DNS Security Extensions (DNSSEC) provide the most effective way to fight DNS cache poisoning attacks. Yet very few DNS resolvers perform DNSSEC validation. Identifying such systems is non-trivial, and the existing methods are not suitable for Internet-scale measurements. In this paper, we propose a novel remote technique for identifying DNSSEC-validating resolvers. The proposed method consists of two steps. In the first step, we identify open resolvers by scanning 3.1 billion end hosts and request every non-forwarder to resolve one correctly configured and seven deliberately misconfigured domains. We then build a classifier that discriminates validators from non-validators based on query patterns and DNS response codes. We find that while most open resolvers are DNSSEC-enabled, fewer than 18% in IPv4 (38% in IPv6) validate the responses they receive. In the second step, we remotely identify closed non-forwarders in networks that do not have inbound Source Address Validation (SAV) in place. Using the classifier built in step one, we find that 37.4% of these closed non-forwarders in IPv4 (42.9% in IPv6) are DNSSEC validators, and we cross-validate the results using RIPE Atlas probes. Finally, we show that the discovered validators and non-validators actively send requests to the DNS root servers, suggesting that they are operational recursive resolvers rather than misconfigured machines.
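To make the first step concrete, here is an added, self-contained sketch of the probe side of such a measurement. It is illustration code written for this page, not the authors' scanner or classifier: it builds the wire-format queries (with an EDNS0 OPT record carrying the DO bit) that would be sent to a candidate resolver, parses the RCODE and AD flag out of a response header, and classifies the resolver from the per-domain pattern. The zone names, the seven misconfiguration types and the sample observations are all assumptions constructed for the example; the real classifier also uses the query patterns seen at the authoritative side, which this sketch omits.

```python
"""Offline sketch of a DNSSEC-validation probe (example code, not the paper's).

Builds DO=1 queries, parses response-header flags, and classifies a resolver
from the RCODE/AD pattern over one good and seven deliberately broken names.
"""
import random
import struct

# RCODE values (RFC 1035)
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

# Assumption: placeholder zone names chosen for illustration; the abstract does
# not name the test domains. A validator must treat each broken name as bogus.
CORRECT = "valid.example"
MISCONFIGURED = [
    "badsig.example",      # RRSIG does not verify against the DNSKEY
    "expired.example",     # RRSIG validity period has ended
    "notyet.example",      # RRSIG validity period has not started
    "dsmismatch.example",  # DS in the parent matches no DNSKEY in the child
    "norrsig.example",     # DS present, but answers carry no RRSIG
    "nodnskey.example",    # DS present, but the DNSKEY RRset is missing
    "nonsec.example",      # negative answer without an NSEC/NSEC3 proof
]


def build_query(qname, qtype=1, txid=None, do_bit=True):
    """Wire-format query for qname/IN/qtype with RD=1 and, if do_bit, an EDNS0
    OPT record whose DO flag asks the resolver to include RRSIGs."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    arcount = 1 if do_bit else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    if not do_bit:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL field = ext-RCODE | version | flags (DO is the top bit), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_response_header(data):
    """Extract the fields the classifier needs from a raw DNS response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "rcode": flags & 0x000F,
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # authenticated data
    }


def classify(obs):
    """Classify one resolver from {qname: {"rcode": int, "ad": bool}}.

    Simplified rule (assumption, not the paper's learned classifier): a
    validator answers the good name with AD=1 and SERVFAILs every broken one;
    a non-validator answers all eight with NOERROR and never sets AD.
    """
    good = obs[CORRECT]
    bad = [obs[n] for n in MISCONFIGURED]
    if good["rcode"] != NOERROR:
        return "broken"            # cannot even resolve the correctly signed name
    servfails = sum(r["rcode"] == SERVFAIL for r in bad)
    if good["ad"] and servfails == len(bad):
        return "validator"
    if not good["ad"] and servfails == 0:
        return "non-validator"
    return "inconsistent"          # partial validation, or a forwarder mixing upstreams


def sample_observations(kind):
    """Constructed observations (not measured data) for the two clear-cut cases."""
    if kind == "validator":
        obs = {CORRECT: {"rcode": NOERROR, "ad": True}}
        obs.update({n: {"rcode": SERVFAIL, "ad": False} for n in MISCONFIGURED})
    else:
        obs = {CORRECT: {"rcode": NOERROR, "ad": False}}
        obs.update({n: {"rcode": NOERROR, "ad": False} for n in MISCONFIGURED})
    return obs


if __name__ == "__main__":
    for name in [CORRECT] + MISCONFIGURED:
        print(name, build_query(name, txid=0x1234).hex())
    for kind in ("validator", "non-validator"):
        print(kind, "->", classify(sample_observations(kind)))
```

Two caveats a practitioner would keep in mind when turning this into a scanner: the AD bit is set by whichever resolver validated, so a forwarder in front of a validating upstream looks like a validator unless you also separate forwarders from non-forwarders (as the paper does before classifying), and a resolver that SERVFAILs only some of the broken names is the interesting "inconsistent" class rather than noise.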