Skip to Main Content
The domain name system (DNS) is integral to today's Internet. Name resolution for a domain is often dependent on servers well outside the control of the domain's owner. In this paper we propose a formal model for analyzing the name dependencies inherent in DNS, based on protocol specification and actual implementations. We derive metrics to quantify the extent to which domain names affect other domain names. It is found that under certain conditions, the name resolution for over one-half of the queries exhibits influence of domains not expressly configured by administrators. This result serves to quantify the degree of vulnerability of DNS due to dependencies that administrators are unaware of. The model presented in the paper also shows that the set of domains whose resolution affects a given domain name is much smaller than previously thought. The model also shows that with caching of NS target addresses, the number of influential domains expands greatly, thereby making the DNS infrastructure more vulnerable.