On the DNS Deployment of Modern Web Services Shuai Hao∗y, Haining Wang∗, Angelos Stavrouz, and Evgenia Smirniy ∗University of Delaware, Newark, DE, USA yCollege of William and Mary, Williamsburg, VA, USA zGeorge Mason University, Fairfax, VA, USA Email: fhaos,[email protected], [email protected], [email protected] Abstract—Accessing Internet services relies on the Domain Existing DNS measurements studied the characteristics of Name System (DNS) for translating human-readable names to DNS activities and operations [16], [17], [21], [24], [26], the routable network addresses. At the bottom level of the DNS root or top-level-domain servers [20], [22], [29], [30], [36], or hierarchy, the authoritative DNS (ADNS) servers maintain the actual mapping records and answer the DNS queries. Today, the DNS resolvers [15], [18], [35]. Some works involving the the increasing use of upstream ADNS services (i.e., third-party characteristics of ADNSes mainly focused on the comparison ADNS-hosting services) and Infrastructure-as-a-Service (IaaS) with local DNS (LDNS) servers, but none of them explored clouds facilitates the establishment of web services, and has various ADNS deployments for web services. Complementary been fostering the evolution of the deployment of ADNS servers. to these prior works, we present a large-scale measurement To shed light on this trend, in this paper we present a large- scale measurement to study the ADNS deployment patterns of study in attempt to answer the following questions: (1) how modern web services and examine the characteristics of different do modern web services deploy their ADNS servers? (2) what deployment styles, such as performance, life-cycle of servers, are the characteristics of different ADNS deployment patterns? and availability. Furthermore, we focus specifically on the DNS and (3) in particular, how do the cloud-hosting subdomains deployment for subdomains hosted in IaaS clouds. administer their ADNS servers? We first collect the authoritative DNS server information I. INTRODUCTION for top-ranking websites on Alexa’s list [2] and eliminate the As a hierarchical distributed database system, the Domain redundant domain records. This constructs our dataset with Name System (DNS) is one of the most important components about 2.3 million nameservers for about 0.94 million websites. of Internet infrastructure, providing the mapping between the We then develop a systematic method to explore ADNS server domain names and network-level addresses to direct clients to deployment patterns and perform the geo-distributed probing specific Internet services. In DNS hierarchy, the Root and Top- experiments. In particular, by directly issuing DNS queries to Level-Domain nameservers are mainly used as the querying each ADNS server, we examine their deployment details and referrals, while the authoritative DNS (ADNS) servers, admin- characteristics. Next, we focus on the DNS deployment of web istered by the service providers, are responsible for storing the services whose subdomains are hosted in cloud infrastructure. name-to-address records and returning answers to the clients. We extract the subdomain list from an existing dataset [5], Deploying authoritative nameservers requires extra hard- reproduce the ADNS servers of subdomains for comparing ware resources and additional maintenance support. Also, the with the original results, and examine their deployment. We critical roles of DNS service in web infrastructure make it an summarize our major findings and contributions as follows: attractive target to attackers. Thus, web service providers are increasingly adopting the upstream authoritative DNS servers, • We use a simple heuristic method to determine the ADNS including the top sites (e.g., Amazon and Twitter) that have deployment patterns. In fact, it is fairly easy to recognize the ability to maintain their own ADNS infrastructures. In ad- the pattern for an individual website from its NS records, dition, to save a large amount of investment for infrastructure, but it is much more difficult when looking for millions many of today’s popular web services are directly built upon of websites in such a large-scale study. Infrastructure-as-a-Service (IaaS) clouds such as Amazon EC2 • We validate the use of ADNS proxy infrastructure by and Windows Azure. The traditional web service providers examining the transition delay and the TTL aging. are also migrating extended services into clouds to use the • We first quantify the usage and profile the characteristics “illusively-infinite” computing and storage resources. The IaaS of ADNS servers in terms of the deployment patterns. infrastructure greatly facilitates the establishment of modern • We find that most top-ranked websites deploy their own web services and also promotes the process of delegating DNS servers but emerging popular social sites tend to the authoritative name resolution to third-party ADNS service use the upstream DNS-hosting services. We also observe providers. Besides traditional web-hosting providers such as few servers being used in private deployment. Dyn [6] and Ultradns [14], the Content Delivery Networks • We find that the ADNS deployment patterns remain sta- (CDN) and cloud service providers also offer the ADNS ble. The change of private servers is more frequent than services that integrate the name resolution into their CDNs that of upstream servers. The websites using upstream or cloud infrastructures [1], [4]. services change frequently their hosting domains but have Root Server Top-Level Upstream ADNS Server Domain Server Web Server Web Server ADNS Server Internet Internet 1 2 1 Local/Public 2 3 2 Resolver Internet Web Server 1 (a) Private ADNS Server (b) Upstream ADNS Server 5 4 Local Network Authoritative DNS Server ADNS Upstream Client Web Server Server ADNS Server Resolver 6 Internet 1a Fig. 1. DNS Resolution Process (Iterative query). 2 1b (c) Hybrid ADNS Servers the lowest frequency to change their deployment patterns. • Among the studied patterns (i.e., private, upstream, and hybrid), we observe that upstream achieves the highest Fig. 2. ADNS Deployment for Web Services. performance while hybrid has the highest availability. TABLE I • We quantify the usage of ADNSes for cloud-hosting ADNS DEPLOYMENT OF TOP 15 SITES3 subdomains. We observe a noticeable growth on the usage of cloud-providing DNS service. Domain ADNS google.com google.com The remainder of this paper is organized as follows. We facebook.com facebook.com introduce DNS and ADNS deployment in x2. We describe the youtube.com google.com data sets used and our analysis methods in x3. We present the yahoo.com yahoo.com measurement results and analysis of ADNS deployment for baidu.com baidu.com top-ranking websites in x4. We profile the usage of ADNSes wikipedia.org wikimedia.org amazon.com dynect.net, ultradns4 for cloud-hosting subdomains in x5. We survey related work twitter.com dynect.net in x6, and finally conclude the paper in x7. taobao.com taobao.com qq.com qq.com II. BACKGROUND google.co.in google.com live.com msft.net In this section, we give an overview of DNS and present the sina.com.cn sina.com.cn authoritative DNS deployment patterns for modern web ser- linkedin.com dynect.net, linkedin.com vices. In addition, we specially discuss the DNS deployment weibo.com sina.com.cn of cloud-hosting subdomains. A. DNS Overview • Private ADNS server: The web service owners deploy Figure 1 shows the DNS components and the process of their private authoritative DNS servers only within their 1 name resolution. A resolution routine on the client-end host, own domains. called stub resolver, issues a DNS lookup to a recursive • Upstream ADNS server: The web service owners del- resolver, a local DNS server deployed by the client’s local egate their authoritative name resolution to the upstream network or a public DNS service [8], [10] located in a wide DNS-hosting service providers.2 area network. Without considering the cache effects on the • Hybrid ADNS deployment: The web service owners resolvers and intermediate servers, the recursive resolver will employ both the private DNS servers and the upstream first contact the root server. The root server directs the resolver ADNS servers for their authoritative name resolution. to query a top-level-domain (TLD) server (e.g., the .com TLD server). Similarly, the TLD server responds the resolver’s 1The domains hosting web services and private nameservers may also be query with the address of the authoritative DNS (ADNS) located inside IaaS clouds. In such a case, the service provider runs the ADNS servers with cloud instances. server for the corresponding domain. Next, the resolver queries 2We only consider the ADNS-hosting domains to identify the deployment, the ADNS server for the address of the domain host, and regardless of whether a website itself is hosted in private infrastructure or finally the client can reach the Internet service as the recursive web-hosting companies. 3 resolver returns the answer for name resolution. The ranking is from April 2015. 4The TLDs of Ultradns serving for amazon.com include .net, .org, .info, and .co.uk. Although Amazon offers a public DNS-hosting service B. ADNS Deployment Patterns (Route 53 [4]) for its cloud tenants, it delegates its DNS resolution to upstream providers. We infer that it is a historical reason: Amazon has been running the Figure 2 illustrates the steps of a client accessing the web upstream ADNS for amazon.com since its establishment in 1995 and did services under three different ADNS deployments: not switch to private servers when expanding its business to cloud services. ADNS Server Web Server Upstream DNS Proxy Cloud Subdomain Web Server DNS Proxy ADNS Server ADNS Web Server Web Server 2 Server Internet Cloud Internet 1 4 1 3 Internet 2 1 2a 2b (a) Proxy for Private ADNS (b) Proxy for Upstream ADNS (a) Primary ADNS Fig. 3. DNS Proxy. delegate resolution Cloud Subdomain ADNS DNS Server Web Server Table I lists the domains hosting authoritative DNS servers Web Server Server for the top 15 websites on Alexa’s list [2].