Resolvers Revealed: Characterizing DNS Resolvers and their Clients

The Domain Name System (DNS) allows clients to use resolvers, sometimes called caches, to query a set of authoritative servers to translate host names into IP addresses. Prior work has proposed using the interaction between these DNS resolvers and the authoritative servers as an access control mechanism. However, while prior work has examined the DNS from many angles, the resolver component has received little scrutiny. Essential factors for using a resolver in an access control system, such as whether a resolver is part of an ISP’s infrastructure or running on an end-user’s system, have not been examined. In this study, we examine DNS resolver behavior and usage, ranging from query patterns and reactions to nonstandard responses, to passive association techniques that pair resolvers with their client hosts. In doing so, we discover evidence of security protocol support, misconfigured resolvers, techniques to fingerprint resolvers, and features for detecting automated clients. These measurements can influence the implementation and design of these resolvers and DNS-based access control systems.
