
Quantifying and improving DNS availability

Posted on: 2011-04-12
Degree: Ph.D
Type: Dissertation
University: University of California, Davis
Candidate: Deccio, Casey
Full Text: PDF
GTID: 1468390011472308
Subject: Computer Science
Abstract/Summary:
The Domain Name System (DNS) is one of the components most critical to Internet functionality. Nearly all Internet applications rely on the DNS for name-to-address translation. The ubiquity of the DNS necessitates both the accuracy and availability of responses. In this dissertation we present a model of DNS name resolution from which the availability of a domain name can be quantified in the context of its deployment. Using this model, DNS administrators will better understand the complex processes required to resolve domain names and quantitatively improve the robustness of their DNS configurations, from a perspective of availability.

We begin our analysis by providing relevant background on the DNS. We summarize protocol details surrounding name resolution, protocol and implementation vulnerabilities, and security extensions (DNSSEC).

Next we formalize a model for identifying DNS dependencies, based on DNS specification and server implementation. Using this model we introduce metrics to quantify the diversity of the namespace affecting the name resolution of a domain name. We observe that out of the set of zones influencing resolution of a domain name an average of 92% were explicitly configured by DNS administrators. However, certain resolver caching behaviors increase the likelihood that a domain name is influenced by third parties.

We further our DNS dependency model to describe DNS availability, a measure of the resolvability of a domain name. We derive a model and metrics for measuring availability and identify weaknesses in deployments. We identify specific misconfigurations that degrade the availability of a domain name and quantify their impact. In our analysis of production DNS data we observe that 14% of domain names exhibit lower redundancy than that which administrators have explicitly configured. We also observe that 6.7% of domain names required queries to more than an optimal number of servers to obtain an answer.

Our final analysis pertains to misconfigurations affecting availability in DNSSEC deployments. Because DNSSEC deployment is still new to administrators, many deployments have suffered from server misconfiguration or maintenance neglect which ultimately render a domain name unresolvable, even if servers are responsive. We introduce metrics for improving availability, and we present methodology for increased name resolution robustness in the presence of DNSSEC misconfiguration. In our survey of production signed zones, we observe that 31% of the validation errors detected might be mitigated using the technique proposed in our research.

The models and metrics presented in this dissertation can assist DNS administrators in better understanding their DNS deployments and avoiding name resolution failure through proper design and maintenance of DNS.
Keywords/Search Tags:Domain name, DNS availability, Name resolution, DNS administrators, Using this model, DNSSEC, Deployments