
Resolvers Revealed: Characterizing DNS Resolvers and their Clients

Published: 01 July 2013

Abstract

The Domain Name System (DNS) allows clients to use resolvers, sometimes called caches, to query a set of authoritative servers to translate host names into IP addresses. Prior work has proposed using the interaction between these DNS resolvers and the authoritative servers as an access control mechanism. However, while prior work has examined the DNS from many angles, the resolver component has received little scrutiny. Essential factors for using a resolver in an access control system, such as whether a resolver is part of an ISP’s infrastructure or running on an end-user’s system, have not been examined. In this study, we examine DNS resolver behavior and usage, from query patterns and reactions to nonstandard responses to passive association techniques to pair resolvers with their client hosts. In doing so, we discover evidence of security protocol support, misconfigured resolvers, techniques to fingerprint resolvers, and features for detecting automated clients. These measurements can influence the implementation and design of these resolvers and DNS-based access control systems.


    Published In

    ACM Transactions on Internet Technology  Volume 12, Issue 4
    July 2013
    64 pages
    ISSN:1533-5399
    EISSN:1557-6051
    DOI:10.1145/2499926
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 01 July 2013
    Accepted: 01 May 2013
    Revised: 01 February 2013
    Received: 01 March 2012
    Published in TOIT Volume 12, Issue 4


    Author Tags

    1. DNS resolvers
    2. security

    Qualifiers

    • Research-article
    • Research
    • Refereed
