A High-Performance, Scalable Infrastructure for Large-Scale Active DNS Measurements

The domain name system (DNS) is a core component of the Internet. It performs the vital task of mapping human-readable names into machine-readable data (such as IP addresses, which hosts handle e-mail, and so on). The content of the DNS reveals a lot about the technical operations of a domain. Thus, studying the state of large parts of the DNS over time reveals valuable information about the evolution of the Internet. We collect a unique long-term data set with daily DNS measurements for all the domains under the main top-level domains (TLDs) on the Internet (including .com, .net, and .org, comprising 50% of the global DNS name space). This paper discusses the challenges of performing such a large-scale active measurement. These challenges include scaling the daily measurement to collect data for the largest TLD (.com, with 123M names) and ensuring that a measurement of this scale does not impose an unacceptable burden on the global DNS infrastructure. The paper discusses the design choices we have made to meet these challenges and documents the design of the measurement system we implemented based on these choices. Two case studies related to cloud e-mail services illustrate the value of measuring the DNS at this scale. The data this system collects is valuable to the network research community. Therefore, we end this paper by discussing how we make the data accessible to other researchers.
