Impact of configuration errors on DNS robustness

IBM Research, Hawthorne, NY
IEEE Journal on Selected Areas in Communications (Impact Factor: 3.12). 05/2009; DOI: 10.1109/JSAC.2009.090404
Source: DBLP

ABSTRACT: During the past twenty years the Domain Name System (DNS) has sustained phenomenal growth while maintaining satisfactory user-level performance. However, the original design focused mainly on system robustness against physical failures, and neglected the impact of operational errors such as mis-configurations. Our measurement efforts have revealed a number of mis-configurations in DNS today: delegation inconsistency, lame delegation, diminished server redundancy, and cyclic zone dependency. Zones with configuration errors suffer from reduced availability and increased query delays of up to an order of magnitude. The original DNS design assumed that redundant DNS servers fail independently, but our measurements show that operational choices create dependencies between servers. We found that, left unchecked, DNS configuration errors are widespread. Specifically, lame delegation affects 15% of the measured DNS zones, delegation inconsistency appears in 21% of the zones, diminished server redundancy is even more prevalent, and cyclic dependency appears in 2% of the zones. We also noted that the degrees of mis-configuration vary from zone to zone, with the most popular zones having the lowest percentage of errors. Our results indicate that DNS, as well as any other truly robust large-scale system, must include systematic checking mechanisms to cope with operational errors.

  • ABSTRACT: Content Delivery Networks (CDNs) rely on the Domain Name System (DNS) for replica server selection. DNS-based server selection builds on the assumption that, in the absence of information about the client's actual network location, the location of a client's DNS resolver provides a good approximation. The recent growth of remote DNS services breaks this assumption and can negatively impact clients' web performance. In this paper, we assess the end-to-end impact of using remote DNS services on CDN performance and present the first evaluation of an industry-proposed solution to the problem. We find that remote DNS usage can indeed significantly impact clients' web performance and that the proposed solution, if available, can effectively address the problem for most clients. Considering the performance cost of remote DNS usage and the limited adoption base of the industry-proposed solution, we present and evaluate an alternative approach, Direct Resolution, to readily obtain comparable performance improvements without requiring CDN or DNS participation.
    Proceedings of the 2012 ACM conference on Internet measurement conference; 11/2012
  • ABSTRACT: The Domain Name System (DNS) allows clients to use resolvers, sometimes called caches, to query a set of authoritative servers to translate host names into IP addresses. Prior work has proposed using the interaction between these DNS resolvers and the authoritative servers as an access control mechanism. However, while prior work has examined the DNS from many angles, the resolver component has received little scrutiny. Essential factors for using a resolver in an access control system, such as whether a resolver is part of an ISP's infrastructure or running on an end-user's system, have not been examined. In this study, we examine DNS resolver behavior and usage, from query patterns and reactions to nonstandard responses to passive association techniques to pair resolvers with their client hosts. In doing so, we discover evidence of security protocol support, misconfigured resolvers, techniques to fingerprint resolvers, and features for detecting automated clients. These measurements can influence the implementation and design of these resolvers and DNS-based access control systems.
    ACM Transactions on Internet Technology (TOIT). 07/2013; 12(4).
  • ABSTRACT: This paper presents a Linux virtual server (LVS) based cluster system which is designed to simulate the operation of E-mail service in the real world. For a complete study of the system we build a load generator that is used to perform a series of stress-tests with LVS load-balancing technology. We obtain important results by comparing a series of stress-testing reports. After we take some steps to resolve problems of the system, we obtain the expected results, that is, a well-designed system which provides scalable, reliable and highly cost-efficient E-mail service.
    Electrical and Computer Engineering (CCECE), 2013 26th Annual IEEE Canadian Conference on; 01/2013

Full text available from May 28, 2014