What ITHI Can Tell Us About Resolver Concentration
In July 2020, we published a blog in which we presented one of ICANN’s research initiatives – the Identifier Technology Health Indicators (ITHI) – describing why it is important for the Internet ecosystem and why we are keen to welcome more participants and to collect more data. The traffic patterns and trends that we identify will help all those who operate key parts of the Domain Name System (DNS) to do a better job and maintain the Internet’s resilience.
To make it easier to understand how ITHI can be useful for the DNS operations community, we would like to share some results from the initiative. We start with an overview of what ITHI revealed about resolver concentration.
To understand what resolver concentration is we need to be reminded of what a DNS resolver is and its role. At a basic level, it converts domain names into IP addresses. Every time you connect to a website using a domain name, your device needs to convert that website’s domain name into a unique IP address to be able to reach it. Your request is sent to one or more DNS resolvers. Those resolvers query other DNS servers to obtain the correct address that is then sent back to you as a response to your request.
The DNS resolver is a service usually provided by your Internet service provider (ISP) as an integral component of your Internet service. This is often the default mode of operation, through which DNS queries from your devices are directed to the DNS resolvers operated by your ISP.
There are, however, alternatives. These are the so-called “open DNS resolvers,” which are operated independently of any ISP. Some of these have been operating for many years, such as the OpenDNS service, now owned and operated by Cisco and called Cisco Umbrella, or Google’s Public DNS service on the IP address 220.127.116.11.
Others are more recent such as the open DNS services operated by Cloudflare and Quad9. You can configure your device to use one of these public resolvers rather than your ISP’s resolver.
Changing the resolvers that you use on your device is typically a simple configuration change on the device itself. You can also make a change on your network’s access gateway to change the resolver on every device on your network. Some ISPs also have, for various reasons, decided to configure their ISP DNS resolution service to use the services of an open DNS resolver.
All of these behaviors might lead to so-called “resolver concentration,” because more and more resolution of end-user DNS queries are performed by only a few actors.
There have been many discussions over the past two years on these topics within the ICANN community and, in April 2020, ICANN’s Office of the Chief Technology Officer (OCTO) published a paper on Local and Internet Policy Implications of Encrypted DNS. You may be familiar with the terms DoH (DNS over HTTPS, see RFC8484) and DoT (DNS over TLS, see RFC7858), referring to methods for encrypting and authenticating DNS traffic.
Among the unanswered questions was the issue of whether deploying such encryption methods would lead to further concentration of the market of DNS resolvers.
To measure this concentration, we need to observe the volume of DNS queries and the number of resolvers used. Our team decided to augment the ITHI project with a new measurement of DNS resolver concentration. Unlike measurements done in partnership with top-level domain (TLD) operators or large ISPs, this measurement was done in collaboration with the Asia Pacific Network Information Centre (APNIC), the regional Internet address registry for the Asia-Pacific region.
Measuring queries turned out to be trickier than anticipated, as we realized that people sometimes use more than one resolver when making queries, leading to potentially duplicate queries through different resolvers. We defined a number of metrics to look at the problem from different angles; and in the end, we decided to consider only the first query made by each user, matching each user to the first DNS resolver that is processing the user’s DNS query on their behalf. We then sort this DNS resolver list by the count of users that each resolver is serving, and go down this list to see how many resolvers it takes to see queries from 50 percent of all Internet users. We also count how many resolvers it takes to reach 90 percent of all users.
These measurements started in October 2019, and the results to date are described below.
As of October 2020, it takes 212 resolvers to see 50 percent of all Internet users. It takes 2149 resolvers to see 90 percent of them. These numbers have been relatively stable over the last twelve months. To provide some context, there are millions of resolvers around the world.
For community members concerned that a possible concentration might be taking place, it is worth keeping an eye on the evolution of these numbers.
Resolver concentration by itself may not have a direct impact on the Internet’s resilience, but it is an important factor to consider, and ICANN is producing observable data to further study this issue.
We still need your help! If you operate a large DNS recursive resolver or operate a top-level domain, we ask for your support in partnering with us to provide data that make measurements to further enhance the usefulness of the ITHI initiative for the Internet community. Please, remember that the data contribution that we are asking for are anonymized, summarized, and contain no personally identifiable information.
Finally, we would also like to express our gratitude to APNIC and underline how crucial its role was in making this endeavor possible.
More data on various ITHI measurements can be found at https://ithi.research.icann.org.
Should you like to find out more about ITHI and how you can participate, please contact Gabriella Schittek email@example.com or Alain Durand firstname.lastname@example.org, who will be pleased to help you further.