DOI: 10.1145/3663408.3663412
Research article

Rethinking DNS Configuration Verification with a Distributed Architecture

Published: 03 August 2024

Abstract

DNS misconfiguration can result in severe social and financial consequences. Existing DNS configuration verification tools employ a centralized architecture, where all zone files are collected for verification. This architecture faces significant scalability issues (e.g., the verifier becomes the performance bottleneck and incremental verification is not supported). Inspired by the recent proposal of distributed data plane verification and the resemblance between the network data plane and DNS configuration, we propose to rearchitect DNS configuration verification with a distributed design. Our key insight is that by analyzing the query processing behavior of each DNS zone file in parallel and stitching the results in a symbolic way, we can substantially scale up the verification of DNS configuration. Evaluation shows a speedup of up to 9.51× on a dataset of over 410,000 resource records, with small overhead.
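The following is an added illustrative sketch of the two-step structure the abstract describes, written for this page; it is not the paper's implementation and the zones, names and summary format are constructed for the example. Step 1 summarizes each zone's query-processing behaviour in isolation (run in parallel, one task per zone); step 2 stitches those summaries to answer cross-zone questions such as lame delegations, dangling CNAMEs and CNAME loops, without reading any zone file again. Editing one zone only re-runs that zone's local step. A real symbolic verifier would reason over equivalence classes of query names rather than the enumerated owner names used here.

```python
"""Toy distributed DNS configuration check (illustrative sketch, not the paper's code).
Step 1 (local, parallel): summarize how each zone answers queries on its own.
Step 2 (global, cheap): stitch summaries to verify cross-zone properties."""
from concurrent.futures import ThreadPoolExecutor

# Constructed sample zones: origin -> [(owner, type, rdata)], all names fully qualified.
ZONES = {
    "example.com.": [
        ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300"),
        ("example.com.", "NS", "ns1.example.com."),
        ("www.example.com.", "A", "192.0.2.10"),
        ("old.example.com.", "CNAME", "www.example.com."),
        ("gone.example.com.", "CNAME", "missing.example.com."),   # dangling CNAME target
        ("loop1.example.com.", "CNAME", "loop2.example.com."),
        ("loop2.example.com.", "CNAME", "loop1.example.com."),    # CNAME loop
        ("shop.example.com.", "NS", "ns1.shop.example.com."),     # delegation, child zone present
        ("api.example.com.", "NS", "ns1.api.example.com."),       # delegation, child zone missing
    ],
    "shop.example.com.": [
        ("shop.example.com.", "SOA", "ns1.shop.example.com. hostmaster.shop.example.com. 1 3600 600 86400 300"),
        ("shop.example.com.", "NS", "ns1.shop.example.com."),
        ("cart.shop.example.com.", "A", "192.0.2.20"),
    ],
}


def analyze_zone(origin, records):
    """Local step: for each owner name, what does this zone alone do with a query?
    Outcomes (assumed format): ("answer", types) | ("cname", target) | ("delegation", child)."""
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))
    summary = {}
    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        if owner != origin and "NS" in types:
            summary[owner] = ("delegation", owner)  # zone cut; the child zone has this origin
        elif "CNAME" in types:
            summary[owner] = ("cname", next(r for t, r in rrs if t == "CNAME"))
        else:
            summary[owner] = ("answer", types)
    return origin, summary


def analyze_all(zones):
    """Run the local step for every zone in parallel; the zones never see each other."""
    with ThreadPoolExecutor() as pool:
        return dict(pool.map(lambda kv: analyze_zone(*kv), zones.items()))


def update_zone(summaries, origin, records):
    """Incremental re-verification: a change to one zone re-runs only that zone's local step."""
    updated = dict(summaries)
    updated[origin] = analyze_zone(origin, records)[1]
    return updated


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def resolve(name, summaries, max_cnames=8):
    """Global step: walk a query through the stitched summaries the way a resolver walks
    delegations, starting at the shallowest zone that contains the name."""
    seen = []
    for _ in range(max_cnames):
        entry = [o for o in summaries if in_zone(name, o)]
        if not entry:
            return ("no_zone", name)
        zone = min(entry, key=len)
        while True:  # follow the closest enclosing delegation downwards
            cuts = [o for o, (kind, _) in summaries[zone].items()
                    if kind == "delegation" and in_zone(name, o)]
            if not cuts:
                break
            cut = max(cuts, key=len)
            if cut not in summaries:
                return ("lame_delegation", cut)  # parent delegates, no child zone exists
            zone = cut
        kind, detail = summaries[zone].get(name, ("nxdomain", name))
        if kind != "cname":
            return (kind, detail)
        if detail == name or detail in seen:
            return ("cname_loop", name)
        seen.append(name)
        name = detail
    return ("cname_too_long", name)


def verify(summaries):
    """Resolve every owner name known to any zone; report everything that is not a clean answer."""
    findings = {}
    for summary in summaries.values():
        for owner in summary:
            status, detail = resolve(owner, summaries)
            if status != "answer":
                findings[owner] = (status, detail)
    return findings


if __name__ == "__main__":
    for owner, problem in sorted(verify(analyze_all(ZONES)).items()):
        print(f"{owner}: {problem[0]} ({problem[1]})")
```

The point of the split is that `analyze_zone` never needs another zone's data, so it can run on whichever machine holds that zone file, and `resolve`/`verify` operate only on the much smaller summaries. With this input the stitch step reports the lame delegation at `api.example.com.`, the dangling CNAME at `gone.example.com.` and the `loop1`/`loop2` CNAME loop, while `old.example.com.` and `cart.shop.example.com.` resolve cleanly across the zone cut.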



    Published In

    APNet '24: Proceedings of the 8th Asia-Pacific Workshop on Networking
    August 2024
    230 pages
    ISBN: 9798400717581
    DOI: 10.1145/3663408
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. DNS configuration verification
    2. Distributed verification

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    APNet 2024

    Acceptance Rates

    APNet '24 Paper Acceptance Rate 50 of 118 submissions, 42%;
    Overall Acceptance Rate 50 of 118 submissions, 42%

    Article Metrics

    • Total Citations: 0
    • Total Downloads: 27
    • Downloads (last 12 months): 27
    • Downloads (last 6 weeks): 1
    Reflects downloads up to 27 Dec 2024
