DNS Traffic Analysis
Resolver Personalities
In the course of developing some DNS tools (which will be the subject
of a future post) we analysed the queries received at the authoritative
.uk name servers. We’ve known for years that many of the hosts sending
large numbers of queries were either misconfigured or attempting to
harvest data. However, what caught our eye during this analysis was the
range of distinct behaviour patterns shown by normal, legitimate
high-volume resolvers.
We observed that many resolvers from which our name servers received
large numbers of queries fell broadly into four categories, or
`personalities’:
1) Resolvers serving large communities of interactive users:
   - Lots of queries for A resource records (RRs) for names with a
     leading `www.’ label.
   - Peppered with occasional MX RR queries.
   - Fairly consistent ratio of RR types queried:
     Queries for A RRs: 96%
     Queries for MX RRs: 3%
     Queries for other RRs: 1%
2) Resolvers serving busy mail exchangers:
   - Most queries for MX RRs, with the occasional query for A RRs.
3) Resolvers serving large mailing lists:
   - Most queries for MX RRs, with the occasional query for A RRs.
   - Distinct from resolvers serving busy mail exchangers in that the
     queried names frequently appear to be ordered, e.g. in alphabetical
     runs, as a list is worked through.
4) A combination of 1) and 2):
   - A more even distribution of queries for A RRs and MX RRs.
Even broken resolvers appeared to have distinct personalities:
- Resolvers which repeatedly look up the same name or small set of names.
- Resolvers which appear to be trying to look up IP addresses as if they
  were names, unintentionally appending “co.uk” to them (so a query for
  an address such as 10.1.2.3 arrives at our servers as 10.1.2.3.co.uk).
Why is this interesting? It provides a possible basis for
distinguishing between normal and abnormal activity: a resolver whose
query mix matches none of these personalities stands out. That may be
useful when implementing tools for detecting patterns of abuse.
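As an added illustration of the classification above (this is example code written for this page, not one of the tools mentioned in the post), the script below groups queries by resolver source address, computes the A/MX/other ratio per resolver and assigns each the personality its mix and name pattern suggest, including the two `broken’ patterns. The log format, the sample lines (documentation-range addresses) and the thresholds are all constructed for the example; a real deployment would tune the thresholds against its own baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of queries as seen by an authoritative server, one per
# line as "<resolver-ip> <qname> <qtype>". Made up for this example; it is
# not a real log excerpt and the format is not any particular server's.
SAMPLE_LOG = """
192.0.2.10 www.example.co.uk A
192.0.2.10 www.shop.co.uk A
192.0.2.10 www.news.org.uk A
192.0.2.10 www.school.sch.uk A
192.0.2.10 www.club.me.uk A
192.0.2.10 www.firm.ltd.uk A
192.0.2.10 www.county.gov.uk A
192.0.2.10 www.bank.co.uk A
192.0.2.10 www.travel.co.uk A
192.0.2.10 example.co.uk MX
198.51.100.5 zeta.co.uk MX
198.51.100.5 alpha.co.uk MX
198.51.100.5 mid.co.uk MX
198.51.100.5 beta.co.uk MX
198.51.100.5 mail.zeta.co.uk A
198.51.100.6 alpha.co.uk MX
198.51.100.6 beta.co.uk MX
198.51.100.6 charlie.co.uk MX
198.51.100.6 delta.co.uk MX
198.51.100.6 mail.delta.co.uk A
203.0.113.7 www.mixed.co.uk A
203.0.113.7 mixed.co.uk MX
203.0.113.7 www.other.co.uk A
203.0.113.7 other.co.uk MX
203.0.113.7 www.third.co.uk A
203.0.113.7 third.co.uk MX
203.0.113.8 www.repeat.co.uk A
203.0.113.8 www.repeat.co.uk A
203.0.113.8 www.repeat.co.uk A
203.0.113.8 www.repeat.co.uk A
203.0.113.8 www.repeat.co.uk A
203.0.113.8 www.repeat.co.uk A
203.0.113.9 10.1.2.3.co.uk A
203.0.113.9 10.1.2.4.co.uk A
203.0.113.9 192.168.0.1.co.uk A
"""

# Hypothetical thresholds chosen for the example, not values from the post.
A_DOMINANT, MX_DOMINANT, MIXED_FLOOR, REPEAT_RATIO = 0.9, 0.75, 0.3, 0.2

# "Broken" pattern: a dotted-quad IPv4 address with co.uk appended.
IP_PLUS_COUK = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\.co\.uk$")


def parse_log(text):
    """Group (qname, qtype) pairs by resolver source address."""
    by_src = defaultdict(list)
    for line in text.strip().splitlines():
        src, qname, qtype = line.split()
        by_src[src].append((qname.lower().rstrip("."), qtype.upper()))
    return by_src


def type_mix(queries):
    """Fractions of A, MX and other RR types among one resolver's queries."""
    counts = Counter(qtype for _, qtype in queries)
    n = len(queries)
    a, mx = counts["A"] / n, counts["MX"] / n
    return a, mx, 1.0 - a - mx


def classify(queries):
    """Assign one of the personalities described in the post."""
    names = [q for q, _ in queries]
    if all(IP_PLUS_COUK.match(n) for n in names):
        return "broken: IP address with co.uk appended"
    if len(set(names)) / len(names) <= REPEAT_RATIO:
        return "broken: repeated lookups of the same names"
    a, mx, _ = type_mix(queries)
    if a >= A_DOMINANT:
        return "interactive users"
    if mx >= MX_DOMINANT:
        # Mailing lists work through their recipients in order, so the MX
        # names arrive sorted; a busy mail exchanger's do not.
        mx_names = [q for q, t in queries if t == "MX"]
        ordered = len(mx_names) >= 3 and mx_names == sorted(mx_names)
        return "mailing list" if ordered else "busy mail exchanger"
    if a >= MIXED_FLOOR and mx >= MIXED_FLOOR:
        return "combination: web and mail"
    return "unclassified"


def profile(text):
    """Return {source: personality} for every resolver in the log."""
    return {src: classify(qs) for src, qs in parse_log(text).items()}


if __name__ == "__main__":
    grouped = parse_log(SAMPLE_LOG)
    for src, personality in profile(SAMPLE_LOG).items():
        a, mx, other = type_mix(grouped[src])
        print(f"{src:<14} A={a:.0%} MX={mx:.0%} other={other:.0%} -> {personality}")
```

The two `broken’ checks run first because a resolver hammering one name is almost entirely A queries and would otherwise be filed under `interactive users’; anything that matches no personality is left as `unclassified’ for a human to look at rather than forced into a bucket.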
Open Resolvers
One other interesting result of our analysis: we looked at resolvers
sending between 1000 and 4000 queries per hour to ns1.nic.uk and found
that just over 50% of them are `open resolvers’; that is, they will
answer recursive queries from any client on the Internet, not just their
own users. While open resolvers are less of a menace than open mail
relays, which can be used to forward spam, they still pose a threat.
Notably:
- They can be used to anonymise criminal activity.
- They can be used to distribute and anonymise domain name harvesting
  activity.
- They can be used for distributed denial-of-service (DDoS) attacks.
Historically the latter use hasn’t been attractive to attackers: since
DNS runs over UDP, an attacker can send a query with the victim’s address
forged as its source and have the resolver’s larger reply delivered to
the victim, but a typical DNS reply is only about 3× the size of the
query in the worst case. However, with the deployment of IPv6 and
DNSSEC, replies carry larger records and signatures, and this
amplification can reach as high as 20× to 30×. This could see open
resolvers used as yet another weapon in the escalating DDoS wars.
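To make the two measurable points in this section concrete, the following added example (written for this page, not code from the post) builds a minimal recursive DNS query, inspects the reply header bits that decide whether a resolver is `open’ (QR and RA set, NOERROR, at least one answer, as opposed to REFUSED or a reply with RA clear), and computes the reply-to-query size ratio that an attacker would be amplifying by. The two reply packets are constructed inline for the example; `probe()` is the same check run against a live resolver over UDP and needs network access.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODE_NOERROR, RCODE_REFUSED = 0, 5
TYPE_A, CLASS_IN = 1, 1


def build_query(qname, qtype=TYPE_A, txid=0x1234, recursion_desired=True):
    """Encode a minimal DNS query: 12-byte header plus one question, no EDNS."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(msg):
    """Decode the header fields of a DNS message into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_resolver(query, response):
    """True if the reply shows the server recursed for us: it is a genuine
    response to our transaction, advertises recursion available, and came
    back NOERROR with an answer. REFUSED, or RA clear, means closed."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return False
    return r["ra"] and r["rcode"] == RCODE_NOERROR and r["ancount"] > 0


def amplification(query, response):
    """Bytes of reply per byte of query: the attacker's gain when the query
    source address is forged to point at a victim."""
    return len(response) / len(query)


def probe(server, qname, timeout=2.0):
    """Run the check against a live resolver over UDP (needs network)."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return is_open_resolver(query, response), amplification(query, response)


# Constructed replies to a query for www.example.co.uk/A (txid 0x1234); these
# are hand-built for the example, not captured traffic.
QUERY = build_query("www.example.co.uk")
QUESTION = QUERY[12:]  # the question section, echoed back in every reply

# Open resolver: QR|RD|RA, NOERROR, one answer whose owner name is a
# compression pointer (0xc00c) back to the question name, TTL 300, A 192.0.2.1.
OPEN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
    + QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

# Closed resolver: QR|RD, RCODE 5 (REFUSED), RA clear, no answers.
REFUSED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0) + QUESTION
)

if __name__ == "__main__":
    for label, resp in (("open", OPEN_RESPONSE), ("refused", REFUSED_RESPONSE)):
        print(f"{label:8} open={is_open_resolver(QUERY, resp)} "
              f"amplification={amplification(QUERY, resp):.2f}x")
```

The constructed `open’ reply is a bare 51-byte A record against a 35-byte query, so its ratio is only about 1.5×; the 20× to 30× figures in the text come from replies that carry many or large records (DNSSEC signatures, AAAA and large TXT sets), which this minimal builder does not request.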