Who are querying for me? Measuring the dependency and centralization in recursive resolution
Authors: Meng Luo, Qiuyun Wang, Jianrong Zhang, Cheng Yu, Kai Zhou, Baojiang Cui, Zhengwei Jiang
Journal: Computers & Security, volume 156, Article 104501 (JCR Q1, Computer Science, Information Systems; impact factor 4.8)
Publication date: 2025-05-11
Publication type: Journal Article
DOI: 10.1016/j.cose.2025.104501
URL: https://www.sciencedirect.com/science/article/pii/S0167404825001890
Citations: 0
Abstract
In DNS resolution, a recursive resolver receives requests from clients and queries the authoritative name servers to resolve domain names. In real networks, some recursive resolvers work as ingress resolvers, which receive client requests but rely on egress resolvers to communicate with authoritative name servers. This dependency on egress resolvers introduces two issues. First, the failure of egress resolvers can delay or disrupt the resolution of ingress resolvers. Second, dependency centralization constrains the DNS system to a limited number of resolvers and organizations, exposing the system to higher risks of availability issues and cascading failures. Understanding the dependencies and centralization of recursive resolvers is essential for comprehending the DNS ecosystem.
In this work, we investigate the recursive resolution implemented by open resolvers in the IPv4 address space to quantify their dependencies. We propose a set of approaches to identify the egress resolvers and third-party providers on which open resolvers depend, and we analyze the degree of dependency centralization from multiple perspectives. Our measurements reveal that open resolvers in the wild exhibit widespread and highly concentrated dependencies. Specifically, more than 1.7 million open resolvers depend on about 147,000 egress resolvers. 90% of open resolvers are influenced by 8.41% of egress resolvers, and 36.82% of open resolvers rely on only one egress resolver to perform resolution. Egress resolvers from third-party providers can influence more than 44.40% of the open resolvers. Our work demonstrates that dependencies in recursive resolution are concentrated on a small number of egress resolvers and third-party providers, significantly reducing DNS redundancy and threatening system availability.
About the journal:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.