Most DNS Traffic Passes Through Just a Few Name Servers

The Domain Name System was designed to be decentralized, so that any organization could run its own name server to handle DNS queries. In reality, the bulk of the world's DNS traffic passes through authoritative name servers operated by fewer than 10 organizations.

DNS acts as an address book for the Internet by translating human-friendly domain names into machine addresses, and it makes practically every online transaction possible. When a user types in a website name, that query typically goes to a recursive DNS resolver, which finds the corresponding machine address. If the resolver does not already know the answer, it asks other resolvers or passes the query to an authoritative name server, which holds the records for the names it is responsible for.

The system is designed to accommodate any number of resolvers and name servers, but in reality, just 1,000 name servers handle 60 percent of DNS resolution requests, according to statistics collected by the DNS Observatory, a project backed by Farsight Security. The DNS Observatory acts as a “telescope” for global DNS traffic, as it lets researchers see the details of queries as they flow between recursive DNS resolvers and authoritative name servers.

"Approximately 60% of the DNS transactions captured in our list were handled by just 1,000 name servers; the majority of queries flowed into ASes [authoritative servers] operated by less than 10 organizations," said Pawel Foremski, Farsight’s scientist and senior distributed systems engineer.

The DNS Observatory project processed over 1 trillion DNS transactions over a three-month period from January to March 2019, and saw over 2.5 million unique FQDNs per minute, on average. Partner organizations running their own resolvers, including ISPs, universities, and recursive DNS providers, contributed data to the project. Foremski presented DNS Observatory’s findings during MAPRG at IETF 104 back in March.

Researchers studied the top 10,000 name servers, defined as the most popular IP addresses of authoritative name servers seen in the transaction data, and found that DNS traffic was highly concentrated on a relatively small set of IP addresses, Foremski said. The "really popular name servers," such as the root and TLD name servers, were more likely to receive queries for random or otherwise erroneous names.

“We found some non-existing TLDs, such as ‘.local’ being more popular than existing TLDs, such as the Italian ccTLD ‘.it,’” Foremski said.
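The two statistics quoted above, the share of traffic absorbed by the busiest name servers and the volume of queries for non-existent TLDs such as ".local", are the kind of measurement a resolver operator can run over their own logs. The following is an added example, not code from the article or from the DNS Observatory project; it works on a constructed sample of (authoritative server IP, queried name) transactions and a constructed subset of known TLDs, both of which are assumptions.

```python
from collections import Counter
# Constructed sample of (authoritative server IP, queried name) transactions in the
# shape a resolver log captures; documentation-range addresses and made-up names.
SAMPLE_LOG = """\
192.0.2.1 www.example.com
192.0.2.1 mail.example.com
192.0.2.1 printer.local
192.0.2.1 nas.local
192.0.2.1 cdn.example.net
192.0.2.2 www.example.org
192.0.2.2 router.home
192.0.2.2 api.example.org
198.51.100.1 www.example.it
198.51.100.2 shop.example.co.uk
"""
# Constructed allowlist standing in for the real IANA root zone TLD list.
KNOWN_TLDS = {"com", "net", "org", "it", "uk"}

def parse_log(text):
    """Turn 'server_ip qname' lines into (server, name) pairs with normalised names."""
    txns = []
    for line in text.splitlines():
        if line.strip():
            server, name = line.split(maxsplit=1)
            txns.append((server, name.strip().lower().rstrip(".")))
    return txns

def server_shares(txns):
    """Each server's share of all transactions, busiest first."""
    counts = Counter(server for server, _ in txns)
    total = sum(counts.values())
    return [(server, n / total) for server, n in counts.most_common()]

def top_n_share(txns, n):
    """Fraction of traffic handled by the n busiest servers (the '1,000 servers' view)."""
    return sum(share for _, share in server_shares(txns)[:n])

def servers_for_share(txns, target):
    """Smallest number of busiest servers whose combined share reaches `target`."""
    cumulative = 0.0
    for rank, (_, share) in enumerate(server_shares(txns), start=1):
        cumulative += share
        if cumulative >= target - 1e-9:
            return rank
    return len(server_shares(txns))  # only reached when target > 1.0

def unknown_tld_counts(txns, known=KNOWN_TLDS):
    """Count queries whose last label is not a known TLD ('.local', '.home' leakage)."""
    return Counter(t for t in (name.rsplit(".", 1)[-1] for _, name in txns) if t not in known)
```

On this sample the busiest server handles half of all queries, two servers are enough to reach 60 percent, and the unknown-TLD counter reports two ".local" and one ".home" query that should never have left the local network.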

The Internet depends on the integrity and resilience of DNS, which is why the system is supposed to be decentralized. If one resolver goes offline, other resolvers can pick up the load until it comes back. If a resolver holds incorrect destination information, only the users that rely on that server are affected, and the resolver obtains the correct destination once the stale record expires. However, the fact that most traffic passes through the same servers means that errors, or attacks against DNS, affect a larger number of users and impact more machines.

Paul Vixie, internet pioneer and founder of Farsight Security, has been warning for a while about the growing consolidation of DNS servers. Too many users rely on DNS servers operated by Google and a handful of other organizations instead of running their own, or using the ones operated by their ISP. When Vixie originally designed DNS (he designed and deployed numerous DNS protocol extensions and applications, including dynamic update, network reputation and BIND open-source software), the expectation was that name resolvers would be located geographically close to the users to make the query time very quick.

Other organizations, such as Google, Cloudflare and IBM, promised better performance and extra security in exchange for being able to see where people are going on the Internet. Over time, users lost control of their DNS data.

"The idea that we're going to ultimately end up with a dozen companies that have all our information and know everything about us because it just has become impractical to operate any service for ourselves because everything is so complicated now—that's crazy," Vixie said recently.

“We must not let it just be the big tech companies that decide humanity’s future,” Vixie said.