93% of authoritative DNS servers for .CA domains failed to answer a query at least once during a six month research study

93 percent of authoritative DNS servers for .CA domains failed to answer a query once in a six month period.

In a recent study by the team here at CIRA, 93 percent of authoritative DNS servers for .CA domains failed to answer a query once in a six month period. The goal of the DNS server is to provide the directions that translate simple words like www.cira.ca into IP addresses that computers understand, like 192.228.29.1. Servers then deliver content according to the Internet’s phone book, the Domain Name System (DNS).

If you are a DNS expert you know that the Internet has been specifically-designed to take care of a situation where this function fails. There is redundancy built into the system, ensuring that even poorly configured DNS architectures don’t cause serious issues. However, this doesn’t mean that we can’t and shouldn’t do better. 

About the DNS Research Project

Jacob Zack, CIRA’s DNS expert, set-up ten testing servers across Canada with the task of querying the 119,443 authoritative servers used by .CA websites. The test ran every day for six months and found that only 7% of authoritative servers had a 100% success rate.  

Is this cause for alarm?  In our opinion it is, because if you care about your online presence then you should care that all of your systems are running at top performance. Some may argue that the DNS is fast and has built-in redundancy. Some may say that most business users can feel pretty confident that a failed DNS query isn’t likely to mean that their next sale (i.e. a $400,000 new home mortgage, $40,000 sale in hardware, or $400 flower order) will be lost to a competitor. But core infrastructure like the authoritative DNS is critical to your web presence and it needs more attention by IT managers. 

With respect to redundancy, on the Internet answers to queries start at recursive name servers and they (typically) live in ISPs to answer those questions. It is only if these recursive name servers don’t have the answer that the request is routed to the authoritative name server. The authoritative name server is run by the website owner or by someone on their behalf (like a hosting operator). In theory, the majority of recursive servers have the answer to the question in their cache most of the time (we won’t explain TTL in this article) then even if the authoritative server is temporarily down a customer can find your site.

Additionally, you are running two or more authoritative name servers. In the best case scenario they are also on their own networks (rather than being on the same network as the application and web servers). 

What are organizations doing wrong with their DNS?

There could be many reasons that an authoritative server didn’t answer. It would be something as serious as a DDoS attack or something more mundane like an outage by an IT department to conduct simple software or hardware maintenance.  However, there are some scenarios where there could be a problem, such as:

• If the organization only runs one piece of hardware for their name server(s)
• If the organization keeps both authoritative servers on the same network and that network goes down
• If the Internet is broken (i.e. a problem with the ISP the customer is using)

The question is whether all this built-in redundancy should absolve the IT department from responsibility for maintaining a proper DNS configuration? Certainly not. For instance, CIRA has researched the DNS in several public sectors, including municipalities, healthcare, law enforcement and universities and found generally that in excess of 90% of the institutions are not using the absolute best external DNS possible. Problems we found include:

• Old or outdated DNS software that could be easily exploited
• No redundancy in name servers
• Name servers on the same network
• Website owners relying on best-effort services from a hosting company
• Reliance on older unicast technology
• Name servers not physically close to the customers that are being served

With more and more services being delivered online it is clear that the DNS is becoming the Achilles heel of the Internet. We encourage every IT manager to take time to investigate their DNS for configuration errors.

CIRA also recommends that you take the time to investigate a truly redundant, fast and secure secondary anycast DNS service for your authoritative DNS. It will make your websites on online services perform better. Consider putting the responsibility for authoritative hardware and software maintenance on an expert organization, and contribute to a better Internet for all of us.