DNS Measurement at a Root Server

1
DNS Measurement at a Root Server

• Nevil Brownlee, kc Claffy and Evi Nemeth
• Presented by Zhengxiang Pan
• Mar. 27th, 2003

2
Introduction

• DNS Domain Name System
• BIND Berkeley Internet Name Domain System

Local Name Server
UDP
client
Local Name Server
Root Server
Local Name Server
3
Methodology
Passive capture DNS packets at F.root-server.net U
se Tcpdump Error logs
4
Results

• A. query rate
• Responds 93 of the input packets.

5
Error taxonomy

• B1. Repeated queries
• Maybe the results of a broken nameserver or a
  broken client.
• B2. Private Address Space
• About 7 of the queries are asking for hostname
  associated with an RFC 1918 address.
• 2 - 3 of the queries have the source IP address
  in RFC 1918 space.

6
Error taxonomy

• B3. Top Level Domains
• In 1 hour trace of Jan. 7, 2001
• 16.5 of the servers asked only INVALID TLD
• 37.1 of the servers asked at least one INVALID
  TLD

7
Error taxonomy

• B4. Bogus A Queries
• A query hostname ? IP address
• 12-18 A queries target IP address
• B5. Source Port Zero
• Port 0 is reserved and not valid in UDP / TCP.
• Root servers never answer queries from port 0

8
Error Taxonomy

• B6. Dynamic Updates
• DHCP can dynamic update local nameserver, should
  not try to update root servers.

9
Results

• Attacks
• Spoofing source IP, using root server as
  reflector, flooding the attack target with
  answers it did not ask.
• Scanning IP space.
• Microsofts DNS woes
• Jan. 24, 2001 Microsoft nameserves down, query
  load for Microsoft names go to over 25 of the
  total query load.

10
Summary

• Percentages of servers have bad behaviors
• 13 bogus A query
• 35 invalid TLD
• 35 leaking internal information
• Strategy
• Diagnose and repair bugs in implementation
• Deploy negative answers