Two thirds of DNS queries for IPv6 hosts sent to Chinese resolvers fail, researchers find

China's DNS resolvers fail two thirds of the time when handling queries for IPv6 addresses, and botch one in eight queries for IPv4, according to a group of Chinese academics. As explained in a paper titled "A deep dive into DNS behavior and query failures" and summarized in a blog post at APNIC (the Asia Pacific's regional …

  1. fajensen

    Maybe the redirect into the Chinese security services just needs a bigger pipe?

    1. Pascal Monett Silver badge

      Maybe don't depend on China for security?

      1. Ken Hagan Gold badge

        Or, if you are trying to protect yourself from China, don't use IPv4. We may finally have found the killer application for IPv6. :)

      2. fajensen

        I think, in China, having your data officially vetted is not only the kind of offer that you can't refuse but also a proposition that the clients must support with visible enthusiasm.

  2. Alex Brett

    What does failed mean?

    How are they defining fail - e.g. any hostname that only has an IPv4 address, the AAAA query (which any IPv6 enabled client will typically send first) will fail, and the client will then fall back to an A query for a v4 address - is that counted in their statistics, as if so then it's just modelling the IPv6 takeup rather than any issues with the resolution infrastructure etc...

    1. Ken Hagan Gold badge

      Re: What does failed mean?

      The linked blog post suggests that they've filtered those out. As you imply, it would hardly be worth reporting otherwise.

      It also mentions the PTR queries have a failure rate that is almost as bad. Apparently quite a lot of DNS is a bit crap.

    2. Nanashi

      Re: What does failed mean?

      "as if so then it's just modelling the IPv6 takeup rather than any issues with the resolution infrastructure etc..."

      I wondered that too, and that seems to be exactly what they're doing:

      "For each response, we extract the requested domain (the QNAME) from the Question portion, and check if the response contains a valid answer (e.g. for an A query, at least one RR in the response is an A record of the requested domain). In this paper, we are interested in failures caused by DNS infrastructures instead of NXDOMAINs (e.g. typos). However, we do not have the response code (e.g. ’NOERROR’, ’NXDOMAIN’ or other status) in our dataset."
      If they don't have the error code, they have no way to distinguish between the query failing or it successfully returning zero results, and they're counting both as a failure. And worse:
      "Moreover, our dataset does not allow us to inspect failed queries that did not trigger a response (e.g. due to packet loss)."
      ...which means they can't even detect most actual failures. They do try to accommodate NXDOMAIN, by filtering out domains that never returned an A or AAAA record, but they don't do any per-record-type filtering:
      "When limiting to domains whose query frequency exceeds 100, only 7.8% of domains have a success rate exceeding 95% [for AAAA queries], while about 60% of domains have never been successfully resolved. Again, given that we only include domains that have been successfully resolved (considering all query types), this suggests that there are infrastructural limitations in how DNS supports IPv6."
      There's no way their results support that. "Hostnames can have A records without having AAAA records" isn't an infrastructural limitation in IPv6 support in DNS.

      They also say this:

      "the failure rate for AAAA queries is as high as 64.2%, almost 3 times of that in 2012 [8]."
      I checked that reference (https://dl.acm.org/doi/pdf/10.1145/2486001.2486018) and their results are 78% of domains returning NOERROR (successfully returning zero or more results). In other words, the large number of domains that have an A record and no AAAA record are counted as successful by that paper but as failed by this paper, making the numbers incomparable, but they go ahead and compare them anyway.

      Either they didn't realize what they were doing there, or they were aiming for a clickbaity paper. Either way, it's not a good sign.
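
The counting difference discussed in the comment above, as an added example that is not part of the thread or the paper: the same observations are scored once by "response contains a record of the requested type" and once by response code. The sample data, the function names and the choice to apply the same domain filter to both methods are assumptions made for illustration.

```python
from collections import Counter

# Constructed observations: (qname, qtype, rcode, answer RR types).
# The rcode column is what the paper's dataset is quoted as lacking.
SAMPLE = [
    ("v4only.example", "A",    "NOERROR",  ["A"]),
    ("v4only.example", "AAAA", "NOERROR",  []),      # NODATA: name exists, no AAAA
    ("v4only.example", "AAAA", "NOERROR",  []),
    ("dual.example",   "A",    "NOERROR",  ["A"]),
    ("dual.example",   "AAAA", "NOERROR",  ["AAAA"]),
    ("dual.example",   "AAAA", "SERVFAIL", []),      # genuine resolution failure
    ("typo.example",   "AAAA", "NXDOMAIN", []),      # never resolves for any type
]

def answer_based(obs):
    """Success only if an RR of the requested type came back (no rcode used)."""
    _, qtype, _, answers = obs
    return qtype in answers

def rcode_based(obs):
    """NOERROR counts as success, even with zero answers."""
    return obs[2] == "NOERROR"

def resolved_names(observations):
    # Domain filter from the quoted passage: keep only names that resolved
    # at least once for any query type, which drops NXDOMAIN-style typos.
    return {o[0] for o in observations if answer_based(o)}

def failure_rate(observations, qtype, is_success):
    keep = resolved_names(observations)
    rows = [o for o in observations if o[1] == qtype and o[0] in keep]
    return sum(not is_success(o) for o in rows) / len(rows)

def breakdown(observations, qtype):
    """Split the answer-based 'failures' by what the rcode says happened."""
    keep = resolved_names(observations)
    return dict(Counter(
        "NODATA" if o[2] == "NOERROR" else o[2]
        for o in observations
        if o[1] == qtype and o[0] in keep and not answer_based(o)))

if __name__ == "__main__":
    print("answer-based AAAA failure rate:", failure_rate(SAMPLE, "AAAA", answer_based))
    print("rcode-based AAAA failure rate: ", failure_rate(SAMPLE, "AAAA", rcode_based))
    print("answer-based failures by cause:", breakdown(SAMPLE, "AAAA"))
```
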

  3. Anonymous Coward

    A cynic would suggest...

    ...that all the tested servers are delayed by checking on a back end government "these are banned" server.
