A Tree in a Tree: The Impact of IPv6 on Authoritative DNS

The Domain Name System (DNS) is a cornerstone of the Internet. It is a global database that translates domain names (such as pulse.internetsociety.org) to Internet addresses that computers use to communicate with each other. By systematically measuring the DNS, we can improve our understanding of the Internet, find vulnerabilities, and provide data for informed decision-making.

My colleagues and I at Max Planck Institute for Informatics developed yodns, a tool that allows us to collect extensive DNS data from all zones and name servers potentially involved in resolving a name at scale. We’ve used this tool to collect data from 812M domain names to assess how certain optimizations of DNS measurements can affect data completeness and results (see our paper).

In my 2025 Pulse Research Fellowship project, I want to use this measurement method to improve our understanding of DNS resilience.

One fascinating aspect will be investigating the influence of IPv6-only resolvability on DNS resilience, as previous research has shown that resolvability is often still dependent on IPv4.

Zone Dependencies

The DNS organizes names by zones. To resolve a zone, resolvers need to resolve the zones’ parent zones and (at least one of) the zones of its nameservers. This creates a network of (transitive) dependencies that can affect resolution times, redundancy, and even security, as compromised domains can affect the resolution of dependent domains. Figure 1 shows an example of such a dependency graph.

Using yodns data, we can count the number of dependencies potentially involved in resolving a zone.

In our data (Figure 2), IPv4-only and dual-stack resolvable domains show almost identical numbers of (resolvable) dependencies. However, for IPv6-only, we see slightly more dependencies, indicating that zones that are IPv6-only resolvable have slightly more dependencies than those that are only IPv4-resolvable. This effect is less pronounced for domains from the Umbrella list. Overall, we find 56.2% of 316M zones are IPv6-only resolvable.

Numerous factors determine whether a zone is resolvable in an IPv6-only scenario (that is, without using IPv4 at all). Configuring IPv6 networking on the name server and adding the corresponding AAAA records to the DNS is necessary but not enough. The (transitive) zone dependencies must also be resolvable, such that at least one IPv6-only resolution path exists.

Figure 3 shows the correlation between public suffixes, DNS providers, and IPv6-only resolvability in a heatmap. Providers are identified using name server host names, so we can see providers that use in-domain names for their servers.

The impact of individual providers is visible. For example,

• WixDNS-hosted zones are completely IPv6 unresolvable.
• DomainControl’s IPv6 resolvability is overall good, except for some European zones, most notably .fr and .it, where essentially all zones are not IPv6-resolvable due to missing IPv6 glue records for the name servers that host these domains.
• Similarly, we see the positive impact of a large Content Distribution Network (Cloudflare) on IPv6-resolvability, hosting a significant portion of domains.

Finally, we can also see the differences between countries. For example, a larger percentage of domains are IPv6-resolvable (‘other’ column) for .nl than .br, .de, .fr, .it, .ru, and .tk.

Learn More

Future work will focus on better understanding the influence of these effects on resilience.

Check out our paper, tool, and dataset if you found this post interesting.

Florian Steurer is a PhD student at the Max Planck Institute for Informatics and a 2025 Pulse Research Fellow.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of the Internet Society.

---

Photo by Alfio Cioffi via Wikimedia Commons