DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic

DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic

Wednesday, January 1, 2014
Yizheng Chen, Manos Antonakakis and Wenke Lee
International Conference on Dependable Systems and Networks (DSN)

In recent years DNS has been increasingly leveraged to build and scale highly reliable network infrastructures. In this paper, we will introduce and analyze a new class of domains, which we refer to as disposable domains. Disposable domains appear to be heavily employed by common Internet services (i.e., Search Engines, Social Networks, Online Trackers etc.), and they seem to be automatically generated. They are characterized by a “one-time use” pattern, and appear to be used as a way of “signaling” via DNS. While this is yet another “creative” use of the DNS to enable new Internet applications and efficient scaling of services, little do we know about the size and DNS caching properties of this family of domains.

To shed light on the pervasiveness and growth of disposable domains, we present a study of their characteristics based on live DNS traffic observed at Comcast, in a city that serves millions of end users. We found that disposable domains increased from 23.1% to 27.6% in all queried domain names, and from 27.6% to 37.2 % among all resolved domain names daily, and more than 60% of all distinct resource records observed daily in modern DNS traffic are related to disposable domains. We discuss the possible negative implications that disposable domains may have on the DNS caching infrastructure, resolvers validating DNSSEC transactions, and passive DNS data collection systems.