[dns-operations] FYI: Georgia Tech Paper on "Disposable Domain Names"

Robert Edmonds edmonds at mycre.ws
Fri May 2 22:39:04 UTC 2014

Livingood, Jason wrote:
> May be of interest.
> Full disclosure: Uses data from Comcast’s recursive servers and our Tech R&D Fund provided some partial funding of the work.
> See http://www.nctatechnicalpapers.com/Paper/2014/2014-disposable-domains
> By Yizheng Chen, Manos Antonakakis, Wenke Lee
> In recent years DNS has been increasingly leveraged to build and scale highly reliable network infrastructures. In this paper, we will introduce and analyze a new class of domains, which we refer to as disposable domains. Disposable domains appear to be heavily employed by common Internet services (i.e., Search Engines, Social Networks, Online Trackers etc.), and they seem to be automatically generated. They are characterized by a “one-time use” pattern, and appear to be used as a way of “signaling” via DNS. While this is yet another “creative” use of the DNS to enable new Internet applications and efficient scaling of services, little do we know about the size and DNS caching properties of this family of domains.
> To shed light on the pervasiveness and growth of disposable domains, we present a study of their characteristics based on live DNS traffic observed at Comcast, in a city that serves millions of end users. We found that disposable domains increased from 23.1% to 27.6% in all queried domain names, and from 27.6% to 37.2 % among all resolved domain names daily, and more than 60% of all distinct resource records observed daily in modern DNS traffic are related to disposable domains. We discuss the possible negative implications that disposable domains may have on the DNS caching infrastructure, resolvers validating DNSSEC transactions, and passive DNS data collection systems.

According to the paper, "Usually, over 90% of cache hit rates from
disposable domains are zero."  (I think this means that >90% of these
"disposable domains" are only used once, but the wording is not entirely
clear.)  It might be worthwhile investigating whether this warrants
implementing Segmented LRU in DNS caching implementations.  From

    An SLRU cache is divided into two segments, a probationary segment
    and a protected segment. Lines in each segment are ordered from the
    most to the least recently accessed. Data from misses is added to
    the cache at the most recently accessed end of the probationary
    segment. Hits are removed from wherever they currently reside and
    added to the most recently accessed end of the protected segment.
    Lines in the protected segment have thus been accessed at least

Robert Edmonds

More information about the dns-operations mailing list