FIRST DNS over TCP survey

I recently repeated, with the FIRST community, the DNS over TCP survey previously given to the REN-ISAC community. FIRST membership is made up largely of incident response teams from around the globe, and all types of sectors are represented within it, including national CSIRTs, banks, governments, and software vendors. I thought it might be interesting to repeat the survey with a security community whose membership overlaps only a little, if at all, with REN-ISAC's. I expected FIRST survey respondents to express a greater desire to block or restrict DNS over TCP traffic than their REN-ISAC counterparts. The evidence failed to support that belief.

A link to a new online survey was emailed to all members of each FIRST team. The survey link was available for approximately one week. A little over 60 people responded.

Since email to each team goes to a team alias that is administered locally and independently by that team, we have no way of knowing exactly how many people received the survey. However, we can make an educated guess. The number of respondents to the FIRST survey was nearly the same as for the REN-ISAC survey, so, assuming roughly similar response rates, it stands to reason that the total populations of the two groups are within the same order of magnitude.

There were only two survey questions, each with three answer choices. Only one answer per question was allowed. The questions and their respective answer choices are shown below; the percentage of respondents who chose each answer appears in brackets after it.

Question I: Which statement most closely reflects your current thinking on the role, use, and handling of DNS over TCP traffic on the Internet?

  1. It should be blocked everywhere / it is unnecessary or unwanted. [5%]
  2. It should be restricted in use to DNS zone transfers between authorized hosts only (i.e. masters and slaves). [34%]
  3. It should be allowed wherever DNS communications are permitted. [61%]

Question II: Which statement most closely reflects how your institution treats DNS over TCP traffic?

  1. It is allowed wherever DNS communications are permitted. [74%]
  2. It is restricted in use to DNS zone transfers between authorized hosts only (i.e. masters and slaves). [18%]
  3. It is blocked everywhere / it is unnecessary or unwanted. [8%]

Compared to the REN-ISAC results, FIRST respondents were roughly of the same mindset, if anything slightly more permissive in their thinking about the issue, but FIRST member organizations appear to be slightly more restrictive in practice with DNS over TCP traffic on their networks.

Across the two surveys, a significant portion, though seemingly not a majority, of security practitioners feel that some restriction of DNS over TCP is desirable. What respondents report is actually done on their networks, however, is considerably more permissive than that.

As a brief reminder, the Internet-Draft on DNS Transport over TCP aims to encourage operators to permit DNS messages to be carried over TCP wherever DNS is permitted at all. The practical reason is that TCP is not only a zone-transfer mechanism: a resolver that receives a UDP response with the TC (truncated) bit set is expected to retry the query over TCP, so a network that blocks TCP/53 can break resolution of answers too large for UDP.

I have at least one more community to survey, made up of a vastly different population of users than either REN-ISAC or FIRST. Another useful activity would be active DNS over TCP measurement queries sent to a large and varied set of name servers, and from a large and varied set of origin networks. If and when I get around to conducting those surveys, you'll read about the results in future blog posts here.
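The active measurement idea above amounts to sending a real DNS query over TCP/53 and checking whether a well-formed answer comes back. The following is an added example, not code from the original post, showing what such a probe looks like at the wire level: the RFC 1035 message layout, the two-byte length prefix that distinguishes DNS over TCP from DNS over UDP, and a read loop that does not assume the whole message arrives in one recv(). The server name, query name, transaction ID and the canned response are all constructed for the example rather than captured from a live server.

```python
"""DNS over TCP probe (added example; not the original post's code).

Assumptions: RFC 1035 message format; TCP framing is a 2-byte big-endian
length prefix (RFC 1035 section 4.2.2). SAMPLE_RESPONSE below is built by
hand for illustration and uses 192.0.2.1 from the TEST-NET-1 range.
"""
import socket
import struct

TXID = 0x1234  # fixed transaction ID so the example is deterministic


def build_query(qname, qtype=1, txid=TXID):
    """Build a recursive (RD=1) query for qname, QTYPE qtype, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg):
    """Over TCP every DNS message is prefixed with its 2-byte length;
    over UDP the datagram boundary is the message boundary instead."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    """Read exactly n bytes; a short read is not an error, a close is."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full message arrived")
        buf += chunk
    return buf


def read_tcp_message(sock):
    """Read one length-prefixed DNS message from a stream socket."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def parse_header(msg):
    """Return the header fields a probe cares about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "tc": bool(flags & 0x0200),   # truncated (never expected over TCP)
        "rcode": flags & 0x000F,      # 0 = NOERROR
        "ancount": an,
    }


def probe_over_socket(sock, qname):
    """Send one query on an already-connected socket-like object and
    classify the result. Any transport failure is reported as unreachable."""
    try:
        sock.sendall(frame_for_tcp(build_query(qname)))
        resp = read_tcp_message(sock)
    except OSError as exc:  # ConnectionError, timeout, reset, refused ...
        return {"reachable": False, "error": str(exc)}
    hdr = parse_header(resp)
    return {"reachable": True, "id_ok": hdr["id"] == TXID, **hdr}


def probe_tcp(server, qname, timeout=3.0):
    """Live probe: connect to server:53 over TCP and run probe_over_socket."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            return probe_over_socket(s, qname)
    except OSError as exc:
        return {"reachable": False, "error": str(exc)}


# Constructed response for offline use: NOERROR answer with one A record.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)         # QR=1 RD=1 RA=1
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)      # name ptr, A, IN, TTL, rdlen
    + bytes([192, 0, 2, 1])                                   # 192.0.2.1
)


class CannedSocket:
    """Socket stand-in that replays `data` one byte per recv(), which
    exercises the reassembly loop the way a slow real peer would."""

    def __init__(self, data):
        self._data = data
        self.sent = b""

    def sendall(self, b):
        self.sent += b

    def recv(self, n):
        chunk, self._data = self._data[:1], self._data[1:]
        return chunk


if __name__ == "__main__":
    print(probe_over_socket(CannedSocket(frame_for_tcp(SAMPLE_RESPONSE)), "example.com"))
```

For a real measurement run, probe_tcp() is called per server; a result with reachable False and a timeout or "connection refused" error is the signature of TCP/53 being filtered, while reachable True with tc False and rcode 0 is the permissive case the Internet-Draft argues for.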