ABSTRACT: Fast and accurate identi�cation of active recursive domain name servers (RDNS) is a fundamental step to evaluate security risk degrees of DNS systems. Much identi�cation work have been proposed based on network tra�c measurement technology. Even though identifying RDNS accurately, they waste huge network resources, and fail to obtain host activity and distinguish between direct and indirect RDNS. In this paper, we proposed an approach to identify direct
and forward RDNS based on our three key insights on their request-response behaviors, and proposed an approach to identify indirect RDNS based on CNAME redirect behaviors. To work in high-speed backbone networks, we further proposed an online connectivity estimation algorithm to obtain estimated values used in our identi�cation approaches. According to our experiments, we can identify RDNS with a high accuracy by selecting the reasonable thresholds. The accuracy of identifying direct and forward RDNS can reach 89%. The accuracy of identifying indirect RDNS can reach 90%. Moreover, our work is capable of real-time analyzing high speed backbone tra�cs.
Keywords: evaluate security risk degrees, recursive nameservers, connectivity estimation
