The main function of the Domain Name System (DNS) is to provide
translation between Internet hostnames and IP addresses. Therefore,
the DNS is a critical infrastructure service whose efficiency and
robustness are crucial for the operation of the Internet. Despite
the essential nature of the DNS, long-term research and analysis
in support of its performance, stability, and security are extremely
sparse. Our goal is to enable DNS research pertinent to real
Internet problems by supplying the research community with the best
available, operationally relevant and methodologically sound,
measurement data. In addition, the tools, models, and analysis
methodologies developed in the course of this project will contribute
to ensuring the vitality and integrity of the DNS as it faces
relentless growth of the Internet user population worldwide.
CAIDA activities in the area of DNS research are currently
sponsored by NSF grant SCI-0427144, "Improving the Integrity of Domain Name System (DNS) Monitoring and Protection".
Research topics are:
DNS root servers are at the top of the DNS hierarchy. To characterize
their workload and performance, we have undertaken the coordination of
large-scale data collection events during which participating operators
captured concurrent traces from a large number of root server anycast
instances. We conduct this work in collaboration with ISC and OARC.
As of July 2008, there are three global DNS data sets, obtained in
January of 2006 and 2007 and in March 2008. We published the results
of our analysis of the first set; analysis of the second and third
data sets is in progress. For each data set, we also develop
Influence Maps of DNS anycast servers that visualize the geographic
distribution of DNS clients for each anycast instance.
We summarized our experience with large-scale simultaneous data collections
in a set of recommendations intended to optimize collection strategies and to
increase the research potential of future global multi-site coordinated
data measurements.
More information about analysis of DNS root server traffic.
More information about Influence maps of DNS anycast servers.
A Comparison of Traffic from the DNS Root Nameservers as Measured in DITL 2006 and 2007
One method of measuring the stability, validity and reliability of
the Domain Name System (DNS) is to employ survey techniques to query
the name servers for analysis and reporting. CAIDA employs several
surveys to help us identify invalid data, analyze security issues,
and determine the most commonly used software.
Has your DNS server received a probe from a CAIDA host?
Find out more about CAIDA's Open Resolver Survey.
More information about DNS surveys.
We are studying the Chilean DNS data characterizing the .CL ccTLD domain in collaboration with NIC Chile. Our efforts include:
1) Analysis and indexing of daily packet traces captured on three
anycast and one unicast name servers located in Chile. NIC Chile
collected the traces daily at 12:10 pm local time from January 2005
until March 2007. Each 10-minute trace contains IPv4 traffic only
and includes queries and responses with full payload; 2) anycast switching experiments
conducted on the Chilean .CL ccTLD anycast infrastructure; and 3)
DNS workload capture and visualization. Analysis of these data, and their
indexing in DatCat, are in progress.
During the period of this collaboration, we hope to conduct further
analysis including usage and query rate trends, geographical and
topological distribution of clients, and emerging traffic including
EDNS0 support, DNSSEC related queries, Microsoft Active Directory
SRV queries, IPv6-related queries and IDN.
In collaboration with CAIDA, Prof. George Riley and his student
Sunitha Beeram from Georgia Tech University are conducting
simulations of DNS anycasting methods. As of May 2006, they run
experiments using a 44-node topology with 34 clients and 10 anycast
server nodes. The simulations played out three different scenarios: no
failures, a single link failure, and prefix withdrawal.
Initial results show that, in the link down case, the distribution of
requests among server nodes changes rather insignificantly: the
clients can still reach the same servers through other links. In the
explicit prefix withdrawal case, the network quickly converges to a
new state since the simulated graph is small and strongly connected.
The requests are re-distributed to other nodes with only one flip
for affected clients.
Future work will include adding scenarios for multiple network failures,
modeling both global and local server nodes, and expansion to a larger,
more realistic topology (using CAIDA AS-level graphs).
To serve intra-enterprise networks that do not directly connect to the Internet, RFC 1918 establishes guidelines for address
allocation for private internets. Unfortunately, some operating systems do not behave as expected, and traffic that should stay
within local area networks leaks onto the Internet at large.
CAIDA researchers analyzed the properties and sources of spurious
RFC 1918 updates that are directed toward the root name servers and
captured by a specially created protective system of name servers
known as AS112.
More information about RFC1918 analysis.
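The leakage described above is recognizable from the query names alone: a PTR lookup or dynamic update for a name under 10.in-addr.arpa, 16.172.in-addr.arpa through 31.172.in-addr.arpa, or 168.192.in-addr.arpa refers to an RFC 1918 address and should never have left the local network. The following classifier is an added illustration, not CAIDA's or AS112's code; the record tuples and the (client, opcode, qname) shape are constructed for the example.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges. Reverse (PTR) lookups and dynamic updates for these
# should be answered inside the enterprise; on the Internet they end up at AS112.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def reverse_name_to_network(qname):
    """Turn an in-addr.arpa name (full or partial zone name) into an IPv4 network.

    Returns None for names that are not well-formed IPv4 reverse names.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2]
    if len(octets) > 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    # in-addr.arpa labels are in reverse octet order; a partial zone name
    # such as 168.192.in-addr.arpa covers a whole prefix, so pad with zeros.
    ordered = list(reversed(octets)) + ["0"] * (4 - len(octets))
    prefix_len = 8 * len(octets)
    return ipaddress.ip_network(f"{'.'.join(ordered)}/{prefix_len}", strict=False)


def rfc1918_leak(qname):
    """Return the RFC 1918 network a reverse name falls inside, or None.

    A zone broader than the private range (e.g. 172.in-addr.arpa) is not
    reported, since it also covers public space.
    """
    net = reverse_name_to_network(qname)
    if net is None:
        return None
    for private in RFC1918_NETWORKS:
        if net.subnet_of(private):
            return private
    return None


# Constructed sample records (client address, DNS opcode, query name); not real data.
SAMPLE_RECORDS = [
    ("198.51.100.7", "UPDATE", "12.1.168.192.in-addr.arpa."),
    ("198.51.100.7", "UPDATE", "12.1.168.192.in-addr.arpa."),
    ("203.0.113.20", "QUERY", "44.0.0.10.in-addr.arpa."),
    ("203.0.113.20", "QUERY", "www.example.com."),
    ("192.0.2.9", "QUERY", "3.2.20.172.in-addr.arpa."),
    ("192.0.2.9", "QUERY", "3.2.15.172.in-addr.arpa."),  # 172.15.0.0/16 is public space
]


def summarize_leaks(records):
    """Count leaked RFC 1918 reverse traffic by private network, by client and by opcode."""
    by_network, by_client, by_opcode = Counter(), Counter(), Counter()
    for client, opcode, qname in records:
        net = rfc1918_leak(qname)
        if net is None:
            continue
        by_network[str(net)] += 1
        by_client[client] += 1
        by_opcode[opcode] += 1
    return by_network, by_client, by_opcode


if __name__ == "__main__":
    for title, counter in zip(("network", "client", "opcode"), summarize_leaks(SAMPLE_RECORDS)):
        print(f"leaks by {title}:")
        for key, n in counter.most_common():
            print(f"  {key:20} {n}")
```

Grouping by client is the useful view for an operator: the same source repeatedly sending UPDATE messages for a private PTR name is the misbehaving host the passage describes, and the fix is a local forward zone or a firewall rule, not anything at the root.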
DSC - DNS Statistics Collector
DSC is
CAIDA's flagship software for DNS measurements. It provides an
open-source system for collecting and
exploring statistics from busy DNS servers. Duane Wessels and The
Measurement Factory developed the DSC software. Currently three root
servers and a few smaller operators use the DSC software
to monitor the state of their systems.
We highly encourage operators to deploy DSC.
You can run the DSC application
directly on a DNS node or it can run on a standalone system configured
to "capture" (e.g., using libpcap) bi-directional traffic for a DNS node.
Below, we present examples that highlight DSC's capabilities.
NeTraMet traffic monitor
NeTraMet is a user-configurable traffic monitor implementing the
RTFM architecture for Traffic Flow Measurement (RFC2722).
A user sets a 'ruleset' that specifies which packet attributes
NeTraMet should look for in the bi-directional traffic. Only
matching packets are then counted. This software, developed by Nevil
Brownlee (U. of Auckland, New Zealand) prior to this project, is
now in maintenance mode.
An example of NeTraMet usage by CAIDA is the ongoing (since January
2002) monitoring of root and gTLD DNS server performance. The
meters are installed at the following strategic locations: University
of California San Diego, University of Auckland (New Zealand),
University of Colorado in Boulder, and Keio University (Tokyo and
Fujisawa, Japan). The monitor rulesets specify capturing DNS request
packets sent to root and gTLD servers and their corresponding response
packets. The round trip time for DNS request/response pairs, the percentage
of unanswered requests, and the number of identified DNS
request/response pairs represent a directly observable measure
of macroscopic Internet performance, since DNS response times are
directly influenced by macroscopic Internet events such as congestion
and routing changes. We have accumulated a long-term archive of these
data and are working on indexing them in DatCat.
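The three metrics named above (request/response RTT, the share of unanswered requests, and the number of identified pairs) follow from one pairing step: a response belongs to the request with the same client address, server address, client port and DNS transaction ID. The code below is an added example of that computation and is not NeTraMet or any CAIDA tool; the packet records, the monitored server address and the 5-second timeout are constructed for illustration, and the "ruleset" is reduced to a port-53 filter on the monitored server set.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured UDP/DNS packet (constructed, not a NeTraMet record)."""
    ts: float          # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    txid: int          # DNS transaction ID from the header
    is_response: bool  # QR bit


# Hypothetical monitored server set; a real ruleset would list the root/gTLD addresses.
MONITORED_SERVERS = {"198.51.100.1"}


def select_dns_traffic(packets, servers=MONITORED_SERVERS):
    """The 'ruleset': keep only port-53 traffic to or from the monitored servers."""
    return [p for p in packets
            if (p.dst in servers and p.dport == 53) or (p.src in servers and p.sport == 53)]


def pair_requests(packets, timeout=5.0):
    """Match responses to requests by (client, server, client port, txid).

    Returns the list of RTTs in seconds and the number of requests that got
    no response within the timeout (including responses that arrived too late).
    """
    pending = {}   # request key -> timestamp of the first copy seen
    rtts = []
    late = 0
    for p in sorted(packets, key=lambda q: q.ts):
        if not p.is_response:
            key = (p.src, p.dst, p.sport, p.txid)
            pending.setdefault(key, p.ts)  # a retransmission keeps the original send time
            continue
        key = (p.dst, p.src, p.dport, p.txid)
        sent = pending.pop(key, None)
        if sent is None:
            continue  # response with no matching request, or a duplicate response
        if p.ts - sent <= timeout:
            rtts.append(p.ts - sent)
        else:
            late += 1
    return rtts, len(pending) + late


def summarize_dns_rtt(packets, timeout=5.0):
    """Compute the three observable metrics from a batch of captured packets."""
    rtts, unanswered = pair_requests(select_dns_traffic(packets), timeout)
    total = len(rtts) + unanswered
    return {
        "pairs": len(rtts),
        "unanswered": unanswered,
        "unanswered_pct": (100.0 * unanswered / total) if total else 0.0,
        "median_rtt_ms": median(rtts) * 1000.0 if rtts else None,
    }


# Constructed capture: one client talking to the monitored server, plus noise.
C, S = "192.0.2.10", "198.51.100.1"
SAMPLE_PACKETS = [
    Packet(0.000, C, S, 53001, 53, 0x1A2B, False),
    Packet(0.042, S, C, 53, 53001, 0x1A2B, True),   # answered in 42 ms
    Packet(0.100, C, S, 53002, 53, 0x2C3D, False),  # never answered
    Packet(0.200, C, S, 53003, 53, 0x3E4F, False),
    Packet(0.250, S, C, 53, 53003, 0x3E4F, True),   # 50 ms
    Packet(0.300, C, S, 53004, 53, 0x5A6B, False),
    Packet(0.320, S, C, 53, 53004, 0x5A6B, True),   # 20 ms
    Packet(0.400, S, C, 53, 53009, 0x9999, True),   # response with no request: ignored
    Packet(0.500, C, S, 53005, 53, 0x7777, False),
    Packet(9.000, S, C, 53, 53005, 0x7777, True),   # answered after the 5 s timeout
    Packet(0.600, C, "203.0.113.5", 53006, 53, 0x8888, False),  # not a monitored server
]

if __name__ == "__main__":
    print(summarize_dns_rtt(SAMPLE_PACKETS))
```

The timeout matters for the "unanswered" figure: a response that arrives long after the client has given up and retransmitted is, from the user's point of view, a failure, and counting it as a success would hide exactly the congestion and routing events the passage says this measure is meant to expose.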
CAIDA would like to deploy meters in more sites. If you are
interested in hosting a NeTraMet meter, please see
Setting up a NeTraMet meter: background and requirements for more details.
We strongly encourage those with access to infrastructure to capture
and document datasets to help preserve and promote scientifically
rigorous, reproducible research. We encourage anyone who
collects data to list the data in DatCat, the Internet
Measurement Data Catalog. For specific recommendations on what
type of metadata to include, refer to CAIDA's web page on How to Document a Data Collection.
Our data collection efforts support the scientific Internet research
community in the process of validating their models, simulations,
or theories. The following DNS related CAIDA datasets are available for researchers.
March 18-19 2008 Collection Event
In the first quarter of 2008, CAIDA and the DNS Operations, Analysis,
and Research Center (OARC) conducted a third DITL collection
event. Our third event again targeted a 48-hour collection period.
The 9th CAIDA-WIDE Workshop was held to
coordinate the event. An overview slideset, "Day In The Life of the Internet 2008 Data Collection Event", is made available for review. A summary of the March 18-19, 2008 Collection Event is available also.
A list of questions has been compiled regarding the DITL 2008 Data Collection Event: What Researchers Would Like to Learn from the DITL Project: The Top Questions and Data Types.
January 9-10, 2007 Collection Event
On January 9-10, 2007, CAIDA and the DNS Operations, Analysis, and Research Center (OARC) coordinated a 48-hour DITL collection event. A summary of the January 9-10, 2007 Collection Event is available, as well as a CAIDA Blog Commentary, "Following Up On 'A Day in the Life of the Internet' Challenge".