Description
The Domain Name System (DNS) is a fundamental protocol of the Internet. Enhancing its efficiency requires in-depth analysis of DNS data. The analysis of negative responses (in this paper, with a focus on NXDOMAIN, response code 3) is a critical area of research, as it directly affects the security and performance of servers from the root to the recursive level. In September 2022, a bug in a Chinese top-level application caused users' MAC addresses to be sent to the DNS query system as domain name requests. This issue affected several DNS servers, including root servers.
As the operator of an open resolver that carries approximately 5% of DNS traffic in China, we have developed a monitoring system that tracks negative responses in the DNS system and identifies anomalies in a timely manner. This system also enables regional analysis of DNS efficiency, providing insight into performance in different areas.
To uncover anomalies within this data, we clustered NXDOMAIN names into distinct patterns based on their string characteristics and analysed the causes of these patterns. We found that the causes ranged from server misconfiguration, such as DNS suffixes, to application-related causes, such as DNS blacklisting, reverse lookups, or Chromoids. By monitoring the long-tail, non-patterned NXDOMAIN query names, the proposed system can identify and actively monitor the domain name patterns of recent large-scale NXDOMAIN events. In addition, from a regional perspective, there are significant differences in the rate of NXDOMAIN responses between different provinces in China, likely due to the specific equipment used by local operators.
We hope to collaborate with the community to enhance the efficiency and security of the DNS system.
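A minimal sketch of the pattern bucketing and long-tail monitoring described above, added here as an illustration and not the speakers' system. The regexes, the suffix list, the `shape` skeleton and the sample names are all assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumed heuristics (not the speakers' rules); the first matching regex wins.
PATTERNS = [
    ("reverse_lookup", re.compile(r"\.(in-addr|ip6)\.arpa$")),
    ("dns_blacklist", re.compile(r"^(\d{1,3}\.){4}[a-z0-9.-]+$")),
    ("mac_address", re.compile(r"^([0-9a-f]{12}|([0-9a-f]{2}-){5}[0-9a-f]{2})(\.|$)")),
    ("chromoid", re.compile(r"^[a-z]{7,15}$")),  # single random-looking label
    ("dns_suffix", re.compile(r"^.+\.[a-z]{2,}\.(lan|home|localdomain)$")),
]

def normalize(qname):
    return qname.strip().lower().rstrip(".")

def classify(qname):
    """Return the name of the first pattern the query name matches."""
    name = normalize(qname)
    for label, rx in PATTERNS:
        if rx.search(name):
            return label
    return "unpatterned"

def shape(qname):
    """Character-class skeleton: 'dev-0012.example' -> 'a3-d4.a7'."""
    return re.sub(r"[a-z]+|\d+",
                  lambda m: ("a" if m.group()[0].isalpha() else "d") + str(len(m.group())),
                  normalize(qname))

def emerging_shapes(qnames, min_count=3):
    """Long-tail view: shapes shared by >= min_count unpatterned names."""
    tail = Counter(shape(q) for q in qnames if classify(q) == "unpatterned")
    return {s: n for s, n in tail.items() if n >= min_count}

# Constructed sample of NXDOMAIN query names (not real traffic).
SAMPLE = [
    "00-1A-2B-3C-4D-5E.", "a1b2c3d4e5f6.example.",
    "4.3.2.1.in-addr.arpa.", "2.0.0.127.dnsbl.example.",
    "qwhzkvbtr.", "www.example.com.lan.", "printer.example.",
    "dev-0012.cfg-sync.example.", "dev-0913.cfg-sync.example.",
    "dev-4471.cfg-sync.example.",
]

if __name__ == "__main__":
    print(Counter(classify(q) for q in SAMPLE))
    print(emerging_shapes(SAMPLE))
```

A shape that suddenly accumulates many unpatterned names is a candidate for a new named pattern, which is how a fresh large-scale NXDOMAIN event would surface in this sketch.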