I was recently asked if OARC had any data on the percentage of DNS queries with bad or disabled UDP checksums. After a few days of crunching through the DITL 2009 data, I have the following results:
Data Provider | Matched (%) | Mismatch (%) | Disabled (%) |
afilias | 99.02 | 0.85 | 0.12 |
apnic | 99.89 | 0.01 | 0.10 |
arin | 99.92 | 0.02 | 0.07 |
arl | 99.28 | 0.62 | 0.10 |
as112-gf | 99.91 | 0.00 | 0.09 |
cogent | 52.30 | 47.66 | 0.04 |
cznic | 73.50 | 26.40 | 0.10 |
icann | 99.52 | 0.36 | 0.12 |
iis | 97.58 | 2.36 | 0.06 |
isc | 96.73 | 3.14 | 0.13 |
lacnic | 99.79 | 0.01 | 0.19 |
namex | 100.00 | 0.00 | 0.00 |
nasa | 99.34 | 0.57 | 0.09 |
nethelp | 99.90 | 0.06 | 0.05 |
niccl | 53.94 | 46.01 | 0.04 |
nixcz | 99.82 | 0.18 | 0.00 |
nominet | 99.80 | 0.04 | 0.15 |
pktpush | 69.29 | 26.04 | 4.67 |
regbr | 98.30 | 1.48 | 0.22 |
ripe | 98.81 | 1.07 | 0.12 |
switch | 99.91 | 0.01 | 0.08 |
tix-or-tz | 100.00 | 0.00 | 0.00 |
uninett | 99.91 | 0.01 | 0.08 |
verisign | 99.03 | 0.92 | 0.05 |
wide | 99.58 | 0.36 | 0.06 |
Obviously, it's interesting that most of the traces show 99% matching checksums, but a few have close to 25% or 50% with mismatches. I'm likely to suspect some kind of "middle boxes" (load balancers?) at play here, but have not yet investigated further.
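One way a captured packet can be sorted into the three columns of the table, as an added example that is not OARC's analysis code. It assumes unfragmented IPv4 packets captured in full and treats a zero checksum field as "disabled" (RFC 768); the function names and the sample packet are constructed for illustration.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the UDP header and payload,
    with the checksum field (bytes 6-7) taken as zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF                   # a computed 0 is transmitted as 0xFFFF

def classify(ip_packet: bytes) -> str:
    """Return 'matched', 'mismatch' or 'disabled' for one IPv4/UDP packet."""
    if ip_packet[0] >> 4 != 4 or ip_packet[9] != 17:
        raise ValueError("not an IPv4 UDP packet")
    ihl = (ip_packet[0] & 0x0F) * 4         # IPv4 header length in bytes
    src, dst = ip_packet[12:16], ip_packet[16:20]
    udp_len = struct.unpack("!H", ip_packet[ihl + 4:ihl + 6])[0]
    udp = ip_packet[ihl:ihl + udp_len]
    if udp_len < 8 or len(udp) < udp_len:   # snaplen cut the datagram short
        raise ValueError("truncated UDP datagram")
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:                         # sender did not compute a checksum
        return "disabled"
    return "matched" if stored == udp_checksum(src, dst, udp) else "mismatch"

def build_sample(payload: bytes, checksum=None) -> bytes:
    """Constructed IPv4/UDP packet to port 53 between documentation addresses."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 53])
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    if checksum is None:
        checksum = udp_checksum(src, dst, udp)
    udp = udp[:6] + struct.pack("!H", checksum) + udp[8:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
    return ip + src + dst + udp
```
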
Update
Mauricio from NIC Chile reports that most of their bad UDP checksums are from replies they send out. They have some Dell hardware running Linux. The Linux installation doesn't support certain NIC hardware features, such as checksum calculations. Hardware checksumming can be disabled with this command:
# ethtool --offload ethXX tx off