<?xml version="1.0" standalone="no"?>
                    <!DOCTYPE div SYSTEM "/www/backend/www-xml-443/dtd/caidaML.dtd">
                    <!-- do NOT ERASE the DOCTYPE declaration! --><div>


<tr bgcolor="#f4f4f4">
  <td>
<font face="helvetica,arial" size="2">
<b>URL:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
<a href="http://www.caida.org/publications/papers/2003/dnsspectroscopy/">http://www.caida.org/publications/papers/2003/dnsspectroscopy/</a>
</font>
  </td>
</tr>


<tr bgcolor="#e9e9e9">
  <td>
<font face="helvetica,arial" size="2">
<b>Entry Date:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
2003-01-30


</font>
  </td>
</tr>


<tr bgcolor="#f4f4f4">
  <td>
<font face="helvetica,arial" size="2">
<b>Abstract:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
<p>
We study attempts to dynamically update DNS records for
private (RFC1918) addresses by analyzing the frequency
spectrum of updates observed at an authoritative nameserver
for these addresses. Using a discrete autocorrelation
algorithm, we found that update series have periods of 60
or 75 minutes, which we identified as default settings of
out-of-the-box Microsoft Windows 2000 and XP DNS software.
</p>


</font>
  </td>
</tr>


<tr bgcolor="#e9e9e9">
  <td>
<font face="helvetica,arial" size="2">
<b>Datasets:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
<p>
We use the BIND logs of attempted DNS updates to RFC1918 zones.
The logs were collected at the blackhole server
(prisoner.iana.org), located in topological proximity to
the Palo Alto instance of the F-root DNS server.
</p>


</font>
  </td>
</tr>


<tr bgcolor="#f4f4f4">
  <td>
<font face="helvetica,arial" size="2">
<b>Experiments:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
<p>
We installed several versions of Windows 2000 and Windows XP
(desktop and server editions), including the original release,
Service Pack (SP) 1 and SP 2, and confirmed in a laboratory setting
that the default behavior of Windows is to send dynamic DNS
updates with the periods that we identified by spectral analysis
of BIND logs.
</p>


</font>
  </td>
</tr>


<tr bgcolor="#e9e9e9">
  <td>
<font face="helvetica,arial" size="2">
<b>Results:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
<p>
Using a combination of spectroscopy and laboratory experiment,
we prove that the majority of DNS updates to RFC1918 zones
(i.e., attempts to associate names with private addresses
like 192.168.1.1) at public blackhole DNS servers originate
from the Windows 2000 and XP DNS software.
</p>


</font>
  </td>
</tr>


<tr bgcolor="#f4f4f4">
  <td>
<font face="helvetica,arial" size="2">
<b>References:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
<p>
The paper expands the results of Evi Nemeth published in
N.Brownlee, kc claffy, and E.Nemeth. DNS Measurements at a Root Server.
Globecom, 2001.
</p>

<p>
In terms of methods, it develops the network spectroscopy approach
advocated in: A.Broido, R.King, E.Nemeth, kc claffy
"Radon spectroscopy of inter-packet delay", IEEE High Speed
Networking (HSN) Workshop, San Francisco, March 2003.
</p>

<p>
The RFC1918 private addresses are defined in:
Y.Rekhter, B.Moskowitz, D.Karrenberg, G.J.de Groot, K.Lear.
RFC 1918 - Address Allocation for Private Internets.
</p>

<p>
Full version of this paper:
A.Broido, E.Nemeth, and kc claffy, 
"Spectroscopy of Private DNS Update Sources",
Proceedings of the Workshop on Internet
Applications (WIAPP), San Jose, June 2003.
</p>



</font>
  </td>
</tr>
</div>
