DNS to the rescue: discerning content and services in a tangled web

  • Authors: Ignacio N. Bermudez; Marco Mellia; Maurizio M. Munafo; Ram Keralapura; Antonio Nucci
  • Affiliations: Politecnico di Torino, Turin, Italy; Politecnico di Torino, Turin, Italy; Politecnico di Torino, Turin, Italy; Narus, Sunnyvale, CA, USA; Narus, Sunnyvale, CA, USA
  • Venue: Proceedings of the 2012 ACM conference on Internet measurement conference
  • Year: 2012

Abstract

A careful perusal of the Internet's evolution reveals two major trends: the explosion of cloud-based services and of video streaming applications. In both cases, the owner of the content (e.g., CNN, YouTube, or Zynga) and the organization serving it (e.g., Akamai, Limelight, or Amazon EC2) are decoupled, making it harder to understand the association between the content, its owner, and the host where the content resides. This has created a tangled world wide web that is very hard to unwind, impairing ISPs' and network administrators' ability to control the traffic flowing in their networks. In this paper, we present DN-Hunter, a system that leverages the information provided by DNS traffic to discern the tangle. Parsing through DNS queries, DN-Hunter tags traffic flows with the associated domain name. This association has several applications and reveals a large amount of useful information: (i) it provides fine-grained traffic visibility even when the traffic is encrypted (i.e., TLS/SSL flows), thus enabling more effective policy controls; (ii) it identifies flows even before the flows begin, thus providing superior network management capabilities to administrators; (iii) it helps understand and track (over time) the different CDNs and cloud providers that host content for a particular resource; (iv) it discerns all the services/content hosted by a given CDN or cloud provider in a particular geography and time interval; and (v) it provides insights into all applications/services running on any given layer-4 port number. We conduct extensive experimental analysis and show results from real traffic traces (including FTTH and 4G ISPs) that support our hypothesis. Simply put, the information provided by DNS traffic is one of the key components required for understanding the tangled web, and for bringing the ability to effectively manage network traffic back to the operators.
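The tagging idea in the abstract can be sketched as follows. This is an added example, not DN-Hunter's implementation: the `FlowTagger` class, the choice to key the table on (client IP, server IP), and the constructed events (documentation-range addresses and example domains) are all assumptions made for illustration.

```python
from collections import defaultdict

class FlowTagger:
    """Labels flows with the domain name a client resolved just before."""
    def __init__(self):
        self.resolved = {}                  # (client, server_ip) -> fqdn
        self.by_server = defaultdict(set)   # server_ip -> fqdns it serves
        self.by_port = defaultdict(set)     # dst port -> fqdns seen on it

    def on_dns_response(self, client, fqdn, answers):
        name = fqdn.lower().rstrip(".")     # normalise case, trailing dot
        for ip in answers:
            # Limitation: last answer wins if one client maps two
            # names to the same server IP.
            self.resolved[(client, ip)] = name
            self.by_server[ip].add(name)

    def on_flow(self, client, server, dport):
        # Only addresses are needed, so TLS flows are labelled too.
        name = self.resolved.get((client, server))
        if name is not None:
            self.by_port[dport].add(name)
        return name                         # None: no DNS answer observed

# Constructed sample trace: two clients share one CDN address.
EVENTS = [
    ("dns", "192.0.2.10", "video.example.com.",
     ["198.51.100.7", "198.51.100.8"]),
    ("dns", "192.0.2.11", "Games.Example.net", ["198.51.100.7"]),
    ("flow", "192.0.2.10", "198.51.100.7", 443),
    ("flow", "192.0.2.11", "198.51.100.7", 443),
    ("flow", "192.0.2.10", "203.0.113.5", 80),   # never resolved
]

def replay(events):
    """Feed events in capture order; return the tagger and flow labels."""
    tagger, labels = FlowTagger(), []
    for kind, client, *rest in events:
        if kind == "dns":
            tagger.on_dns_response(client, *rest)
        else:
            labels.append(tagger.on_flow(client, *rest))
    return tagger, labels

if __name__ == "__main__":
    tagger, labels = replay(EVENTS)
    print(labels)
    print(sorted(tagger.by_server["198.51.100.7"]))
```

Keying on the client as well as the server lets two flows to the same shared address receive different labels, and the unlabelled third flow shows the blind spot when no DNS answer was observed for that client and server.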