DNS root server resolution anomaly detection

Bibliographic details
Published in: Computers & security 2024-09, Vol.144, p.103946, Article 103946
Main authors: Li, Chao; Chen, Jian; Zhang, Zhaoxin; Li, Zhiping; Cheng, Yanan; Ma, Chendi
Format: Article
Language: eng
Description
Abstract: The DNS root server is at the top of the hierarchical structure of the DNS system and is the initial node that bootstraps all DNS queries. If the root server resolves abnormally, all domain name resolutions will fail, and many users cannot access the Internet. For this reason, this paper detects the root server's own resolution anomalies and non-self resolution anomalies by constructing a high-confidence root zone file and anomaly judgment rules. First, we use the weighted voting statistics method to build a high-confidence root zone file by calculating the confidence of multi-source root zone files. Based on high-confidence root zone files, we construct three types of anomaly detection judgment rules: (1) root-side resolution anomaly judgment rules based on feature value matching, (2) response hijacking judgment rules that correlate response anomaly features with resolution routing information, and (3) root zone file synchronization anomaly judgment rules that calculate the relative synchronization delay of multi-source root zone files. Finally, using the three anomaly judgment rules, we perform anomaly detection on the root resolution data obtained by active measurement. Our detection results show that the root zone file synchronization delay distributions of different root server instances vary greatly. Some instances even show minute-level convergence, resulting in incorrect resolution for some TLDs. We also detect one response hijacking incident affecting the resolution of 2 TLDs, caused by the domain takeover mechanism adopted by the ISP to reduce inter-domain traffic settlement and decrease resolution latency. Except for unresponsiveness caused by network packet loss, no root-side resolution anomaly is found, indicating that there is no artificial manipulation of TLD resolution on the root server and reflecting each root server operator's responsibility for maintaining global Internet interconnection. The detection results show that the detection rules proposed in this paper can effectively detect root server resolution anomalies and help to maintain the health and stability of the DNS system.
ISSN:0167-4048
DOI:10.1016/j.cose.2024.103946