2025 Volume 33 Pages 608-618
When Protective DNS (PDNS) detects a malicious attempt to resolve a domain name, it blocks the connection to the malicious domain by rewriting the DNS record. PDNS protects a user from a malicious domain; thus, it has been promoted in recent years. However, it is unclear to users which domains can be blocked, and unclear to providers how to implement and operate PDNS. To address the ambiguity of PDNS, we conducted a survey regarding its blocking coverage, lifecycle, blocking of popular domains, and usability. Our investigation revealed that the blocking rate varies widely among PDNSs, with some having a maximum of approximately 55.32% while others have a blocking rate of less than 1%. We also explored the lifecycle of each PDNS through continuous observations over a 32-day period and found that approximately 80% of all PDNSs blocked malicious domains on the same day that the domain was listed on the blocklist. Furthermore, we found that up to 84.54% of the blocked malicious domains were unblocked over time, and the number of days until unblocking ranged from 3.20 to 9.34 days. In addition, we evaluated the false block rate for each PDNS for popular domains and the usability of each PDNS's services. Finally, we provide recommendations for both PDNS users and providers based on the results of the investigation and analysis.
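The lifecycle metrics named in the abstract (blocking rate, same-day blocking, share of blocks later lifted, days until unblocking), computed over constructed data as an added example that is not the paper's code. The metric definitions, the `OBSERVATIONS` sample and the function names are assumptions made for illustration; the abstract does not state the paper's exact definitions.

```python
from statistics import mean

# Constructed sample for one hypothetical PDNS resolver:
# domain -> (day it appeared on the blocklist, daily verdicts from day 0).
# True means the resolver rewrote the answer (blocked) on that day.
OBSERVATIONS = {
    "bad-a.example": (0, [True, True, True, False, False, False]),
    "bad-b.example": (1, [False, True, True, True, True, True]),
    "bad-c.example": (0, [False, False, True, True, False, False]),
    "bad-d.example": (2, [False, False, False, False, False, False]),
}

def lifecycle(listed_day, verdicts):
    """Return (first_block_day, unblock_day); None where the event never occurs."""
    first = next((d for d, v in enumerate(verdicts) if v and d >= listed_day), None)
    if first is None:
        return None, None  # never blocked inside the observation window
    unblock = next(
        (d for d in range(first + 1, len(verdicts)) if not verdicts[d]), None
    )
    return first, unblock  # unblock is None when still blocked at window end

def summarize(observations):
    """Aggregate per-domain lifecycles into the resolver-level metrics."""
    rows = [(listed, *lifecycle(listed, v)) for listed, v in observations.values()]
    blocked = [r for r in rows if r[1] is not None]
    lifted = [r for r in blocked if r[2] is not None]
    n_blocked = len(blocked)
    return {
        # share of listed malicious domains that were ever blocked
        "blocking_rate": n_blocked / len(rows) if rows else 0.0,
        # share of blocked domains blocked on the day they were listed
        "same_day_share": (
            sum(r[1] == r[0] for r in blocked) / n_blocked if n_blocked else 0.0
        ),
        # share of blocked domains that were later resolvable again
        "unblocked_share": len(lifted) / n_blocked if n_blocked else 0.0,
        # domains still blocked at window end are right-censored and excluded
        "mean_days_to_unblock": (
            mean(r[2] - r[1] for r in lifted) if lifted else None
        ),
    }

if __name__ == "__main__":
    for name, value in summarize(OBSERVATIONS).items():
        print(f"{name}: {value}")
```

Excluding still-blocked domains from the mean biases the time-to-unblock downward in a short window, which matters when comparing resolvers observed for different lengths of time.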