DNS Measurement at a Root Server
Nevil Brownlee, kc Claffy and Evi Nemeth
Presented by Zhengxiang Pan
Mar. 27th, 2003

Introduction
• DNS: Domain Name System
• BIND: Berkeley Internet Name Domain System
• [Figure: UDP client → local name servers → root server]

Methodology
• Passive capture of DNS packets at F.root-servers.net
• Use tcpdump & error logs

Results
• A. Query rate
• Responds to 93% of the input packets.

Error taxonomy
• B1. Repeated queries
– Maybe the result of a broken nameserver or a broken client.
• B2. Private address space
– About 7% of the queries ask for a hostname associated with an RFC 1918 address.
– 2% - 3% of the queries have a source IP address in RFC 1918 space.

Error taxonomy
• B3. Top-level domains
– In a 1-hour trace of Jan. 7, 2001:
– 16.5% of the servers asked only for INVALID TLDs
– 37.1% of the servers asked for at least one INVALID TLD

Error taxonomy
• B4. Bogus A queries
– A query: hostname → IP address
– 12-18% of A queries target an IP address
• B5. Source port zero
– Port 0 is reserved and not valid in UDP / TCP.
– Root servers never answer queries from port 0.

Error taxonomy
• B6. Dynamic updates
– DHCP can dynamically update a local nameserver; it should not try to update root servers.

Results
• Attacks
– Spoofing the source IP, using the root server as a reflector, flooding the attack target with answers it did not ask for.
– Scanning IP space.
• Microsoft's DNS woes
– Jan. 24, 2001: Microsoft nameservers down; the query load for Microsoft names rose to over 25% of the total query load.

Summary
• Percentages of servers with bad behavior:
– 13% bogus A queries
– 35% invalid TLDs
– 35% leaking internal information
• Strategy
– Diagnose and repair bugs in implementations
– Deploy negative answers
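As an added illustration of the B1-B5 error taxonomy above (example code written for this page, not code from the paper or the presenter), a small classifier that tags query records the way a root-server operator would when diagnosing broken resolvers; the sample queries, the subset of valid TLDs and the tag names are constructed assumptions:

```python
import ipaddress
import re
from collections import Counter
# Constructed sample of (source IP, source port, qname, qtype), standing in for
# queries captured at a root server. Not real trace data.
SAMPLE_QUERIES = [
    ("192.0.2.10", 53, "www.example.com.", "A"),
    ("192.0.2.10", 53, "www.example.com.", "A"),          # B1: repeated
    ("10.1.2.3", 1024, "host.example.org.", "A"),         # B2: RFC 1918 source
    ("192.0.2.20", 53, "4.3.2.10.in-addr.arpa.", "PTR"),  # B2: PTR for 10.2.3.4
    ("192.0.2.30", 53, "printer.localdomain.", "A"),      # B3: invalid TLD
    ("192.0.2.40", 53, "192.0.2.5.", "A"),                # B4: A query for an IP
    ("192.0.2.50", 0, "example.net.", "A"),               # B5: source port 0
]
# Assumption: a small subset of delegated TLDs, not the full root zone.
VALID_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "arpa", "uk", "de"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def is_rfc1918(ip):
    # Explicit RFC 1918 check: ipaddress.is_private also covers other reserved ranges.
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def ptr_target(qname):
    """For w.z.y.x.in-addr.arpa. return the forward address x.y.z.w, else None."""
    labels = qname.rstrip(".").split(".")
    if len(labels) == 6 and labels[4:] == ["in-addr", "arpa"]:
        return ".".join(reversed(labels[:4]))
    return None

def classify(src_ip, src_port, qname, qtype, seen):
    """Return the sorted taxonomy tags for one query; 'seen' tracks repeats per source."""
    tags = set()
    key = (src_ip, qname, qtype)
    if seen[key]:                      # same (source, name, type) seen earlier in the trace
        tags.add("B1-repeated")
    seen[key] += 1
    target = ptr_target(qname) if qtype == "PTR" else None
    if is_rfc1918(src_ip) or (target and is_rfc1918(target)):
        tags.add("B2-private")         # leaked internal address as source or as PTR target
    if qtype == "A" and IPV4_LITERAL.match(qname.rstrip(".")):
        tags.add("B4-bogus-A")         # asking to resolve something that is already an IP
    elif qname.rstrip(".").split(".")[-1].lower() not in VALID_TLDS:
        tags.add("B3-invalid-tld")
    if src_port == 0:
        tags.add("B5-port-zero")       # root servers never answer these
    return sorted(tags)

def classify_trace(queries):
    seen = Counter()
    return [classify(*q, seen) for q in queries]
```

Summing the tags over a real trace with `Counter` gives the per-query percentages the paper reports; grouping by source IP instead gives the per-server figures in the summary.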