DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic
Yizheng Chen, Manos Antonakakis, Roberto Perdisci, Yacin Nadji, David Dagon, and Wenke Lee
Domain Name System
Machine-level Address
Human-readable Name
DNS for agility, scalability, etc.
• CDN server selection
– Really “close”? [Mao et al. USENIX ATEC 2002]
• Browser prefetching auto-completed domains
– Privacy? [Krishnan et al. LEET 2010]
• NXDOMAIN remapping
– Controversial? [Weaver et al. USENIX FOCI 2011]
McAfee
0.0.0.0.1.0.0.4e.11dfrin96mcqal3p534njpwplq.avqs.mcafee.com
0.0.0.0.1.0.0.4e.12kiq7cqq9lz7zbc4jza4n7nji.avqs.mcafee.com
0.0.0.0.1.0.0.4e.1bz5cjj8nbhqhpia1v8svi12g6.avqs.mcafee.com
0.0.0.0.1.0.0.4e.1pfrfc3jc9diw1lnd2jrha2ilq.avqs.mcafee.com
0.0.0.0.1.0.0.4e.1vcqruwkjhgp4qdhku6rpdqdsb.avqs.mcafee.com
0.0.0.0.1.0.0.4e.25tbw5dedhc2ap8ct1bi8jpp6i.avqs.mcafee.com
0.0.0.0.1.0.0.4e.2sprf11evqccpami3epfvj1r35.avqs.mcafee.com
0.0.0.0.1.0.0.4e.2tj85ckvumlddbmrbu67ev6s8t.avqs.mcafee.com
0.0.0.0.1.0.0.4e.35wv398iew1kdub6t35lbmwhbj.avqs.mcafee.com
0.0.0.0.1.0.0.4e.3amrhtqqbkvkbbqr8igcajdubv.avqs.mcafee.com
McAfee Global Threat Intelligence File Reputation
• Query for suspicious exe, pdf, apk files.
– suspicious: e.g., packed exe
0.0.0.0.1.0.0.4e.11dfrin96mcqal3p534njpwplq.avqs.mcafee.com
• Version and product information
• File hash
• Fingerprint information
• Environmental information
Google
p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n.191742.i1.ds.ipv6-exp.l.google.com
p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n.191742.i2.v4.ipv6-exp.l.google.com
p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n.191742.s1.v4.ipv6-exp.l.google.com
p2.a22antzfkdg5g.nay6cy6qq26fr64b.544760.i1.v4.ipv6-exp.l.google.com
p2.a22antzfkdg5g.nay6cy6qq26fr64b.544760.i2.ds.ipv6-exp.l.google.com
p2.a22bc6fi6edwk.qa2gdjd72sdbycs5.199480.i1.ds.ipv6-exp.l.google.com
p2.a22bc6fi6edwk.qa2gdjd72sdbycs5.199480.i2.v4.ipv6-exp.l.google.com
p2.a22bc6fi6edwk.qa2gdjd72sdbycs5.199480.s1.v4.ipv6-exp.l.google.com
p2.a22cax6c5l5h2.7s2llcerkgtvdu5f.632143.i2.ds.ipv6-exp.l.google.com
p2.a22cax6c5l5h2.7s2llcerkgtvdu5f.632143.s1.v4.ipv6-exp.l.google.com
Google IPv6 Experiment
Search request
Search results
+ background load
Background request www.google.*
*.ipv6-exp.l.google.com p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n.191742.i1.ds.ipv6-exp.l.google.com
• Recorded information:
– IPv4 and IPv6 addresses, as applicable
– Image request latency
– Browser/OS details (User-Agent string)
eSoft
load-0-p-01.up-1852280.mem-251379712-24440832-0-p-50.swap-236691456-297943040-0p-44.3302068.1222092134.device.trans.manage.esoft.com
load-0-p-49.up-1066332.mem-118550528-17743872-0-p-49.swap-186757120-347877376-0p-35.3300639.1643250616.device.trans.manage.esoft.com
load-0-p-90.up-41144.mem-193540096-523649024-0-p-19.swap-56713216-477921280-0p-11.3303042.3049260335.device.trans.manage.esoft.com
load-0-p-08.up-117864.mem-76529664-15839232-0-p-29.swap-13049856-529776640-0p-02.8551447.2050639502.device.trans.manage.esoft.com
load-0-p-01.up-122977.mem-76460032-16359424-0-p-29.swap-13180928-529645568-0p-02.8551447.2050639502.device.trans.manage.esoft.com
load-0-p-01.up-12664453.mem-195096576-117325824-0-p-39.swap-541405184-536096768-0p-50.5001772.2852986008.device.trans.manage.esoft.com
load-0-p-05.up-2968675.mem-405557248-302886912-0-p-39.swap-91910144-442724352-0p-17.3300672.2763414838.device.trans.manage.esoft.com
load-0-p-56.up-9190020.mem-112308224-14741504-0-p-43.swap-49680384-493146112-0p-09.8120531.946954102.device.trans.manage.esoft.com
load-0-p-38.up-1852942.mem-253808640-26693632-0-p-50.swap-236720128-297914368-0p-44.3302068.1222092134.device.trans.manage.esoft.com
load-0-p-13.up-9160910.mem-108138496-15101952-0-p-41.swap-48463872-494362624-0p-09.8120531.946954102.device.trans.manage.esoft.com
Characteristics of Disposable Domains
• Automatically generated
• “One-time use” pattern
• Signaling
• Share same name suffix
– E.g., ipv6-exp.l.google.com
Disposable Zones
• Low average cache hit rate
Individual Domain
– Over 90% of cache hit rates for domains under disposable zones are zero
– Cache hit rates for domains under non-disposable zones are evenly distributed
Impact of Disposable Domains
• DNS Caching
– heavy load, premature eviction of useful domains
– hierarchical cache
• DNSSEC-Enabled Resolvers
– be careful about implementation, e.g. verification
• Passive DNS Databases
– storage requirement
– query-response latency
Measure Disposable Domains
• Different than traditional content delivery?
• How prevalent?
• Growth?
• Implication?
Outline
• Data Collection and Analysis
• Defining Disposable Domains
• Mining Disposable Domains
• Results
• Discussion
• Conclusion
DNS Resolution
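[Figure: a stub resolver sends "A? www.example.com" to the recursive DNS server cluster, which queries the root server, the com. TLD and example.com. authoritative servers; the answer in both directions is "www.example.com IN A 192.0.12.0". Traffic between the stub resolver and the cluster is “below” the recursive servers; traffic between the cluster and the authoritative servers is “above”.]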
Notation
• Resource Record
– {t, r, d, qtype, ttl, rdata}
– t – timestamp
– r – anonymized IP address of host that issued the query
– d – queried domain name
– qtype – type of query
– ttl – time-to-live value
– rdata – resolved data
• Given the domain name d = www.example.com, TLD(d) = com, 2LD(d) = example.com, and 3LD(d) = www.example.com.
• We use the notion of “zone” loosely: it can be a 2LD, 3LD, or any Nth-level domain.
Dataset
• Full passive DNS (fpDNS) dataset
– A mid-western city in US, Comcast, RDNS Server Cluster
– 02/01/2011 to 02/07/2011, 09/02/2011, 09/13/2011, 11/14/2011, from 11/28/2011 to 12/10/2011, and 12/30/2011. (24 days)
– A NS CNAME
– 2.67TB
• Reduced passive DNS (rpDNS) dataset
– De-duplication
– 11/28/2011 to 12/10/2011
– 7 to 9 GB/Day
DNS Traffic Volume
[Figure: DNS traffic volume above and below the RDNS servers; labels: 10^6 Above RDNS Servers, 10^7 Below RDNS Servers]
Observation 1: Positive Caching.
Observation 2: Diurnal Effect – heavy load times!
Observation 3: Google + Akamai < Half Traffic.
Observation 4: No Negative Caching. [RFC2308]
NXDOMAIN: 40%
NXDOMAIN: 6%
DNS Long Tail of Lookup Volume
Observation 1: More than 90% of all RRs have lookup volumes lower than 10.
Observation 2: Long tail of lookup volume increased from 90% to 94% in 2011.
DNS Cache Hit Rate
• Black Box Analysis
• Domain Hit Rate
• Total query: answers seen below the RDNS cluster
• Cache miss: answers issued to the RDNS cluster observed above them
• Cache hit: total query - cache miss
• Cache Hit Rate
Domain Hit Rate Distribution
Observation 1: 89% of all RRs have domain hit rate of 0%.
Observation 2: Long tail of domain hit rate increased from 89% to 93% in 2011.
Cache Hit Rate Distribution
Observation: 58% of cache hit rates are lower than 50%.
DNS Deduplication
[Figure: new RRs observed per day, log scale]
Observation 1: The number of new RRs observed every day decreased by 13,614,102 (30%) on the 13th consecutive day.
Observation 2: The number of new Akamai RRs dropped by 128,957 records (69%) on the 13th day.
Observation 3: Google increases its daily new RRs by 4,264,585 (25%) on the 13th consecutive day.
Disposable Domains Definition
• Successfully resolved domain names that have the following two properties:
– Their name strings are automatically generated. Namely, some software generates them with an algorithm.
– The RRs under a given zone are only observed once, or a handful of times, when they are in the recursive DNS servers’ cache. More formally, the RRs of child domains under the zone have a low or close to zero median value in cache hit rate distribution.
Training Dataset
• 398 disposable zones
• 401 non-disposable zones
– Randomly selected 2LD zones from the top 1,000 Alexa domain names
Zone Structure
• Algorithm-generated string can be anywhere in the domain name
– 0.0.0.0.1.0.0.4e.11dfrin96mcqal3p534njpwplq.avqs.mcafee.com
– p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n.191742.i1.ds.ipv6-exp.l.google.com
– load-0-p-01.up-1852280.mem-251379712-24440832-0-p-50.swap-236691456-297943040-0p-44.3302068.1222092134.device.trans.manage.esoft.com
• Domains generated by the same algorithm are under the same zone, and have the same number of periods
• Intuition for Domain Name Tree
Cache Hit Rate Distribution
Observation 1: 90% of cache hit rates from disposable RRs are zero.
Observation 2: Half of cache hit rates from non-disposable RRs are over 0.58.
Disposable Zone Miner
[Figure: fpDNS data flows into the Disposable Zone Miner, which has three components, shown with an example domain name tree for example.com]
1. Domain Name Tree Builder
2. Disposable Domain Classifier
3. Disposable Zone Ranking
Six Tree Structure Features
Two Cache Hit Rate Features
Domain Name Tree
Built from a.example.com, i.1.a.example.com, 2.a.example.com, 3.a.example.com, 4.b.example.com, and c.example.com:
root
  com
    example.com
      a.example.com            (depth 3)
        1.a.example.com        (depth 4)
          i.1.a.example.com    (depth 5)
        2.a.example.com
        3.a.example.com
      b.example.com
        4.b.example.com
      c.example.com
  net
The slides highlight in turn: non-leaf nodes, leaf nodes, the child nodes of a.example.com, and the descendants of example.com.
Groups
• G_3 = {a.example.com, c.example.com}
• G_4 = {2.a.example.com, 3.a.example.com, 4.b.example.com}
• G_5 = {i.1.a.example.com}
• Set of labels for each G_k
• L_3 = {a, c}, L_4 = {a, b}, and L_5 = {a}
Tree Structure Features
• For each set G_k, we calculate the corresponding set L_k.
• Let the Shannon entropy of characters in the label l be H(l). For all the labels l_i (i = 1...m) in set L_k we compute the entropy values H(l_i).
– Cardinality m of the set L_k
– Maximum
– Minimum
– Average
– Median
– Variance of all H(l_i) values.
Cache Hit Rate Features
• From the cache hit rate distribution of each set G_k.
– Median
– Percentage of RRs with zero cache hit rate
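The tree-structure and cache-hit-rate features above, together with the black-box cache hit rate definition (total = answers below the RDNS cluster, miss = answers above), as runnable Python; this is an added example, not the authors' implementation. It assumes L_k holds the label directly below the zone, which is what reproduces the slide's L_3, L_4 and L_5; the function names and the answer counts are constructed.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, median, pvariance

def entropy(label):
    """H(l): Shannon entropy, in bits per character, of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def cache_hit_rates(events):
    """events: (side, domain) per answer, side is 'below' or 'above' the RDNS.
    Total = answers below, miss = answers above, hit rate = (total - miss) / total."""
    below, above = Counter(), Counter()
    for side, d in events:
        (below if side == "below" else above)[d.lower().rstrip(".")] += 1
    # Clamp at zero in case a name shows more answers above than below.
    return {d: max(n - above[d], 0) / n for d, n in below.items()}

def groups(domains, zone):
    """G_k: observed names strictly under `zone`, keyed by depth k (com = 1)."""
    g = defaultdict(set)
    for d in domains:
        if d.endswith("." + zone):
            g[d.count(".") + 1].add(d)
    return dict(g)

def label_set(group, zone):
    """L_k, read here as the label directly below the zone (assumption)."""
    cut = zone.count(".") + 2
    return {d.split(".")[-cut] for d in group}

def features(group, zone, chr_by_domain):
    """Six tree-structure features and two cache-hit-rate features for one G_k."""
    h = [entropy(l) for l in label_set(group, zone)]
    rates = [chr_by_domain[d] for d in group]
    return {"m": len(h), "h_max": max(h), "h_min": min(h), "h_avg": mean(h),
            "h_median": median(h), "h_var": pvariance(h),  # population variance
            "chr_median": median(rates),
            "chr_zero_pct": 100 * sum(r == 0 for r in rates) / len(rates)}

# Constructed sample: names taken from the slides, answer counts invented.
MCAFEE = ["0.0.0.0.1.0.0.4e.11dfrin96mcqal3p534njpwplq.avqs.mcafee.com",
          "0.0.0.0.1.0.0.4e.12kiq7cqq9lz7zbc4jza4n7nji.avqs.mcafee.com",
          "0.0.0.0.1.0.0.4e.1bz5cjj8nbhqhpia1v8svi12g6.avqs.mcafee.com"]
EVENTS = [(side, d) for d in MCAFEE for side in ("below", "above")]
for name, n_below in [("a.example.com", 4), ("c.example.com", 2),
                      ("2.a.example.com", 1), ("3.a.example.com", 1),
                      ("4.b.example.com", 1), ("i.1.a.example.com", 1)]:
    EVENTS += [("below", name)] * n_below + [("above", name)]

if __name__ == "__main__":
    chr_map = cache_hit_rates(EVENTS)
    for zone in ("example.com", "avqs.mcafee.com"):
        for k, g in sorted(groups(chr_map, zone).items()):
            print(zone, k, sorted(label_set(g, zone)), features(g, zone, chr_map))
```

The single-character labels of the example.com tree all have zero entropy, while the McAfee labels score above 3 bits per character with every cache hit rate at zero, which is the combination the classifier features are built to separate.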
Classify
• G_3 = {a.example.com, c.example.com}
• G_4 = {2.a.example.com, 3.a.example.com, 4.b.example.com}
• G_5 = {i.1.a.example.com}
Domain Name Tree
G_3 = {a.example.com, c.example.com} likely to be disposable!
[Figure: domain name tree for example.com]
Classifier
• LAD tree
• True Positive 97%
• False Positive 1%
Algorithm
Results
• Disposable Zone Miner was run over 02/01/2011, 09/02/2011, 09/13/2011, 11/14/2011, 11/29/2011, 12/30/2011.
• 12,397 2LDs, including 14,488 disposable zones, using disposable domains with over 90% confidence
Prevalence
• Popular websites
– labelled: Google, Microsoft
• AV/DNSBL
– labelled: McAfee, Sophos, Sonicwall
– new: countries.nerd.dk, Spamhaus, Mailshell, sorbs.net
• Social Network
– labelled: Facebook, Myspace
– new: photobucket, msn, linkbucks, torn, vkontakte, Quora
• Streaming Services
– labelled: Netflix
• P2P services
– new: Skype
• Tracking services
– new: esomniture.com
• Ad networks
– new: AdSense, Bluelink Marketing
• E-commerce business
– labelled: Paypal
– new: ClickBank
Skype
[Slide: sample disposable domain names under sa.skype.net]
Disposable domains and CDN
• 91 (0.6%) of 14,488 disposable zones were related to content delivery networks (CDNs).
• 24 (5.3%) of 451 CDN 2LDs (customized list of CDNs) are classified as disposable.
– False positives
– Extremely unpopular content
– Different level of service
Growth
Observation 1: Among daily unique queried domains seen below the RDNSs, disposable domains increased from 23.1% to 27.6%.
Observation 2: Among daily unique resolved domains seen below the RDNSs, disposable domains increased from 27.6% to 37.2%.
Observation 3: Percentage of daily unique disposable RRs increased from 38.3% to 65.5%.
Growth in DNS Long Tail
Discussion
• DNS Caching
Human Diurnal Behavior
– heavy load, premature eviction of useful domains in cache
– hierarchical cache
Time-to-live Histogram
[Figure: histogram of time-to-live values for disposable domains; TTL axis from 1e+00 to 1e+05, counts from 0.0e+00 to 2.0e+07, by month (February, December)]
Domain owners switched to use relatively larger TTL values over time.
Recursive DNS software enforce minimum zero [RFC 1536], [RFC 1912].
Discussion
• DNS Caching
– heavy load, premature eviction of useful domains in cache
– hierarchical cache
• DNSSEC-Enabled Resolvers
– be careful about implementation, e.g. verification
• Passive DNS Databases
– storage requirement
– query-response latency
New Resource Records over 13 days
Using wildcard in the storage scheme, we can reduce 129,674,213 distinct disposable resource records to 945,065 (0.7%).
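One way a passive DNS store could apply the wildcard idea above, as an added example rather than the authors' storage scheme: an RR whose name falls in a zone and depth flagged as disposable is stored under "*.zone". The function names, the (zone, depth) key shape and the 127.0.0.1 rdata are assumptions; the domain names come from the slides.

```python
from collections import Counter

def storage_key(domain, qtype, rdata, disposable):
    """Key under which one RR is stored.
    disposable: set of (zone, depth) pairs flagged by the classifier (assumed shape)."""
    name = domain.lower().rstrip(".")
    labels = name.split(".")
    depth = len(labels)
    # Walk parent zones from most to least specific; stop before the bare TLD.
    for i in range(1, depth - 1):
        zone = ".".join(labels[i:])
        if (zone, depth) in disposable:
            return ("*." + zone, depth, qtype, rdata)
    return (name, depth, qtype, rdata)

def deduplicate(rrs, disposable):
    """Collapse (domain, qtype, rdata) tuples; the count records how many
    distinct observations each stored key absorbed."""
    return Counter(storage_key(d, q, r, disposable) for d, q, r in rrs)

# Constructed sample: one flagged zone/depth and a handful of RRs.
DISPOSABLE = {("avqs.mcafee.com", 12)}
RRS = [
    ("0.0.0.0.1.0.0.4e.11dfrin96mcqal3p534njpwplq.avqs.mcafee.com", "A", "127.0.0.1"),
    ("0.0.0.0.1.0.0.4e.12kiq7cqq9lz7zbc4jza4n7nji.avqs.mcafee.com", "A", "127.0.0.1"),
    ("0.0.0.0.1.0.0.4e.1bz5cjj8nbhqhpia1v8svi12g6.avqs.mcafee.com", "A", "127.0.0.1"),
    ("www.example.com", "A", "192.0.12.0"),
    ("www.example.com", "A", "192.0.12.0"),
]

if __name__ == "__main__":
    for key, count in deduplicate(RRS, DISPOSABLE).items():
        print(count, key)
```

Keeping depth and rdata in the key means names under the same zone at an unflagged depth, or with a different answer, still get their own record.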
Conclusion
• We presented a study from large scale DNS traffic traces collected at Comcast serving millions of end users.
• We proposed a novel algorithm to measure DNS zones that extensively use disposable domains.
• We discussed the possible negative implications that disposable domains may have on the DNS caching infrastructure, DNSSEC-validating resolvers, and passive DNS data collection systems.