
Measuring open DNS resolver use - xuande
https://blog.apnic.net/2019/09/23/dns-resolver-centrality/
======
mike_d
Folks here might be interested in my own (more tl;dr) survey of public
resolver usage:
[https://twitter.com/mikedamm/status/1136409254305263616?s=20](https://twitter.com/mikedamm/status/1136409254305263616?s=20)

~~~
troquerre
Do you know how Cloudflare picked up so much market share even with 8.8.8.8
around?

~~~
ssvss
Google doesn’t promote 8.8.x.x lately, so when there were some sites being
blocked by Indian ISPs, I saw Cloudflare DNS being recommended. Also I believe
Cloudflare doesn’t implement ban-lists provided by Indian courts. I have
noticed sites blocked in Google DNS working with Cloudflare DNS.

~~~
jackcodes
To extend this, I’ve never seen Google promote 8.8 publicly. All
recommendations I’ve seen have been from other users or forum members. It
may be that Google’s trust isn’t what it once was, causing a reduction in
recommendation.

------
3xblah
How about measuring zone file access programs?

How many users utilise the full number of existing domain names in the world
today?

How many names do users realistically need to access in a lifetime?

What if we exclude ad servers and other domains that exist solely for
marketing?

It depends on the user, but in some cases the majority of their _non-
commercial_ web^1 use can be accomplished without ever making remote DNS
queries; the IP addresses can be stored and used on a long-term basis. That is
because a user may only visit the same small number of websites. The foregoing
is of course only an opinion based on testing conducted by yours truly. Every
user is different.

Try measuring how many times the _non-commercial_ websites you visit change IP
addresses in a year.

You might find that DNS resolution is like that "definition of insanity" meme:
making the same query day after day, expecting a different answer.

1 It makes a difference whether or not a user is using the web to make
purchases. For making purchases online, DNS resolution is almost always
required. Domains and IP addresses in that context are constantly changing. Go
figure. OTOH, if you are visiting a website such as news.ycombinator.com on a
frequent basis, is it really necessary to look up the IP address for
news.ycombinator.com every time you visit the website? I have used the same IP
address for years at a time.

------
amalcon
I've worked on software that attempts to estimate the end-user demand
represented by a given resolver. Most of the specifics are covered by NDA, but
suffice to say that it's surprisingly difficult to do accurately. There is a
_lot_ of non-standard behavior in various resolver software, some of it
avoidable, some of it not.

This trick of altering the hostname of a subresource to identify the client is
a thing I long wished we could do, but sadly we didn't have enough control of
the content to do that.
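
The unique-hostname trick amalcon describes, as an added illustration in Python (not code from the article or from any commenter): each client fetches a subresource under a label only it was given, so the resolver that asks the authoritative server for that label is the resolver that client uses. The log entries and the operator table are constructed for the demo.

```python
import ipaddress
from collections import Counter, defaultdict

# Resolver addresses named in this thread, grouped by operator. This is a
# constructed table for the demo; real resolver egress ranges are far broader.
KNOWN_RESOLVERS = {
    "cloudflare": ["1.1.1.1", "1.0.0.1"],
    "google": ["8.8.8.8", "8.8.4.4"],
    "quad9": ["9.9.9.9"],
}

def classify(resolver_ip):
    """Name the operator of the resolver that reached the authoritative server."""
    addr = ipaddress.ip_address(resolver_ip)
    for operator, addrs in KNOWN_RESOLVERS.items():
        if any(addr == ipaddress.ip_address(a) for a in addrs):
            return operator
    return "other"  # an ISP or enterprise resolver

# Constructed authoritative-server log: (queried name, resolver source IP).
# Each client fetched a subresource under a unique label, so whichever
# resolver asks for that label is the resolver that client is using.
AUTH_LOG = [
    ("c1a9.m.example.net", "1.1.1.1"),
    ("c1a9.m.example.net", "1.0.0.1"),       # retry via second address: same client
    ("7f02.m.example.net", "8.8.8.8"),
    ("e3b4.m.example.net", "203.0.113.53"),  # an ISP resolver
    ("9d1c.m.example.net", "9.9.9.9"),
    ("9d1c.m.example.net", "8.8.4.4"),       # client with two operators configured
]

def resolvers_per_client(auth_log):
    """Map each per-client label to the set of resolver operators that asked for it."""
    seen = defaultdict(set)
    for qname, resolver in auth_log:
        label = qname.split(".", 1)[0]
        seen[label].add(classify(resolver))
    return dict(seen)

def resolver_share(auth_log):
    """Fraction of clients observed behind each operator. A client whose label was
    queried through several operators counts once for each, so the shares need not
    sum to 1; that ambiguity is one reason per-resolver demand is hard to estimate."""
    per_client = resolvers_per_client(auth_log)
    counts = Counter(op for ops in per_client.values() for op in ops)
    return {op: n / len(per_client) for op, n in counts.items()}
```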

------
kijin
What this data shows is that concerns about centralization, especially in
relation to DoH, are overblown. Only 1.15% of users in this dataset are using
Cloudflare DNS, and APNIC is in a region riddled with government censorship
and crappy ISPs -- two major incentives for people to try alternative
resolvers. Without such incentives, nobody would even bother to change their
devices' DNS settings.

I'm in a country with both of these problems, so every machine I set up gets
Cloudflare as the primary resolver with Google as the secondary. Fix these
problems first, and I won't have to do this anymore. Centralization? I dunno.
Taking control of DNS away from my state and ISP would actually count as
decentralization in my book.

~~~
troquerre
Agree that shifting control from your state and ISP are beneficial, but
centralizing DNS to one or two for-profit providers in the process is less
than ideal IMO. I'm working on a project that's aiming to make DNS fully
decentralized and wrote an explainer article in case you're interested
[https://www.namebase.io/blog/meet-handshake-decentralizing-d...](https://www.namebase.io/blog/meet-handshake-decentralizing-dns-to-improve-the-security-of-the-internet/)

If it's not too revealing, can you share what country you're in?

~~~
kijin
Sure, even more decentralization would be good. Nevertheless, I think the
usual concerns about Cloudflare are massively overblown and miss a crucial
role that they're playing in the fight against censorship and surveillance.

Cloudflare is the first well-known provider that decided to support a working
protocol for encrypted DNS. DoH might not be the best possible protocol, but
it's shipping now and others are not. (DNSCrypt is also shipping, but it has
the weird property of speaking something that isn't HTTPS on port 443. That's
too easy to censor.) There will be healthy competition if other people would
please stop arguing and start shipping, too.

I'm in South Korea. The censorship regime here is more prudish than draconian,
and I'm not in any danger of prosecution for criticizing it. The way it is
implemented is extremely crappy, though. On top of DNS-based censorship, ISPs
are doing DPI on TLS handshakes to sniff hostnames in the SNI extension. Lots
of techies here are very interested in new technologies showcased by
Cloudflare. That includes not only DoH but also their proposal to use keys
stored in DNS to close the SNI loophole. Once again, what works in this
situation is not a novel, theoretically perfect protocol but one that ships
now and blends into the petabytes of HTTPS traffic that Cloudflare handles
every day.

------
PaulHoule
I think DNS-over-HTTPS is a much bigger cause for concern.

~~~
cracker_jacks
What is the cause for concern? I am trying to understand why DNS-over-HTTPS
could be a bad thing from the user end.

~~~
robertcope
It makes it very hard to control your network. I have a DNS setup at home that
I want all my equipment using. It blocks ads and other sites I don't want
accessed. With DoH, I can't really be sure that browsers, devices, etc aren't
using an alternative DNS system.

~~~
LinuxBender
You could null route or firewall all the open resolvers, or at least the most
common ones.

If your router is linux, that might look like

    # blackhole routes for the public resolvers listed above; stderr is
    # silenced so re-running the script does not complain about existing routes
    /sbin/ip route add blackhole 9.9.9.9 2>/dev/null
    /sbin/ip route add blackhole 1.1.1.1 2>/dev/null
    /sbin/ip route add blackhole 1.0.0.1 2>/dev/null
    /sbin/ip route add blackhole 8.8.8.8 2>/dev/null
    /sbin/ip route add blackhole 8.8.4.4 2>/dev/null

I'm probably leaving many of them off. There is probably an RBL for those by
now. Here is one [1], and here is a list of them [2].

[1] - [https://github.com/bambenek/block-doh](https://github.com/bambenek/block-doh)

[2] - [https://github.com/curl/curl/wiki/DNS-over-HTTPS](https://github.com/curl/curl/wiki/DNS-over-HTTPS)

------
gerdesj
The argument is well known: the intertubes promises much equanimity but
capitalism and stuff.

OK I am being a bit cruel but this _is_ what we have. If you don't own up to
intending to cuddle up to Amazon, Google, Apple, Microsoft in the next 30s
then you are probably a liar or a bit deluded.

Thing is, I'm a bit of a fan of capitalism but perhaps some sort of light
touch regulation is needed in the Wild West. A bloke with a big old star on
the chest might be nice.

~~~
pnako
It's probably even worse than what you describe. You'll be cuddling up to the
Amazon, Google, Apple, Microsoft of whichever global power you're closest to.

I'm in Australia, so I don't know if in twenty years I'll still be connected
to Westnet or Sinonet. I'll probably buy a black market connection to Westnet
from a guy with a mohawk and implants in his head.

~~~
troquerre
Agreed. The world is trending towards an internet that's split up between the
different countries. There are some technologies that can counter that (i.e.
check my bio) but it'll be an uphill battle imo.

