Rami Al-Dalky
ABSTRACT
Content delivery networks (CDNs) commonly use DNS to map end-users to the best edge servers. A recently proposed EDNS0-Client-Subnet (ECS) extension allows recursive resolvers to include end-user subnet information in DNS queries, so that authoritative DNS servers, especially those belonging to CDNs, could use this information to improve user mapping. In this paper, we study the ECS behavior of ECS-enabled recursive resolvers from the perspectives of the opposite sides of a DNS interaction, the authoritative DNS servers of a major CDN and a busy DNS resolution service. We find a range of erroneous (i.e., deviating from the protocol specification) and detrimental (even if compliant) behaviors that may unnecessarily erode client privacy, reduce the effectiveness of DNS caching, diminish ECS benefits, and in some cases turn ECS from facilitator into an obstacle to authoritative DNS servers' ability to optimize user-to-edge-server mappings.
- Bernhard Ager, Wolfgang Mühlbauer, Georgios Smaragdakis, and Steve Uhlig. 2010. Comparing DNS resolvers in the wild. In Proceedings of the Internet Measurement Conference. ACM, 15--21.Google Scholar
Digital Library
- Akamai 2019. Akamai Technologies, Inc. Retrieved 2019-09-07 from https://www.akamai.com/Google Scholar
- Rami Al-Dalky, Michael Rabinovich, and Mark Allman. 2018. Practical challenge-response for DNS. ACM SIGCOMM Computer Communication Review 48, 3 (2018), 20--28.Google ScholarDigital Library
- Matt Calder, Xun Fan, Zi Hu, Ethan Katz-Bassett, John Heidemann, and Ramesh Govindan. 2013. Mapping the expansion of Google's serving infrastructure. In Proceedings of the Internet Measurement Conference. ACM, 313--326.Google ScholarDigital Library
- Matt Calder, Xun Fan, and Liang Zhu. 2019. A Cloud Provider's View of EDNS Client-Subnet Adoption. In Network Traffic Measurement and Analysis Conference (TMA). IEEE, 129--136.Google ScholarCross Ref
- Fangfei Chen, Ramesh K Sitaraman, and Marcelo Torres. 2015. End-User Mapping: Next Generation Request Routing for Content Delivery. ACM SIGCOMM Computer Communication Review 45, 4 (2015), 167--181.Google ScholarDigital Library
- CloudFront 2019. Amazon CloudFront. Retrieved 2019-09-07 from https://aws.amazon.com/cloudfront/Google Scholar
- CNAME 2019. Introducing CNAME Flattening: RFC-Compliant CNAMEs at a Domain's Root. https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/Google Scholar
- C. Contavalli, W. van der Gaast, D. Lawrence, and W. Kumari. 2016. Client Subnet in DNS Queries. RFC 7871. RFC Editor. https://tools.ietf.org/html/rfc7871Google Scholar
- D. Dagon, N. Provos, C.P. Lee, and W. Lee. 2008. Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority. In Network and Distributed System Security Symposium.Google Scholar
- J. Damas, M. Graff, and P. Vixie. 2013. Extension Mechanisms for DNS (EDNS(0)). RFC 6891. RFC Editor. https://tools.ietf.org/html/rfc6891Google Scholar
- Wouter B De Vries, Roland van Rijswijk-Deij, Pieter-Tjerk de Boer, and Aiko Pras. 2018. Passive observations of a large DNS service: 2.5 years in the life of Google. In Network Traffic Measurement and Analysis Conference (TMA). IEEE, 1--8.Google ScholarCross Ref
- DITL 2018. A-Root DITL Data, submitted to DNS-OARC by Verisign. https://www.dns-oarc.net/oarc/data/ditl/2018.Google Scholar
- ECS 2019. EDNS Client Subnet FAQ. Retrieved 2019-09-07 from https://support.opendns.com/hc/en-us/articles/227987647-EDNS-Client-Subnet-FAQGoogle Scholar
- EdgeScape 2019. Akamai EdgeScape. Retrieved 2019-09-07 from https://developer.akamai.com/edgescapeGoogle Scholar
- R. Elz and R. Bush. 1997. Clarifications To the DNS Specification. RFC 2181. https://tools.ietf.org/html/rfc2181Google Scholar
- Fastly 2019. Fastly, Inc. Retrieved 2019-09-07 from https://www.fastly.com/Google Scholar
- T. Finch, E. Hunt, P. van Dijk, and A. Eden. 2018. Address-specific DNS aliases (ANAME). https://tools.ietf.org/html/draft-ietf-dnsop-aname-02. https://tools.ietf.org/html/draft-ietf-dnsop-aname-02Google Scholar
- Cheng Huang, David A Maltz, Jin Li, and Albert Greenberg. 2011. Public DNS system and global traffic management. In IEEE INFOCOM - The 30th Conference on Computer Communications. 2615--2623.Google ScholarCross Ref
- Ben Jones, Nick Feamster, Vern Paxson, Nicholas Weaver, and Mark Allman. 2016. Detecting DNS root manipulation. In International Conference on Passive and Active Network Measurement. Springer, 276--288.Google ScholarCross Ref
- Panagiotis Kintis, Yacin Nadji, David Dagon, Michael Farrell, and Manos Antonakakis. 2016. Understanding the Privacy Implications of ECS. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. 343--353.Google Scholar
- D. Leonard and D. Loguinov. 2008. Turbo King: Framework for Large-Scale Internet Delay Measurements. In IEEE INFOCOM - The 27th Conference on Computer Communications. 31--35.Google Scholar
- J Ott, M Sanchez, J Rula, and F Bustamante. 2012. Content delivery and the natural evolution of DNS. In Proceedings of the Internet Measurement Conference. ACM, 523--536.Google ScholarDigital Library
- PDNS 2019. PowerDNS Recursor. Retrieved 2019-09-07 from https://www.powerdns.com/recursor.htmlGoogle Scholar
- David Plonka and Arthur Berger. 2017. kIP: a Measured Approach to IPv6 Address Anonymization. arXiv preprint arXiv:1707.03900 (2017).Google Scholar
- RIPE Atlas 2019. Welcome to RIPE Atlas. Retrieved 2019-09-07 from https://atlas.ripe.net/Google Scholar
- Kyle Schomp, Tom Callahan, Michael Rabinovich, and Mark Allman. 2013. On Measuring the Client-Side DNS Infrastructure. In Proceedings of the Internet Measurement Conference. ACM, 77--90.Google ScholarDigital Library
- Shadow 2019. Open Resolver Scanning Project. Retrieved 2019-09-07 from https://dnsscan.shadowserver.org/Google Scholar
- Philip Smith, Rob Evans, and Mike Hughes. 2006. RIPE routing working group recommendations on route aggregation. Document ripe-399, RIPE (2006).Google Scholar
- Florian Streibelt, Jan Böttger, Nikolaos Chatzis, Georgios Smaragdakis, and Anja Feldmann. 2013. Exploring EDNS-Client-Subnet Adopters in your Free Time. In Proceedings of the Internet Measurement Conference. ACM, 305--312.Google ScholarDigital Library
Index Terms
- A Look at the ECS Behavior of DNS Resolvers
Recommendations
Comparing DNS resolvers in the wild
IMC '10: Proceedings of the 10th ACM SIGCOMM conference on Internet measurementThe Domain Name System (DNS) is a fundamental building block of the Internet. Today, the performance of more and more applications depend not only on the responsiveness of DNS, but also the exact answer returned by the queried DNS resolver, e.g., for ...
Pollution resilience for DNS resolvers
ICC'09: Proceedings of the 2009 IEEE international conference on CommunicationsThe DNS is a cornerstone of the Internet. Unfortunately, no matter how securely an organization provisions and guards its own DNS infrastructure, it is at the mercy of others' provisioning when it comes to resolutions its resolvers perform on behalf of ...
Resolvers Revealed: Characterizing DNS Resolvers and their Clients
The Domain Name System (DNS) allows clients to use resolvers, sometimes called caches, to query a set of authoritative servers to translate host names into IP addresses. Prior work has proposed using the interaction between these DNS resolvers and the ...
Comments