Global DNS Traffic Report: What we found in 7.54 trillion DNS queries

As the connective tissue that links users to online applications, services, and content, NS1 has a unique vantage point on the daily operations of the internet. Recently, we decided to look a little deeper into the data flowing through NS1’s servers to see what we could learn. Using a 90-day pull of data from late 2022, we examined over 7.54 trillion queries and 15.1 trillion packets to produce the Global DNS Traffic Report.

The report is overflowing with useful information. As a teaser, here are some of our top takeaways:

Beware of abnormal NXDOMAIN response levels

Some amount of NXDOMAIN traffic is to be expected. But how much is “normal?” We found that NXDOMAIN responses in the 3-4% range are typical for most large enterprises.

When the percentage of NXDOMAIN responses climbs above single digits, something’s clearly wrong. We found that some outliers have an NXDOMAIN response rate as high as 60%! While the reasons for these high error rates vary, we found that more often than not, misconfigured Microsoft Active Directory clients are to blame. These misconfigurations can result in inadvertent exposure of internal domains to the internet - a major security risk which can be diagnosed through an analysis of NXDOMAIN traffic.

New HTTPS record type is a hit

In May, the IETF formally approved the new HTTPS record type (not to be confused with https in a browser) as a solution to the pernicious “CNAME-at-apex” challenge.

Our dataset shows that the new record type is a big hit, in part from wide scale adoption in browsers and support from authoritative DNS providers like NS1. After just a few months of use, we found that HTTPS records already account for nearly 10% of DNS queries to NS1.

Public resolvers dominate the internet

When we looked at the sources of recursive traffic to NS1’s infrastructure, we found that it was dominated by public resolvers. (Google alone accounts for more than 30% of recursive traffic.) This surprised us a little - we expected to see more traffic resolving through ISPs.

Cross-referencing the resolver data with geographical information, we found that traffic from smaller countries is often directed to Google and other public resolvers by default. This likely accounts for the smaller percentage of ISP traffic overall - many smaller ISPs find it more convenient and secure to simply lean on Google’s massive footprint rather than create it on their own.

Infrastructure providers are a constraint on IPv6 and DNSSEC adoption

IPv6 and DNSSEC are the broccoli of the internet. Everyone knows they’re beneficial. Everyone knows that they really should be part of a normal routine. Yet few actually go the extra mile to really incorporate them into standard practice.

We found that the IPv6 network layer is only used around 30% of the time. The issue appears to be resolvers (including some of the big public ones mentioned above) which default to IPv4.

Similarly, we found that only 14% of queries hitting NS1’s infrastructure utilized DNSSEC signing. Only 5% of queries that came in from Google’s resolver services were from a zone that had DNSSEC turned on.

Insights galore in the full report

Check out the full Global DNS Traffic Report for more details on these takeaways, plus patterns of usage for ECS, UDP/TCP, esoteric response codes, and much more.