research-article

Resolvers Revealed: Characterizing DNS Resolvers and their Clients

Published: 01 July 2013

Abstract

The Domain Name System (DNS) allows clients to use resolvers, sometimes called caches, to query a set of authoritative servers to translate host names into IP addresses. Prior work has proposed using the interaction between these DNS resolvers and the authoritative servers as an access control mechanism. However, while prior work has examined the DNS from many angles, the resolver component has received little scrutiny. Essential factors for using a resolver in an access control system, such as whether a resolver is part of an ISP’s infrastructure or running on an end-user’s system, have not been examined. In this study, we examine DNS resolver behavior and usage, from query patterns and reactions to nonstandard responses to passive association techniques to pair resolvers with their client hosts. In doing so, we discover evidence of security protocol support, misconfigured resolvers, techniques to fingerprint resolvers, and features for detecting automated clients. These measurements can influence the implementation and design of these resolvers and DNS-based access control systems.


    • Published in

      ACM Transactions on Internet Technology  Volume 12, Issue 4
      July 2013
      64 pages
      ISSN:1533-5399
      EISSN:1557-6051
      DOI:10.1145/2499926

      Copyright © 2013 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 1 July 2013
      • Accepted: 1 May 2013
      • Revised: 1 February 2013
      • Received: 1 March 2012

      Qualifiers

      • research-article
      • Research
      • Refereed
