
A First Look at QNAME Minimization in the Domain Name System

Conference paper, in: Passive and Active Measurement (PAM 2019)

Abstract

The Domain Name System (DNS) is a critical part of network and Internet infrastructure; DNS lookups precede almost any user request. DNS lookups may contain private information about the sites and services a user contacts, which has spawned efforts to protect privacy of users, such as transport encryption through DNS-over-TLS or DNS-over-HTTPS.

In this work, we provide a first look at the resolver-side technique of query name minimization (qmin), which was standardized in March 2016 as RFC 7816. qmin aims to send only minimal information to authoritative name servers, reducing the number of servers to which full DNS query names are exposed. Using passive and active measurements, we show a slow but steady adoption of qmin on the Internet, with a surprising variety in implementations of the standard. Using controlled experiments in a test-bed, we validate the lookup behavior of various resolvers, and quantify that qmin increases the number of DNS lookups by up to 26% and leads to up to 5% more failed lookups. We conclude our work with a discussion of qmin’s risks and benefits, and give advice for future use.
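As an added illustration, not code from the paper or from any resolver implementation: a small Python simulation of iterative resolution over a constructed three-zone tree, comparing a classic resolver (which sends the full query name to every server on the way) with a qmin resolver (which sends one label at a time, as RFC 7816 describes). The zone data, the names under example.com and the record types are constructed for this example. The "relaxed" mode, which retries with the full name when a shortened name gets NXDOMAIN, models a fallback RFC 7816 allows; its name and details are this example's own. The `nxdomain_on_ent` flag models an authoritative server that answers NXDOMAIN for an empty non-terminal, one known way a qmin lookup can fail; that is an assumption of the example, not the paper's breakdown of the failed lookups it measured.

```python
"""Toy simulation of iterative resolution with and without QNAME minimization
(qmin, RFC 7816).  Everything below is constructed for illustration: the zone
tree, the names, the record types and the misbehaving-server flag."""
from dataclasses import dataclass, field


def canon(name):
    """Lower-case the name and give it exactly one trailing dot ('.' = root)."""
    name = name.lower().strip(".")
    return name + "." if name else "."


def is_below(name, ancestor):
    """True if `name` equals `ancestor` or lies underneath it."""
    return ancestor == "." or name == ancestor or name.endswith("." + ancestor)


@dataclass
class Zone:
    apex: str
    records: dict                                  # owner name -> set of RR types
    delegations: set = field(default_factory=set)  # apexes of child zones
    nxdomain_on_ent: bool = False                  # assumed bug: NXDOMAIN for empty non-terminals


def respond(zone, qname, qtype):
    """Authoritative-server logic for one zone; returns (rcode, detail)."""
    for child in zone.delegations:
        if is_below(qname, child):
            return "REFERRAL", child               # point the resolver at the child zone
    if qname in zone.records:
        return "NOERROR", "ANSWER" if qtype in zone.records[qname] else "NODATA"
    owners = list(zone.records) + list(zone.delegations)
    if any(is_below(o, qname) for o in owners):
        # Empty non-terminal: nothing at qname itself, but names exist below it.
        # A correct server answers NOERROR/NODATA; the modelled buggy one says NXDOMAIN.
        return ("NXDOMAIN", "ENT") if zone.nxdomain_on_ent else ("NOERROR", "NODATA")
    return "NXDOMAIN", "NONE"


def full_query(zones, zone, qname, qtype, queries):
    """Send the full qname with the real qtype to `zone`, following referrals down."""
    while True:
        queries.append((zone.apex, qname, qtype))
        rcode, detail = respond(zone, qname, qtype)
        if rcode != "REFERRAL":
            return rcode, queries
        zone = zones[detail]


def resolve(zones, qname, qtype, qmin=False, fallback=False):
    """Iterative resolution from the root.  Returns (rcode, queries), where
    queries lists (zone apex asked, qname sent, qtype sent) in order."""
    qname = canon(qname)
    zone, queries = zones["."], []
    if qmin:
        labels = qname.strip(".").split(".")
        # Shortened names, shortest first, excluding the full name: com., example.com., ...
        for name in [canon(".".join(labels[i:])) for i in range(len(labels) - 1, 0, -1)]:
            while not is_below(zone.apex, name):   # skip names whose zone cut is already passed
                queries.append((zone.apex, name, "NS"))
                rcode, detail = respond(zone, name, "NS")
                if rcode == "REFERRAL":
                    zone = zones[detail]           # a zone cut: continue at the child zone
                elif rcode == "NXDOMAIN":
                    if not fallback:
                        return rcode, queries      # strict qmin: report the failure upstream
                    return full_query(zones, zone, qname, qtype, queries)  # relaxed: full name
                else:
                    break                          # NOERROR: no cut here, go one label deeper
    return full_query(zones, zone, qname, qtype, queries)


def build_zones(buggy_ent=False):
    """Constructed tree: root -> com -> example.com; b.example.com. is an empty non-terminal."""
    return {
        ".": Zone(".", {".": {"SOA", "NS"}}, {"com."}),
        "com.": Zone("com.", {"com.": {"SOA", "NS"}}, {"example.com."}),
        "example.com.": Zone("example.com.",
                             {"example.com.": {"SOA", "NS", "A"},
                              "www.example.com.": {"A"},
                              "a.b.example.com.": {"A"}},
                             set(), nxdomain_on_ent=buggy_ent),
    }


def compare(qname, buggy_ent=False):
    """Outcome, query count and the names the root server saw, per resolver mode."""
    zones = build_zones(buggy_ent)
    modes = [("classic", {}), ("qmin-strict", {"qmin": True}),
             ("qmin-relaxed", {"qmin": True, "fallback": True})]
    out = {}
    for label, kw in modes:
        rcode, queries = resolve(zones, qname, "A", **kw)
        out[label] = {"rcode": rcode, "queries": len(queries),
                      "root_saw": sorted({q[1] for q in queries if q[0] == "."})}
    return out


if __name__ == "__main__":
    for name, buggy in [("www.example.com", False), ("a.b.example.com", False),
                        ("a.b.example.com", True)]:
        print(name, "buggy ENT server" if buggy else "correct server", compare(name, buggy))
```

Running the block shows the two effects from the abstract in miniature: the root server only ever sees `com.` under qmin, but a name with a label below the last zone cut (`a.b.example.com`) costs four queries instead of three, and against the modelled buggy server the strict qmin lookup ends in NXDOMAIN while the classic and relaxed lookups still succeed. Equivalent behaviour needs a full zone model to approximate, so treat the numbers as a demonstration of the mechanism, not a reproduction of the paper's measurements.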


Notes

  1. We turn DNSSEC validation off to achieve comparable behavior (validating DNSSEC requires more queries to be sent); we also note that the combination of qmin and DNSSEC may induce further complexities beyond the scope of this work.

References

  1. RIPE Atlas measurement for a.b.qnamemin-test.internet.nl TXT (2017). https://atlas.ripe.net/measurements/8310250/

  2. RIPE Atlas measurement for o-o.myaddr.l.google.com TXT (2017). https://atlas.ripe.net/measurements/8310237/

  3. RIPE Atlas measurement for ripe-hackathon6.nlnetlabs.nl AAAA (2017). https://atlas.ripe.net/measurements/8310366/

  4. RIPE Atlas measurement for ripe-hackathon6.nlnetlabs.nl AAAA. RIPE MSM IDs: 16428213, 16428214, 16428215, 16428216, 16428217, 16428218, 16428219, 16428220, 16428221, 16428222 (2017)

  5. RIPE Atlas measurement for whoami.akamai.net A (2017). https://atlas.ripe.net/measurements/8310245/

  6. Bortzmeyer, S.: DNS privacy considerations. RFC 7626 (Informational), August 2015. https://www.rfc-editor.org/rfc/rfc7626.txt

  7. Bortzmeyer, S.: DNS query name minimisation to improve privacy. RFC 7816 (Experimental), March 2016. https://www.rfc-editor.org/rfc/rfc7816.txt

  8. Bortzmeyer, S., Huque, S.: NXDOMAIN: there really is nothing underneath. RFC 8020 (Proposed Standard), November 2016. https://www.rfc-editor.org/rfc/rfc8020.txt

  9. Bortzmeyer, S.: PowerDNS - add qname minimisation (2015). https://github.com/PowerDNS/pdns/issues/2311

  10. Castro, S., Wessels, D., Fomenkov, M., Claffy, K.: A day at the root of the internet. ACM SIGCOMM Comput. Commun. Rev. 38(5), 41–46 (2008)

  11. Cisco: Cisco Umbrella Top 1M List, September 14–30 2018. https://s3-us-west-1.amazonaws.com/umbrella-static/index.html

  12. Cooper, A., et al.: Privacy Considerations for Internet Protocols. RFC 6973, July 2013. https://rfc-editor.org/rfc/rfc6973.txt

  13. CZ.NIC: Knot resolver 1.0.0 released (2016). https://www.knot-resolver.cz/2016-05-30-knot-resolver-1.0.0.html

  14. Dittrich, D., Kenneally, E., et al.: The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. US Department of Homeland Security (2012)

  15. DNS OARC: Day In The Life of the Internet (2017 and 2018). https://www.dns-oarc.net/oarc/data/ditl

  16. Dolmans, R.: QNAME Minimization in Unbound, RIPE 72 (2016). https://ripe72.ripe.net/wp-content/uploads/presentations/120-unbound_qnamemin_ripe72.pdf

  17. Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: USENIX Security (2013)

  18. Fujiwara, K., Kato, A., Kumari, W.: Aggressive Use of DNSSEC-Validated Cache. RFC 8198 (Proposed Standard), July 2017. https://www.rfc-editor.org/rfc/rfc8198.txt

  19. Hardaker, W.: Analyzing and mitigating privacy with the DNS root service. In: NDSS: DNS Privacy Workshop, 2018 (2018)

  20. Hoffman, P.E., McManus, P.: DNS queries over HTTPS (DoH). RFC 8484, October 2018. https://rfc-editor.org/rfc/rfc8484.txt

  21. Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D., Hoffman, P.E.: Specification for DNS over transport layer security (TLS). RFC 7858, May 2016. https://rfc-editor.org/rfc/rfc7858.txt

  22. Imana, B., Korolova, A., Heidemann, J.: Enumerating privacy leaks in DNS data collected above the recursive. In: NDSS: DNS Privacy Workshop, 2018. San Diego, California, USA, February 2018. https://www.isi.edu/%7ejohnh/PAPERS/Imana18a.html

  23. ISC: Release notes for bind version 9.13.2 (2018). https://ftp.isc.org/isc/bind9/9.13.2/RELEASE-NOTES-bind-9.13.2.txt

  24. Mockapetris, P.: Domain names - concepts and facilities. RFC 1034, November 1987. https://rfc-editor.org/rfc/rfc1034.txt

  25. NLnet Labs: Unbound Changelog (2018). https://nlnetlabs.nl/svn/unbound/tags/release-1.8.0/doc/Changelog

  26. Pappas, V., Wessels, D., Massey, D., Lu, S., Terzis, A., Zhang, L.: Impact of configuration errors on DNS robustness. IEEE J. Sel. Areas Commun. 27(3), 275–290 (2009)

  27. Partridge, C., Allman, M.: Ethical considerations in network measurement papers. Commun. ACM 59, 58–64 (2016)

  28. Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: DNS security introduction and requirements. RFC 4033, March 2005. https://rfc-editor.org/rfc/rfc4033.txt

  29. Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: Protocol modifications for the DNS security extensions. RFC 4035, March 2005. https://rfc-editor.org/rfc/rfc4035.txt

  30. Rose, S., Larson, M., Massey, D., Austein, R., Arends, R.: Resource records for the DNS security extensions. RFC 4034, March 2005. https://rfc-editor.org/rfc/rfc4034.txt

  31. Scheitle, Q., et al.: A long way to the top: significance, structure, and stability of internet top lists. In: IMC 2018, Boston, USA. arXiv:1805.11506 November 2018

  32. Schmitt, P., Edmundson, A., Feamster, N.: Oblivious DNS: practical privacy for DNS queries. arXiv:1806.00276 (2018)

  33. de Vries, W.B., Scheitle, Q., Müller, M., Toorop, W., Dolmans, R., van Rijswijk-Deij, R.: Datasets and Scripts (2019). https://www.simpleweb.org/wiki/index.php/Traces#A_First_Look_at_QNAME_Minimization_in_the_Domain_Name_System

  34. Wang, Z.: Understanding the performance and challenges of DNS query name minimization. In: 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 1115–1120. IEEE (2018)

  35. Wullink, M., Moura, G.C., Müller, M., Hesselman, C.: ENTRADA: a high-performance network traffic data streaming warehouse. In: 2016 IEEE/IFIP Network Operations and Management Symposium (NOMS), pp. 913–918. IEEE (2016)


Acknowledgements

This work was partially funded by the German Federal Ministry of Education and Research under project X-Check (grant 16KIS0530). Partial funding was also supplied by SURFnet Research on Networks.

Author information

Corresponding author: Wouter B. de Vries


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

de Vries, W.B., Scheitle, Q., Müller, M., Toorop, W., Dolmans, R., van Rijswijk-Deij, R. (2019). A First Look at QNAME Minimization in the Domain Name System. In: Choffnes, D., Barcellos, M. (eds) Passive and Active Measurement. PAM 2019. Lecture Notes in Computer Science, vol 11419. Springer, Cham. https://doi.org/10.1007/978-3-030-15986-3_10


  • DOI: https://doi.org/10.1007/978-3-030-15986-3_10
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-15985-6
  • Online ISBN: 978-3-030-15986-3
  • eBook Packages: Computer Science (R0)
