The true effect of corona on the DNS
By the CENTR Secretariat - In recent weeks we’ve seen a range of press articles, security blogposts and public statements addressing real or perceived issues with network capacity and the domain name system (DNS) in particular. These range from concerns about the resilience of the DNS with questions on the impact of the number of registrations to news indicating that a tidal wave of fraud and abuse is hitting the world.
CENTR has looked into this and would like to respond to these discussions with concrete facts and data. We have found that the COVID-19 pandemic has had no significant impact on the DNS, either in terms of registrations or in levels of abuse detected.
COVID-19 related domain registrations
CENTR has studied a large sample of domain names across a group of 12 ccTLDs to estimate the extent to which the COVID-19 pandemic has had any impact. Domains were analysed for the period of January to March 2020 and restricted to domains which included any of the following terms: covid, corona or virus. A total of 6,164 registrations included these terms and most of them were registered during the second half of March 2020.
To put this number into perspective, in the same group of ccTLDs, a total of 751,000 new domains were registered in the same three-month period. This means that domains with a covid-related term (using one of the three terms) represent 0.8% of all new registrations in this period.
As part of its analysis, CENTR also ran a scan over all impacted domains to assess their technical status and understand how, if at all, they were being used. From the scan, the results show that 26% (or 1,637 domains) are estimated to have functioning web content. The rest are either parked, have an ‘under-construction’ notification, do not resolve or display other forms of technical error.
Several domains are common to multiple ccTLDs, and below is a list of the top 10, with covid19 being the most common.
How does the DNS hold up under pressure?
The DNS is a decentralised system that is built to withstand heavy workloads, and its underlying technical components have been refined and optimised for almost half a century. This causes the DNS to be very resilient against high traffic loads. While many CENTR members have reported higher traffic than usual (more individual requests) or requests from different sources (e.g. from residential providers rather than workplaces or school providers), this traffic increase is not outside the current capacity of the European ccTLD infrastructure.
Every time a user enters a domain name or sends an email, the DNS system needs to translate that name into an IP address. Therefore, any significant increase in internet activity means more traffic for the DNS.
However, the DNS relies on a system of caching (data stored at different network levels to increase response times) and this means that the load on the top-level DNS servers does not increase proportionally.
Additionally the DNS has more than 20 years of experience in dealing with DDoS attacks. These attacks typically generate demand levels that are many times higher than the number of queries we see today.
Finally, the operators of the national top-level domains (also called ccTLD registries) have deployed anycast networks. These anycast networks offer an additional level of protection against attacks or high levels of DNS queries.
With the amount of server capacity that ccTLD registries have deployed to handle traffic, even a tenfold increase would still leave them with high margins of reserve capacity.
Several of our members have published query statistics which illustrates this. In the example below, the Dutch operator reports an increase in traffic of around 25% only.
How are registries responding?
As the operators of top-level domains are technical operators that do not have control over the content of websites, they rely on close cooperation with public authorities in responding to COVID-19 related abuse. In estimating the real harm and risk to the public, only competent public authorities can assess whether the activity on the website is illegal or not and have the mandate to act accordingly.
Due to the exceptional circumstances during the pandemic, some of the operators have implemented a few extra procedural steps to the registration process in order to make sure that the legitimate use of domain names continues. Governments and public authorities are registering COVID-19 related domain names to inform the public about the pandemic, while private entities and individuals are relying on domain names to engage with their communities.
A recent CENTR survey shows that 80% of the respondents are scanning the newly-registered domains for terms such as covid, corona or virus. Roughly half of this 80% verifies the registration data of COVID-19 related domains more closely than with other newly-registered domains as a response to the pandemic, and filters out the ones registered in bad faith.
Additionally, about half of the respondents share lists of newly-registered domain names with national authorities or national CERTs.
When it comes to actual abuse associated with newly-registered COVID-19 related domain names, the number of reported cases remains marginally low across European ccTLDs.
Preliminary results from the Abusive Registrations Data Exchange (ARDE) group
In February 2020, a group of CENTR members began coordinating information-sharing in relation to domains that are registered for abusive purposes. The goal of this group is to find out whether the same or similar domain names are being registered to be used in an abusive activity such as fraud or phishing with different registries at the same time. Fortunately, these members report that cases of abuse associated with COVID-19-related domains remain low and they have confirmed that the majority of covid-19-related domain names are not being used.
Based on a wide range of data sets and metrics, it can be concluded that the COVID-19 pandemic has had no significant impact on the DNS. Users are continuing to register domains as expected, registrations of domain names continue to trend up with an average growth of around 2%, the load on the infrastructure is well within the capacity range at around 10% and abuse levels are at the same, low levels as before the pandemic.