Keywords
Resolver, Encryption, Computer science, Computer security, Telecommunications, French fries
Authors
Meng Luo,Yepeng Yao,Liling Xin,Zhengwei Jiang,Qiuyun Wang,Wenchang Shi
Identifier
DOI:10.1016/j.comnet.2022.109081
Abstract
Encrypted DNS has been proposed to mitigate the vulnerability of traditional DNS to surveillance and tampering. Some encrypted DNS protocols, such as DNS over HTTPS (DoH) and DNS over TLS (DoT), have been promoted by the community and adopted by industry. However, although encrypted DNS is intended to protect users' privacy and security, how securely it is deployed in practice is still unknown. In this study, we focus on DoH and DoT to study the deployment and security of encrypted DNS from the perspective of open resolvers. We first propose a novel encrypted open resolver discovery method, which enables a comprehensive discovery of encrypted open resolvers across the IPv4 address space. Furthermore, we conduct security measurements on encrypted open resolvers for both the recursive and the iterative resolution they perform. Our measurements are the most comprehensive discovery to date and detect 5.7k open DoH resolvers and 9.6k open DoT resolvers in the IPv4 network. Moreover, we observe several security issues in the encrypted open resolvers. For example, we find that 10.2% of the open DoH resolvers and 60.7% of the open DoT resolvers use invalid certificates, and that 19.2% of the DNSSEC-supporting open DoH resolvers do not actually perform DNSSEC validation during resolution, including resolvers from the well-known providers Facebook and Alidns. Our research reveals pervasive misconfigurations of encrypted open resolvers in the wild. We recommend that resolver administrators carefully check and maintain the DNS security configuration of their encrypted resolvers.