Duane Wessels

IBM, Armonk, New York, United States


Publications (13) · 3.12 Total impact

  • ABSTRACT: As more and more authority DNS servers turn on DNS security extensions (DNSSEC), it becomes increasingly important to understand whether, and how many, DNS resolvers perform DNSSEC validation. In this paper we present a query-based measurement method, called Check-Repeat, to gauge the presence of DNSSEC validating resolvers. Utilizing the fact that most validating resolver implementations retry DNS queries with a different authority server if they receive a bad DNS response, Check-Repeat can identify validating resolvers by removing the signatures from regular DNS responses and observing whether a resolver retries DNS queries. We tested Check-Repeat in different scenarios and our results showed that Check-Repeat can identify validating resolvers with a low error rate. We also cross-checked our measurement results with DNS query logs from .COM and .NET domains, and confirmed that the resolvers measured in our study can account for more than 60% of DNS queries in the Internet.
    INFOCOM, 2013 Proceedings IEEE; 01/2013
  • ABSTRACT: As more and more authority DNS servers turn on DNS security extensions (DNSSEC), it becomes increasingly important to understand whether, and how many, DNS resolvers perform DNSSEC validation. In this paper we present a query-based measurement method, called Check-Repeat, to gauge the presence of DNSSEC validating resolvers. Utilizing the fact that most validating resolver implementations retry DNS queries with a different authority server if they receive a bad DNS response, Check-Repeat can identify validating resolvers by removing the signatures from regular DNS responses and observing whether a resolver retries DNS queries. We tested Check-Repeat in different scenarios and our results showed that Check-Repeat can identify validating resolvers with a low error rate. We also cross-checked our measurement results with DNS query logs from .COM and .NET domains, and confirmed that the resolvers measured in our study can account for more than 60% of DNS queries in the Internet.
    Computer Communications Workshops (INFOCOM WKSHPS), 2013 IEEE Conference on; 01/2013
  • Yingdi Yu, Duane Wessels, Matt Larson, Lixia Zhang
    ABSTRACT: Operators of high-profile DNS zones utilize multiple authority servers for performance and robustness. We conducted a series of trace-driven measurements to understand how current caching resolver implementations distribute queries among a set of authority servers. Our results reveal areas for improvement in the "apparently sound" server selection schemes used by some popular implementations. In some cases, the selection schemes lead to sub-optimal behavior of caching resolvers, e.g. sending a significant amount of queries to unresponsive servers. We believe that most of these issues are caused by careless implementations, such as continuing to decrease a server's SRTT after the server has been selected, treating unresponsive servers as responsive ones, and using a constant SRTT decay factor. For the problems identified in this work, we recommend corresponding solutions.
    Computer Communication Review - CCR. 01/2012;
  • ABSTRACT: The Domain Name System (DNS) is a crucial component of today's Internet. The top layer of the DNS hierarchy (the root name-servers) is facing dramatic changes: cryptographically signing the root zone with DNSSEC, deploying Internationalized Top-Level Domain (TLD) Names (IDNs), and addition of other new global Top Level Domains (TLDs). ICANN has stated plans to deploy all of these changes in the next year or two, and there is growing interest in measurement, testing, and provisioning for foreseen (or unforeseen) complications. We describe the Day-in-the-Life annual datasets available to characterize workload at the root servers, and we provide some analysis of the last several years of these datasets as a baseline for operational preparation, additional research, and informed policy. We confirm some trends from previous years, including the low fraction of clients (0.55% in 2009) still generating most misconfigured "pollution", which constitutes the vast majority of observed queries to the root servers. We present new results on security-related attributes of the client population: an increase in the prevalence of DNS source port randomization, a short-term measure to improve DNS security; and a surprising decreasing trend in the fraction of DNSSEC-capable clients. Our insights on IPv6 data are limited to the nodes who collected IPv6 traffic, which does show growth. These statistics serve as a baseline for the impending transition to DNSSEC. We also report lessons learned from our global trace collection experiments, including improvements to future measurements that will help answer critical questions in the evolving DNS landscape.
    03/2010;
  • Duane Wessels, Geoffrey Sisson
    ABSTRACT: Executive Summary. A number of developments within the last 12 months promise to bring changes to the upper layers of the Domain Name System. In combination, these changes have the potential to radically transform the DNS root zone. DNS-OARC has, under a contract with ICANN, studied the impact of these proposed or imminent changes to the root zone. One of these changes is the increasing deployment of IPv6 in both the root zone and the TLDs. ICANN has been offering AAAA record publication in the root zone since 2004; however, uptake has been somewhat slow. Five years later (July 2009), 169 TLDs have AAAA records while the other 111 do not. Another significant change is the advancing deployment of DNSSEC. At present, 10 full-production TLDs are signing their zones. The root zone remains unsigned, though, and DNSSEC-related records have yet to be added to it. However, parties responsible for the management of the root zone say they expect it to be signed by the end of this year.
    10/2009;
  • ABSTRACT: During the past twenty years the Domain Name System (DNS) has sustained phenomenal growth while maintaining satisfactory user-level performance. However, the original design focused mainly on system robustness against physical failures, and neglected the impact of operational errors such as mis-configurations. Our measurement efforts have revealed a number of mis-configurations in DNS today: delegation inconsistency, lame delegation, diminished server redundancy, and cyclic zone dependency. Zones with configuration errors suffer from reduced availability and increased query delays up to an order of magnitude. The original DNS design assumed that redundant DNS servers fail independently, but our measurements show that operational choices create dependencies between servers. We found that, left unchecked, DNS configuration errors are widespread. Specifically, lame delegation affects 15% of the measured DNS zones, delegation inconsistency appears in 21% of the zones, diminished server redundancy is even more prevalent, and cyclic dependency appears in 2% of the zones. We also noted that the degrees of mis-configuration vary from zone to zone, with the most popular zones having the lowest percentage of errors. Our results indicate that DNS, as well as any other truly robust large-scale system, must include systematic checking mechanisms to cope with operational errors.
    IEEE Journal on Selected Areas in Communications; 05/2009 · 3.12 Impact Factor
  • ABSTRACT: We analyzed the largest simultaneous collection of full-payload packet traces from a core component of the global Internet infrastructure ever made available to academic researchers. Our dataset consists of three large samples of global DNS traffic collected during three annual "Day in the Life of the Internet" (DITL) experiments in January 2006, January 2007, and March 2008. Building on our previous comparison of DITL 2006 and DITL 2007 DNS datasets (28), we venture to extract historical trends, comparisons with other data sources, and interpretations, including traffic growth, usage patterns, impact of anycast distribution, and persistent problems in the root nameserver system that reflect ominously on the global Internet. Most notably, the data consistently reveals an extraordinary amount of DNS pollution: an estimated 98% of the traffic at the root servers should not be there at all. Unfortunately, there is no clear path to reducing the pollution, so root server operators, and those who finance them, must perpetually overprovision to handle this pollution. Our study presents the most complete characterization to date of traffic reaching the roots, and while the study does not adequately fulfill the "Day in the Life of the Internet" vision, it does succeed at unequivocally demonstrating that the infrastructure on which we are all now betting our professional, personal, and political lives deserves a closer and more scientific look.
    Computer Communication Review. 01/2008; 38:41-46.
  • Bojan Zdrnja, Nevil Brownlee, Duane Wessels
    ABSTRACT: We collected DNS responses at the University of Auckland Internet gateway in an SQL database, and analyzed them to detect unusual behaviour. Our DNS response data have included typo squatter domains, fast flux domains and domains being (ab)used by spammers. We observe that current attempts to reduce spam have greatly increased the number of A records being resolved. We also observe that the data locality of DNS requests diminishes because of domains advertised in spam.
    Detection of Intrusions and Malware, and Vulnerability Assessment, 4th International Conference, DIMVA 2007, Lucerne, Switzerland, July 12-13, 2007, Proceedings; 01/2007
  • Duane Wessels
    ABSTRACT: Previous research has shown that most of the DNS queries reaching the root of the hierarchy are bogus [1]. This behavior derives from two constraints on the system: (1) queries that cannot be satisfied locally percolate up to the root of the DNS; (2) some caching nameservers are behind packet filters or firewalls that allow outgoing queries but block incoming replies. These resolvers assume the network failure is temporary and retransmit their queries, often aggressively.
    07/2004;
  • ABSTRACT: Given that the global DNS system, especially at the higher root and top-levels, experiences significant query loads, we seek to answer the following questions: (1) How does the choice of DNS caching software for local resolvers affect query load at the higher levels? (2) How do DNS caching implementations spread the query load among a set of higher level DNS servers? To answer these questions we did case studies of workday DNS traffic at the University of California San Diego (USA), the University of Auckland (New Zealand), and the University of Colorado at Boulder (USA). We also tested various DNS caching implementations in fully controlled laboratory experiments.
    03/2004;
  • ABSTRACT: Given that the global DNS system, especially at the higher root and top-levels, experiences significant query loads, we seek to answer the following questions: (1) How does the choice of DNS caching software for local resolvers affect query load at the higher levels? (2) How do DNS caching implementations spread the query load among a set of higher level DNS servers? To answer these questions we did case studies of workday DNS traffic at the University of California San Diego (USA), the University of Auckland (New Zealand), and the University of Colorado at Boulder (USA). We also tested various DNS caching implementations in fully controlled laboratory experiments. This paper presents the results of our analysis of real and simulated DNS traffic. We make recommendations to network administrators and software developers aimed at improving the overall DNS system.
    Passive and Active Network Measurement, 5th International Workshop, PAM 2004, Antibes Juan-les-Pins, France, April 19-20, 2004, Proceedings; 01/2004
  • Duane Wessels, Marina Fomenkov
    ABSTRACT: Organizations operating Root DNS servers report loads exceeding 100 million queries per day. Given the design goals of the DNS, and what we know about today's Internet, this number is about two orders of magnitude more than we would expect.
    03/2003;
  • Duane Wessels