The Domain Name System (DNS) is the critical Internet infrastructure responsible for translating domain names to IP addresses. The DNS resolver, which performs tasks such as caching, forwarding, and querying authoritative name servers on behalf of clients, serves a key role within this system. However, DNS resolvers also introduce several security and privacy concerns as a machine-in-the-middle between client queries and name server responses. In this study, we examine DNS resolvers used by clients in the Nordic and Baltic countries, conducting active measurements to assess the adoption of security and privacy features. We utilize the RIPE Atlas network of volunteer-run probes for our measurements in July 2025 and analyze 1066 unique probe-resolver pairs. We reveal that 92% supported IPv6, 87% were validating DNSSEC, 70% implemented QNAME Minimization, 83% avoided using EDNS Client Subnet, and 78% returned minimal responses to the client. We categorize the resolvers based on their network proximity to the client, allowing for more in-depth analysis. We find that private, within-AS, and public (outside-AS) resolvers show varying levels of feature adoption across these categories. We compare the Nordic and Baltic countries against each other focusing on preconfigured resolvers in the same AS as the probe (typically operated by ISPs). Norway has the highest adoption of IPv6 support and minimal responses, Denmark has a 100% adoption of DNSSEC, Estonia has the highest adoption of QNAME Minimization, and all countries avoid using the EDNS Client Subnet. We also identify strong adoption correlations between data minimization features, such as QNAME Minimization and minimal responses, as well as a relationship between DNSSEC and IPv6 support.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Privacy and Security of DNS Resolvers Used in the Nordics and Baltics

  • Jonathan Magnusson

摘要

The Domain Name System (DNS) is the critical Internet infrastructure responsible for translating domain names to IP addresses. The DNS resolver, which performs tasks such as caching, forwarding, and querying authoritative name servers on behalf of clients, serves a key role within this system. However, DNS resolvers also introduce several security and privacy concerns as a machine-in-the-middle between client queries and name server responses. In this study, we examine DNS resolvers used by clients in the Nordic and Baltic countries, conducting active measurements to assess the adoption of security and privacy features. We utilize the RIPE Atlas network of volunteer-run probes for our measurements in July 2025 and analyze 1066 unique probe-resolver pairs. We reveal that 92% supported IPv6, 87% were validating DNSSEC, 70% implemented QNAME Minimization, 83% avoided using EDNS Client Subnet, and 78% returned minimal responses to the client. We categorize the resolvers based on their network proximity to the client, allowing for more in-depth analysis. We find that private, within-AS, and public (outside-AS) resolvers show varying levels of feature adoption across these categories. We compare the Nordic and Baltic countries against each other focusing on preconfigured resolvers in the same AS as the probe (typically operated by ISPs). Norway has the highest adoption of IPv6 support and minimal responses, Denmark has a 100% adoption of DNSSEC, Estonia has the highest adoption of QNAME Minimization, and all countries avoid using the EDNS Client Subnet. We also identify strong adoption correlations between data minimization features, such as QNAME Minimization and minimal responses, as well as a relationship between DNSSEC and IPv6 support.