DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic

Transcription

1 DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic Yizheng Chen, Manos Antonakakis, Roberto Perdisci, Yacin Nadji, David Dagon, and Wenke Lee

2 Domain Name System Machine-level Address Human-readable Name 2

3 DNS for agility, scalability, etc. CDN server selection Really close? [Mao et al. USENIX ATEC 2002] Browser prefetching auto-completed domains Privacy? [Krishnan et al. LEET 2010] NXDOMAIN remapping Controversial? [Weaver et al. USENIX FOCI 2011] 3

4 McAfee e.11dfrin96mcqal3p534njpwplq.avqs.mcafee.com e.12kiq7cqq9lz7zbc4jza4n7nji.avqs.mcafee.com e.1bz5cjj8nbhqhpia1v8svi12g6.avqs.mcafee.com e.1pfrfc3jc9diw1lnd2jrha2ilq.avqs.mcafee.com e.1vcqruwkjhgp4qdhku6rpdqdsb.avqs.mcafee.com e.25tbw5dedhc2ap8ct1bi8jpp6i.avqs.mcafee.com e.2sprf11evqccpami3epfvj1r35.avqs.mcafee.com e.2tj85ckvumlddbmrbu67ev6s8t.avqs.mcafee.com e.35wv398iew1kdub6t35lbmwhbj.avqs.mcafee.com e.3amrhtqqbkvkbbqr8igcajdubv.avqs.mcafee.com 4

5 McAfee Global Threat Intelligence File Reputation Query for suspicious exe, pdf, apk files. suspicious: e.g., packed exe e.11dfrin96mcqal3p534njpwplq.avqs.mcafee.com Version and product information File hash Fingerprint information Environmental information 5

6 Google p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n i1.ds.ipv6-exp.l.google.com p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n i2.v4.ipv6-exp.l.google.com p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n s1.v4.ipv6-exp.l.google.com p2.a22antzfkdg5g.nay6cy6qq26fr64b i1.v4.ipv6-exp.l.google.com p2.a22antzfkdg5g.nay6cy6qq26fr64b i2.ds.ipv6-exp.l.google.com p2.a22bc6fi6edwk.qa2gdjd72sdbycs i1.ds.ipv6-exp.l.google.com p2.a22bc6fi6edwk.qa2gdjd72sdbycs i2.v4.ipv6-exp.l.google.com p2.a22bc6fi6edwk.qa2gdjd72sdbycs s1.v4.ipv6-exp.l.google.com p2.a22cax6c5l5h2.7s2llcerkgtvdu5f i2.ds.ipv6-exp.l.google.com p2.a22cax6c5l5h2.7s2llcerkgtvdu5f s1.v4.ipv6-exp.l.google.com 6

7 Google IPv6 Experiment Search request Search results + background load Background request *.ipv6-exp.l.google.com p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n i1.ds.ipv6-exp.l.google.com Recorded information: IPv4 and IPv6 addresses, as applicable Image request latency Browser/OS details (User-Agent string) 7

8 esoft load-0-p-01.up mem p-50.swap p device.trans.manage.esoft.com load-0-p-49.up mem p-49.swap p device.trans.manage.esoft.com load-0-p-90.up mem p-19.swap p device.trans.manage.esoft.com load-0-p-08.up mem p-29.swap p device.trans.manage.esoft.com load-0-p-01.up mem p-29.swap p device.trans.manage.esoft.com load-0-p-01.up mem p-39.swap p device.trans.manage.esoft.com load-0-p-05.up mem p-39.swap p device.trans.manage.esoft.com load-0-p-56.up mem p-43.swap p device.trans.manage.esoft.com load-0-p-38.up mem p-50.swap p device.trans.manage.esoft.com load-0-p-13.up mem p-41.swap p device.trans.manage.esoft.com 8

9 Characteristics of Disposable Domains Automatically generated One-time use pattern Signaling Share same name suffix E.g., ipv6-exp.l.google.com Disposable Zones Individual Domain Low average cache hit rate Over 90% of cache hit rates for domains under disposable zones are zero Cache hit rates for domains under non-disposable zones are evenly distributed 9

10 Why do we care about disposable domain names (and effectively zones)? 10

11 Impact of Disposable Domains DNS Caching heavy load, premature eviction of useful domains hierarchical cache DNSSEC-Enabled Resolvers be careful about implementation, e.g. verification Passive DNS Databases storage requirement query-response latency 11

12 Measure Disposable Domains Different than traditional content delivery? How prevalent? Growth? Implication? 12

13 Outline Data Collection and Analysis Defining Disposable Domains Mining Disposable Domains Results Discussion 13 Conclusion

14 DNS Resolution Recursive DNS Server Cluster A? Server) A? Stub Resolver IN A com. TLD Below IN A Above example.com. 14

15 Notation Resource Record {t, r, d, qtype, ttl, rdata} t timestamp r anonymized IP address of host that issued the query d queried domain name qtype type of query ttl time-to-live value rdata resolved data Given the domain name d = TLD(d) = com, 2LD(d) = example.com, and 3LD(d) = We use the notion of zone loosely, it can be 2LD, 3LD, or any Nth-level domain. 15

16 Dataset Full passive DNS (fpdns) dataset A mid-western city in US, Comcast, RDNS Server Cluster 02/01/2011 to 02/07/2011, 09/02/2011, 09/13/2011, 11/14/2011, from 11/28/2011 to 12/10/2011, and 12/30/2011. (24 days) A NS CNAME 2.67TB Reduced passive DNS (rpdns) dataset De-duplication 11/28/2011 to 12/10/ to 9 GB/Day 16

17 17 DNS Traffic Volume

18 DNS Traffic Volume Observation 1: Positive Caching. 10^6 Above RDNS Servers 10^7 Below RDNS Servers 18

19 DNS Traffic Volume Observation 2: Diurnal Effect heavy load times! 10 AM Midnight 19

20 DNS Traffic Volume Observation 3: Google + Akamai < Half Traffic. 20

21 DNS Traffic Volume Observation 4: No Negative Caching. [RFC2308] NXDOMAIN: 40% NXDOMAIN: 6% 21

22 22 DNS Long Tail of Lookup Volume

23 DNS Long Tail of Lookup Volume Observation 1: More than 90% of all RRs have lookup volumes lower than 10. Observation 2: Long tail of lookup volume increased from 90% to 94% in Lookups 23

24 DNS Cache Hit Rate Black Box Analysis Domain Hit Rate Total query: answers seen below the RDNS cluster Cache miss: answers issued to the RDNS cluster observed above them Cache hit: total query - cache miss Cache Hit Rate 24

25 25 Domain Hit Rate Distribution

26 Domain Hit Rate Distribution Observation 1: 89% of all RRs have domain hit rate of 0%. Observation 2: Long tail of domain hit rate increased from 89% to 93% in % 26

27 27 Cache Hit Rate Distribution

28 Cache Hit Rate Distribution Observation: 58% cache hit rates are lower than 50%. 58% 28

29 29 DNS Deduplication

30 DNS Deduplication Log Scale Observation 1: The number of new RRs observed every day decreased by 13,614,102 (30%) on the 13th consecutive day. 30

31 DNS Deduplication Log Scale Observation 2: Number of new Akamai RRs dropped by 128,957 (69%) records on the 13th day. 31

32 DNS Deduplication Log Scale Observation 3: Google increases its daily new RRs by 4,264,585 (25%) on the 13th consecutive day. 32

33 Outline Data Collection and Analysis Defining Disposable Domains Mining Disposable Domains Results Discussion 33 Conclusion

34 Disposable Domains Definition Successfully resolved domain names that have the following two properties: Their name strings are automatically generated. Namely, some software generates them with an algorithm. The RRs under a given zone are only observed once, or a handful of times, when they are in the recursive DNS servers cache. More formally, the RRs of child domains under the zone have a low or close to zero median value in cache hit rate distribution. 34

35 Training Dataset 398 disposable zones 401 non-disposable zones Randomly selected 2LD zones from the top 1,000 Alexa domain names 35

36 Zone Structure Algorithm-generated string can be anywhere in the domain name e. 11dfrin96mcqal3p534njpwplq.avqs.mcafee.com p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n i1.ds.ipv6- exp.l.google.com load-0-p-01.up mem p-50.swap p device.trans.manage.esoft.com Domains generated by the same algorithm are under the same zone, and have same number of periods Intuition for Domain Name Tree 36

37 37 Cache Hit Rate Distribution

38 Cache Hit Rate Distribution 90% Observation 1: 90% of cache hit rates from disposable RRs are zero. 38

39 Cache Hit Rate Distribution Observation 2: Half of cache hit rates from non-disposable RRs are over % 39

40 Cache Hit Rate Distribution Observation 2: Half of cache hit rates from non-disposable RRs are over % 40

41 Outline Data Collection and Analysis Defining Disposable Domains Mining Disposable Domains Results Discussion 41 Conclusion

42 Disposable Zone Miner FpDNS Disposable Zone Miner Domain Name Tree Builder Disposable Domain Classifier Disposable Zone Ranking 1.a.example.com a.example.com com root net example.com b.example.com c.example.com 4.b.example.com 2.a.example.com 3.a.example.com i.1.a.example.com depth 3 depth 4 depth 5 Six Tree Structure Features Two Cache Hit Rate Features 42

43 Domain Name Tree a.example.com, i.1.a.example.com, 2.a.example.com, 3.a.example.com, 4.b.example.com, and c.example.com 43

44 Domain Name Tree Non-leaf node root 1.a.example.com a.example.com com net example.com b.example.com c.example.com depth 3 depth 4 depth 5 Leaf node 4.b.example.com 2.a.example.com 3.a.example.com i.1.a.example.com 44

45 Domain Name Tree root a.example.com com net example.com b.example.com 1.a.example.com c.example.com Child nodes of a.example.com 4.b.example.com 2.a.example.com 3.a.example.com depth 3 depth 4 depth 5 i.1.a.example.com 45

46 Domain Name Tree root a.example.com Descendants of example.com 1.a.example.com com net example.com b.example.com c.example.com depth 3 depth 4 depth 5 2.a.example.com 4.b.example.com 3.a.example.com i.1.a.example.com 46

47 Domain Name Tree root 1.a.example.com a.example.com com net example.com b.example.com c.example.com depth 3 depth 4 depth 5 2.a.example.com 4.b.example.com 3.a.example.com i.1.a.example.com 47

48 Groups G 3 = {a.example.com, c.example.com} G 4 = {2.a.example.com, 3.a.example.com, 4.b.example.com} G 5 ={i.1.a.example.com} Set of labels for each G k L 3 = {a,c}, L 4 = {a,b}, and L 5 = {a} 48

49 Tree Structure Features For each set G k, we calculate corresponding set L k. Let the Shannon entropy of characters in the label l be H(l). For all the labels l i (i = 1...m) in set L k we compute the entropy values H (l i ). Cardinality m of the set L k Maximum Minimum Average Median Variance of all H(l i ) values. 49

50 Cache Hit Rate Features From the cache hit rate distribution of each set G k. Median Percentage of RRs with zero cache hit rate 50

51 Classify G 3 = {a.example.com, c.example.com} G 4 = {2.a.example.com, 3.a.example.com, 4.b.example.com} G 5 ={i.1.a.example.com} 51

52 Domain Name Tree G 3 = {a.example.com, c.example.com} likely to be disposable! root 1.a.example.com a.example.com com net example.com b.example.com c.example.com depth 3 depth 4 depth 5 2.a.example.com 4.b.example.com 3.a.example.com i.1.a.example.com 52

53 Domain Name Tree G 3 = {a.example.com, c.example.com} likely to be disposable! root 1.a.example.com a.example.com com net example.com b.example.com c.example.com depth 3 depth 4 depth 5 2.a.example.com 4.b.example.com 3.a.example.com i.1.a.example.com 53

54 Classifier LAD tree True Positive 97% False Positive 1% 54

55 55 Algorithm

56 Outline Data Collection and Analysis Defining Disposable Domains Mining Disposable Domains Results Discussion 56 Conclusion

57 Results Disposable Zone Miner was run over 02/01/2011, 09/02/2011, 09/13/2011, 11/14/2011, 11/29/2011, 12/30/ ,397 2LDs including 14,488 disposable zones using disposable domains with over 90% confidence 57

58 Prevalence Popular websites labelled: Google, Microsoft AV/DNSBL labelled: McAfee, Sophos, Sonicwall new: countries.nerd.dk, Spamhaus, Mailshell, sorbs.net Social Network labelled: Facebook, Myspace new: photobucket, msn, linkbucks, torn, vkontakte, Quora Streaming Services labelled: Netflix P2P services new: Skype Tracking services new: esomniture.com Ad networks new: AdSense, Bluelink Marketing E-commerce business labelled: Paypal new: ClickBank 58

59 Skype aa0pt04dj0srjvtcrjjbzbyf3bb2kpptqb6qjh6cxq6yda4byamuzumlnqgq.vnkubl40ma3rkskoemnx3p2c2qxbjcwwpjz0zojdc4zxtz2avg0ap5okcjnt.2pttogpgckb36w6z203vyffor5keyyvylhe41gkxoq0l6nlxqgnuqaklo4gg.dtntv2qagsuvwt3nelfuresdvnvouyzu31ur65kczmt43mz2vyzl.sa.skype.net aa1flkw2x04oggqgp2ltmh3gfyg6hthvevufbozvokg6f3ybrulsvwwqmphg.1payh4gntmwk4p3rmq5jepahusks2krfa0wuxzn1e1bkzz624lke0aonxbgk.4db55waheppd5vgwyfdtwkmfhtocmr0ee66wz1hrhoyq4p65pubmtcttrmxh.rtt0k4bkwjafw41css2ymwjhwfaqy1zf14n13ao2jgjrjbrowyzr.sa.skype.net aa1uw2qznoadmcfkruyvnomhfjue1cq4pr0a3zsjn66z2sp5jpekl420315s.o1zznxcrtx143fjcuanb1nx4w2aehocepm3m1tdknuqlu02jwgtyrvuea5qm.myzpjf0nzlrpk46osk0m6n3dl32kvkfnobc0eobnunk65opfqc3zraq50ut3.0klfz24gaw6rhyvy2jjd6olc613v5f14l0cb2ppvhv4hj4ge5z4g.sa.skype.net aa344vrgfutcxvyuv4jshy2zzmhfeeb1jto0ekp1vxr0pdb666edh54cwmng.2zpmz0cdlcb4kzs0e551tkmynpoeewyweg4q1gdnecb545jvc1wme30me3w1.yog265e04nc26kl1jkyrnbrkf55ze2d6khwfpwhxbqjalruwnp61414czdx2.fqu0nap4fqs3a22v16hf1fudshsfhwhsz02abhk6hs41q4oz5d3e.sa.skype.net aa4nsp6mftelf1j0qj1km6dwhanb1k45kemfyf2axvszr5tjxwhx04vbvjxf.nav1qr2b0stm00mjm5lfcjek24bkdxggf5dqxw2n0epgg31dfl20nvn2o4tt.mz5dgb2ql4ektaeepenvpyov6oygys03o3xbvhmoafvwtlkmjcxnun2q0ozu.krvbw6j0loehfovkbw4phbpttf3okv3o24ef3msrph5lbsgj0z4k.sa.skype.net aaa4sorlkuv4wxt4owbtxp24ge2puxwdul2vdhmnasoxy3y0xjflovkkzws4.s3ycv0eu6drun0j6jbrb2ps5nkhf2q6wcxbqqd43dgz3s3mxssrf5s63q5rv.nkysazqgfrwt2p1sdju5qgazdnamelkucplpfk0mywyyjrrkyh532yqutv05.zgl1c6yyquzvutkpbcfq4g04lu5xfkwydpysdqhhqels51tvzbhs.sa.skype.net aaehyrhoygrb2jydabdlr24vwejp6x4nxd6bhlwsm5curofr0xtgj3yuc5pw.knxdnfsf3pqszmznxsaoejmo3qg3dd62l3wy5jha62omvote6akyza1f3uoj.u1jt2w0b2w653duh3abssmvnnejd4ytb6lqpucc2xtrgohem2syysros6vox.2t5gt6yy02olmabrpa1apgo5ckwefn1qfpptz0hcpfqw0k3k2fgv.sa.skype.net aagjnzyxe3w5n0c5htbbtkqmpebfqugqffe31vywd2xhqwprng61kba1zxub.myv4bkoa4gsryo60c2selcbmnyb0k2ccjmmdhhgjsxrsj0qsg2fypsdbpsdv.enrn3n3a4wtg6kzarermk5jkct02tot2dpl4lqlwbtj1bqkmbdluruuqve3b.cy53yp6zpkq4ocu4wyfckkkazfhb2bqd3wvf65dcxb4ffs6p0w2b.sa.skype.net aah3gpwzjmyx5hzmwkh0ph1cev61krear2ja0xqgstmwtdgdwobqfb1mjxcn.5hopa3cbwbtbsmrv1xshgsr0621h3jvyphvokw6dvqlhl5py32dc41cghkpk.g6bjxys52rvx566fppjh5o3ft4oqryldlxa4k0mn2z2ja1w4a04bbakttv2g.oh3skutu6u2qzkyto6mo16a32esfwr0amdytgjz6fzzj6n56smfh.sa.skype.net aajptdjoadjp0go20vzc5mfdzyxnd41nqdvm0j33tu43zfvoxa1w6wjh0tye.b0zfmgawl1gmaeotdp0hc5eskxzgkpbceydpzxn3yegvx1xvfdsba3x4gz3m.ybp3u5ryhd6vxb01hd3zfolhnzzt36vxwt5j040ambxoxlac1h3cehcdmrbt.chspylpxszhjbfok3zseeycjn3t2v2qx6wvrft2pe2mgtjcellr4.sa.skype.net aakrre11hxcfpuoqg4c0ydxhsm3yhmny6oxqf5ozwuonplzebtyze2s1sryv.tcywvoymp6mbqclb2g2ezwbp0nwpl0dbwnl6ovrembxuqnthrza4e4xsns2e.yvcgm5fhkgd2x53b5yxdsn2lphclvqcprqlxqow0wg4ul05c004tmyuowouq.2rbrgaephjanelkvpo1qbo4xm641mrfngm4clmrhovgfuv5r6g2v.sa.skype.net aane6nuck4zm1lqlywmmsot1nlmuydnlsqzdlyzbe0pukc1dyecfz54gn0fj.jb4jjmbh4gt4qmo65s55nkwglwvxw6rqll1zohw4dcr21zykbxt6dhxaxnal.3tt5f6aq3qnaonjtkb1nmc3l61w4gtg3j2ncvfc6se61cq1vw5hp1fuuytrt.xnwoynnu3t5dqzc5y4p3fvoup32wl2q5rumvm2xzoyzj03rly2az.sa.skype.net aanscdbeyfjl2lhfjeyvmthapfm6mjjc1scj4bclknxes0zx2znsypqoyvl4.0xuk3x4cs4mqk2ayfgh0t44d1j36psutxf0gdxc5en52ww10bp306ndmwwjz.n4q1zvaye6lpek2fz6kr5aduefpwugxcd5thbwjrvsk1fmg6l5dbwenj5uok.60eryahhznmgmj4b1kljkp2y1juuauc41pj0xyjsgbtoc6r1y3dt.sa.skype.net aaoy6yp53dbfclsvcc1nd3rsedxttzsfv641o6e0b3g5elupem3cv1yo22mp.m3mr1cpbro0vlbnetyw4zdjfslcmrlwehpvtjgocwlz0mgn0e5rawtrc0rh5.g3stu5ydwr3vwasv23xwzhauankmywfjszqhydnsu06qfmj00qgyjv3w1ute.jebmg1oy1oo4uj2hk0s3m1su4sdudxtxzxuean66ghjt4xpj5zzv.sa.skype.net aazxuqkonmubvnsdcjf3qx2t5q1dal00cur3zm4uxpsfchraczx1bftzlrnv.60m00nepwfhenm4a1hvmkfqraq0ybrsrrn022zbn3gtn3gsspmgsnqxjbxuw.z3lw5zqh2czmqsz53sozpxjn1dgv266r4p2ku4lwjyr53lcz0cm5hcf1mau3.p5xawwxq3qxfalejyf55s310enpbwttkro0rjylxo6c6qygun0u1.sa.skype.net ab4dv4s1am3okusl6uhnz1hst5fjes4wcz5agnmvmhu0nm6yksudzdngabgq.ykjdujvbz6eztehl4qhsyml5hx0xs361uyx1prs6blecwdnpgt4bwrw4dgcy.ubtysuwbvb4do4efp5g56xnr556qljsbml6vcgkn4rru14ptmrtc4lvbro3c.ahkx2kxn1z4qyetbhxfgmlup3xg0klg22ec5dhrwmtsw3q6bsnwv.sa.skype.net abczh6b55n4qowa3cvuo0sekw0ud0vmcgm0er05exeh6sq4c2rwfzyypy6b2.nae3qb35l4dm5delam1ue2owonl1xpcusfluqeosq25vnk5wvl15vqyjaw10.46vlbfhnn5lyuk6c5sv3v6dlf43afo5s6ygcj4zpp0zzxhb2gvoda5ot1gsh.cfnbs5uac3tght0ctutmzfrj5gqtc5fsyj6z4504dqvshluy1v6j.sa.skype.net abdno2lardhe543ockcmoqx45zhe1avpqr0ddn2dhjl2wdogj0v31qz0cuyv.vgvp5tudahbfjwx623vsdtl5a6vo3dv3wx6yxh5lnhhcxl6rx31gullfghw6.u50ewdtx6dxqbz6rl6pzgdwxsqh2sahwgvhxgg1zgnh2r1ho1kcfafpjn0po.ubh3nzbvux3ejf4wjubxgj1ewd5r2up4ycw4l3glnx61xdwzvhoj.sa.skype.net abgdq52put14suq5dt0mox0ktjn61ub5ke1uaxr4gxbq5ou25xyjqz6t45qj.1t0p0q1nwurjzy0w4blusfrhnq1ru05oylv20oh2zf5rundjux64xteedt6x.bugmunulv0eo0pnwvx1m5wnrjt0posdn3ubpoz4oyl6uq4l2rdmjudcmtan4.p3s6f0ddbn0g1kvonub0dncqaxw5okaf3bqv2ht3v1b4s2kugpjk.sa.skype.net abj60ado5tfoakco4h64sgnpydgdmfbnvfgdx6oecky4d1qoqwx64dgyrfjz.rbrjtud4nrvxqngkyh65yozt2snsblqxnmxy3d3qjburkg16j2lgfp2331d3.1r636wajxnvp44q2kg2jkv002xamogwr0yzltazv6vnmlqvf0ezlzv03gsdr.l0hsywzhlny2f6s4m2g6frokzdulrrh4wwrrwnegp0enlodkcbjd.sa.skype.net abnkczhtwjz665ljd3hz26u16p2x6gmtxkgfgfh5ta66zy1f2dh21tanexfs.bjpp3ck4f6pgk3xqzlffszd06xads50bq0e514qpyoersqkwbblcz04dk1en.o43baxsrrv2ahs0tbg3fa3g2mbku6wav604pl0d515b5rvytnp33cxwhbhoy.rrlnhnzojsf1jwcdxjcnfmb0to5xorxbpqaw5d4xo212p0bexm4u.sa.skype.net abqnhh4gx6mheee4y3mbkl12feec5el53r02mrd52slo5t2j1hw6fdoltgbv.6eptmuf5wognlgrzjssnxmz05sw35v16wyyxuar6pm64bddpx35sumot2gvg.o5ftozwlcqaqulqldydrtt62rtj3pjldsekxooplp5uo34rz135l6j2vpawm.sr2nyl2yb5tr32va604hee0dongdq3uoughh6yjog1jdqmqd06u2.sa.skype.net 59

60 Disposable domains and CDN 91 (0.6%) of 14,488 disposable zones were related to content delivery networks (CDNs). 24 (5.3%) of 451 CDN 2LDs (customized list of CDNs) are classified as disposable. False positives Extremely unpopular content Different level of service 60

61 61 Growth

62 Growth Observation 1: Among daily unique queried domains seen below the RDNSs, disposable domains increased from 23.1% to 27.6%. 62

63 Growth Observation 2: Among daily unique resolved domains seen below the RDNSs, disposable domains increased from 27.6% to 37.2%. 63

64 Growth Observation 3: Percentage of daily unique disposable RRs increased from 38.3% to 65.5%. 64

65 65 Growth in DNS Long Tail

66 66 Growth in DNS Long Tail

67 Outline Data Collection and Analysis Defining Disposable Domains Mining Disposable Domains Results Discussion 67 Conclusion

68 Discussion DNS Caching Human Diurnal Behavior heavy load, premature eviction of useful domains in cache hierarchical cache 68

69 Time-to-live Histogram 2.0e+07 Time to live for Disposable Domains 1.5e+07 Frequency 1.0e+07 month December February 5.0e e+00 1e+00 1e+01 1e+02 1e+03 1e+04 1e+05 TTL 69

70 Time-to-live Histogram Frequency 2.0e e e+07 Time to live for Disposable Domains Domain owners switched to use relatively larger TTL values over time. Recursive DNS software enforce minimum time of caching, even when the TTL is set to zero [RFC 1536], [RFC 1912]. month December February 5.0e e+00 1e+00 1e+01 1e+02 1e+03 1e+04 1e+05 TTL 70

71 Discussion DNS Caching heavy load, premature eviction of useful domains in cache hierarchical cache DNSSEC-Enabled Resolvers be careful about implementation, e.g. verification Passive DNS Databases storage requirement query-response latency 71

72 72 New Resource Records over 13 days

73 New Resource Records over 13 days Using wildcard in the storage scheme, we can reduce 129,674,213 distinct disposable resource records to 945,065 (0.7%). 73

74 Conclusion We presented a study from large scale DNS traffic traces collected at Comcast serving millions of end users. We proposed a novel algorithm to measure DNS zones that extensively use disposable domains. We discussed the possible negative implications that disposable domains may have on the DNS caching infrastructure, DNSSEC-validating resolvers, and passive DNS data collection systems. 74