APNIC Labs enters into a Research Agreement with Cloudflare

APNIC Labs is partnering with Cloudflare for a joint research project relating to the operation of the DNS. I’d like to explain our motivation in entering into this research project, explain what we hope to be able to achieve with this work, and describe briefly how we intend to handle the data that will be generated from this research activity.

The joint research project involves the operation of an open public DNS resolution service using IPv4 address prefixes that the APNIC Address Policy SIG has set aside for research purposes. This project will provide APNIC Labs with unique opportunity to gain some valuable insight into the query behaviour of the DNS in today’s Internet and will allow us to further our existing research activities in looking at the DNS.

Why is a Regional Internet Registry that looks after IP addresses interested in research into the behaviour of the DNS? At APNIC Labs we are deeply interested in the behaviours of underlying infrastructure elements of the Internet, and of course, that includes consideration of DNS names as well as the use of IP Addresses.

We believe that names and addresses are critically intertwined on today’s Internet. It has been more than six years since the onset of IPv4 address exhaustion in the address registries, and while there is been visible movement in the uptake of IPv6, IPv4 still remains the mainstay of today’s Internet. The result has been increased use in the level of address sharing to bridge across this address shortfall. Sharing of server-side addresses is now commonplace, and this practice relies on the integrity of the name space to create a consistent network service. We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque.

We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself. Are we constructing a DNS to meet the performance expectations of end users, or one that is sized to a completely different set of requirements? We are keen to investigate these and other related questions about the operation of the DNS.

APNIC will use two IPv4 address prefixes for this joint research program, 1.0.0.0/24 and 1.1.1.0/24. These are address prefixes that the Regional Address Policy community have assigned to APNIC for research use. They were originally configured as dark traffic addresses, and the profile of unsolicited traffic directed at these prefixes was investigated some years ago with the support of Google.

In setting up this joint research program, APNIC is acutely aware of the sensitivity of DNS query data. We are committed to treat all data with due care and attention to personal privacy and wish to minimise the potential problems of data leaks. We will be destroying all “raw” DNS data as soon as we have performed statistical analysis on the data flow. We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles. Furthermore, the access to the primary data feed will be strictly limited to the researchers in APNIC Labs, and we will naturally abide by APNIC’s non-disclosure policies.

This joint project has an initial period of five years and may be renewed. Upon the expiration of the initial period, or at any time thereafter, APNIC shall consider a request by Cloudflare for a permanent allocation of these IPv4 addresses to Cloudflare. APNIC undertakes to refer any such request to the regional Address Policy Special Interest Group as a matter of a change to the current research use designation of these IPv4 addresses, and APNIC shall be bound to the outcomes of this policy group.

We feel that this DNS research program will allow us to improve our level of engagement in DNS research, and make some useful contributions to our overall level of understanding about the operation of the essential name and address infrastructure of the Internet.