrange if both recommendations are taken together.

Zon

es

SOA Refresh Value (seconds)

0%

20%

40%

60%

80%

100%

0

108

00

216

00

324

00

432

00

540

00

648

00

756

00

864

00

972

00

108

000

118

800

129

600

Recommended values

Figure 22: SOA Refresh values (cumulative distribution).

14.2 SOA Retry

RFC 1912 suggests that the SOA Retry value should typically be less than the Refresh value.Table 13 shows the distribution of Retry values relative to Refresh values.

Count Percent

Retry ≤ Refresh 947,539 98.7%Retry > Refresh 12,419 1.3%

Table 13: Retry values relative to Refresh.

27

14 SOA VALUES 14.3 SOA Expire

14.3 SOA Expire

RFC 1912 suggests that the SOA Expire value should be at least 1209600 (two weeks) and nolarger than 2419200 (four weeks). RIPE-203 recommends a value of 3600000 (1000 hours, or 41days). Figure 23 shows the distribution of expire values.

Zon

es

SOA Expire Value (seconds)

0%

20%

40%

60%

80%

100%

0

6048

00

1209

600

1814

400

2419

200

3024

000

3628

800

4233

600

4838

400

5443

200

6048

000

6652

800

7257

600

Recommendedvalues

Figure 23: SOA Expire values (cumulative distribution).

Only 18.2% of zones in Dataset II have Expire values in the recommended range. In fact, mostzones have an Expire value of 604800 (one week). This potentially puts them at greater riskof becoming unavailable during an extended outage. It should be noted that the Internet haschanged considerably since these recommendations were made. It is rarer to find zones whosename servers are managed by separate entities. Consequently this value is less important than itonce was. Nevertheless, the recommendations are still valid.

14.4 SOA Minimum

RFC 2308 advises that the SOA Minimum value (the TTL to be used for negative responses)works well when it is between 3600 (one hour) and 10800 (three hours).[13] This recommendationsupersedes those in RFC 1912 and RIPE-203, which were written when the Minimum value haddifferent (now deprecated) semantics. Figure 24 shows the distribution of Minimum values.

Surprisingly, only 22% of zones have Minimum values in the recommended range. Nearly 50%have a value of 86400 (one day). This is likely because many administrators are unaware of thechange in semantics introduced by RFC 2308. However, common name server implementationsusually enforce a negative caching limit of three hours or less, which mitigates the deleteriouseffects of large Minimum values.

28

Zon

es

SOA Minimum Value (seconds)

0%

20%

40%

60%

80%

100%

0

108

00

216

00

324

00

432

00

540

00

648

00

756

00

864

00

972

00

Recommended values

Figure 24: SOA Minimum values (cumulative distribution).

14.5 SOA Serial Number

Non-matching serial numbers on different authoritative servers for a zone may indicate a config-uration problem.

Count Percent

Serial numbers match 959,069 98.5%Serial numbers DO NOT match 14,240 1.5%

Table 14: Zones with non-matching SOA serial numbers.

Table 14 shows the distribution of zones with matching and non-matching serial numbers. Notethat these results include only zones that responded with at least one valid SOA record.

15 Matching of Authoritative NS Records

We tested to see whether delegation NS records (in the parent zone) match the authoritative NSrecords (in the child zone). We distinguish between “match”, “not match”, and the case wherethe supposedly authoritative name servers (learned from the parent zone) did not return any NSrecords for the zone. Table 15 shows the results. The number of mismatches was down slightlyfrom last year’s figure of 7.9%.

29

18 TOPOLOGICAL DISPERSION OF NAME SERVERS

Count Percent

Zones whose NS record match 567,732 50.7%Zones whose NS record are mismatched 81,518 7.3%Zones with no authoritative name server 470,969 42.0%

Table 15: Agreement between delegation and authoritative data.

16 Name Server Lameness

We tested for lameness by sending an SOA query for the zone to each authoritative name server.If the response’s RCODE was anything other than zero (NOERROR), we surmised that the nameserver was lame. Table 16 shows the number of zones with at least one lame name server.

Count Percent

Not Lame 939,435 91.6%Lame 86,193 8.4%

Table 16: Name server lameness.

Note that an unresolvable name server was not considered to be a lame server. In other words, ifa zone had three name servers and we were unable to obtain an IP address for one of them, thezone was not considered to have a lame server provided that the other two name servers were notlame.

17 Matching of TTLs Across NS Records

RFC 1033 notes that all RRs with the same name, class, and type should have the same TTLvalue.[14] When the authoritative name servers for a zone have different TTLs, it is possiblefor name resolution to fail, particularly if the NS RRs with the longest TTLs are for lame orunreachable name servers. Table 17 shows the number of zones whose NS RRs all have the sameTTLs vs the number that didn’t.

Count Percent

Zones w/ same TTLs for all NS RRs 647,782 98.83%Zones w/ NS RRs with differing TTLs 1,129 0.17%

Table 17: TTL mismatches.

18 Topological Dispersion of Name Servers

RFC 2182 advises that “secondary servers must be placed at both topologically and geographicallydispersed locations on the Internet, to minimize the likelihood of a single failure disabling all ofthem.”[15]

30

While we do not test for geographic diversity, we can evaluate the topological aspects of a zone’sname servers. Topological proximity often belies geographic proximity: when two name serversare in the same /24 subnet, they are usually also geographically close to each other. Occasionally,anycast and other routing techniques make geographically distant hosts appear as if they are onthe same subnet, but this is atypical.

0

10

20

30

40

50

60

/32/31

/30/29

/28/27

/27/25

/24/23

/22/21

/20/19

/18/17

/160%

2%

4%

6%

8%

Zon

es (

thou

sand

s)

CIDR Mask

0%

2%

4%

6%

8%

Figure 25: Topological dispersion of name servers – Dataset II.

Figure 25 shows the number of zones having all their authoritative name servers within a givenCIDR-sized subnet.

Zon

es

CIDR Mask

0%

20%

40%

60%

80%

100%

/32/31

/30/29

/28/27

/27/25

/24/23

/22/21

/20/19

/18/17

/16/15

/14/13

/12/11

/10/9

/8/7

/6/5

/4/3

/2/1

/0

Figure 26: Topological dispersion of name servers – Dataset II (cumulative distribution).

Figure 26 shows the cumulative distribution of zones having all their authoritative name serverswithin a given CIDR-sized subnet. 19.5% of zones have name servers that are wholly containedwithin the same /24 subnet, which is particularly undesirable.

31

19 AUTONOMOUS SYSTEM DIVERSITY OF NAME SERVERS

19 Autonomous System Diversity of Name Servers

BGP routing interruptions, while infrequent, are one of the more common causes of transientunreachability between two hosts. To ensure maximum reachability, a zone’s name servers shouldbe split across at least two Autonomous Systems (ASes).

To determine the AS of each name server in Dataset I, we used a copy of the CAIDA RouteviewsPrefix to AS Mappings Dataset (pfx2as).[16] We then noted the number of distinct ASes used bythe authoritative name servers for each zone.

0

200

400

600

800

1 2 3 4 5 6 7 8 9 unknown

Zon

es (

thou

sand

s)

Number of Autonomous Systems

738,027(73.0%)

233,592(23.1%)

33,984(3.4%)

4,638(0.5%)

1,180(0.1%)

77(<0.1%)

129(<0.1%)

5(<0.1%)

5(<0.1%)

31(<0.1%)

Figure 27: Number of zones having all of their authoritative name servers within a given numberof Autonomous Systems.

Figure 27 shows the number of zones having all of their authoritative name servers within thegiven number of Autonomous Systems. Over 72% of zones have all of their name serversin one AS only. If a routing issue arises between the AS containing the zone’s name serversand another AS, hosts in the other AS will be unable to resolve the domain. Most Internet usersexperience this type of interruption on occasion, usually without knowing the cause.

Note that in a small number of cases, all of the name servers for a zone are in a single AS thatachieves sufficient resilience via IPv4 anycast routing.[17]

32

20 0x20 Behavior

One proposal for improving the resilience of DNS resolvers against forgery involves utilizing thehigh bit of the alphabetical characters in the QNAME as additional entropy in DNS transactions.[18]This proposal is generally referred to as 0x20.8 This technique requires that name servers preservethe case of characters in the QNAME in the Question section of a DNS reply.

20.1 0x20 Behavior in Dataset I

We sent a query for A.rOOT-SerVeRs.NEt to each responding host in Dataset I to see whetherthe case was preserved in the reply. Figure 28 shows the results. “Other” means the name serverreturned a reply that contained a DNS header only, e.g., REFUSED or SERVFAIL. The 0x20behavior could not be determined for these hosts as no Question section was present in the reply.

The large number of timeouts is likely due to the test for 0x20 behavior being run a week afterthe initial probes to establish Dataset I. As many name servers in Dataset I have ephemeralIP addresses, these timeouts probably reflect IP address changes during the interim rather thanfailure to reply to queries with mixed-case QNAMEs.

0

100

200

300

400

500

600

0x20-Ready 0x20-Unready Other Timeout

Nam

e S

erve

rs (

thou

sand

s) 461,079(59.3%)

23,213(3.0%)

2,226(0.3%)

291,162(37.4%)

Figure 28: 0x20-ready name servers – Dataset I.

Figure 29 shows the distribution of server versions that did not support 0x20 in Dataset I. Note thatthe implementation labeled “unknown” was reported by fpdns to be VeriSign ATLAS; howevernearly all of these hosts have version.bind values that suggest that they are older versions ofBIND 9. These hosts were concentrated in a relatively small number of networks, and may bepatched versions of BIND, or some variant of BIND. Alternatively, they may be proxies that aredowncasing QNAMEs before (or even after) they reach a BIND server.

80x20 refers to the position of the bit that differentiates uppercase from lowercase characters in ASCII.

33

20 0X20 BEHAVIOR 20.1 0x20 Behavior in Dataset I

0

2

4

6

8

10

12

14

16

18

Mik

rotik

dsl/c

able

unkn

own

(fpd

ns s

ays

Ver

iSig

nA

TLA

S)

robt

ex V

ikin

gD

NS

mod

ule

shee

rdns

JHS

OF

Tsi

mpl

eD

NS

plu

s

(oth

er)

(tim

e ou

t)

(no

mat

ch)

Nam

e S

erve

rs (

thou

sand

s) 14,720(63.4%)

3,324(14.3%) 2,445

(10.5%)267

(1.2%)36

(0.2%)

189(0.8%)

91(0.4%)

2,141(9.2%)

Figure 29: Distribution of name server software versions that are not 0x20-ready – Dataset I.

34

20.2 0x20 Behavior in Dataset II

For each name server in Dataset II, we sent a query for the SOA RR of a zone for which it wasauthoritative. For a QNAME containing n letters, we set ⌊n/2⌋ random letters to uppercase andleft the remaining letters as lowercase .

Figure 30 shows the results. Again, “Other” means the name server returned a reply that containeda DNS header only.

0

20

40

60

80

100

120

140

160

0x20-Ready 0x20-Unready Other Timeout

Nam

e S

erve

rs (

thou

sand

s) 124,657(91.0%)

263(0.2%)

5,074(5.1%)

7,035(3.7%)

Figure 30: 0x20-ready name servers – Dataset II.

Figure 31 shows the distribution of server versions that did not support 0x20 in Dataset II. It isremarkable that only two identifiable implementations were found not to support 0x20 in DatasetII.

0

50

100

150

JHSOFTsimple DNS plus

Mikrotik-dsl cable (timeout) (no match)

Nam

e S

erve

rs

118(45.2%)

5(1.9%)

44(16.9%)

94(36.0%)

Figure 31: Distribution of name server software versions that are not 0x20-ready – Dataset II.

35

21 GEOGRAPHIC LOCATION

21 Geographic Location

We used a recent copy of the MaxMind GeoIP Country geolocation database to determine thelocation (by country) of the name servers in both datasets.[19] We then compared these with theaddress space in use by each country (via the Routeviews and GeoIP datasets) to estimate thename server density for each country.

21.1 Name Server Location

Figure 32 shows the distribution of the top 60 countries with responding name servers fromDataset I.

0

20

40

60

80

100

120

140

160

Uni

ted

Sta

tes

Chi

naS

pain

Sou

th K

orea

Fra

nce

Bra

zil

Tur

key

Japa

nG

erm

any

Italy

Uni

ted

Kin

gdom

Cze

ch R

epub

licR

ussi

an F

eder

atio

nN

ethe

rland

sD

enm

ark

Tai

wan

Arg

entin

aC

anad

aP

olan

dT

haila

ndP

eru

Aus

tral

iaS

audi

Ara

bia

Por

tuga

lC

hile

Sw

itzer

land

Sw

eden

Indi

aB

ulga

riaU

krai

neV

ietn

amR

oman

iaM

alay

sia

Nor

way

Hun

gary

Hon

g K

ong

Indo

nesi

aA

ustr

iaU

nite

d A

rab

Em

irate

sS

outh

Afr

ica

Phi

lippi

nes

Col

ombi

aC

roat

iaF

inla

ndB

elgi

umE

gypt

Gre

ece

Pak

ista

nN

ew Z

eala

ndS

lova

kia

Iran

Isra

elIr

elan

dS

inga

pore

Geo

rgia

Mex

ico

Ser

bia

Latv

iaD

omin

ican

Rep

ublic

Bol

ivia

Oth

er

0%

5%

10%

15%

20%

Nam

e S

erve

rs (

thou

sand

s)

Figure 32: Geographic location of name servers – Dataset I.

36

Figure 33 shows the distribution of the top 60 countries with responding name servers fromDataset II. Note that this plot has a broken y-axis, and that the number of name servers in theUnited States is actually more than ten times the number in the United Kingdom or Germany,the next closest countries.

1

2

3

4

5

6

7

74

75

76

Uni

ted

Sta

tes

Uni

ted

Kin

gdom

Ger

man

yC

anad

aN

ethe

rland

sF

ranc

eT

urke

yS

pain

Japa

nIta

lyA

ustr

alia

Sou

th K

orea

Chi

naR

ussi

an F

eder

atio

nT

haila

ndS

witz

erla

ndH

ong

Kon

gB

razi

lS

wed

enP

olan

dM

alay

sia

Aus

tria

Ukr

aine

Bel

gium

Arg

entin

aB

ulga

riaC

zech

Rep

ublic

Hun

gary

Sin

gapo

reP

ortu

gal

Fin

land

Indi

aN

orw

ayIn

done

sia

Den

mar

kT

aiw

anR

oman

iaIs

rael

Irel

and

New

Zea

land

Slo

veni

aS

outh

Afr

ica

Vie

tnam Iran

Mex

ico

Chi

leG

reec

eS

lova

kia

Col

ombi

aLa

tvia

Pan

ama

Est

onia

Ven

ezue

laS

erbi

aC

roat

iaLi

thua

nia

Mor

occo

Phi

lippi

nes

Cyp

rus

Luxe

mbo

urg

Oth

er

1%

2%

3%

4%

5%

54%

55%

Nam

e S

erve

rs (

thou

sand

s)

United States: 75,815 (55.5%)

1%

2%

3%

4%

5%

54%

55%

Figure 33: Geographic location of name servers – Dataset II.

37

21 GEOGRAPHIC LOCATION 21.2 Name Server Density

21.2 Name Server Density

Figure 34 shows the estimated density for the top 60 countries (by name server count in Dataset I)with respect to their allocated and routed address space. There were countries with greaterdensities than those shown here; however, in most cases this was due to a country with very fewservers having proportionately even less allocated address space. It therefore made sense to focuson the countries with the most name servers.

0%

1%

2%

3%

4%

5%

6%

7%

Per

uS

pain

Tur

key

Cze

ch R

epub

licS

audi

Ara

bia

Bol

ivia

Bul

garia

Dom

inic

an R

epub

licG

eorg

iaC

roat

iaD

enm

ark

Chi

leA

rgen

tina

Fra

nce

Por

tuga

lT

haila

ndU

nite

d A

rab

Em

irate

sB

razi

lH

unga

ryM

alay

sia

Sou

th K

orea

Ukr

aine

Slo

vaki

aP

akis

tan

Vie

tnam

Latv

iaR

ussi

an F

eder

atio

nP

olan

dP

hilip

pine

sN

ethe

rland

sIn

done

sia

Chi

naR

oman

iaS

erbi

aIta

lyIr

anS

witz

erla

ndC

olom

bia

Tai

wan

Hon

g K

ong

Indi

aG

reec

eE

gypt

New

Zea

land

Uni

ted

Kin

gdom

Oth

erA

ustr

iaN

orw

ayS

wed

enS

inga

pore

Can

ada

Ger

man

yU

nite

d S

tate

sB

elgi

umA

ustr

alia

Isra

elIr

elan

dJa

pan

Sou

th A

fric

aF

inla

ndM

exic

o

Est

imat

ed N

ame

Ser

ver

Den

sity

Figure 34: Density of name servers by country – Dataset I.

38

Figure 35 shows the estimated density for the top 60 countries (by name server count in DatasetII) with respect to their allocated and routed address space.

0.0%

0.5%

1.0%

1.5%

2.0%

2.5%

3.0%

Tur

key

Tha

iland

Spa

inB

ulga

riaS

love

nia

Can

ada

Net

herla

nds

Cyp

rus

Sin

gapo

reM

alay

sia

Hun

gary

Hon

g K

ong

Uni

ted

Kin

gdom

Uni

ted

Sta

tes

Fra

nce

Por

tuga

lU

krai

neIr

anC

zech

Rep

ublic

Mor

occo

Indo

nesi

aE

ston

iaG

erm

any

Sw

itzer

land

Luxe

mbo

urg

Aus

tria

Latv

iaP

anam

aA

rgen

tina

Bel

gium

Isra

elA

ustr

alia

Italy

New

Zea

land

Irel

and

Slo

vaki

aR

oman

iaP

olan

dC

roat

iaS

erbi

aF

inla

ndS

wed

enR

ussi

an F

eder

atio

nLi

thua

nia

Den

mar

kC

hile

Nor

way

Indi

aB

razi

lG

reec

eV

ietn

amJa

pan

Ven

ezue

laO

ther

Col

ombi

aS

outh

Afr

ica

Sou

th K

orea

Phi

lippi

nes

Tai

wan

Mex

ico

Chi

na

Est

imat

ed N

ame

Ser

ver

Den

sity

Figure 35: Density of name servers by country – Dataset II.

39

REFERENCES REFERENCES

References

[1] University of Oregon Route Views Project. http://www.routeviews.org/

[2] fpdns. http://code.google.com/p/fpdns/

[3] Scalzo, F., Recent DNS Reflector Attacks From the Victim and the Reflector POV, presentedat NANOG 37, May, 2006. http://www.nanog.org/meetings/nanog37/presentations/

frank-scalzo.pdf

[4] Bellis, R., DNS Proxy Implementation Guidelines, RFC 5625, BCP 152, August 2009. http://tools.ietf.org/html/rfc5625

[5] Damas, J. and F. Neves, Preventing Use of Recursive Nameservers in Reflector Attacks ,RFC 5358, BCP 140, October 2008. http://tools.ietf.org/html/rfc5358

[6] Laurie, B., Is Your DNS Really Safe?, July 2008. http://www.links.org/?p=352

[7] Internet Systems Consortium, DNS Cache Poisoning Issue (“Kaminsky bug”) (ISC Advisory),July 2008. http://www.isc.org/software/bind/advisories/cve-2008-1447

[8] Wong, M., and W. Schlitt, Sender Policy Framework (SPF) for Authorizing Use of Domainsin E-Mail, Version 1, RFC 4408, April 2006. http://tools.ietf.org/html/rfc4408

[9] Lyon, J., and M. Wong, Sender ID: Authenticating E-Mail, RFC 4406, April 2006. http://tools.ietf.org/html/rfc4406

[10] Allman, E., et al., DomainKeys Identified Mail (DKIM) Signatures, RFC 4871, May 2007.http://tools.ietf.org/html/rfc4871

[11] Barr, D., Common DNS Operational and Configuration Errors, RFC 1912, February 1996.http://tools.ietf.org/html/rfc1912

[12] Koch, P., Recommendations for DNS SOA Values, ripe-203, June 1999. http://www.ripe.net/docs/dns-soa.html

[13] Andrews, M., Negative Caching of DNS Queries (DNS NCACHE), RFC 2308, March 1998.http://tools.ietf.org/html/rfc2308

[14] Lottor, M., Domain Administrators Operations Guide, RFC 1033, March 1987. http://tools.ietf.org/html/rfc1033

[15] Elz, R., et al., Selection and Operation of Secondary DNS Servers, RFC 2182, July 1997.http://tools.ietf.org/html/rfc2182

[16] CAIDA Routeviews Prefix to AS mappings Dataset. http://www.caida.org/data/routing/routeviews-prefix2as.xml

[17] Abley, J. and K. Lindqvist, Operation of Anycast Services, RFC 4786, BCP 126, Decem-ber 2006. http://tools.ietf.org/html/rfc4786

[18] Vixie, P., and D. Dagon, Use of Bit 0x20 in DNS Labels to Improve Transaction Identity, Workin Progress, March 2008. http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00

[19] MaxMind GeoIP Country Database. http://www.maxmind.com/app/country

40