Identifying and Characterizing Anycast in the Domain Name System
Authors
Abstract
Since its first appearance, IP anycast has become essential for critical network services such as the Domain Name System (DNS). Despite this, there has been little attention to independently identifying and characterizing anycast nodes. External evaluation of anycast both allows third-party auditing of its benefits and is essential to discovering benign masquerading or hostile hijacking of anycast services. In this paper, we develop ACE, an approach to identify and characterize anycast nodes. ACE's first method uses DNS queries for CHAOS records, the recommended debugging service for anycast, and is suitable for cooperative anycast services. Its second method uses traceroute to identify all anycast services by their connectivity to the Internet. Each individual method has ambiguities in some circumstances; we show that a combined method improves on both. We validate ACE against two widely used anycast DNS services that provide ground truth. ACE has good precision, with 88% of its results corresponding to unique anycast nodes of the F-root DNS service. Its recall is affected by the number and diversity of vantage points. We use ACE for an initial study of how anycast is used for top-level domain servers. We find one case where a third-party server operates on a root-DNS IP address, masquerading to capture traffic for its organization. We also study the 1164 nameserver IP addresses that cover all generic and country-code top-level domains, and gather evidence that at least 14% and perhaps 32% use anycast.
Similar resources
Characterizing Anycast in the Domain Name System
IP anycast is a central part of production DNS. While prior work has explored proximity, affinity and load balancing for some anycast services, there has been little attention to third-party discovery and enumeration of components of an anycast service. Enumeration can reveal abnormal service configurations, benign masquerading or hostile hijacking of anycast services, and can help characterize...
Full text
Query / Response Cycle Application Client Anycast Domain Name Specification Client Filter IP Address Anycast Server Filter Anycast Group Response Metric Info Query Anycast Anycast Resolver
Server replication is a key approach for maintaining user-perceived quality of service within a geographically widespread network. The anycasting communication paradigm is designed to support server replication by allowing applications to easily select and communicate with the "best" server, according to some performance or policy criteria, in a group of content-equivalent servers. We examine t...
Full text
Application Client Anycast Domain Name Specification Client Filter IP Address Anycast Server Filter Anycast Group Response Metric Info Query Anycast Anycast Resolver Filter
The anycasting communication paradigm is designed to support server replication by allowing applications to easily select and communicate with the "best" server, according to some performance or policy criteria, in a group of content-equivalent servers. We examine the definition and support of the anycasting paradigm at the application layer, providing a service that maps anycast domain names in...
Full text
Recursives in the Wild: Engineering Authoritative DNS Servers (extended) ISI-TR-720 1 June 2017
In the Internet Domain Name System (DNS), services operate authoritative name servers that individuals query through recursive resolvers. Operators strive to provide reliability by operating multiple name servers (NS), each on a separate IP address, and by using IP anycast to allow NSes to provide service from many physical locations. To meet their goals of minimizing latency and balancing load acr...
Full text
Requirements for a Mechanism Identifying a Name Server Instance
With the increased use of DNS anycast, load balancing, and other mechanisms allowing more than one DNS name server to share a single IP address, it is sometimes difficult to tell which of a pool of name servers has answered a particular query. A standardized mechanism to determine the identity of a name server responding to a particular query would be useful, particularly as a diagnostic aid fo...
Full text