Do DNS Operators Want to Deploy DNS Privacy?

The IETF standards community regards the possibility of pervasive monitoring as an attack on the Internet and there is strong consensus among IETF participants that we must protect Internet users’ privacy.

We were wondering whether the people who are operating DNS services were feeling a similar sense of urgency, and if they had any significant concerns about obstacles to deployment.

From March 25 – May 4, 2018, we ran a survey, advertised via social media and ISC’s Software Downloads page, asking whether people running DNS systems were interested in deploying DNS privacy, and what concerns they had.

Here are the results of that survey.

Screenshot of ISC tweet with survey results

Who Responded?

We advertised on social media, but then worried that most of those respondents might be specifically interested in privacy, so we added a survey invite on ISC’s Software Downloads page to get participation from people who might not follow ISC on social media. There was no “prize” offered for completing the survey and no recognition, so the only likely motivation was wanting to help us out.

We got 195 responses in total.

  • 126 were from various social media (we posted on Twitter, ISC’s LinkedIn page and a couple of LinkedIn groups, and ISC’s Facebook page).
  • We got 64 responses from people who clicked the link on ISC’s Downloads page.
  • Another 5 people responded to a solicitation sent to the RIPE DNS working group mailing list.

With an open survey like this, there is no real way to ensure that the respondents are representative of the overall operator population. We asked only the minimum of demographic questions to keep the survey very short, to maximize completion of the survey. We did not collect any personally-identifying information. (It’s a privacy survey!)

What is your primary involvement with the Internet Infrastructure? (pick one answer)
Answer choice Percentage of total respondents
Individual consumer, Internet user

23%
Internet Service Provider (access + services)

18%

Educational organization

12%

In the business of creating products that leverage the Internet

10%

Internet-enabled business

9%

Enterprise (not primarily dependent on the Internet)

8%

Hosted (cloud) services provider

5%

Government office

3%
Other* 11%

We asked those who selected “Other” what their role was, and the responses mostly indicated an individual contributor, rather than service operator role. Responses included: consultant, hobbyist, small business, Internet engineer, registrar.


50 Countries represented

Although the largest number of responses came from the United States, 50 countries were represented, including countries in South America, the Middle East, the Caribbean, and Africa. Participation was relatively weaker across Asia, outside of China.

Pie chart of countries that responded to ISC's survey, led by the US, Germany, and the UK

Findings

  • 70% said that end-user privacy concerns are a very or extremely important factor in decisions about what products or services are offered, and how those services work.
  • Over half of all respondents said privacy concerns had ALREADY impacted the products and services they used in their organization, and between 30 – 40% cited various restrictions on data use because of privacy concerns. Many respondents commented that they already have restrictions imposed by HIPAA (Health Insurance Portability and Accountability Act) or PCI (Payment Card … something), implying that this is just another compliance requirement.
  • 50% see a very or extremely useful marketing benefit for their company, if they can make end-user privacy claims about their products or services.
  • 11% of respondents have already deployed QNAME minimization. 34% said they would like to or plan to implement QNAME minimization. 19% said they did not want to implement QNAME minimization and the rest were not sure. When we eliminated the responses from Individuals and the “Other roles” category, QNAME minimization was even more popular, with 9% already implemented and 43% planning to implement.
  • When asked whether QNAME minimization is required under GDPR, 29% thought it might be, and an exactly equal number of people thought it wasn’t. The rest weren’t sure.
  • 50% of all respondents are very or extremely interested in offering encrypted DNS services.
  • Respondents rated various suggested “obstacles” to deploying encrypted DNS services. The most often cited significant obstacles were (1) availability of the features in the products and services they use and (2) lack of time and resources to develop and deploy the service. The DNS developer community can add the features, of course, but we have to be aware that for operators, one of their top concerns is not having the time to deploy them.
  • Despite the obstacles to deploying a full DNS privacy service, 70% of respondents would not recommend or select a public hosted DNS privacy service like 1.1.1.1 or 9.9.9.9 for their users. We can speculate as to why that might be, but we did not ask why in this survey. The respondents who appear to be individual contributors (Individual and Other roles) were more accepting of the hosted DNS privacy services than those who apparently operate services for others.

For a read-only view of the charts on Survey Monkey, click here.

Conclusions

If we develop QNAME minimization in BIND, we can expect that approximately half our users are open to deploying it. That seems like a good level of commitment for a feature that isn’t even developed yet. (QNAME minimization is currently in development in BIND. Unbound has already released support for this feature.) Since some respondents are already using QNAME minimization, we can infer that not all respondents are BIND users. As one respondent pointed out to us, DNSdist has QNAME minimization but the PowerDNS Recursor does not.

Interest in QNAME minimization was somewhat lower among individual contributors than service operators. The reason for this is not obvious from this survey.

For privacy advocates, the fact that 50% see a marketing benefit in touting privacy protections is an opportunity. Perhaps we need a “DNS Privacy Compliant” sticker for services?

We might have gotten more useful insights if we had qualified respondents more, selecting only those running recursive services, and asking how many end users their services supported. Since DNS Privacy really only applies to recursive services, the authoritative operators and registrars who answered the survey may have been confused about how to answer and may have obscured the trends among resolver operators.

There was no consensus about what GDPR might mean for DNS operators.

To find out more about what DNS Privacy means, we recommend the website for the DNS Privacy Project.


I am willing to share the whole data set with anyone – there is no personally-identifying information in it. If you would like the data dump, please email me at vicky at isc dot org.

Recent Posts

What's New from ISC