Do DNS operators want to deploy DNS Privacy?

By Vicky Risk on 11 Jun 2018

Category: Tech matters


The IETF standards community regards the possibility of pervasive monitoring as an attack on the Internet and there is a strong consensus among IETF participants that we must protect Internet users’ privacy.

We were wondering whether the people who are operating DNS services were feeling a similar sense of urgency and if they had any significant concerns about obstacles to deployment.

From 25 March to 4 May 2018 we ran a survey, advertised via social media and ISC’s Software Downloads page, asking whether people running DNS systems were interested in deploying DNS privacy and what concerns they had.

Here are the results of that survey.

Who responded?

We advertised on social media but then worried that most of these respondents might be specifically interested in privacy, so we added a survey invite on ISC’s Software Downloads page to get participation from people who might not follow ISC on social media. There was no ‘prize’ offered for completing the survey and no recognition, so the only likely motivation was wanting to help us out.

We got 195 responses in total:

  • 126 were from various social media platforms (we posted on Twitter, ISC’s LinkedIn page and a couple of LinkedIn groups, and ISC’s Facebook page).
  • 64 were people who clicked the link on ISC’s Downloads page.
  •  5 people responded to a solicitation sent to the RIPE DNS working group mailing list.

With an open survey like this, there is no real way to ensure that the respondents are representative of the overall operator population. We asked only the minimum of demographic questions, to keep the survey very short and maximize completion. We did not collect any personally-identifying information. (It’s a privacy survey!)

What is your primary involvement with the Internet infrastructure? (pick one answer)

| Answer choice | Percentage of total respondents |
| --- | --- |
| Individual consumer, Internet user | 23% |
| Internet Service Provider (access + services) | 18% |
| Educational organization | 12% |
| In the business of creating products that leverage the Internet | 10% |
| Internet-enabled business | 9% |
| Enterprise (not primarily dependent on the Internet) | 8% |
| Hosted (cloud) services provider | 5% |
| Government office | 3% |
| Other* | 11% |

*We asked those who selected ‘Other’ what their role was, and the responses mostly indicated an individual contributor, rather than service operator role. Responses included: consultant, hobbyist, small business, Internet engineer, and registrar.

50 economies represented

Although the largest number of responses came from the United States, 50 economies were represented, including economies in South America, the Middle East, the Caribbean and Africa. Participation was relatively weaker across Asia, outside of China.

Findings

  • 70% said that end-user privacy concerns are very or extremely important factors in decisions about what products or services are offered, and how those services work.
  • Over half of all respondents said privacy concerns had ALREADY impacted the products and services they used in their organization, and between 30% and 40% cited various restrictions on data use because of privacy concerns. Many respondents commented that they already have restrictions imposed by HIPAA (Health Information Privacy Protection Act) or PCI (Payment Card … something), implying that this is just another compliance requirement.
  • 50% see a very or extremely useful marketing benefit for their company if they can make end-user privacy claims about their products or services.
  • 11% of respondents have already deployed Qualified Name (QNAME) minimization. 34% said they would like to or plan to implement QNAME minimization. 19% said they did not want to implement QNAME minimization and the rest were not sure. When we eliminated the responses from Individuals and the ‘Other roles’ category, QNAME minimization was even more popular, with 9% already implemented and 43% planning to implement.
  • When asked whether QNAME minimization is required under GDPR, 29% thought it might be, and an exactly equal number of people thought it wasn’t. The rest weren’t sure.
  • 50% of all respondents are very or extremely interested in offering encrypted DNS services.
  • Respondents rated various suggested ‘obstacles’ to deploying encrypted DNS services. The most often cited significant obstacles were: (1) availability of the features in the products and services they use; and (2) lack of time and resources to develop and deploy the service. The DNS developer community can add the features, of course, but we have to be aware that for operators, one of their top concerns is not having the time to deploy them.
  • Despite the obstacles to deploying a full DNS privacy service, 70% of respondents would not recommend or select a public hosted DNS privacy service like 1.1.1.1 or 9.9.9.9 for their users. We can speculate as to why that might be, but we did not ask why in this survey. The respondents who appear to be individual contributors (Individual and ‘Other roles’) were more accepting of the hosted DNS privacy services than those who apparently operate services for others.

See a read-only view of results on Survey Monkey.

Conclusions

If we develop QNAME minimization in BIND, we can expect that approximately half our users are open to deploying it. That seems like a good level of commitment for a feature that isn’t even developed yet. [QNAME minimization is currently in development in BIND. Unbound has already released support for this feature.]

Since some respondents are already using QNAME minimization, we can infer that not all respondents are BIND users. As one respondent pointed out to us, DNSdist has QNAME minimization but the PowerDNS Recursor does not.

Interest in QNAME minimization was somewhat lower among individual contributors than service operators. The reason for this is not obvious from this survey.

For privacy advocates, the fact that 50% see a marketing benefit in touting privacy protections is an opportunity. Perhaps we need a ‘DNS Privacy Compliant’ sticker for services?

We might have received more useful insights if we had qualified respondents more, selecting only those running recursive services, and asking how many end users their services supported. Since DNS privacy really only applies to recursive services, the authoritative operators and registrars who answered the survey may have been confused about how to answer and may have obscured the trends among resolver operators.

There was no consensus about what GDPR might mean for DNS operators.

See the DNS Privacy Project website to find out more about what DNS privacy means.

I am willing to share the whole data set with anyone – there is no personally-identifying information in it. If you would like the data dump, please email me at vicky at isc dot org.

Original post appeared on isc.org/blogs

Vicky Risk is Product Manager for ISC’s open source software and Director of Marketing.
