Fault tree method for DNS name resolution fault analysis
XU Haiyan (1), WANG Yingkang (2), DU Yuejin (1), YAN Jianen (1), ZHANG Zhaoxin (1)
(1) School of Computer Science and Technology, Harbin Institute of Technology, Harbin 150001, China;
(2) Information Center of Ministry of Industry and Information Technology, Beijing 100846, China
Abstract (translated from the Chinese version): The domain name system (DNS) is a critical part of the Internet infrastructure, and its core function is domain name resolution. To guarantee the availability of name resolution and the correctness of its results, the name servers that take part in resolution must work normally and stably. This paper addresses the security problems of the name resolution process by proposing a name resolution fault analysis method. First, a dependency graph is constructed from the dependency relationships of the resolution process. Second, fault tree analysis is applied to mine the set of key servers that guarantee name resolution and the set of key servers whose failure causes resolution faults; these sets are used to locate the regions of the DNS that need priority protection. Finally, the method is applied to resolution fault analysis of a single domain name and of the Alexa Top 50 000 domain names. The results show that some domain zone configurations contain unreasonable dependency relationships, which lead to unnecessary resolution steps and increase the resolution load on DNS servers.
Abstract: The domain name system (DNS) is an important part of the Internet whose core function is to resolve domain names. The DNS servers must be stable to ensure the availability of the name resolution process and the accuracy of its results. A domain name resolution fault analysis method is presented in this paper for the security problems of name resolution. First, a name dependency graph is constructed according to the dependency relationships of name resolution. Then fault tree analysis is used to mine the set of DNS servers on which successful name resolution depends and the set of DNS servers whose failure causes resolution to fail. A single domain name and the Alexa Top 50 000 domain names were analyzed with this method, showing that there are unreasonable dependencies in the configurations of individual domain names which lead to unnecessary resolution procedures and increase the DNS server load.
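The abstract describes the method only in outline. The following is an added illustration written for this page, not code from the paper: it builds a small constructed dependency graph (zone to NS hosts, with an NS host depending on the zone that holds its own name unless that zone is in-bailiwick), models "zone cannot be resolved" as a fault tree (parent zone fails OR every NS host fails, where an NS host fails if it is down OR its name's zone fails), and computes the minimal cut sets, i.e. the sets of servers whose joint failure breaks resolution. It also records the out-of-bailiwick zones pulled into the resolution, the kind of extra dependency the paper flags as unnecessary load. All zone and host names are constructed; cycles are cut off rather than followed.

```python
from itertools import product
# Constructed sample zone configuration (not from the paper): zone -> NS hosts.
ZONES = {
    ".": ["a.root", "b.root"],
    "com.": ["a.gtld-servers.net", "b.gtld-servers.net"],
    "net.": ["a.gtld-servers.net", "b.gtld-servers.net"],
    "example.com.": ["ns1.example.com", "ns1.provider.net"],
    "provider.net.": ["ns1.provider.net", "ns2.provider.net"],
}

def ancestors(zone):
    """The zone itself plus every parent zone up to the root '.'."""
    labels = [] if zone == "." else zone.rstrip(".").split(".")
    return {"."} | {".".join(labels[i:]) + "." for i in range(len(labels))}

def zone_of(host):
    """Longest configured zone containing the host name (where its address lives)."""
    return max((z for z in ZONES if z in ancestors(host.rstrip(".") + ".")), key=len)

def minimise(cuts):
    """Keep only minimal cut sets: drop any set that contains another one."""
    keep = []
    for s in sorted({frozenset(c) for c in cuts}, key=len):
        if not any(k <= s for k in keep):
            keep.append(s)
    return set(keep)

def and_gate(a, b):   # both events must occur: pairwise unions of cut sets
    return minimise({x | y for x, y in product(a, b)})
def or_gate(a, b):    # either event suffices: union of the cut-set families
    return minimise(a | b)

def zone_failure(zone, stack=(), extra=None):
    """Minimal cut sets for 'zone unreachable'; foreign NS zones collected in `extra`."""
    extra = set() if extra is None else extra
    all_ns_down = {frozenset()}                      # AND-gate identity
    for host in ZONES[zone]:
        host_down = {frozenset([host])}
        hz = zone_of(host)
        if hz not in ancestors(zone):                # NS name needs a foreign zone
            extra.add(hz)
            if hz not in stack:                      # cyclic dependency: stop here
                host_down = or_gate(host_down, zone_failure(hz, stack + (zone,), extra))
        all_ns_down = and_gate(all_ns_down, host_down)
    parent = max(ancestors(zone) - {zone}, key=len, default=None)
    return all_ns_down if parent is None else or_gate(zone_failure(parent, stack + (zone,), extra), all_ns_down)

def analyse(zone):
    """Minimal cut sets for resolving `zone`, plus the foreign zones it depends on."""
    extra = set()
    return zone_failure(zone, (), extra), extra
```

For the constructed data, `analyse("example.com.")` yields three minimal cut sets (both root servers, both gTLD servers, or both of the zone's own NS hosts) and shows that resolving example.com. drags in the net. and provider.net. zones.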
XU Haiyan, WANG Yingkang, DU Yuejin, YAN Jianen, ZHANG Zhaoxin. Fault-tree-based domain name resolution fault analysis method [J]. Journal of Tsinghua University (Science and Technology), 2017, 57(7): 680-686. (in Chinese)
XU Haiyan, WANG Yingkang, DU Yuejin, YAN Jianen, ZHANG Zhaoxin. Fault tree method for DNS name resolution fault analyse. Journal of Tsinghua University(Science and Technology), 2017, 57(7): 680-686.