Publications
Understanding and quantifying aggressive resolver behaviors
Abstract
While prior research has investigated DNS servers [12, 9, 10, 15, 2] and some DNS use patterns [1, 8, 3, 11, 7] in great detail, little is known about the diversity of DNS recursive resolver implementations and behaviors. Yet recursive resolvers are the linchpin of the DNS infrastructure; their (mis)behavior can affect both DNS clients and authoritative servers. Misconfigured recursives can be misused in attacks [13] or introduce delays in responses to clients [1, 4]. Recursives that generate excessive queries to the DNS infrastructure [6, 5, 14] misuse precious resources of authoritative nameservers, possibly for no useful purpose. In part, the lack of insight into and understanding of the diversity of recursive resolver behaviors has led communities to take leap-of-faith efforts like the DNS Flag Day, which did not go according to plan. Our research seeks to understand, quantify and characterize recursive resolver behaviors, specifically for those that aggressively send DNS queries. As an example of the abusive recursive problem, Fig. 1 shows the CDF of the number of requests received by the root DNS servers from unique IP addresses. This plot has been generated from the DNS-OARC DITL 2018 and 2019 datasets. We can see from this figure that 99% of all recursives send a moderate number of queries. However, the 1% that send aggressively were responsible for sending up to 98% and 93% of all traffic in 2018 and 2019, respectively. Moreover, the 1% of abusive recursives correspond to around 8.3k recursives in 2018 and over 14k in 2019, which might indicate a growing number of abusive recursives on the Internet, misusing the DNS infrastructure. Within the …
- Date
- September 13, 2025
- Authors
- Natália G Knob, Ricardo de O Schmidt, Marco AS Trentin, Jelena Mirkovic, Wes Hardaker, John Heidemann
- Journal
- DNS and Internet Naming Research Directions