DNS HTTPS Measurement

About this paper

Exploring the Ecosystem of DNS HTTPS Resource Records: An End-to-End Perspective

Hongying Dong*, Yizhe Zhang*, Hyeonmin Lee*, Shumon Huque, and Yixin Sun*
*University of Virginia, Salesforce

This paper has been published at IMC 2024.

Summary

In this research, we investigated the adoption and management of DNS HTTPS records on both the server side (i.e., domains) and client side (i.e., web browsers). Specifically, we found that over 20% of Tranco’s top 1 million domains had DNS HTTPS records between May 2023 and March 2024, and major browsers utilize these records when establishing connections. Despite this growing adoption, our findings highlight challenges such as the proper maintenance of DNS HTTPS records and browser connection failures caused by misconfigurations.

Key findings

  1. DNS HTTPS records deployment: Despite its recent standardization, over 20% of Tranco top 1M domains have DNS HTTPS records.

    Figure: Percentages of apex/www domains that publish HTTPS records. Vertical dashed line (on August 1st, 2023) denotes the source change of the Tranco list.


    We also discovered that a significant contributing factor is Cloudflare’s default DNS HTTPS configuration, which accounts for over 70% of the domains with HTTPS records.

  2. ECH deployment for domains with DNS HTTPS records: Prior to October 5th, 2023, 70% of apex domains with HTTPS records supported ECH, with over 99% of them relying on Cloudflare name servers. However, after that date, ECH support dropped to 0% because Cloudflare disabled the feature for its domains. Furthermore, our observations show that domains maintain their ECH configurations for an average of 1.26 hours, implying key rotations every one to two hours. This frequent rotation can increase the risk of key inconsistency, given the complexity of managing ECH keys alongside DNS caches.

    Figure: Percentage of domains based on the average duration of their ECH configuration (in HTTPS records).

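As an added example (not the paper's code or data), the following Python parses the HTTPS RR wire format of RFC 9460, extracting the alpn and ech SvcParams and rejecting out-of-order keys, and measures how long each observed ECH config persisted across periodic snapshots, the kind of measurement behind the 1.26-hour figure above. The RDATA bytes, snapshot times and config values are constructed, and the run-duration definition is an assumption rather than the paper's exact method.

```python
import base64, struct
from datetime import datetime

def parse_name(data, off):
    """Decode an uncompressed wire-format domain name; return (name, next offset)."""
    labels = []
    while data[off] != 0:
        labels.append(data[off + 1:off + 1 + data[off]].decode("ascii"))
        off += 1 + data[off]
    return (".".join(labels) + "." if labels else "."), off + 1

def parse_https_rdata(rdata):
    """HTTPS RR RDATA -> (SvcPriority, TargetName, {param: value}), per RFC 9460."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = parse_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last_key:  # RFC 9460 requires strictly increasing SvcParamKeys
            raise ValueError(f"SvcParamKey {key} out of order")
        last_key, val, off = key, rdata[off + 4:off + 4 + length], off + 4 + length
        if key == 1:    # alpn: 1-byte-length-prefixed protocol ids
            ids, i = [], 0
            while i < len(val):
                ids.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
                i += 1 + val[i]
            params["alpn"] = ids
        elif key == 5:  # ech: opaque ECHConfigList, base64 as in presentation format
            params["ech"] = base64.b64encode(val).decode()
        else:           # other keys (port, ipv4hint, ...) kept raw, indexed by number
            params[key] = val
    return priority, target, params

def ech_config_durations(snapshots):
    """Hours each ECH config stayed in place, from first observation until a snapshot
    shows a different value (assumed definition; the paper's exact method may differ)."""
    runs, start = [], None
    for t, ech in snapshots:  # time-ordered [(datetime, ech)]
        if start is None:
            start = (t, ech)
        elif ech != start[1]:
            runs.append((start[1], (t - start[0]).total_seconds() / 3600))
            start = (t, ech)
    return runs

# Constructed sample RDATA: priority 1, TargetName ".", alpn=h3,h2, ech=6 opaque bytes
SAMPLE_RDATA = b"\x00\x01" + b"\x00" + b"\x00\x01\x00\x06\x02h3\x02h2" + b"\x00\x05\x00\x06\x00\x04ABCD"
# Constructed half-hourly snapshots of one domain's ech value (config names are placeholders)
SAMPLE_SNAPSHOTS = [(datetime(2023, 9, 1, h, m), e) for h, m, e in
                    [(0, 0, "A"), (0, 30, "A"), (1, 0, "A"), (1, 30, "B"), (2, 0, "B"), (3, 0, "C")]]
```

The last config in a series ("C" here) has no observed end and is therefore not counted, so an average over these runs slightly undercounts at the tail of a measurement window.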

  3. DNSSEC-signed DNS HTTPS records: The ratio of signed HTTPS records shows a decreasing trend.

    Figure: Percentages of HTTPS records with RRSIG (solid line), and with both RRSIG and the AD bit (dashed line). The AD (Authenticated Data) bit indicates that the DNS HTTPS record has a valid DNSSEC chain.


  4. Browser support for DNS HTTPS records: We found that while major browsers (Chrome, Safari, Edge, and Firefox) query DNS HTTPS records, they often fail to properly utilize the associated HTTPS parameters.

    The HTTPS RR support in four major browsers is represented as follows: a full circle indicates full utilization of the record or parameter, a half circle suggests partial utilization with some essential functions missing, and an empty circle denotes no support for the feature.


    Additionally, although most browsers (all except Safari) enable ECH by default, key features are missing: in Split Mode, for example, all three browsers fail to establish a connection. This lack of support can significantly disrupt servers with ECH configurations.