DNS Single Point of Failure Detection using Transitive Availability Dependency Analysis — Florian Maury
Date : 15 June 2018 à 15:00 — 30 min.
The Domain Name System (DNS) is one of the cornerstones of modern Internet, allowing users to access data from a distributed database, using domain names as reference keys. Data includes IP addresses of servers. DNS servers are no exception, and their names must be resolved into IP addresses, as well. The crucial difference between the name of a DNS server and, say, the name of a web server, is that one must resolve the name of a DNS server in order to query it and proceed with a user request such as "what’s the address of that web server?". DNS experts advocate for various naming strategies for DNS servers, each having their own set of distinctive advantages and drawbacks. During this study, we analyzed over four million domain names of websites from the .fr country-code top Level Domain (ccTLD) and from Alexa top 1 million domain names, to detect single points of failure (SPOF) from DNS servers and DNS alias naming strategies, and IP address dispersion. We discovered that 83 % of the studied domain names delegated from the .fr ccTLD present SPOFs that could easily be avoided. We also discovered that over one domain out of 20 from Alexa top 1 Million web server domain names depend on a single IP address to work properly. In this paper, we detail our measurement methodology, break down the generating causes for SPOFs into classes of misconfigurations and provide guidance to improve the resiliency of the DNS.