Root/gTLD RTTs from Three Sites

Nevil Brownlee, CAIDA | The University of Auckland

IEPG, San Francisco, March 2003

  1. Overview
    • Earlier DNS RTT Work
    • Problem: when interesting events happened, we only saw them from one site
    • Now we have three sites, UC San Diego, CU Boulder, U Auckland
    • Data collected since mid-Jan 03, we're starting to analyse it

  2. Do we see correlations between the sites?
    • Well, in general, no
      • We often see odd things happen on one or two sites
      • We don't often see things happen on all sites at the same time
      • G root looks overloaded from all sites on weekdays
    • But in nine weeks of data, we've seen
      • One blip for B root
      • One blip each for B, C, D and G gTLD
      • Two weeks of small daily spikes for H gTLD

  3. Typical RTT plots: H gTLD for week starting 15 Mar 03

    • Several sections of missing data (meter /data collection failures)
    • Some behaviour common to all gTLDs at cu (local link congestion)
    • Little steps on one or two sites+gTLDs, e.g. D step on ua and ucsd

  4. Correlation: H gTLD, five weekdays, 17-20 Feb 03

    • Arrows show events, once each day, observed at all three sites
    • traceroute for the sites:
          cu -      cwnet       - sprintlink - Amsterdam - h gtld
          ucsd - calren - qwest - sprintlink - Amsterdam - h gtld
          ua - clear - alternet - sprintlink - Amsterdam - h gtld
    • Last 10 hops are common (the trans-Atlantic/European hops),
      correlated spikes occured at gTLD or in the common hops
    • Other uncorrelated changes, e.g. steps for Boulder, Auckland,
      happened closer to the observing site
    • Congestion at Boulder is local to their access link, it appeared for
      all the roots and gTLDs

  5. Correlations: D gTLD Thu 13 Feb 03

    • traceroute for the sites:
          cu -        att       - qwest - d gtld
          ucsd -     calren     - qwest - d gtld
          ua - clear - alternet - qwest - d gtld
    • Last 5 hops are common (from svlcore-01 in qwest),
      correlated steps occured at gTLD or in the common hops

  7. Correlations: C gTLD Wed 12 Feb 03

    • traceroute for the sites:
          cu -           att             - atdn - c gtld
          ucsd - calren - qwest - level3 - atdn - c gtld
          ua - clear - alternet - level3 - atdn - c gtld
    • ucsd and ua share much of the path (from Los Angeles via level3)
    • But cu takes a completely different path -
      only its last hop is the same as for ucsd and ua
    • Correlated steps occured at gTLD or in the common last hop

  8. Conclusion

    • Over nine weeks of data, we see few correlated events.
      The root and gTLD servers (and the paths to them) are working well
    • We do see some correlated events, these can occur for paths
      with many or few hops in common
      - caution, the traceroutes were made on 13 Mar 03, long after the events
    • We have a long-term project to do better analysis,
      its goal is to provide daily reports of `interesting' behaviour
    • Until we have more sites, with different paths to the roots/gTLDs,
      we can't say the events happen at the servers
    • We need NeTraMet meters at more observing sites. Please see > Setting up a NeTraMet meter
      for more information