The state of DNS security records 2017

These days there are quite a few security initiatives that depend upon DNS, and to keep those secure you need to implement DNSSEC. Many people across the board, from Google to security advisory firms, are encouraging the uptake of these initiatives, many of which are getting quite long in the tooth (SPF is over a decade old). However, I’ve for a long time thought that many of these “enhancements” are far from trivial to implement: if you’re a small operator it’s a lot of work for small gains, and if you’re large then unless you can automate it it’s just not viable. Looking at implementing many of these enhancements myself, and the work involved, I started wondering what deployment looked like amongst other people, so I thought I’d do a quick survey, and on the whole it’s not a pretty sight. From my far from scientific survey the only thing with more than 50% deployment is SPF, which is the easiest to implement as long as you’re not thorough and is largely worthless without DMARC ( an article for another day )*. For my survey I thought I’d look at the Alexa top 50, the top 100 domain registrars, the hot 500 security firms, all of the ICANN accredited registrars as well as a bunch of DNS hosting providers ( Neustar, Verisign CSC, DYN and their ilk), DNS vendors ( InfoBlox, Efficient IP, ISC etc) and a random selection of bad guys. Now obviously this isn’t a scientific sample and the groups vary massively in size, but with the exception of my bad guys list, if these organizations can’t implement what we’re told is best practice what hope do the rest of us have?

The things I checked for were IPv6, SPF, DKIM, DMARC, DNSSEC and CAA. I didn’t validate how sensible the published records were, just that they existed. In the case of DKIM, as the actual record name can’t be determined without knowing the selector, I looked for an NXDOMAIN response on _domainkey.<domain> to indicate that no selector record existed; if I got anything other than NXDOMAIN then I can deduce that there is a selector record published. Like I say, a bit rough and ready, but enough to get a bit of an overview of what’s going on. I’m not going to publish my domain lists as I don’t want to get into legal trouble for impugning someone’s reputation, nor do my results say anything about the quality of the security of any given company; I was just trying to get a feel for how well these various initiatives have been picked up. If you want to run the same tests against your own or other domains I put together a quick and dirty tool. I don’t count IPv6 presence for or against security; that’s more just for interest, as it’s been a “should implement” for many years now. Before we look at the results, my data set sizes are as follows:

  • Alexa – 50
  • Bad guys – 900
  • Commercial DNS hosting – 27
  • ICANN accredited registrars – 1149
  • Top 100 Registrars – 100
  • Security hot 500 – 497 ( I couldn’t determine domains for all of them)
  • DNS application/appliance vendors 15 ( It’s not a big field)

Like I say, not exactly scientific, but a decent enough starting point: 2,736 domains in total, 1,836 of which are legitimate and one would hope should be leading the way in implementing best practices. Sadly, if they’re our best hope I’m not hopeful.

Looking at what percentage of each of those groups has what implemented, it’s not a cheery sight, and in some instances the bad guys aren’t far behind ( and I suspect my bad guys list is probably under-reporting ).
Deployment by group

As you can see with the exception of SPF the uptake across the board isn’t good. The uptake of any of these technologies amongst ICANN accredited registrars is frankly frightening. If the ICANN registrars can’t implement DNSSEC and the other technologies what hope do the rest of us have? Further as the security of our domains depends ultimately on our registrars the headline isn’t good, as it seems that our registrars are probably the weakest link.

The high deployment of SPF did give me hope; at least people are locking down where their mail can originate from. Sadly I then looked at what actual SPF policies were deployed and it’s not pretty. Predictably the Alexa top 50 manage to get over 70% with a “-all” policy; following them, just over 50% of ICANN accredited registrars are prepared to say where their mail originates from.

SPF policies

For the rest it’s not reassuring, and it’s worth noting that almost 40% of the malevolent domains I checked have some sort of SPF record published. But maybe all will be saved by DMARC, because as noted previously neither DKIM nor SPF achieve much without a DMARC policy to say how much attention to pay to them. Yeah, that’s really not good: on the DMARC front not a single group has over 50% publishing a “reject” policy. So at present the majority of organisations effectively have no DNS based e-mail security.

DMARC policies

Even if you assume that “quarantine” is the same as reject, the best group ( the Alexa top 50 ) still doesn’t hit 70%, and the security firms and ICANN registrars really should be setting a better example.
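To make the methodology concrete (the per-record presence checks described earlier, the DKIM NXDOMAIN heuristic, and the SPF “-all” and DMARC “p=” policy breakdowns in the two charts), here is an added example checker. It is not the author’s tool and not taken from the article; the zone data and the domain names example.test, weak.test and nx.test are constructed so that the demo runs offline, and lookups go through an injected query function so the same code can be pointed at a live resolver.

```python
"""Added example: a minimal DNS security-record survey in the spirit of the
article. Lookups are injected: a query function returns None for NXDOMAIN,
[] for NOERROR-with-no-data, and the record strings otherwise."""
import re
from typing import Callable, Dict, List, Optional, Tuple

QueryFn = Callable[[str, str], Optional[List[str]]]

# Constructed zone data for hypothetical names (not real domains).
_FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all"],
    ("example.test", "AAAA"): ["2001:db8::1"],
    ("example.test", "DNSKEY"): ["257 3 13 CONSTRUCTED-KEY-MATERIAL"],
    ("example.test", "CAA"): ['0 issue "ca.example.test"'],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    # A selector record exists, so _domainkey.example.test is an empty
    # non-terminal: it answers NOERROR with no data rather than NXDOMAIN.
    ("s1._domainkey.example.test", "TXT"): ["v=DKIM1; k=rsa; p=CONSTRUCTED"],
    # weak.test: softfail SPF, DMARC p=none, no DKIM/DNSSEC/CAA/IPv6.
    ("weak.test", "TXT"): ["v=spf1 include:_spf.weak.test ~all"],
    ("_dmarc.weak.test", "TXT"): ["v=DMARC1; p=none"],
}


def fake_query(name: str, rtype: str) -> Optional[List[str]]:
    """Resolver stand-in over _FAKE_ZONE that preserves the NXDOMAIN vs
    NODATA distinction: a name exists if it, or any name below it, holds
    a record of any type."""
    name = name.rstrip(".").lower()
    if (name, rtype) in _FAKE_ZONE:
        return list(_FAKE_ZONE[(name, rtype)])
    exists = any(n == name or n.endswith("." + name) for n, _ in _FAKE_ZONE)
    return [] if exists else None


def dnspython_query(name: str, rtype: str) -> Optional[List[str]]:
    """Live adapter using dnspython (optional, not used by the offline demo).
    Timeouts and broken delegations are reported as [] (unknown), which a
    careful survey should count separately rather than as 'absent'."""
    import dns.exception
    import dns.resolver
    try:
        ans = dns.resolver.resolve(name, rtype)
    except dns.resolver.NXDOMAIN:
        return None
    except (dns.resolver.NoAnswer, dns.resolver.NoNameservers, dns.exception.Timeout):
        return []
    if rtype == "TXT":
        return [b"".join(r.strings).decode("utf-8", "replace") for r in ans]
    return [r.to_text() for r in ans]


def spf_policy(txt_records: List[str]) -> str:
    """'missing', 'invalid' (two SPF records is a permerror under RFC 7208),
    the qualifier of the terminal 'all' mechanism, or 'no-all'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"
    names = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return names[m.group(1)]
    return "no-all"  # ends without 'all': implicitly neutral


def dmarc_tags(txt_records: List[str]) -> Dict[str, str]:
    """Tag dictionary of the first record starting with v=DMARC1, else {}."""
    for r in txt_records:
        if r.strip().lower().startswith("v=dmarc1"):
            tags: Dict[str, str] = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return {}


def survey(domain: str, query: QueryFn = fake_query) -> Dict[str, object]:
    """Presence and policy summary for one domain, mirroring the article's checks."""
    dmarc = dmarc_tags(query(f"_dmarc.{domain}", "TXT") or [])
    return {
        "ipv6": bool(query(domain, "AAAA")),
        "spf": spf_policy(query(domain, "TXT") or []),
        # NXDOMAIN under _domainkey means no selector exists; anything else means one does.
        "dkim": query(f"_domainkey.{domain}", "TXT") is not None,
        "dmarc": "missing" if not dmarc else dmarc.get("p", "invalid").lower(),
        "dmarc_reporting": "rua" in dmarc or "ruf" in dmarc,
        # A DNSKEY at the apex shows signing is set up, not that the parent holds a DS.
        "dnssec": bool(query(domain, "DNSKEY")),
        "caa": bool(query(domain, "CAA")),
    }


def deployment(domains: List[str], query: QueryFn = fake_query) -> Dict[str, float]:
    """Percentage of a group publishing each record, as in the charts."""
    rows = [survey(d, query) for d in domains]

    def pct(flag: Callable[[Dict[str, object]], bool]) -> float:
        return round(100.0 * sum(1 for r in rows if flag(r)) / len(rows), 1)

    return {
        "spf_any": pct(lambda r: r["spf"] not in ("missing", "invalid")),
        "spf_fail": pct(lambda r: r["spf"] == "fail"),
        "dkim": pct(lambda r: bool(r["dkim"])),
        "dmarc_reject": pct(lambda r: r["dmarc"] == "reject"),
        "dnssec": pct(lambda r: bool(r["dnssec"])),
        "caa": pct(lambda r: bool(r["caa"])),
        "ipv6": pct(lambda r: bool(r["ipv6"])),
    }


if __name__ == "__main__":
    for d in ("example.test", "weak.test", "nx.test"):
        print(d, survey(d))
    print(deployment(["example.test", "weak.test", "nx.test"]))
```

The injected resolver is the point of the design: the NXDOMAIN-versus-NODATA behaviour that the DKIM heuristic relies on is easy to get wrong when a library collapses both into “no answer”, so the live adapter keeps them apart and treats timeouts as unknown rather than absent. Counting a DNSKEY at the apex as “DNSSEC” matches the article’s presence-only method, but a domain is only validated once its registrar has published the DS at the parent, which is exactly the registrar step the article complains about.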

As far as CAA records go it’s probably too early to tell; they’re easy to implement and will no doubt be a lot more popular next year. IPv6 is still only taking off very slowly, but that’s hardly news. I’d love to be told my methodology is wrong and I’m misinterpreting the results ( seriously, demonstrate I’m wrong, I’ll sleep better ), but I have to wonder, when our domain registrars and security firms are doing so badly, what hope do the rest of us have to implement what we’re told is best practice? This survey is also just looking at what records are published, not how sensible those records are nor how they’re monitored or enforced, so the situation is probably even worse.

Traditionally one is meant to finish articles such as this with some upbeat message as to the way forward; I’m not sure I have one. Only a single domain name that I checked out of almost 2,000 reputable firms actually had everything fully implemented (a gold star for the NCC Group). From a personal point of view, these days I have some of my DNS hosted with my domain registrar and yet enabling DNSSEC still involves manual key rolling, and there’s no small-scale cheap DMARC offering for individuals and small organisations. At the other end of the scale the problems are much the same: there are partial solutions, but getting DNSSEC keys updated with registrars still involves either manual work or home-grown automation, which isn’t tempting when you risk taking your entire organisation off-line if you get it wrong. If the companies that sell us the services and technologies we use to implement these solutions had solved the problems and did a better job of it themselves I might be upbeat, but they don’t. Even the companies we pay to tell us what we should be doing and whose business it is to promote best practice ( I’m looking at you Deloitte, Gartner and co. ) have rarely done much more than SPF and DKIM. When the bad guys are probably doing as well if not better than most small organisations I can’t help but think that we have a serious problem.

Maybe I’ll repeat my survey next year and we’ll be in a better place.

  • It has been pointed out to me that there is value in publishing DMARC records without specifying either reporting address, which would lower the barrier to implementation, but from a corporate point of view it’s not really best practice.

  • Update: the DKIM numbers may well be on the low side, as the DKIM keys do not technically have to be in the same domain as the one being examined; when that’s the case there’s no way of checking for them, though generally speaking I wouldn’t expect that to be the case. Also, if they don’t match then the DKIM signature would fail alignment.

** Update 2: As lists of bad guys are these days commercial products I’m not in a position to say much about my bad guys list except it was from a live RPZ feed.
