CAIDA researchers Andre Broido and Hao Shang (both now at Google) analyzed the properties and sources of spurious RFC1918 updates* that are directed toward the root name servers, and captured by a specially created protective system of name servers known as AS112.

* RFC1918, or private, addresses are intended strictly for use inside local area networks and should never leak to the Internet at large.
We first looked at the magnitude of these updates on two independent
AS112 servers. We then analyzed which operating systems
are responsible for these updates by using three levels of signature
techniques: DNS payload at the Application layer, passive OS
fingerprinting at the Transport layer, and IP TTL statistics at the
Network layer.
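To make the first and third of these signature levels concrete, here is an added example (not code from the CAIDA study) that parses the header and zone section of a DNS message, flags a dynamic UPDATE whose zone lies under one of the RFC1918 reverse zones served by AS112, and infers the sender's initial IP TTL from the observed TTL. The DNS wire format follows RFC 2136 (UPDATE is opcode 5; the zone section occupies the question slot). The table of common initial TTL values (32, 64, 128, 255) and the sample packets are assumptions constructed for this example; which initial TTL maps to which operating system is left to the reader's own fingerprint database.

```python
import struct

# RFC 1918 space reversed into in-addr.arpa zones: 10/8 is one /8 zone,
# 192.168/16 is one /16 zone, and 172.16/12 spans sixteen /16 zones.
RFC1918_REVERSE_ZONES = (
    ["10.in-addr.arpa", "168.192.in-addr.arpa"]
    + [f"{i}.172.in-addr.arpa" for i in range(16, 32)]
)

OPCODE_UPDATE = 5            # RFC 2136 dynamic update
COMMON_INITIAL_TTLS = (32, 64, 128, 255)   # assumed set of typical OS defaults


def is_rfc1918_reverse_zone(name: str) -> bool:
    """True if name equals, or is a subdomain of, an RFC 1918 reverse zone."""
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in RFC1918_REVERSE_ZONES)


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(buf: bytes, offset: int):
    """Decode an uncompressed wire-format name; return (name, next_offset)."""
    labels = []
    while True:
        length = buf[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # A compression pointer is never valid as the first name in a
            # message, so treat it as malformed rather than following it.
            raise ValueError("compression pointer in zone name")
        offset += 1
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def classify_packet(pkt: bytes):
    """Return (opcode, zone_name, spurious) for one DNS message payload.

    spurious is True only for an UPDATE whose zone is under RFC 1918
    reverse space, i.e. a leak that an AS112 server would absorb.
    """
    _txid, flags, zocount, _pr, _up, _ad = struct.unpack("!HHHHHH", pkt[:12])
    opcode = (flags >> 11) & 0xF
    if zocount < 1:
        return opcode, None, False
    zone, _ = decode_name(pkt, 12)   # zone section starts right after header
    return opcode, zone, (opcode == OPCODE_UPDATE and is_rfc1918_reverse_zone(zone))


def guess_initial_ttl(observed_ttl: int):
    """Round the observed IP TTL up to the nearest common initial value.

    Returns (initial_ttl, estimated_hop_count).
    """
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} out of range")


def summarize(samples):
    """Count spurious RFC 1918 updates, bucketed by inferred initial TTL.

    samples: iterable of (ip_ttl, dns_payload) pairs as seen at the server.
    """
    counts = {}
    for ip_ttl, payload in samples:
        _, _, spurious = classify_packet(payload)
        if spurious:
            initial, _ = guess_initial_ttl(ip_ttl)
            counts[initial] = counts.get(initial, 0) + 1
    return counts


# --- constructed sample messages (not captured traffic) ---------------------

def build_update(zone: str) -> bytes:
    """Minimal UPDATE: one zone entry (ZTYPE=SOA, ZCLASS=IN), no other sections."""
    hdr = struct.pack("!HHHHHH", 0x1234, OPCODE_UPDATE << 11, 1, 0, 0, 0)
    return hdr + encode_name(zone) + struct.pack("!HH", 6, 1)


def build_query(name: str) -> bytes:
    """Ordinary recursive PTR query (opcode 0, RD set)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", 12, 1)


SAMPLE_TRAFFIC = [
    (115, build_update("1.168.192.in-addr.arpa")),   # leaked update, TTL near 128
    (120, build_update("10.in-addr.arpa")),          # leaked update, TTL near 128
    (52,  build_update("20.172.in-addr.arpa")),      # leaked update, TTL near 64
    (60,  build_query("5.1.168.192.in-addr.arpa")),  # plain query: not an update
    (110, build_update("example.com")),              # update, but not RFC 1918
]

if __name__ == "__main__":
    print(summarize(SAMPLE_TRAFFIC))
```

On real captures the DNS payload would come from the UDP body of each packet and the TTL from its IP header; the per-initial-TTL buckets are what the transport- and network-layer signatures are then compared against.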
We found that various flavors of Microsoft Windows™ operating
systems account for 96-98% of the spurious update packets. While
newer versions of Windows OSes are more stringent in sending private
DNS updates, we did not observe an overall decreasing trend due to
this evolution. Users, software vendors, and system administrators
can take steps to reduce this RFC1918 traffic. However, since most
end users are unlikely to interfere with vendor default settings, it
should be the responsibility of software vendors and system
administrators to take positive action to prevent this pollution.
A paper describing our measurement, operating system profiling methodology, and results has been published in CCR. We also provide a web page with instructions to end users on how to disable dynamic DNS updates on Microsoft Windows systems.