Speakers
Description
We think we understand how DNS is used. But what does authoritative DNS traffic at scale actually reveal about resolver behavior, application trends, and operational reality? Authoritative DNS servers sit at a uniquely powerful vantage point in enterprise infrastructure. The query and response traffic they handle offers a rich and frequently under-explored source of operational, architectural, and security insight, which this talk will delve into.
What does real-world enterprise DNS traffic actually look like? Who is querying it—and for what? Which record types dominate, and which emerging types are gaining traction? Do resolvers behave as expected, or do we see unexpected behavior such as persistent retries after NXDOMAIN responses? Are there unexpected queries for internal names? Which domains and resolvers are the “top talkers,” and how do these patterns evolve over time?
In this talk, we present findings from a multi-month analysis of authoritative DNS traffic across enterprise zones hosted at a managed DNS provider. We examine domain and resolver populations, distributions of query types and classes, response codes, TTL characteristics, and client retry behavior. We explore DNSSEC deployment signals (e.g., DO-bit prevalence and signed response rates) and analyze EDNS header flags and options, looking for signals that reveal the adoption of newer protocol features (Compact Answers, DELEG, HTTPS, SVCB, etc.). We highlight observable trends that reflect broader application, resolver, and DNS ecosystem changes.
Beyond measurement results, we also describe the server-side data collection and analytics architecture that enables high-volume DNS telemetry analysis at scale. Finally, we discuss ongoing work and some early results that leverage emerging AI-driven techniques to extract deeper operational and security insights from authoritative DNS traffic.
Attendees will come away with a clearer understanding of how enterprise DNS data is actually consumed in the wild—and how authoritative traffic analysis can inform capacity planning, misconfiguration detection, security investigations, and future architectural decisions.
| Talk duration | 20 Minutes (+5 for Q&A) |
|---|---|