Taking another look at query name minimization in the DNS
QNAME minimization adoption has grown significantly since its introduction in 2016
Authors: Jonathan Magnusson, Moritz Müller, Anna Brunstrom, Tobias Pulls
We recently published the paper "A Second Look at DNS QNAME Minimization" at the Passive and Active Measurement conference (PAM 2023). The paper was a collaboration between Karlstad University, SIDN Labs and Internetstiftelsen, and focused on the adoption of query name minimization (qmin) in the DNS. Qmin is a privacy feature of recursive DNS resolvers, first introduced in 2016 to limit the exposure of query names sent across the DNS. The aim of the study was to measure the adoption of qmin since its introduction; it builds on the experiments of De Vries et al. from 2018.
The recursive DNS resolver is responsible for querying the authoritative DNS name servers for the resource record requested by the DNS stub resolver. If you want to visit the website at www.kau.se, the stub resolver, e.g. on your mobile phone, first sends the query to the recursive resolver. The recursive resolver then has to query one of the root servers, then one of the TLD servers of .se, and so on until it reaches the authoritative servers of the kau.se zone, from which the resource record can be retrieved. Originally, and as shown in the figure below, a resolver would have sent the whole query name, www.kau.se, to each of the authoritative name servers on that path. However, this is often technically unnecessary: the root servers, for instance, only need the TLD label to return a referral. More problematically, in some cases sensitive information in the domain name can leak to third parties.
Figure 1: Normal DNS flow.
RFC 9156 describes the process of reducing the information sent in a DNS query to the minimum required to resolve it. This reduces the amount of data transmitted over the network, improves privacy and reduces the potential for eavesdropping. It involves removing unnecessary labels from the domain name being queried and using the minimum number of DNS queries needed to resolve the domain name. The figure below shows how the previous lookup looks with qmin enabled.
Figure 2: A minimizing resolver.
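To make the difference between figure 1 and figure 2 concrete, the following simulation is added here as an example; it is not code from the paper or from any resolver implementation. It computes which QNAME the servers of each zone on the delegation path get to see for a classic lookup and for an RFC 9156-style minimizing lookup. Two simplifications are assumptions of this example: the zone cuts are supplied up front instead of being learnt from referrals, and each step adds exactly one label (RFC 9156 also allows adding several labels after a few iterations). The optional stop_at parameter is a hypothetical depth limit, such as the PSL+1 boundary the article proposes later, below which the resolver falls back to sending the full name.

```python
"""Added example (not from the paper or from any resolver's code base): which
QNAME does each authoritative server see, with and without query name
minimization?  Zone cuts are given up front (simplifying assumption)."""
from typing import Dict, List, Optional, Sequence, Tuple

Query = Tuple[str, str]  # (zone whose name servers are asked, QNAME sent)


def labels(name: str) -> List[str]:
    """Labels of a name, root label excluded: 'www.kau.se.' -> ['www', 'kau', 'se']."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


def fqdn(labs: Sequence[str]) -> str:
    """Labels back to an absolute name; the empty list is the root '.'."""
    return ".".join(labs) + "." if labs else "."


def is_ancestor_or_self(zone: str, name: str) -> bool:
    """True when `zone` is `name` itself or one of its ancestors (root included)."""
    z, n = labels(zone), labels(name)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def zone_path(name: str, zone_cuts: Sequence[str]) -> List[str]:
    """Zones on the delegation path from the root down to `name`, root first."""
    path = {fqdn(labels(z)) for z in zone_cuts if is_ancestor_or_self(z, name)}
    path.add(".")  # the root is always on the path
    return sorted(path, key=lambda z: len(labels(z)))


def closest_enclosing_zone(name: str, zone_cuts: Sequence[str]) -> str:
    """Deepest known zone strictly above `name`: the servers a minimizing
    resolver asks before it knows whether `name` is itself a zone cut."""
    above = [z for z in zone_path(name, zone_cuts) if labels(z) != labels(name)]
    return above[-1]


def full_query_sequence(qname: str, zone_cuts: Sequence[str]) -> List[Query]:
    """Classic resolver (figure 1): the complete QNAME goes to every server."""
    full = fqdn(labels(qname))
    return [(zone, full) for zone in zone_path(qname, zone_cuts)]


def minimized_query_sequence(qname: str, zone_cuts: Sequence[str],
                             stop_at: Optional[str] = None) -> List[Query]:
    """Minimizing resolver (figure 2): reveal one label per step, asking the
    closest zone already known.  `stop_at` is a hypothetical depth limit:
    once the candidate name lies strictly below it, the remaining servers
    receive the full QNAME, exactly as a classic resolver would send it."""
    labs = labels(qname)
    full = fqdn(labs)
    out: List[Query] = []
    for k in range(1, len(labs) + 1):
        candidate = fqdn(labs[-k:])
        zone = closest_enclosing_zone(candidate, zone_cuts)
        below_limit = (stop_at is not None
                       and is_ancestor_or_self(stop_at, candidate)
                       and labels(stop_at) != labels(candidate))
        if below_limit:
            rest = [z for z in zone_path(qname, zone_cuts)
                    if len(labels(z)) >= len(labels(zone))]
            out.extend((z, full) for z in rest)
            return out
        out.append((zone, candidate))
    return out


def labels_seen(sequence: Sequence[Query]) -> Dict[str, int]:
    """How many labels of the original QNAME each zone's servers got to see."""
    seen: Dict[str, int] = {}
    for zone, name in sequence:
        seen[zone] = max(seen.get(zone, 0), len(labels(name)))
    return seen


if __name__ == "__main__":
    cuts = [".", "se", "kau.se"]  # constructed delegation chain for www.kau.se
    for kind, seq in (("classic", full_query_sequence("www.kau.se", cuts)),
                      ("minimizing", minimized_query_sequence("www.kau.se", cuts))):
        print(kind)
        for zone, sent in seq:
            print(f"  servers of {zone:<9} see {sent}")
```

Running it for www.kau.se shows the root seeing only "se." and the .se servers only "kau.se." under minimization, whereas the classic sequence hands the full name to all three zones. With stop_at="se" the sequence reproduces the behaviour the article describes for Google Public DNS (minimized at the root, full name from the TLD onwards), and a name with several labels inside one zone, such as a.b.qnamemin-test.nlnetlabs.nl, shows why a depth limit saves round trips: without it the nlnetlabs.nl servers are asked three times.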
De Vries et al. already studied the deployment of query name minimization in 2018, but a lot has changed since: an updated version of query name minimization was published in 2021, modifying the original specifications, and more resolver software has now enabled query name minimization by default.
The objective of our study was to measure the adoption of qmin over a longer period and in more detail. For this reason, we employed active and passive measurements.
The aim of the active measurements was to track the trend of qmin adoption over time and to understand the characteristics of the resolvers that have adopted qmin. We analyzed data collected by NLnet Labs using RIPE Atlas probes, made available on DNSThought. We also assessed open resolvers from a list generated by scanning the IPv4 address space for servers operating on UDP port 53. The aim of that was to classify open resolvers and improve the accuracy of classification in the passive measurements.
The active measurement methods were improved from the previous study by De Vries et al. We used three geographical locations for the measurements on open resolvers, queried each open resolver 100 times, and set up a new domain using a wildcard label to mitigate cached delegations. The enhancements to the measurement methods allowed us to observe additional information when classifying the resolvers, namely "conflicting resolvers" which sometimes minimize the queries but not always. We discuss the phenomenon of conflicting resolvers in more detail in the paper.
The passive measurements presented the evolution of qmin on a larger scale, from the time of the De Vries et al. study to October 2022, using data collected at the root servers and at the .nl ccTLD. The methodology was improved to provide deeper insight into qmin adoption, including who is leading and who is lagging, as well as to discover occasional information leakage from qmin-enabled resolvers.
We classified queries as minimized when they contained one label at the root and two at .nl. In contrast to earlier work, to avoid overestimation, we filtered out queries from Google's Chrome browser relating to non-existent single-label domain names. That was done by only taking queries to existing domain names into account.
The objective of the controlled experiments was to examine the performance of popular open-source resolvers (BIND, Unbound, Knot Resolver and PowerDNS) when handling minimized queries. We used the Cisco Umbrella Top 1M list of the most popular queries, based on passive DNS usage. The resolvers were configured with the same cache size and with DNSSEC turned off, and we looked at both the relaxed and the strict mode of enabling qmin. The results were compared with those of the previous study by De Vries et al.
The results of the study show that the adoption of qmin has increased significantly since 2018. The active measurements (see figure above) show that the adoption increased from 2.5k resolvers used by RIPE Atlas probes in 2018 to 14k in 2022, and from 18k open resolvers categorized as qmin-enabled in 2018 to 80k in 2022. Although the results from RIPE Atlas probes may not be representative of the average resolver on the Internet, the growth in qmin adoption is still a positive trend for Internet privacy.
As we show in the figure below, the passive measurements on root and TLD name servers also reveal an increase in adoption from 0.6% in 2018 to 2.5% on one root server and from 35.5% in 2019 to 57.3% on the .nl TLD servers. Almost 30% of resolvers located in the Netherlands have enabled qmin. Those resolvers are responsible for roughly 40% of all queries from this country. By comparison, only around 20% of resolvers located in the US have enabled qmin.
Finally, the controlled experiments also showed a trend towards higher numbers of packets used by resolvers and lower error rates in the DNS queries.
The client-side active measurements on DNSThought only measured qmin at the fourth-level domain. The results indicate that the number of resolvers minimizing queries closer to the root (i.e. at the TLD and root level) could be even higher. We also found that Google Public DNS resolvers, which have been minimizing queries since 2020, were classified as not qmin-enabled in the active measurements on open resolvers, which used a separate test domain. Further, queries using different test domains showed that the Google Public DNS resolvers consistently responded differently depending on the domain. Below, we show the results of the different tests.
$ dig @8.8.8.8 a.b.qnamemin-test.nlnetlabs.nl TXT +short
"NO - QNAME minimisation is NOT enabled on your resolver :("
$ dig @8.8.8.8 a.b.qnamemin-test.internet.nl TXT +short
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
It turned out that Google only supports qmin up to the TLD level, which our tests could not detect. However, Google modified its behaviour for other test domain names so as to take credit for minimizing root- and TLD-level queries.
The lack of data minimization within an authoritative DNS zone is not as serious as full query name disclosure at the root and TLD level. To address that problem, we propose using the Public Suffix List (PSL) plus one additional label (PSL+1) to set the depth limit for qmin. The PSL is a list of effective TLDs, maintained by Mozilla, that browsers use to restrict cookie setting. It contains single-label TLDs such as ".com" and ".net" as well as multi-label suffixes like ".ac.uk" and ".co.jp". We propose that the PSL could serve as a reference for determining the depth limit for qmin, by identifying the authoritative DNS zones and thus when to stop minimizing queries.
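Two of the mechanics described above, the passive classification rule ("one label at the root, two at .nl", with queries for non-existent names filtered out so that Chrome's random single-label probes are not counted) and the PSL+1 depth limit, are worked through in the example below. It is added here and is not code from the paper or from SIDN Labs. The query log, the set of existing names and the PSL subset are constructed for the example; the addresses come from documentation ranges, and the PSL subset ignores the real list's wildcard and exception rules. The classification rule is generalised to "one label more than the zone apex", which is what the article's two cases reduce to.

```python
"""Added example, not code from the paper: classify passively observed queries
as minimized, summarise resolvers as minimizing / conflicting / not
minimizing, and compute a PSL+1 depth limit from a constructed PSL subset."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Sequence, Set, Tuple

Observation = Tuple[str, str, str]  # (resolver address, zone queried, QNAME)


def labels(name: str) -> List[str]:
    """Labels of a name, root label excluded."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


# Constructed sample of what a root or .nl operator might log.
SAMPLE_QUERIES: List[Observation] = [
    ("192.0.2.10", ".", "nl."),                 # one label at the root: minimized
    ("192.0.2.10", "nl.", "example.nl."),       # two labels at .nl: minimized
    ("192.0.2.20", ".", "www.example.nl."),     # full name disclosed to the root
    ("192.0.2.20", "nl.", "www.example.nl."),
    ("192.0.2.30", ".", "nl."),                 # minimizes here ...
    ("192.0.2.30", "nl.", "mail.example.nl."),  # ... but not here: conflicting
    ("192.0.2.40", ".", "qwzxkvjl."),           # Chrome-style probe, non-existent name
]
# Constructed set of names that exist; the random probe is absent on purpose.
EXISTING_NAMES: Set[str] = {"nl.", "example.nl.", "www.example.nl.", "mail.example.nl."}


def is_minimized_at(qname: str, zone: str) -> bool:
    """A query to `zone` is minimized when it carries exactly one more label
    than the zone apex: 1 label at the root, 2 at .nl, 3 at example.nl."""
    return len(labels(qname)) == len(labels(zone)) + 1


def classify_resolvers(queries: Iterable[Observation],
                       existing: Set[str]) -> Dict[str, str]:
    """Per resolver: 'minimizing', 'conflicting' or 'not minimizing', judged
    on queries for existing names only, so that probes for random names are
    never mistaken for minimized root queries."""
    flags: Dict[str, List[bool]] = defaultdict(list)
    for resolver, zone, qname in queries:
        if qname not in existing:
            continue
        flags[resolver].append(is_minimized_at(qname, zone))
    verdict: Dict[str, str] = {}
    for resolver, seen in flags.items():
        if all(seen):
            verdict[resolver] = "minimizing"
        elif any(seen):
            verdict[resolver] = "conflicting"
        else:
            verdict[resolver] = "not minimizing"
    return verdict


# Constructed subset of the Public Suffix List (single- and multi-label suffixes).
PSL_SUBSET = ["com", "net", "nl", "se", "co.uk", "ac.uk", "co.jp"]


def psl_plus_one(qname: str, psl: Sequence[str]) -> Optional[str]:
    """The PSL+1 boundary for `qname`: the longest public suffix that is a
    proper suffix of the name, plus one label.  None when no suffix matches
    or when the name is a public suffix itself."""
    labs = labels(qname)
    best: Optional[List[str]] = None
    for suffix in psl:
        s = labels(suffix)
        if len(s) < len(labs) and labs[-len(s):] == s:
            if best is None or len(s) > len(best):
                best = s
    if best is None:
        return None
    return ".".join(labs[-(len(best) + 1):]) + "."


if __name__ == "__main__":
    for resolver, verdict in sorted(classify_resolvers(SAMPLE_QUERIES, EXISTING_NAMES).items()):
        print(f"{resolver:<12} {verdict}")
    for name in ("www.kau.se", "a.b.example.co.uk", "nl"):
        print(f"{name:<20} stop minimizing below {psl_plus_one(name, PSL_SUBSET)}")
```

In the sample, the resolver that only sent the random probe never enters the verdict because its single query is dropped by the existence filter, which is the overestimation the filtering step avoids. For the depth limit, "a.b.example.co.uk" resolves to "example.co.uk." rather than "co.uk.", so the multi-label suffix is honoured; a resolver applying that limit would minimize up to the .co.uk servers and send the full name only to the zone that actually owns it.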
In conclusion, the study showed that the adoption of qmin has increased significantly since its introduction, which is a positive sign for privacy in the DNS. The study also highlighted the need to strike a balance between performance and privacy, and proposed the Public Suffix List to set the depth limit for minimizing labels. This study serves as an important step towards understanding the adoption and impact of qmin in the DNS and can inform future improvements in privacy and security for the DNS infrastructure.
Article by:
PhD Student in Cybersecurity and Network Analysis of the Domain Name System