REN-ISAC DNS over TCP survey

In April of this year I conducted an informal two-question survey aimed at the general membership population of the REN-ISAC community. The intent was to gather personal positions and associated member institution stances on DNS over TCP (i.e. should it be filtered, restricted, or unfettered). I was interested in gathering Internet community perceptions after a recently submitted Internet-Draft on DNS Transport over TCP was adopted by the IETF dnsop working group. REN-ISAC participants are generally well regarded, having both a breadth of knowledge and above average technical expertise. I had hoped the results would demonstrate the “best case” representation of any organized security community. By best case, I mean those who realize the pitfalls of filtering or restricting DNS over TCP traffic, and who would generally accept that it ought to be allowed unfettered.

The survey was conducted online, solicited through an email link that reached all subscribed members, of which there were approximately 1700 at the time. The survey link was available for approximately one week. A little over 60 people responded, for a return rate of approximately 3.5%.

There were only two survey questions, both with three answer choices each. Only one answer per question was allowed. The questions and their respective answer choices are shown below. Following each answer choice in bold are the representative tallies of the voting results.

Question I: Which statement most closely reflects your current thinking on the role, use, and handling of DNS over TCP traffic on the Internet?

  1. It should be blocked everywhere / it is unnecessary or unwanted. [6%]
  2. It should be restricted in use to DNS zone transfers between authorized hosts only (i.e. masters and slaves). [38%]
  3. It should be allowed wherever DNS communications are permitted. [56%]

Question II: Which statement most closely reflects how your institution treats DNS over TCP traffic?

  1. It is allowed wherever DNS communications are permitted. [79%]
  2. It is restricted in use to DNS zone transfers between authorized hosts only (i.e. masters and slaves). [18%]
  3. It is blocked everywhere / it is unnecessary or unwanted. [3%]

The results weren’t too surprising, at least not to me. If I were to have guessed ahead of time, I might have overestimated the population of those who have a desire to block DNS over TCP everywhere. Perhaps the results reflect a bias of the research and education (R&E) community, which historically leans toward the less restrictive.

It is worth pointing out the difference in answers between the two questions. Comparing what the institution does with what the person answering prefers shows that a significant number of respondents would be more restrictive than what occurs in practice. This difference is likely attributable in part to the type of respondent polled. REN-ISAC members are primarily information security staff. Security personnel probably tend to skew towards a default deny stance more than their colleagues in other departments.

If I could affect any sort of change in attitude and practice, it would be to enlighten those who mistakenly believe DNS over TCP is only ever used for zone transfers or to convince those who might limit DNS over TCP for any reason to reconsider. With any luck, the IETF document I’m working on will help do just that.
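The misconception described above is easiest to see in the client behaviour that depends on TCP: when a UDP answer comes back with the TC (truncated) bit set, a resolver must retry the same query over TCP, where every message carries a two-byte length prefix. The following is an added Python example, not code from the original post or the IETF draft; the DNS messages in it are constructed inline rather than captured from a network.

```python
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RFC 1035 wire format) with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(msg: bytes) -> bool:
    """True if the TC bit (0x0200 in the flags word) is set: the UDP answer
    was cut off and the client must repeat the query over TCP."""
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & 0x0200)

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream: bytes) -> list:
    """Split a TCP byte stream into complete DNS messages. A stream may carry
    several messages; a trailing incomplete one is left for the next read."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        if off + 2 + n > len(stream):
            break
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs

def next_step(udp_response: bytes) -> str:
    """What a standards-following stub resolver does with a UDP answer.
    If a firewall blocks TCP/53, the 'retry-over-tcp' path fails outright."""
    return "retry-over-tcp" if is_truncated(udp_response) else "udp-ok"

# Constructed sample data (not real traffic): a query for example.com and a
# matching UDP response with QR, TC, RD and RA set (flags 0x8380) and no answers.
QUERY = build_query("example.com")
TRUNCATED_UDP_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    print(next_step(TRUNCATED_UDP_RESPONSE))
    print(tcp_frame(QUERY)[:2].hex(), len(tcp_unframe(tcp_frame(QUERY) * 2)))
```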