Impact of Configuration Errors on DNS Robustness

IBM Res., Hawthorne, NY
IEEE Journal on Selected Areas in Communications (Impact Factor: 3.45), 27(3):275-290, 05/2009. DOI: 10.1109/JSAC.2009.090404
Source: DBLP


During the past twenty years the Domain Name System (DNS) has sustained phenomenal growth while maintaining satisfactory user-level performance. However, the original design focused mainly on system robustness against physical failures, and neglected the impact of operational errors such as mis-configurations. Our measurement efforts have revealed a number of mis-configurations in DNS today: delegation inconsistency, lame delegation, diminished server redundancy, and cyclic zone dependency. Zones with configuration errors suffer from reduced availability and increased query delays up to an order of magnitude. The original DNS design assumed that redundant DNS servers fail independently, but our measurements show that operational choices create dependencies between servers. We found that, left unchecked, DNS configuration errors are widespread. Specifically, lame delegation affects 15% of the measured DNS zones, delegation inconsistency appears in 21% of the zones, diminished server redundancy is even more prevalent, and cyclic dependency appears in 2% of the zones. We also noted that the degrees of mis-configuration vary from zone to zone, with the most popular zones having the lowest percentage of errors. Our results indicate that DNS, as well as any other truly robust large-scale system, must include systematic checking mechanisms to cope with operational errors.
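The four misconfiguration classes the abstract names can be detected mechanically from the parent's delegation, the child zone's own NS set, and the servers' addresses. The following is an added example, not code from the paper; the ZONES and ADDRS tables, the server names and addresses are constructed sample data, and cyclic dependency is found by following out-of-zone NS names until they lead back to the starting zone.

```python
from ipaddress import ip_interface

# Constructed sample data (not from the paper): per zone, the NS set the parent
# delegates, the NS set the zone publishes, and the servers answering authoritatively.
ZONES = {
    "example.test": {"parent_ns": {"ns1.example.test", "ns2.example.test"},
                     "child_ns": {"ns1.example.test", "ns3.example.test"},
                     "authoritative": {"ns1.example.test", "ns3.example.test"}},
    "alpha.test": {"parent_ns": {"ns.beta.test", "ns2.beta.test"},
                   "child_ns": {"ns.beta.test", "ns2.beta.test"},
                   "authoritative": {"ns.beta.test", "ns2.beta.test"}},
    "beta.test": {"parent_ns": {"ns.alpha.test"}, "child_ns": {"ns.alpha.test"},
                  "authoritative": {"ns.alpha.test"}},
}
ADDRS = {"ns1.example.test": "192.0.2.10", "ns2.example.test": "192.0.2.11",
         "ns3.example.test": "192.0.2.12", "ns.beta.test": "198.51.100.5",
         "ns2.beta.test": "203.0.113.6", "ns.alpha.test": "203.0.113.9"}

def delegation_inconsistency(zone):
    # NS names that appear in only one of the parent's and the child's NS sets
    return ZONES[zone]["parent_ns"] ^ ZONES[zone]["child_ns"]

def lame_servers(zone):
    # delegated servers that do not answer authoritatively for the zone
    return ZONES[zone]["parent_ns"] - ZONES[zone]["authoritative"]

def diminished_redundancy(zone, prefixlen=24):
    # True when every delegated server sits in one /prefixlen network,
    # so a single prefix outage takes the whole zone down
    nets = {ip_interface(f"{ADDRS[ns]}/{prefixlen}").network
            for ns in ZONES[zone]["parent_ns"]}
    return len(nets) == 1

def hosting_zone(name):
    # longest known zone that is a proper suffix of the server name
    labels = name.split(".")
    return next((".".join(labels[i:]) for i in range(1, len(labels))
                 if ".".join(labels[i:]) in ZONES), None)

def cyclic_dependency(zone, cur=None, seen=frozenset()):
    # True when following out-of-zone NS names leads back to the zone itself;
    # in-zone server names are reached via glue and create no dependency
    cur = cur or zone
    for dep in {hosting_zone(ns) for ns in ZONES[cur]["parent_ns"]}:
        if dep in (None, cur) or dep in seen:
            continue
        if dep == zone or cyclic_dependency(zone, dep, seen | {dep}):
            return True
    return False
```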

Cited by:
  • "A DNS query failure often signifies that the requested resource does not exist in the system when the query is issued. While such a failure may be caused by a mis-typed host name or URL by a human user or occasionally due to DNS misconfigurations by human operators [1], a large portion of DNS query failures can be attributed to other causes — as pointed out in several recent studies [2], [3], [4]. For instance, several anti-spam and anti-virus services employ DNS "overloading" to notify a querying host whether the requested domain name belongs to the blacklists they maintain (e.g., of email spam servers or reported attack sites)."
    ABSTRACT: As a key approach to securing large networks, existing anomaly detection techniques focus primarily on network traffic data. However, the sheer volume of such data often renders detailed analysis very expensive and reduces the effectiveness of these tools. In this paper, we propose a light-weight anomaly detection approach based on unproductive DNS traffic, namely, the failed DNS queries, with a novel tool - DNS failure graphs. A DNS failure graph captures the interactions between hosts and failed domain names. We apply a graph decomposition algorithm based on the tri-nonnegative matrix factorization technique to iteratively extract coherent co-clusters (dense subgraphs) from DNS failure graphs. By analyzing the co-clusters in the daily DNS failure graphs from a 3-month DNS trace captured at a large campus network, we find these co-clusters represent a variety of anomalous activities, e.g., spamming, trojans, bots, etc. In addition, these activities often exhibit distinguishable subgraph structures. By exploring the temporal properties of the co-clusters, we show our method can identify new anomalies that likely correspond to unreported domain-flux bots.
    Network Protocols (ICNP), 2010 18th IEEE International Conference on; 11/2010
  • "This phenomenon has also been discussed by Pappas et al. [10]. A zone in DNS usually provides at least two name servers to serve RRs in case one server is down or unavailable through maintenance, or hardware or software failures."
    ABSTRACT: DNS is one of the most important components of the Internet infrastructure. Unfortunately, it is known to be difficult to implement, and available implementations are difficult to configure correctly. DNS performance and availability often suffer from poor configuration, which leads to unavailability or erroneous behavior of distributed systems that depend on DNS. The data structures of DNS have grown historically. Some are no longer needed, some have changed their semantics. However, they have to be maintained by implementations. We measure the extent of configuration issues in DNS data and propose simplifications to DNS data types and semantics that would allow building more dependable implementations. New DNS implementations could also reduce complexity by ignoring certain functionality of DNS that is not needed or that can be implemented in other ways.
  • "We also consider the role of glue records and caching. Pappas et al. [2] surveyed the DNS infrastructure for configuration errors that negatively impact DNS robustness. The authors examined subtle misconfigurations that could bring about behaviors such as diminished server redundancy, lame delegation, and cyclic dependency."
    ABSTRACT: The domain name system (DNS) is integral to today's Internet. Name resolution for a domain is often dependent on servers well outside the control of the domain's owner. In this paper we propose a formal model for analyzing the name dependencies inherent in DNS, based on protocol specification and actual implementations. We derive metrics to quantify the extent to which domain names affect other domain names. It is found that under certain conditions, the name resolution for over one-half of the queries exhibits influence of domains not expressly configured by administrators. This result serves to quantify the degree of vulnerability of DNS due to dependencies that administrators are unaware of. The model presented in the paper also shows that the set of domains whose resolution affects a given domain name is much smaller than previously thought. The model also shows that with caching of NS target addresses, the number of influential domains expands greatly, thereby making the DNS infrastructure more vulnerable.
    Proceedings of the 17th annual IEEE International Conference on Network Protocols, 2009. ICNP 2009, Princeton, NJ, USA, 13-16 October 2009; 10/2009