IPv6 DNS Statistics

Recently I started collecting IPv6 DNS traffic in a passive DNS monitor. For those not familiar, passive DNS replication was pioneered by Florian Weimer and is described as:

"a technology which constructs zone replicas without cooperation from zone administrators, based on captured name server responses."

In short, you watch what recursive DNS servers get back – which contains the query, the query type, and the answers – and you can construct a historical DNS record if enough people have queried for it, or if you have a wide enough view. Using data from the SIE, my passive DNS replication system focuses strictly on IPv6 data, so AAAA records and the like. I'm filling a gap for myself, and digging into it a bit, too.

The data analyzed here was captured between May 20 and June 10.

One of the obvious things to do with DNS data is to look at the TLD distribution. Here we can see that just as in IPv4 space, .com dominates usage, followed by .net and .org. The appearance of .edu (US educational networks) in the top ten is a bit surprising, as is the sliver of .jp (Japan) DNS (where I would have expected more based on anecdotal reports).

TLD usage in IPv6 queries

This chart is based on only a small, short-run data set but may represent the real trend out there. It will be interesting to see how this plays out. A useful exercise is to compare the TLD data, which would suggest that Japan or The Netherlands isn't hosting very much, with the country code data for the IPs seen. Here we can see that the US dominates hosting, with Europe, along with Japan and Taiwan, rounding out the bulk of the top ten.

Countries hosting IPv6 servers

I ran the IPs through Aguri, which can be used to aggregate IPs into netblocks, to see what networks are dominating the hosting. This suggests that Google’s IPs are dominant here, which is confirmed below. A handful of blocks pop out:

::/0    2789 (0.18%/100.00%)
                ::1     28829 (1.83%)
 2000::/4       15919 (1.01%/97.99%)
   2001::/21    15989 (1.02%/6.54%)
   2001:400::/22        30551 (1.94%/5.52%)
    2001:470::/32       20630 (1.31%/2.50%)
     2001:470::/39      18770 (1.19%/1.19%)
   2001:600::/24        16930 (1.08%/1.08%)
   2001:800::/21        17667 (1.12%/1.12%)
   2001:1000::/20       20996 (1.33%/1.33%)
   2001:4000::/20       19579 (1.24%/81.55%)
    2001:4800::/25      134652 (8.55%/80.31%)
      2001:4860:8000::/43       62744 (3.99%/71.75%)
      2001:4860:8000::/44       174353 (11.08%/46.54%)
      2001:4860:8000::/45       15949 (1.01%/28.74%)
               2001:4860:8001::/120     97614 (6.20%/6.20%)
      2001:4860:8002::/47       37624 (2.39%/12.00%)
               2001:4860:8002::/120     30810 (1.96%/8.41%)
                2001:4860:8002::63      16933 (1.08%)
                2001:4860:8002::67      16933 (1.08%)
                2001:4860:8002::68      16933 (1.08%)
                2001:4860:8002::69      16933 (1.08%)
                2001:4860:8002::6a      16933 (1.08%)
                2001:4860:8002::93      16933 (1.08%)
                2001:4860:8003::63      18812 (1.20%)
               2001:4860:8007::/120     150024 (9.53%/9.53%)
               2001:4860:800a::/120     20442 (1.30%/3.89%)
                2001:4860:800a::60/125  20430 (1.30%/1.30%)
                2001:4860:800a::68/127  20430 (1.30%/1.30%)
               2001:4860:800b::/120     44425 (2.82%/2.82%)
                2001:4860:8011::63      167074 (10.61%)
                2001:4860:8011::68      167074 (10.61%)
  2002::/16     16324 (1.04%/1.04%)
 2400::/6       21536 (1.37%/1.37%)
  2a00::/15     26188 (1.66%/4.03%)
    2a00:1450::/32      18883 (1.20%/2.37%)
                2a00:1450:8002::60/124  18375 (1.17%/1.17%)
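To make the output above easier to read, here is a simplified sketch of Aguri-style aggregation, added as an example; it is not Aguri's own code and not the tooling used for this post. The function name `aguri_aggregate`, the 10% threshold and the sample addresses (constructed from the 2001:db8::/32 documentation prefix) are assumptions. Any address or prefix whose hit count falls below the threshold is folded into its parent prefix, and each surviving row carries its own share and the share of its whole subtree, matching the two percentages in the listing.

```python
import ipaddress
from collections import Counter

def aguri_aggregate(addresses, threshold=0.01):
    """Fold IPv6 hit counts into prefixes until each kept node holds at
    least `threshold` of all hits. Returns (prefix, hits, own %, subtree %)."""
    level = Counter(int(ipaddress.IPv6Address(a)) for a in addresses)
    total = sum(level.values())
    if total == 0:
        return []
    kept = {}
    # Walk from /128 up to /1, one bit at a time.
    for plen in range(128, 0, -1):
        parent = Counter()
        low_bit = 1 << (128 - plen)          # last bit of a /plen prefix
        for value, count in level.items():
            if count >= total * threshold:
                kept[(value, plen)] = count  # big enough to stand alone
            else:
                parent[value & ~low_bit] += count  # fold into /(plen-1)
        level = parent
    kept[(0, 0)] = level[0]                  # ::/0 absorbs the remainder
    rows = []
    for (value, plen), count in sorted(kept.items()):
        shift = 128 - plen
        # Subtree total: this node plus every kept node it contains.
        subtree = sum(c for (v, p), c in kept.items()
                      if p >= plen and v >> shift == value >> shift)
        net = ipaddress.IPv6Network((value, plen))
        rows.append((str(net), count,
                     100 * count / total, 100 * subtree / total))
    return rows

# Constructed sample: 100 hits, documentation prefix plus localhost.
SAMPLE = (["2001:db8:1::63"] * 40 + ["2001:db8:1::68"] * 30 +
          ["2001:db8:1::6a"] * 6 + ["2001:db8:1::6b"] * 6 +
          ["2001:db8:2::1"] * 7 + ["::1"] * 11)

if __name__ == "__main__":
    for net, count, own, cum in aguri_aggregate(SAMPLE, threshold=0.10):
        print(f"{net:<24}{count:>6} ({own:.2f}%/{cum:.2f}%)")
```

In the sample, the two 6-hit addresses merge into 2001:db8:1::6a/127 and survive as a block, while the lone 7-hit address never reaches the threshold and ends up counted at ::/0, which is why the root row in real Aguri output carries a small count of its own.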


I compared this to two data sets to resolve the autonomous systems for the IPs. The first looked at all IPv6 hits (resolutions), where Google is the largest, followed by localhost (i.e. ::1) and then Hurricane Electric, a cheap tunnel broker.

IPv6 ASN use by all hits

When the data looks at unique IP endpoints and maps their ASNs, Hurricane and IP-Exchange dominate, suggesting a much broader base of IPv6 services offered and in use in the world.

IPv6 unique destination IPs by ASN

In summary, IPv6 use is growing (see some of our other blog posts on IPv6 traffic) and DNS is an interesting way to see where it's in use. I plan to look into the databases some more in the future for other interesting features. IPv6 measurements and usage data are lacking, and this is a fun area to start to explore.

Many thanks to the SIE for access to the data.