Identifying DNS heavy hitters in root servers data
Minas Gjoka, CAIDA, University of California, Irvine
Jan 17, 2016
Motivation/Goals
• The percentage of invalid traffic is huge (~98%). Anycast deployment alleviates the problem, at extra cost.
Goals
• Characterize the sources of invalid traffic.
• Identify solutions that could reduce traffic in the components of the DNS architecture.
Categorization of generated invalid traffic
• Misconfiguration: zone level, network level, local DNS
• Implementation errors: DNS cache resolvers, DNS stub resolvers
• Malicious activity: attacks, fast flux
• Other: monitors/probers, IPv6 deployment, reconnaissance
Results and work in progress
• Blacklists
• Interarrival time
• Behavioral analysis
• Future work
Blacklists & DNS traffic
Do the prefixes/ASes which contain the IPs listed in DNSRBLs also contribute unwanted DNS traffic (misconfiguration, malicious activity)?
Historical data from blacklists
• Spamhaus*: XBL (IPs of hijacked PCs infected by illegal 3rd-party exploits); SBL (IPs of spam sources and spam operations); PBL (IP space assigned to broadband/ADSL customers)
• UCEProtect*: IPs of spam sources
• DShield*: firewall logs, top 10000 IPs
* made available to us by Athina Markopoulou
Testing for correlation
• Rank BGP prefixes/ASes by the number of their IPs present in the blacklist, or by their aggregated queries in the DNS DITL data.
• Baseline: prefixes/ASes in increasing IP address space order.
[Figure: Spamhaus XBL, ranked by IPs in blacklist]
[Figure: Spamhaus XBL, ranked by DNS queries to roots]
[Figure: DNS roots vs Spamhaus XBL, cumulative fraction of IPs]
What about the other blacklists?
• Spam (Spamhaus SBL, UCEProtect): similar output at the BGP prefix/AS aggregation level.
• Trying out other aggregation levels also.
Another use of DNSRBL
• Spamhaus PBL contains IP ranges assigned to broadband/ADSL customers (participating ISPs; Spamhaus seeded it with the NJABL/dynablock zone).
• Of the DNS clients sending requests to the root, 10%-44% belong to the PBL-advertised ranges.
• Up to 44% of the sources are broadband/ADSL customers.
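The prefix-level correlation test and the PBL membership check described in the two slides above, as an added example that is not part of the original talk or the CAIDA tooling. It assumes a BGP-style prefix table (longest match stands in for the prefix/AS aggregation), treats PBL entries as CIDR ranges, and uses constructed prefixes, list entries and query counts rather than DITL or Spamhaus data.

```python
"""Correlating DNSRBL listings with root-server query sources at the BGP
prefix level, plus the share of DNS clients that fall in PBL ranges.

Added example for the "Testing for correlation" and "Another use of DNSRBL"
slides; not the CAIDA tooling. Prefixes, list entries and query counts are
constructed sample data, not DITL or Spamhaus data.
"""
import ipaddress
from collections import Counter

# Constructed "BGP table": aggregation targets (longest match wins).
BGP_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "10.1.0.0/16", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Constructed XBL-style entries: individual addresses of compromised hosts.
XBL_IPS = ["10.1.2.3", "10.1.2.4", "10.1.9.9", "192.0.2.7", "203.0.113.5"]

# Constructed PBL-style entries: ranges assigned to broadband/ADSL customers.
PBL_RANGES = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "203.0.113.0/25")]

# Constructed per-client query counts, as tallied at a root server.
CLIENT_QUERIES = {
    "10.1.2.3": 5000, "10.1.50.1": 1200, "10.7.7.7": 300, "192.0.2.7": 900,
    "192.0.2.8": 100, "198.51.100.2": 40, "203.0.113.5": 2500,
}


def longest_match(ip, prefixes):
    """Most specific prefix containing ip, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in prefixes:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def per_prefix(weights, prefixes=BGP_PREFIXES):
    """Sum per-IP weights (1 per listed IP, or query counts) into prefixes."""
    totals = Counter()
    for ip, w in weights.items():
        net = longest_match(ip, prefixes)
        if net is not None:
            totals[net] += w
    return totals


def ranked(totals):
    """Prefixes in decreasing order of weight; ties broken by prefix text."""
    return sorted(totals, key=lambda net: (-totals[net], str(net)))


def cumulative_fraction(order, totals):
    """Cumulative share of `totals` covered by the prefixes in `order`.

    Ranking prefixes by root queries and walking XBL counts in that order
    gives the "cumulative fraction of IPs" curve from the slides.
    """
    grand = sum(totals.values())
    out, seen = [], 0
    for net in order:
        seen += totals.get(net, 0)
        out.append(round(seen / grand, 4))
    return out


def pbl_clients(client_queries, pbl=PBL_RANGES):
    """(clients whose address lies in a PBL range, total distinct clients)."""
    hit = sum(1 for ip in client_queries if longest_match(ip, pbl) is not None)
    return hit, len(client_queries)


if __name__ == "__main__":
    xbl = per_prefix({ip: 1 for ip in XBL_IPS})
    queries = per_prefix(CLIENT_QUERIES)
    print("prefixes by root queries:", [str(n) for n in ranked(queries)])
    print("cumulative XBL coverage:", cumulative_fraction(ranked(queries), xbl))
    print("clients in PBL ranges:", pbl_clients(CLIENT_QUERIES))
```

A curve that rises much faster than the address-space-order baseline is the signal the slides look for: the prefixes that dominate root queries also hold a disproportionate share of listed hosts. Swapping in a real BGP RIB and a full DNSRBL dump changes only the constants.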
Characteristics of invalid queries
• Identical, repeated and referral-not-cached invalid queries constitute 73% in DITL 2008.
• Calculate the interarrival time between receipts of the same query (domain name, type, class).
[Figure: interarrival time, identical / repeated / referral-not-cached]
Aggregation Example
Requested zone names are aggregated: a.b.c.d.e.com. -> c.d.e.com.
Top-10 most requested
Requested Query Name      Percentage (%)
com                       19.66
net                       17.26
dynamic.163data.com.cn     3.68
165.222.in-addr.arpa       3.67
240.124.in-addr.arpa       1.95
org                        1.56
de                         1.38
edu                        1.38
ru                         1.10
.                          0.89
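The interarrival-time computation, the aggregated top-N ranking, and the per-client heavy-hitter cut-off (>10 queries/sec) from the surrounding slides, as an added example that is not part of the original talk or the CAIDA tooling. The query records are constructed; the aggregation rule (keep the rightmost four labels of the query name) is an assumption inferred from the slide's a.b.c.d.e.com. -> c.d.e.com. example and the four-label entries in the top-10 table; and the heavy-hitter rate is measured in one-second bins, which is also an assumption.

```python
"""Per-query interarrival times, repeated-query share, name aggregation and
per-client heavy-hitter detection over root-server query records.

Added example for the "Characteristics of invalid queries" and "Aggregation
Example" slides; not the CAIDA tooling. RECORDS are constructed, and the
aggregation rule (rightmost four labels) is an assumption inferred from the
slide example a.b.c.d.e.com. -> c.d.e.com.
"""
from collections import Counter, defaultdict

# Constructed records: (unix time, client IP, qname, qtype, qclass)
RECORDS = [
    (1000.000, "192.0.2.10", "www.example.com.", "A", "IN"),
    (1000.050, "192.0.2.10", "www.example.com.", "A", "IN"),  # identical, 50 ms later
    (1000.100, "192.0.2.10", "www.example.com.", "A", "IN"),
    (1000.200, "192.0.2.10", "com.", "NS", "IN"),
    (1001.000, "198.51.100.7", "a.b.c.d.e.com.", "A", "IN"),
    (1001.300, "198.51.100.7", "5.4.165.222.in-addr.arpa.", "PTR", "IN"),
    (1001.310, "198.51.100.7", "5.4.165.222.in-addr.arpa.", "PTR", "IN"),
    (1002.000, "203.0.113.9", "com.", "NS", "IN"),
    (1002.500, "203.0.113.9", "net.", "NS", "IN"),
    (1003.000, "203.0.113.9", ".", "NS", "IN"),
]


def aggregate_name(qname, keep=4):
    """Collapse a query name to its rightmost `keep` labels (assumed rule);
    the root name "." stays "."."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return ".".join(labels[-keep:]) if labels else "."


def top_requested(records, n=10):
    """Top-n aggregated names with their percentage of all queries."""
    counts = Counter(aggregate_name(r[2]) for r in records)
    total = len(records)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(name, round(100.0 * c / total, 2)) for name, c in ranked[:n]]


def interarrival_times(records):
    """Gaps (seconds) between identical queries: same client, name, type, class."""
    last, gaps = {}, defaultdict(list)
    for t, client, qname, qtype, qclass in sorted(records):
        key = (client, qname, qtype, qclass)
        if key in last:
            gaps[key].append(round(t - last[key], 6))
        last[key] = t
    return dict(gaps)


def repeated_fraction(records):
    """Share of queries that exactly repeat an earlier query from the same client."""
    gaps = interarrival_times(records)
    return sum(len(g) for g in gaps.values()) / len(records)


def heavy_hitters(records, qps=10):
    """Clients that exceed `qps` queries within some one-second bin (assumed binning)."""
    bins = Counter((client, int(t)) for t, client, *_ in records)
    return {client for (client, _), c in bins.items() if c > qps}


if __name__ == "__main__":
    for name, pct in top_requested(RECORDS):
        print(f"{name:30s} {pct:6.2f}")
    print("repeated share:", repeated_fraction(RECORDS))
    print("heavy hitters (>10 q/s):", heavy_hitters(RECORDS))
```

Sub-second gaps on an identical (name, type, class) key from one client, like the 50 ms repeats above, are the signature of the aggressive requerying the next slide lists as a likely cause; a well-behaved resolver would cache the referral and not ask the root again within the TTL.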
Why?
Possible explanations:
• Aggressive requerying for delegation information
• Ingress filtering
• Poorly configured or maintained zones
Behavior of DNS Resolvers
• Wessels et al., "Measurements and Laboratory Simulations of the Upper DNS Hierarchy": tested the effect of network delay/loss to the root servers.
• Extend the tested configurations.
Simulation setup
[Figure: lab hierarchy of Root, TLD and SLD servers, with a DNS client behind the resolver under test: Windows 2000/2003, BIND 4/8/9, DJBDNS, PowerDNS, MaraDNS, Unbound]
Behavior of DNS Resolvers (2)
Goals
• Quantify the load of tested misconfigurations on the root server
• Characterize a well-behaved DNS resolver
• Patterns of misbehaving DNS resolvers
Plans to test
• Other plausible network configurations
• Zone configurations: lame delegation, negative caching
• Configurations at resolvers/cachers and zones; local DNS configurations
• Additional configurations from RFC 4697, "Observed DNS Resolution Misbehavior"
Other future work
• Focus on heavy hitters (>10 queries/sec)
• Interarrival time per client and per prefix/AS
• Extract patterns of invalid queries
Thank you