E-gov DNS: is there enough redundancy?
We examined the resilience and redundancy of the digital government domains of the Netherlands, Sweden, Switzerland and the United States
Electronic government (e-gov) services enable citizens and residents to interact with their governments digitally, via the internet. The DNS, which maps domain names to internet addresses, underpins e-gov. Together with colleagues at the University of Twente and the National Cyber Security Center of the Netherlands, we have recently published a peer-reviewed study comparing the resilience and redundancy of the e-gov domains of 4 countries: the Netherlands, Sweden, Switzerland and the United States.
E-gov adoption has grown steadily and has been recently accelerated by the COVID-19 pandemic. E-gov reduces costs, provides faster services, and makes access easier for people with disabilities and mobility challenges. The figure below shows a subset of e-gov services provided by the Delft municipality in the Netherlands: you can make appointments, register your address, schedule marriage or partnership services, and more.
E-gov services are provided over the internet, and the DNS is one of the internet's core services. Therefore, if the DNS fails, domains can become unreachable, jeopardising governments' ability to deliver services to citizens.
Just recently, several state government websites in the United States were victims of a DDoS attack, becoming unreachable.
Given such risks, it is of paramount importance that the DNS services of e-gov domains are properly configured with maximum levels of redundancy to withstand disruption or stress. Getting that configuration right is not always easy: the DNS has many moving parts, and some are complex and difficult to configure.
So we set out to assess the DNS configurations of e-gov domains, to determine whether they provide enough redundancy at different layers.
It turns out it is hard to obtain a list of e-gov domains per country: many countries use their own ccTLDs for e-gov domains, but there is no public list of e-gov domains that governments provide.
What we did instead was to use 4 different countries from which we could obtain data: our contacts in the Netherlands, Sweden and Switzerland have provided us with curated lists, while the United States' .gov domain names are publicly available. The table below shows the number of domain names (second-level domains, such as example.nl) we identified for each country, and the countries' populations.
The first metric we looked at was the number of distinct DNS providers e-gov domain names have. For example, in the figure below, example.nl has 2 NS records, each with its own IP address, which are announced by 2 different Autonomous Systems (ASes), so we say it has 2 DNS providers.
We see that roughly 40% of the NL, SE, and CH e-gov domain names have a single DNS provider (over IPv4). For the US, we see 82% of e-gov domains have a single provider.
One could argue that this is a bogus metric – if you host everything on a cloud provider, it ought to be OK. Well, clouds also occasionally fail, as AWS and Dyn have shown. And not even Amazon.com uses AWS for DNS; they rely on 2 external DNS providers. While we cannot speak for them, we suspect that is for the same reason: redundancy.
So who are those DNS providers? The table below shows the results. It turns out that DNS services are heavily localised – local companies dominate the market. We believe this is because of the freedom of choice that local governments have in choosing DNS and hosting services; they may choose their traditional local companies.
If the DNS servers of an e-gov domain name share the same routing prefixes, it means they are announced from the same location(s), and are therefore not topologically diverse. That creates a false sense of redundancy, because the servers share large parts of their networking infrastructure: an attack or outage affecting those prefixes could make the e-gov domain names unreachable.
We therefore determined the number of prefixes per domain name, as shown in the figure below: the number of BGP prefixes found in routing tables matching the IP addresses of the e-gov DNS servers. We used CAIDA's IP to prefix datasets.
We see that roughly a third of the Swiss e-gov domain names are announced by a single prefix, while the figure for each of the other countries was less than 20%. Reliance on a single prefix creates unnecessary risk, and we recommend that the operators of the domains in question diversify their networks to increase their resilience and minimise the chances of collateral damage.
The next metric we measured was the number of top-level domains (such as .nl and .com) that each e-gov domain has for its DNS servers. For example, in the figure below, we see that there are 2 TLDs (.nl and .com) for this domain. If one of those TLDs were to become unreachable for some reason, resolvers would still be able to reach the other TLD's authoritative servers and ultimately retrieve the DNS records for their e-gov domain.
We obtained the following results: in last place, we have Switzerland, with more than 90% of the Swiss e-gov domains having their authoritative servers under a single TLD (.ch, Switzerland's ccTLD). In third place we have the United States, with 83% of its domains depending on a single TLD (.com). Sweden ranks second with 60% of its e-gov domains depending on a single TLD (.se), and the Netherlands fares better, albeit with a still considerable 40% of e-gov DNS servers depending on a single TLD (.nl).
We believe that the reason for the results is that many of the websites belong to local governments, and they may typically use whatever DNS services their registrars provide. As such, they are at the mercy of the policy decisions taken by their registrars: if a registrar has a diverse set of TLDs, the local governments in question automatically benefit from it. An option would be to adopt a second DNS provider that employs different TLDs.
IP anycast is a technique that allows the same IP prefix to be announced from multiple locations. Traditionally, IP prefixes were announced from a single physical location. With anycast, you can announce the same prefix from multiple locations worldwide, as illustrated in the figure below.
In this way, traffic is distributed across the anycast locations, making it harder to mount an effective DDoS attack against an anycast network: some sites may be overwhelmed while others remain active, delivering services. We have investigated how anycast reacts to DDoS attacks, and we have presented considerations for anycast operators in an informational RFC.
If we look at the level of anycast adoption for e-gov domains, we see that it's quite low in the European countries – Switzerland has fewer than 3% of its e-gov domains having at least one anycast server. The United States performs better, with over 55% of its e-gov domains on anycast services. The Netherlands has around 20%, while Sweden has 12%.
As with TLD usage, the explanation has to do with operational decisions taken by the registrars and DNS providers chosen by the e-gov domain name operators. The situation could be improved by deploying secondary anycast providers.
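The four metrics discussed above (distinct DNS providers counted as origin ASes, distinct BGP prefixes, distinct TLDs of the nameserver hostnames, and anycast adoption) can be computed from the same per-nameserver data once NS records, their addresses and the covering prefixes have been joined. The Python below is an added example written for this article, not code from the study or from SIDN Labs; the sample domains, addresses, ASNs and prefixes are constructed (documentation ranges and private ASNs), and the `anycast` flag is assumed to come from an external dataset, since the article does not say how anycast was detected.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class NameServer:
    """One authoritative server of a domain, joined with the routing data the article uses."""
    hostname: str  # NS record target, e.g. "ns1.example.nl"
    ip: str        # A record of that hostname (IPv4, as in the article's figures)
    asn: int       # origin AS of the covering BGP prefix; the article counts ASes as "DNS providers"
    prefix: str    # covering BGP prefix from a routing table / IP-to-prefix dataset
    anycast: bool  # assumed external knowledge: is the prefix announced from several sites?


def ns_tld(hostname: str) -> str:
    """TLD of a nameserver hostname: 'ns1.example.nl' -> 'nl'.

    Only the last label is used, which matches the article's .nl/.com/.ch/.se cases;
    multi-label public suffixes (e.g. co.uk) would need a public-suffix list.
    """
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def redundancy_report(domain: str, servers: list) -> dict:
    """Compute the article's four redundancy metrics for one domain."""
    for s in servers:
        # Guard against inconsistent input: the address must lie inside the prefix we credit it to.
        if ipaddress.ip_address(s.ip) not in ipaddress.ip_network(s.prefix):
            raise ValueError(f"{s.hostname}: {s.ip} is not covered by {s.prefix}")
    providers = {s.asn for s in servers}
    prefixes = {ipaddress.ip_network(s.prefix) for s in servers}
    tlds = {ns_tld(s.hostname) for s in servers}
    has_anycast = any(s.anycast for s in servers)
    return {
        "domain": domain,
        "nameservers": len(servers),
        "providers": len(providers),
        "prefixes": len(prefixes),
        "tlds": len(tlds),
        "anycast": has_anycast,
        # Each True below marks a layer with no redundancy at all.
        "single_provider": len(providers) == 1,
        "single_prefix": len(prefixes) == 1,
        "single_tld": len(tlds) == 1,
        "no_anycast": not has_anycast,
    }


def population_summary(reports: list) -> dict:
    """Percentage of domains (to 0.1) exposed at each layer, like the article's per-country figures."""
    keys = ("single_provider", "single_prefix", "single_tld", "no_anycast")
    counts = Counter(k for r in reports for k in keys if r[k])
    return {k: round(100.0 * counts[k] / len(reports), 1) for k in keys}


# Constructed sample data (documentation addresses, private ASNs); not taken from the study.
SAMPLE = {
    # Two servers, two ASes, two prefixes, two TLDs, one anycast prefix: redundant at every layer.
    "example.nl": [
        NameServer("ns1.example.nl", "192.0.2.10", 64496, "192.0.2.0/24", False),
        NameServer("ns2.example.com", "198.51.100.20", 64497, "198.51.100.0/24", True),
    ],
    # Two servers, but the same AS, the same /24 and the same TLD: looks redundant, is not.
    "gemeente.example.ch": [
        NameServer("ns1.hoster.example.ch", "203.0.113.5", 64498, "203.0.113.0/24", False),
        NameServer("ns2.hoster.example.ch", "203.0.113.6", 64498, "203.0.113.0/24", False),
    ],
    # Single provider and single TLD, but two prefixes, both anycast.
    "agency.example.gov": [
        NameServer("ns1.dns.example.com", "198.51.100.53", 64499, "198.51.100.0/25", True),
        NameServer("ns2.dns.example.com", "198.51.100.200", 64499, "198.51.100.128/25", True),
    ],
}


def run_sample() -> dict:
    """Per-domain reports plus population-level percentages for the constructed sample."""
    reports = [redundancy_report(d, s) for d, s in SAMPLE.items()]
    return {"domains": reports, "summary": population_summary(reports)}


if __name__ == "__main__":
    result = run_sample()
    for r in result["domains"]:
        weak = [k for k in ("single_provider", "single_prefix", "single_tld", "no_anycast") if r[k]]
        print(f"{r['domain']:<22} providers={r['providers']} prefixes={r['prefixes']} "
              f"tlds={r['tlds']} anycast={r['anycast']}  weak layers: {', '.join(weak) or 'none'}")
    print("share of domains exposed per layer (%):", result["summary"])
```

The second sample domain is the case the article warns about: two NS records look like redundancy, yet every layer collapses to one provider, one prefix and one TLD. The third shows that the layers are independent: anycast and prefix diversity do not compensate for a single provider or a single TLD, which is why the article recommends a secondary provider that uses different TLDs.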
E-gov domains play a crucial role in many countries. We have measured 4 countries, and have shown that their e-gov DNS services can still be improved and be made more resilient by adding extra redundancy in terms of DNS providers, routing prefixes and TLDs, and by adopting IP anycast.
If you'd like to know more about this topic, see our peer-reviewed paper with all the experimental details and extra results, and our RIPE86 meeting presentation.