Quantifying DNS namespace influence

Name resolution using the Domain Name System (DNS) is integral to today’s Internet. The resolution of a domain name is often dependent on namespace outside the control of the domain’s owner. In this article we review the DNS protocol and several DNS server implementations. Based on our examination, we propose a formal model for analyzing the name dependencies inherent in DNS, and experimentally validate the model with actual domain names. Using our name dependency model we derive metrics to quantify the extent to which domain names affect other domain names. It is found that under certain conditions, more than half of the queries for a domain name are influenced by namespaces not expressly configured by administrators. This result serves to quantify the degree of vulnerability of DNS due to dependencies that administrators are unaware of. When we apply metrics from our model to production DNS data, we show that the set of domains whose resolution affects a given ✩This research was supported in part by the National Science Foundation under the grant CNS-0716741. ✩✩This is a revised personal version of the journal article published by Elsevier in Computer Networks, Volume 56, Issue 2, on 2 February 2012, pages 780 – 794, available at http://dx.doi.org/10.1016/j.comnet.2011.11.005 ∗Corresponding author Email addresses: [email protected] (Casey Deccio), [email protected] (Jeff Sedayao), [email protected] (Krishna Kant), [email protected] (Prasant Mohapatra) Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC0494AL85000. Preprint submitted to Computer Networks February 27, 2012 domain name is much smaller than previously thought. However, behaviors such as using cached addresses for querying authoritative servers and chaining domain name aliases increase the number and diversity of influential domains, thereby making the DNS infrastructure more vulnerable.