Abstract
The Domain Name System (DNS) allows clients to use resolvers, sometimes called caches, to query a set of authoritative servers to translate host names into IP addresses. Prior work has proposed using the interaction between these DNS resolvers and the authoritative servers as an access control mechanism. However, while prior work has examined the DNS from many angles, the resolver component has received little scrutiny. Essential factors for using a resolver in an access control system, such as whether a resolver is part of an ISP’s infrastructure or running on an end-user’s system, have not been examined. In this study, we examine DNS resolver behavior and usage, from query patterns and reactions to nonstandard responses to passive association techniques to pair resolvers with their client hosts. In doing so, we discover evidence of security protocol support, misconfigured resolvers, techniques to fingerprint resolvers, and features for detecting automated clients. These measurements can influence the implementation and design of these resolvers and DNS-based access control systems.
Resolvers Revealed: Characterizing DNS Resolvers and their Clients