DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic


Yizheng Chen, Manos Antonakakis, Roberto Perdisci, Yacin Nadji, David Dagon, and Wenke Lee

Domain Name System

Machine-level Address

Human-readable Name


DNS for agility, scalability, etc.

•   CDN server selection

–   Really “close”? [Mao et al. USENIX ATEC 2002]

•   Browser prefetching auto-completed domains

–   Privacy? [Krishnan et al. LEET 2010]

•   NXDOMAIN remapping

–   Controversial? [Weaver et al. USENIX FOCI 2011]


McAfee


McAfee Global Threat Intelligence File Reputation

•   Query for suspicious exe, pdf, apk files.

–   suspicious: e.g., packed exe

0.0.0.0.1.0.0.4e.11dfrin96mcqal3p534njpwplq.avqs.mcafee.com

•   Version and product information

•   File hash

•   Fingerprint information

•   Environmental information

Google

Google IPv6 Experiment

•   Search request to www.google.*

•   Search results + background load

•   Background request to *.ipv6-exp.l.google.com

–   e.g., p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n.191742.i1.ds.ipv6-exp.l.google.com

•   Recorded information:

–   IPv4 and IPv6 addresses, as applicable

–   Image request latency

–   Browser/OS details (User-Agent string)

eSoft

Characteristics of Disposable Domains

•   Automatically generated

•   “One-time use” pattern

•   Signaling

•   Share same name suffix

–   E.g., ipv6-exp.l.google.com

Disposable Zones

•   Low average cache hit rate

Individual Domain

–   Over 90% of cache hit rates for domains under disposable zones are zero

–   Cache hit rates for domains under non-disposable zones are evenly distributed


Why do we care about disposable domain names

(and effectively zones)?

Impact of Disposable Domains

•   DNS Caching

–   heavy load, premature eviction of useful domains

–   hierarchical cache

•   DNSSEC-Enabled Resolvers

–   be careful about implementation, e.g. verification


•   Passive DNS Databases

–   storage requirement

–   query-response latency


Measure Disposable Domains

•   Different than traditional content delivery?

•   How prevalent?

•   Growth?

•   Implication?

Outline

•   Data Collection and Analysis

•   Defining Disposable Domains

•   Mining Disposable Domains

•   Results

•   Discussion


•   Conclusion

DNS Resolution

•   Stub Resolver to Recursive DNS Server Cluster (“Below”): query A? www.example.com, answer www.example.com IN A 192.0.12.0

•   Recursive DNS Server Cluster to . (Root Server), com. TLD, and example.com. (“Above”): query A? www.example.com, answer www.example.com IN A 192.0.12.0

Notation

•   Resource Record

–   {t, r, d, qtype, ttl, rdata}

–   t – timestamp

–   r – anonymized IP address of host that issued the query

–   d – queried domain name

–   qtype – type of query

–   ttl – time-to-live value

–   rdata – resolved data

•   Given the domain name d = www.example.com, TLD(d) = com, 2LD(d) = example.com, and 3LD(d) = www.example.com.

•   We use the notion of “zone” loosely; it can be a 2LD, 3LD, or any Nth-level domain.

Dataset

•   Full passive DNS (fpDNS) dataset

–   A mid-western city in US, Comcast, RDNS Server Cluster

–   02/01/2011 to 02/07/2011, 09/02/2011, 09/13/2011, 11/14/2011, from 11/28/2011 to 12/10/2011, and 12/30/2011. (24 days)

–   A NS CNAME

–   2.67TB

•   Reduced passive DNS (rpDNS) dataset

–   De-duplication

–   11/28/2011 to 12/10/2011

–   7 to 9 GB/Day

DNS Traffic Volume

Observation 1: Positive Caching. (Figure labels: 10^6 above RDNS servers, 10^7 below RDNS servers.)

Observation 2: Diurnal Effect – heavy load times!

Observation 3: Google + Akamai < Half Traffic.

Observation 4: No Negative Caching. [RFC2308] (Figure labels: NXDOMAIN: 40%, NXDOMAIN: 6%.)

DNS Long Tail of Lookup Volume

Observation 1: More than 90% of all RRs have lookup volumes lower than 10.

Observation 2: Long tail of lookup volume increased from 90% to 94% in 2011.

DNS Cache Hit Rate

•   Black Box Analysis

•   Domain Hit Rate

•   Total query: answers seen below the RDNS cluster

•   Cache miss: answers issued to the RDNS cluster observed above them

•   Cache hit: total query - cache miss

•   Cache Hit Rate

Domain Hit Rate Distribution

Observation 1: 89% of all RRs have domain hit rate of 0%.

Observation 2: Long tail of domain hit rate increased from 89% to 93% in 2011.

Cache Hit Rate Distribution

Observation: 58% of cache hit rates are lower than 50%.

DNS Deduplication

Observation 1: The number of new RRs observed every day decreased by 13,614,102 (30%) on the 13th consecutive day.

Observation 2: Number of new Akamai RRs dropped by 128,957 (69%) records on the 13th day.

Observation 3: Google increases its daily new RRs by 4,264,585 (25%) on the 13th consecutive day.


Disposable Domains Definition

•   Successfully resolved domain names that have the following two properties:

–   Their name strings are automatically generated. Namely, some software generates them with an algorithm.

–   The RRs under a given zone are only observed once, or a handful of times, when they are in the recursive DNS servers’ cache. More formally, the RRs of child domains under the zone have a low or close to zero median value in cache hit rate distribution.

Training Dataset

•   398 disposable zones

•   401 non-disposable zones

–   Randomly selected 2LD zones from the top 1,000 Alexa domain names

Zone Structure

•   Algorithm-generated string can be anywhere in the domain name

–   0.0.0.0.1.0.0.4e.11dfrin96mcqal3p534njpwplq.avqs.mcafee.com

–   p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n.191742.i1.ds.ipv6-exp.l.google.com

–   load-0-p-01.up-1852280.mem-251379712-24440832-0-p-50.swap-236691456-297943040-0p-44.3302068.1222092134.device.trans.manage.esoft.com

•   Domains generated by the same algorithm are under the same zone, and have the same number of periods

•   Intuition for Domain Name Tree

37

Cache Hit Rate Distribution

38

Cache Hit Rate Distribution

90%

Observation 1: 90% of cache hit rates from disposable RRs are zero.

39

Cache Hit Rate Distribution

Observation 2: Half of cache hit rates from non-disposable RRs are over 0.58.

50%

40

Cache Hit Rate Distribution

Observation 2: Half of cache hit rates from non-disposable RRs are over 0.58.

50%


Disposable Zone Miner

•   Input: FpDNS

•   1. Domain Name Tree Builder

•   2. Disposable Domain Classifier

•   3. Disposable Zone Ranking

•   Six Tree Structure Features

•   Two Cache Hit Rate Features

Domain Name Tree

•   Domains: a.example.com, i.1.a.example.com, 2.a.example.com, 3.a.example.com, 4.b.example.com, and c.example.com

•   root: com, net

•   com: example.com

•   depth 3: a.example.com, b.example.com, c.example.com

•   depth 4: 1.a.example.com, 2.a.example.com, 3.a.example.com, 4.b.example.com

•   depth 5: i.1.a.example.com

•   Diagram labels: non-leaf node, leaf node, child nodes of a.example.com, descendants of example.com

Groups

•   $G_3$ = {a.example.com, c.example.com}

•   $G_4$ = {2.a.example.com, 3.a.example.com, 4.b.example.com}

•   $G_5$ = {i.1.a.example.com}

•   Set of labels for each $G_k$

•   $L_3$ = {a,c}, $L_4$ = {a,b}, and $L_5$ = {a}

Tree Structure Features

•   For each set $G_k$, we calculate the corresponding set $L_k$.

•   Let the Shannon entropy of characters in the label $l$ be $H(l)$. For all the labels $l_i$ ($i = 1 \ldots m$) in set $L_k$ we compute the entropy values $H(l_i)$.

–   Cardinality $m$ of the set $L_k$

–   Maximum

–   Minimum

–   Average

–   Median

–   Variance of all $H(l_i)$ values.

Cache Hit Rate Features

•   From the cache hit rate distribution of each set $G_k$.

–   Median

–   Percentage of RRs with zero cache hit rate
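The grouping and the eight features described above, worked through in Python as an added example (not the authors' code). It assumes cache hit rate = cache hits / total queries, and that $L_k$ holds the label directly below the zone, which is what the slide's $L_3$, $L_4$, $L_5$ values imply; the q.example.net names and all query counts are constructed.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, median, pvariance

def shannon_entropy(label):
    """H(l): Shannon entropy, in bits, of the characters in one label."""
    n = len(label)
    return sum(c / n * math.log2(n / c) for c in Counter(label).values())

def cache_hit_rate(below, above):
    """Black-box estimate: answers seen below the RDNS cluster are total
    queries, answers seen above are misses; rate = hits / total (assumed)."""
    return (below - above) / below if below else 0.0

def groups_by_depth(zone, observed):
    """G_k: observed domains under `zone`, keyed by label count k."""
    groups = defaultdict(set)
    for d in observed:
        if d.endswith("." + zone):
            groups[d.count(".") + 1].add(d)
    return dict(groups)

def label_set(zone, group):
    """L_k: the label directly below the zone for each domain in G_k
    (assumed reading of the slide's L_3, L_4, L_5 values)."""
    return {d[: -len(zone) - 1].split(".")[-1] for d in group}

def features(zone, group, hit_rates):
    """Six tree-structure features and two cache-hit-rate features for G_k."""
    ent = [shannon_entropy(l) for l in label_set(zone, group)]
    rates = [hit_rates[d] for d in group]
    return {
        "cardinality": len(ent),
        "max": max(ent), "min": min(ent), "avg": mean(ent),
        "median": median(ent),
        "variance": pvariance(ent),  # population variance: defined for m = 1
        "chr_median": median(rates),
        "chr_zero_pct": 100.0 * sum(r == 0 for r in rates) / len(rates),
    }

# (answers below, answers above) per domain. Names under example.com are the
# slide's tree; q.example.net names and all counts are constructed.
COUNTS = {
    "a.example.com": (10, 2), "c.example.com": (4, 4),
    "2.a.example.com": (1, 1), "3.a.example.com": (1, 1),
    "4.b.example.com": (2, 2), "i.1.a.example.com": (1, 1),
    "x7k2.q.example.net": (1, 1), "9fqa.q.example.net": (1, 1),
    "m3zt.q.example.net": (1, 1),
}
HIT_RATES = {d: cache_hit_rate(b, a) for d, (b, a) in COUNTS.items()}

if __name__ == "__main__":
    for zone in ("example.com", "q.example.net"):
        for k, g in sorted(groups_by_depth(zone, COUNTS).items()):
            print(zone, k, sorted(label_set(zone, g)),
                  features(zone, g, HIT_RATES))
```

The constructed q.example.net group shows the profile the classifier keys on: high per-label entropy together with a 100% share of zero cache hit rates.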

Classify

•   $G_3$ = {a.example.com, c.example.com}

•   $G_4$ = {2.a.example.com, 3.a.example.com, 4.b.example.com}

•   $G_5$ = {i.1.a.example.com}

Domain Name Tree

•   $G_3$ = {a.example.com, c.example.com} likely to be disposable!

Classifier

•   LAD tree

•   True Positive 97%

•   False Positive 1%


Algorithm


Results

•   Disposable Zone Miner was run over 02/01/2011, 09/02/2011, 09/13/2011, 11/14/2011, 11/29/2011, 12/30/2011.

•   12,397 2LDs including 14,488 disposable zones using disposable domains with over 90% confidence


Prevalence

•   Popular websites

–   labelled: Google, Microsoft

•   AV/DNSBL

–   labelled: McAfee, Sophos, Sonicwall

–   new: countries.nerd.dk, Spamhaus, Mailshell, sorbs.net

•   Social Network

–   labelled: Facebook, Myspace

–   new: photobucket, msn, linkbucks, torn, vkontakte, Quora

•   Streaming Services

–   labelled: Netflix

•   P2P services

–   new: Skype

•   Tracking services

–   new: esomniture.com

•   Ad networks

–   new: AdSense, Bluelink Marketing

•   E-commerce business

–   labelled: Paypal

–   new: ClickBank

Skype

Disposable domains and CDN

•   91 (0.6%) of 14,488 disposable zones were related to content delivery networks (CDNs).

•   24 (5.3%) of 451 CDN 2LDs (customized list of CDNs) are classified as disposable.

–   False positives

–   Extremely unpopular content

–   Different level of service


Growth

Observation 1: Among daily unique queried domains seen below the RDNSs, disposable domains increased from 23.1% to 27.6%.

Observation 2: Among daily unique resolved domains seen below the RDNSs, disposable domains increased from 27.6% to 37.2%.

Observation 3: Percentage of daily unique disposable RRs increased from 38.3% to 65.5%.

Growth in DNS Long Tail


Discussion

•   DNS Caching

Human Diurnal Behavior

–   heavy load, premature eviction of useful domains in cache

–   hierarchical cache

Time-to-live Histogram

[Figure: Time-to-live for Disposable Domains; x-axis: TTL; legend (month): December, February]

Domain owners switched to use relatively larger TTL values over time.

Recursive DNS software enforce minimum zero [RFC 1536], [RFC 1912].

Discussion

•   DNS Caching

–   heavy load, premature eviction of useful domains in cache

–   hierarchical cache

•   DNSSEC-Enabled Resolvers

–   be careful about implementation, e.g. verification


•   Passive DNS Databases

–   storage requirement

–   query-response latency

New Resource Records over 13 days

Using wildcard in the storage scheme, we can reduce 129,674,213 distinct disposable resource records to 945,065 (0.7%).
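One way a passive DNS store could apply such a wildcard scheme, as an added example (not the authors' implementation). It assumes records are keyed on (name, qtype, rdata) and that every name below a known disposable zone is stored as `*.<zone>`; the zone suffixes are the ones shown on the slides, while the labels, rdata values and the `ns.example.net` name are constructed.

```python
def to_wildcard(name, disposable_zones):
    """Map a name below a disposable zone to '*.<zone>'; leave others as is."""
    labels = name.rstrip(".").lower().split(".")
    # Longest proper suffix first, so the most specific zone wins and the
    # zone's own name is never rewritten.
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in disposable_zones:
            return "*." + suffix
    return ".".join(labels)

def compact(records, disposable_zones):
    """De-duplicate (name, qtype, rdata) records after wildcard rewriting,
    counting how many raw records each stored record stands for."""
    stored = {}
    for name, qtype, rdata in records:
        key = (to_wildcard(name, disposable_zones), qtype, rdata)
        stored[key] = stored.get(key, 0) + 1
    return stored

# Zone suffixes as shown on the slides; everything else is constructed.
ZONES = {"avqs.mcafee.com", "ipv6-exp.l.google.com"}
RECORDS = [
    ("0.0.0.0.1.0.0.4e.aaaa1111.avqs.mcafee.com", "A", "192.0.2.10"),
    ("0.0.0.0.1.0.0.4e.bbbb2222.avqs.mcafee.com", "A", "192.0.2.10"),
    ("0.0.0.0.1.0.0.4e.cccc3333.avqs.mcafee.com", "A", "192.0.2.10"),
    ("p2.aaaa.bbbb.100001.i1.ds.ipv6-exp.l.google.com", "A", "192.0.2.20"),
    ("p2.cccc.dddd.100002.i2.v4.ipv6-exp.l.google.com", "A", "192.0.2.21"),
    ("avqs.mcafee.com", "NS", "ns.example.net"),
    ("www.example.com", "A", "192.0.2.80"),
]

if __name__ == "__main__":
    stored = compact(RECORDS, ZONES)
    print(len(RECORDS), "raw records ->", len(stored), "stored records")
    for key, count in stored.items():
        print(count, key)
```

Rewriting to a wildcard discards the per-query labels, so a store that needs them for later investigation has to keep the raw names elsewhere.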


Conclusion

•   We presented a study from large scale DNS traffic traces collected at Comcast serving millions of end users.

•   We proposed a novel algorithm to measure DNS zones that extensively use disposable domains.

•   We discussed the possible negative implications that disposable domains may have on the DNS caching infrastructure, DNSSEC-validating resolvers, and passive DNS data collection systems.
