DNS Measurement at a Root Server. Nevil Brownlee, kc Claffy and Evi Nemeth. Presented by Zhengxiang Pan, Mar. 27th, 2003

Page 1

DNS Measurement at a Root Server

Nevil Brownlee, kc Claffy and Evi Nemeth

Presented by Zhengxiang Pan, Mar. 27th, 2003

Page 2

Introduction

• DNS: Domain Name System

• BIND: Berkeley Internet Name Domain System

[Diagram: client → Local Name Server → Root Server, alongside other Local Name Servers; queries are carried over UDP]

Page 3

Methodology

• Passive capture of DNS packets at F.root-servers.net

• Tools: tcpdump

• Error logs

Page 4

Results

• A. Query rate: the server responds to 93% of the input packets.

Page 5

Error taxonomy

• B1. Repeated queries
– Possibly the result of a broken nameserver or a broken client.

• B2. Private address space
– About 7% of the queries ask for hostnames associated with an RFC 1918 address.
– 2%–3% of the queries have a source IP address in RFC 1918 space.

Page 6

Error taxonomy

• B3. Top-level domains
– In a 1-hour trace from Jan. 7, 2001:
– 16.5% of the servers asked only for INVALID TLDs
– 37.1% of the servers asked for at least one INVALID TLD

Page 7

Error taxonomy

• B4. Bogus A queries
– An A query maps a hostname to an IP address.
– 12–18% of A queries carry an IP address, not a hostname, as the name being looked up.

• B5. Source port zero
– Port 0 is reserved and not valid in UDP/TCP.
– Root servers never answer queries from port 0.

Page 8

Error taxonomy

• B6. Dynamic updates
– DHCP may dynamically update a local nameserver; it should never try to update the root servers.
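As an added example (not part of the slides or the paper), the classifier below tags query records with the categories B1–B6 described above; the sample records and the valid-TLD subset are constructed, and a real checker would load the IANA root zone list instead.

```python
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed subset of valid TLDs; a real checker would load the IANA root zone list.
VALID_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "arpa", "uk", "de", "jp"}
def in_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)
def classify(src_ip, src_port, opcode, qtype, qname):
    """Return the taxonomy tags (B2-B6) that apply to a single query."""
    tags = []
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    if in_rfc1918(src_ip):
        tags.append("B2-source-rfc1918")      # query sent from private address space
    if (qtype == "PTR" and name.endswith(".in-addr.arpa") and len(labels) == 6
            and in_rfc1918(".".join(reversed(labels[:4])))):
        tags.append("B2-ptr-rfc1918")         # reverse lookup of an RFC 1918 address
    # Dotted-quad name: the "hostname" is already an IPv4 address.
    is_ip_literal = len(labels) == 4 and all(l.isdigit() and int(l) < 256 for l in labels)
    if qtype == "A" and is_ip_literal:
        tags.append("B4-bogus-a")
    elif labels[-1] not in VALID_TLDS:
        tags.append("B3-invalid-tld")
    if src_port == 0:
        tags.append("B5-source-port-zero")    # port 0 is reserved; root never answers
    if opcode == "UPDATE":
        tags.append("B6-dynamic-update")      # DHCP-style update aimed at the root
    return tags

def summarize(records):
    """Count tags over a trace; B1 repeats are exact (src_ip, qtype, qname) re-sends."""
    counts, seen = Counter(), set()
    for rec in records:
        key = (rec[0], rec[3], rec[4].lower())
        if key in seen:
            counts["B1-repeated"] += 1
        seen.add(key)
        counts.update(classify(*rec))
    return counts

# Constructed sample records: (src_ip, src_port, opcode, qtype, qname)
SAMPLE = [
    ("198.51.100.7", 53, "QUERY", "A", "www.example.com."),
    ("198.51.100.7", 53, "QUERY", "A", "www.example.com."),               # B1 repeat
    ("192.168.1.10", 1027, "QUERY", "A", "intranet.corp.local."),         # B2 source + B3
    ("198.51.100.9", 2048, "QUERY", "PTR", "5.1.168.192.in-addr.arpa."),  # B2 via PTR
    ("203.0.113.4", 4000, "QUERY", "A", "10.0.0.1"),                      # B4
    ("203.0.113.5", 0, "UPDATE", "A", "host.example.net."),               # B5 + B6
]
```

Run `summarize(SAMPLE)` to get one count per category; on a resolver operator's own outbound capture the same tags show which local misconfigurations are leaking to the root.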

Page 9

Results

• Attacks
– Spoofing the source IP and using the root server as a reflector, flooding the attack target with answers it never asked for.
– Scanning IP space.

• Microsoft's DNS woes
– On Jan. 24, 2001 Microsoft's nameservers went down; the query load for Microsoft names rose to over 25% of the total query load.

Page 10

Summary

• Percentages of servers with bad behaviors:
– 13% bogus A queries
– 35% invalid TLDs
– 35% leaking internal information

• Strategy
– Diagnose and repair bugs in implementations
– Deploy negative answers