Maybe the redirect into the Chinese security services just needs a bigger pipe?
China's DNS resolvers fail two thirds of the time when handling queries for IPv6 addresses, and botch one in eight queries for IPv4, according to a group of Chinese academics. As explained in a paper titled "A deep dive into DNS behavior and query failures" and summarized in a blog post at APNIC (the Asia Pacific's regional …
Thursday 18th August 2022 12:19 GMT Alex Brett
What does failed mean?
How are they defining fail - e.g. any hostname that only has an IPv4 address, the AAAA query (which any IPv6 enabled client will typically send first) will fail, and the client will then fall back to an A query for a v4 address - is that counted in their statistics, as if so then it's just modelling the IPv6 takeup rather than any issues with the resolution infrastructure etc...
Thursday 18th August 2022 18:41 GMT Ken Hagan
Thursday 18th August 2022 19:10 GMT Nanashi
Re: What does failed mean?
as if so then it's just modelling the IPv6 takeup rather than any issues with the resolution infrastructure etc...
I wondered that too, and that seems to be exactly what they're doing:
For each response, we extract the requested domain (the QNAME) from the Question portion, and check if the response contains a valid answer (e.g. for an A query, at least one RR in the response is an A record of the requested domain). In this paper, we are interested in failures caused by DNS infrastructures instead of NXDOMAINs (e.g. typos). However, we do not have the response code (e.g. ’NOERROR’, ’NXDOMAIN’ or other status) in our dataset.
If they don't have the error code, they have no way to distinguish between the query failing and it successfully returning zero results, and they're counting both as a failure. And worse:
Moreover, our dataset does not allow us to inspect failed queries that did not trigger a response (e.g. due to packet loss).
...which means they can't even detect most actual failures. They do try to accommodate NXDOMAIN, by filtering out domains that never returned an A or AAAA record, but they don't do any per-record-type filtering:
When limiting to domains whose query frequency exceeds 100, only 7.8% of domains have a success rate exceeding 95% [for AAAA queries], while about 60% of domains have never been successfully resolved. Again, given that we only include domains that have been successfully resolved (considering all query types), this suggests that there are infrastructural limitations in how DNS supports IPv6.
There's no way their results support that. "Hostnames can have A records without having AAAA records" isn't an infrastructural limitation in IPv6 support in DNS.
They also say this:
the failure rate for AAAA queries is as high as 64.2%, almost 3 times of that in 2012.
I checked that reference (https://dl.acm.org/doi/pdf/10.1145/2486001.2486018) and their results are 78% of domains returning NOERROR (successfully returning zero or more results). In other words, the large number of domains that have an A record and no AAAA record are counted as successful by that paper but as failed by this paper, making the numbers incomparable, but they go ahead and compare them anyway.
Either they didn't realize what they were doing there, or they were aiming for a clickbaity paper. Either way, it's not a good sign.
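The scoring difference the comment above describes, as an added example that is not part of the thread or of either paper: a constructed set of DNS responses with hypothetical names is scored once by "answer section contains a matching RR" (the paper's test, no rcode available) and once by rcode (the 2012 reference, as the comment describes it), so the NODATA, NXDOMAIN and lost-reply cases can be told apart.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
@dataclass
class Response:
    qname: str
    qtype: str                    # "A" or "AAAA"
    rcode: Optional[str]          # "NOERROR", "NXDOMAIN", ...; None = reply never seen
    answers: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, type, rdata)

def answer_present(r: Response) -> bool:
    # Paper's success test as quoted in the comment: an RR of the requested
    # type for the requested name is in the answer; the rcode is never consulted.
    return any(n == r.qname and t == r.qtype for n, t, _ in r.answers)

def classify(r: Response) -> str:
    # What the same response looks like once the rcode is available.
    if r.rcode is None:
        return "no-response"
    if r.rcode != "NOERROR":
        return r.rcode.lower()    # nxdomain, servfail, ...
    return "answered" if answer_present(r) else "nodata"

def paper_failure_rate(responses, qtype) -> float:
    # Answer-present scoring over received replies, limited to domains that
    # resolved at least once for any type (the filter the comment describes).
    resolved = {r.qname for r in responses if answer_present(r)}
    seen = [r for r in responses if r.qtype == qtype and r.rcode is not None and r.qname in resolved]
    return round(100 * sum(not answer_present(r) for r in seen) / len(seen), 1)

def rcode_failure_rate(responses, qtype) -> float:
    # Scoring as the comment describes the 2012 reference: NOERROR is success, empty answer or not.
    seen = [r for r in responses if r.qtype == qtype and r.rcode is not None]
    return round(100 * sum(r.rcode != "NOERROR" for r in seen) / len(seen), 1)

def breakdown(responses, qtype) -> Counter:
    return Counter(classify(r) for r in responses if r.qtype == qtype)
# Constructed sample (hypothetical names): 3 dual-stack names, 6 IPv4-only
# names, one mistyped name, and one AAAA query whose reply was lost.
SAMPLE: List[Response] = []
for i in range(1, 4):
    name = f"dual{i}.example"
    SAMPLE.append(Response(name, "A", "NOERROR", [(name, "A", f"192.0.2.{i}")]))
    SAMPLE.append(Response(name, "AAAA", "NOERROR", [(name, "AAAA", f"2001:db8::{i}")]))
for i in range(1, 7):
    name = f"v4only{i}.example"
    SAMPLE.append(Response(name, "A", "NOERROR", [(name, "A", f"198.51.100.{i}")]))
    SAMPLE.append(Response(name, "AAAA", "NOERROR", []))       # NODATA: name exists, no AAAA
SAMPLE.append(Response("typo.example", "AAAA", "NXDOMAIN", []))
SAMPLE.append(Response("lost.example", "AAAA", None, []))      # packet loss, no reply
```

On this sample the answer-present score reports an AAAA failure rate of 66.7% while the rcode score reports 10.0%; the gap is entirely the six IPv4-only names, which `breakdown` shows as NODATA rather than failures.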