On 2019-10-09 8:36 a.m., Joe Abley wrote:
On 9 Oct 2019, at 09:51, David <[email protected]> wrote:

On 2019-10-09 3:28 a.m., Vladimír Čunát wrote:
On 10/9/19 8:53 AM, Xavier Beaudouin wrote:
I saw that DNS over TLS (not TCP) eg port 853/TCP is more and more used.
I expect that's due to newer Androids getting to more people? (i.e. it seems 
unrelated to OP)
https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html

Yeah we see that too but you are correct we are referring to normal plain-old 
DNS over TCP. We're now at 10x the query rates compared to pre-iOS 13, which is 
still not a lot but is growing each day.

Are there any obvious patterns with QNAMEs or with the servers that receive 
those queries? I wonder whether there's some new query pattern that has started 
triggering large responses and whether what we are seeing is iOS falling back 
to TCP transport due to failures in receiving fragments. It'd be interesting to 
look for other increases within the messages being exchanged over TCP, e.g. an 
unusual preponderance of DO=1 or QTYPE=TLSA or something.

The queries I've seen from these are pretty basic and all fit without needing EDNS or TCP. I'm also not entirely sure it's due to any loss detection either, as when they do switch to doing over TCP we don't immediately see the previous over-UDP-query again.


The observation reminds me of the iOS release that started pulling root zone DNSSEC trust 
anchors from data.iana.org almost a decade ago. The CDN stats 
for data.iana.org at the time revealed what looked initially 
like a step function but in fact was a steep curve tracking iOS upgrades amongst the 
iPhone-owning public. We found someone at Apple to talk to at the time to confirm that our 
interpretation was correct. If iOS deployment is the curve you're seeing, then I imagine 
you can expect more growth than 10x before you see a plateau.


We've been in touch with the Apple NOC and provided them captures, hoping that they can engage the appropriate resources internally to confirm what is going on.

Of course, many commonly-used applications tend to upgrade around an iOS upgrade. With 
iOS 13 there seem to be many popular social media apps releasing versions with this 
"dark mode" that I understand the youth like now.


Yeah - the spread of names is not application specific so does look like the iOS resolver itself doing it, and not a specific application bug (like the Snapchat NTP issue a few years ago where it probed every country code out there repeatedly).


Joe
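
The check suggested in the thread, looking for an unusual share of DO=1 or QTYPE=TLSA among the queries arriving over TCP, can be done with a tally like the one below. This is an added example, not code from the thread or its participants: the function names are hypothetical, the sample queries are constructed by `build_query`, and it assumes the client-to-server TCP payload has already been reassembled from the capture.

```python
import struct
from collections import Counter

def read_name(msg, off):
    """Return (name, next offset). Queries should not use compression pointers."""
    labels = []
    while (n := msg[off]) != 0:
        if n & 0xC0:
            raise ValueError("unexpected compression pointer in query")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def parse_query(msg):
    """Return (qname, qtype, do_bit) for one DNS query message."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!2H", msg, off)
    off += 4
    for _ in range(an + ns + ar):  # in a query this is normally just OPT
        _, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == 41:  # OPT: DO is the top bit of the low 16 bits of TTL
            return qname, qtype, bool(ttl & 0x8000)
        off += 10 + rdlen
    return qname, qtype, False

def tally_tcp_stream(stream):
    """Count (qtype, DO) pairs using the 2-byte length prefix of DNS over TCP."""
    counts, off = Counter(), 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, off)
        msg = stream[off + 2:off + 2 + n]
        if len(msg) < n:
            break  # capture ended mid-message
        _qname, qtype, do = parse_query(msg)
        counts[(qtype, do)] += 1
        off += 2 + n
    return counts

def build_query(qname, qtype, do=None):  # constructed sample; do=None omits OPT
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, int(do is not None)) + name
    msg += struct.pack("!2H", qtype, 1)
    if do is not None:
        msg += b"\0" + struct.pack("!HHIH", 41, 1232, 0x8000 if do else 0, 0)
    return struct.pack("!H", len(msg)) + msg
```

Keys in the returned counter are `(qtype, do)` pairs, so `(52, True)` is TLSA with DO=1; running the same tally over the UDP queries gives the baseline to compare against.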

