1. DNS Measurement at a Root Server Nevil Brownlee, kc Claffy and Evi Nemeth Presented by Zhengxiang Pan Mar. 27 th, 2003

2. Introduction DNS: Domain Name System BIND: Berkeley Internet Name Domain System clientLocal Name ServerRoot Server Local Name Server UDP

3. Methodology Passive capture DNS packets at F.root-server.net Use Tcpdump & Error logs

4. Results A. query rate Responds 93% of the input packets.

5. B1. Repeated queries –Maybe the results of a broken nameserver or a broken client. B2. Private Address Space –About 7% of the queries are asking for hostname associated with an RFC 1918 address. –2% - 3% of the queries have the source IP address in RFC 1918 space. Error taxonomy

6. B3. Top Level Domains –In 1 hour trace of Jan. 7, 2001: –16.5% of the servers asked only INVALID TLD –37.1% of the servers asked at least one INVALID TLD

7. Error taxonomy B4. Bogus A Queries –A query: hostname  IP address –12-18% A queries target IP address B5. Source Port Zero –Port 0 is reserved and not valid in UDP / TCP. –Root servers never answer queries from port 0

8. Error Taxonomy B6. Dynamic Updates –DHCP can dynamic update local nameserver, should not try to update root servers.

9. Results Attacks –Spoofing source IP, using root server as reflector, flooding the attack target with answers it did not ask. –Scanning IP space. Microsoft’s DNS woes –Jan. 24, 2001 Microsoft nameserves down, query load for Microsoft names go to over 25% of the total query load.

10. Summary Percentages of servers have bad behaviors: –13% bogus A query –35% invalid TLD –35% leaking internal information Strategy –Diagnose and repair bugs in implementation –Deploy negative answers