It's nice to see a country as large as Brazil having 24% of its domains with DNSSEC records (973k out of 3.9m domains). I expected it to be close to zero.
This is very interesting work. I wish there was an easy way to see DNSSEC statistics for each ccTLD side-by-side with the fingerprint report.
Brazil is the only country other than the US that understood internet control.
They have their own centralized registrar, and they use proper TLDs such as gov, jus (justice), etc. with their own TLS system (which sometimes updates faster than browsers can keep up, so you have to add root signatures manually to your systems).
I was actually surprised when Kaspersky announced NIC.br was compromised and many banking sites were hijacked.
If I remember correctly, they (NIC.br) identified a vulnerability but then denied Kaspersky's claims.
Seems odd that their tests have a drastically different number of probes from different source countries. total_probes ought to be exactly the same from every source, for a more rigorous experiment.
It sounds like they used all the probes available. Many of the countries simply have very few RIPE Atlas probes available; I don't think it's reasonable to only select 5 probes from the US, because that's how many are installed in Vietnam; if you did, you're unlikely to pick any of the probes that showed this behavior.
Instead, it's better to report the total and suspicious numbers, and take the percentages with a grain of salt on low total probes.
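One way to quantify that "grain of salt", as an added example that is not part of the thread or the study: a 95% Wilson score interval per country. The country codes and counts are constructed sample data, and `suspicious_probes` is an assumed field name alongside the `total_probes` mentioned above.

```python
import math

def wilson_interval(suspicious_probes, total_probes, z=1.96):
    """Wilson score interval (95% for z=1.96) for suspicious/total."""
    if total_probes == 0:
        return (0.0, 1.0)  # no probes: the rate is completely unknown
    n = total_probes
    p = suspicious_probes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

# Constructed sample data, NOT figures from the study:
# country -> (suspicious_probes, total_probes)
SAMPLE = {
    "AA": (1, 5),      # 20% raw rate, but only five probes
    "BB": (20, 1000),  # 2% raw rate, well covered
    "CC": (0, 3),      # "clean", but only three probes
    "DD": (90, 900),   # 10% raw rate, well covered
}

def report(counts):
    """Return rows sorted by the lower bound of the interval, i.e. by the
    hijack rate the data actually supports, not by the raw percentage."""
    rows = []
    for country, (suspicious, total) in counts.items():
        low, high = wilson_interval(suspicious, total)
        rows.append({
            "country": country,
            "raw_rate": suspicious / total if total else None,
            "low": low,
            "high": high,
            "width": high - low,
        })
    return sorted(rows, key=lambda r: r["low"], reverse=True)

if __name__ == "__main__":
    for r in report(SAMPLE):
        print(f'{r["country"]}: raw={r["raw_rate"]:.1%} '
              f'interval=[{r["low"]:.1%}, {r["high"]:.1%}]')
```

With these sample counts, the five-probe country has the highest raw percentage but ranks below the 900-probe country, and zero suspicious results out of three probes still leaves an upper bound above 50%.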
If anyone is interested in expanding the research in countries with low RIPE Atlas coverage, we can provide free research access to our Probe API, which has over 10x more probes than Atlas. More here: http://probeapi.speedchecker.xyz/
I thought the point was that they queried many available DNS servers, not that they did so from as many different locations as possible. Even if they only have a dozen sources in a given country, can't they still query all the DNS servers they know of from there?
> We used all RIPE Atlas probes (~9000 probes) to send DNS queries to 8.8.8.8. Each probe issued several queries, a single query covered one of the features described above (e.g. DNSSEC validation, IPv6 only-domain reachability, NXDOMAIN redirection, …).
My understanding was that they did the same queries from as many network locations as possible, and looked for unexpected results.
Querying more known public DNS IPs would provide better confidence that a given probe was attached to a network that hijacked DNS, but still wouldn't tell you very much about the internet in a country with a low probe count.
If I remember correctly, when submitting jobs to run on the network, N number of nodes are selected randomly.
RIPE has the biggest concentration of probes in the EU and then US[1].