The following papers have been peer reviewed and published in conference proceedings or journals:
Previous research has shown that most of the DNS queries reaching the root of the hierarchy are bogus. This behavior derives from two constraints on the system: (1) queries that cannot be satisfied locally percolate up to the root of the DNS; (2) some caching nameservers are behind packet filters or firewalls that allow outgoing queries but block incoming replies. These resolvers assume the network failure is temporary and retransmit their queries, often aggressively.
Given that the global DNS system, especially at the higher root and top-levels, experiences significant query loads, we seek to answer the following questions: (1) How does the choice of DNS caching software for local resolvers affect query load at the higher levels? (2) How do DNS caching implementations spread the query load among a set of higher level DNS servers?
With the assistance of one root server operator, we took a 24-hour trace of queries arriving at one of the thirteen root servers. In this paper we analyze these data and use a simple model of the DNS to classify each query into one of nine categories. We find that, by far, most of the queries are repeats and that only a small percentage are legitimate.
The following presentations have been given at conferences and other meetings:
A talk given at RIPE 53. We discuss a number of known problems with the Domain Name System. Some have been known for a long time, while others are more recent. Problems are categorized as issues in the protocol, implementation mistakes, operational choices, and registries/registrars poilicies.
A talk given at NANOG 36. We report on our efforts to discover DNS cache poisoners. After scanning more than 6,000,000 hostnames, we found about 300 sources of poison.
Slides for an informal talk given at the 5th CAIDA/WIDE workshop. A handful of interesting cases of root-server abuse, and what happens when we try to track down responsible parties.
Slides for the DNS Pollution talk at the 2004 SIGCOMM Workshop on Network Troubleshooting.
We use simulations based on DNS software implementations (BIND8, BIND9, windows*, djpdns) to enhance our understanding of the client-side of DNS transactions. Our lab setup models the typical DNS architecture with root, TLD, SLD, and caching nameservers. We replay a large trace file with different caching software and different network environments. The results advance our understanding of nameserver selection algorithms and the level of DNS traffic injected into the Internet for a given client-side workload.
CAIDA is continuing efforts to analyze DNS root server performance. We are characterizing DNS clients that send large numbers of queries to root servers. Analysis of trace data from the two F root servers shows a number of interesting things. Most of the high-rate queries exhibit the strange behavior of only using 25% of the query ID range. A number of sources also transmit each query two or three times. We also notice hourly spikes in the number of clients contacting the root servers. The talk will include results of analyses of which applications/configurations are broken, and how to fix or upgrade them.
The following pages document a few individual case studies in trying to stop DNS server abuses:
© 2016 The Measurement Factory.