M3: DNS Root Traffic Analysis

-

The usage of the DNS root servers is tracked by measuring the number of requests to the root for non-existing TLD (M3.1) and the number of requests to the root that would not have been necessary if the DNS resolvers cached the previous replies (M3.2). The number of requests that would be necessary in any case is given by the difference: 100% - M3.1 - M3.2. The causes for "name leaks" is further explained by metrics M3.3. In addition, the characteristics such as usage of EDNS, DNSSEC or QNAME minimizations are tracked by metrics M3.4, M3.5 and M3.6.

In the following table, the current value is the value of the metric for the current month. The average value is the value of that fraction over the 12 months preceeding this one -- or the average since the beginning of measurements if measurements started fewer than 12 months ago.

Metric Current Value Average Value
M3.1 (% No Such Domain queries) - -
M3.2 (% cacheable queries) - -
Core (100% - M3.1 - M3.2) - -

The following graph shows the evolution of M3.1 and M3.2 over time:

Metrics M3.3, analysis of leaks

The number of requests to non-existing TLD, or “leaks”, is further explained by a set of sub-metrics measuring various forms of name leakage, including requests for special-used TLD registered per RFC 6761 (M3.3.1), requests for frequently used name strings (M3.3.2), requests for various forms of automatically generated names (M3.3.3), and all other forms of names, including malformed names (M3.3.4).

In the following table, the current value is the value of the metric for the current month. The average value is the value of that fraction over the 12 months preceeding this one -- or the average since the beginning of measurements if measurements started fewer than 12 months ago.

Metric Current Value Average Value
M3.3.1 (% Queries to RFC 6761 reserved names) - -
M3.3.2 (% Queries to frequently leaked strings) - -
M3.3.3 (% Queries to frequently found name patterns) - -
M3.3.4(% Queries to other types of names) - -

The following tables provide the list of strings or patterns most frequently encountered as part of M3.3.1, M3.3.2, and M3.3.3.

Queries to RFC 6761 reserved names

In the following table, the current value is the fraction of queries to the root directed at RFC 6761 names in the current month. The average value is the value of that fraction over the 12 months preceeding this one -- or the average since the beginning of measurements if measurements started fewer than 12 months ago.

Table M331 not found

Queries to frequently leaked strings

In the following table, the current value is the fraction of queries to the root directed at frequently used strings in the current month. The average value is the value of that fraction over the 12 months preceeding this one -- or the average since the beginning of measurements if measurements started fewer than 12 months ago.

Table M332 not found

Queries to frequently found name patterns

In the following table, the current value is the fraction of queries to the root following a specific name pattern in the current month. The average value is the value of that fraction over the 12 months preceeding this one -- or the average since the beginning of measurements if measurements started fewer than 12 months ago.

Table M333 not found

Characteristics of resolvers seen at the root

Additional metrics characterize the options found in queries sent to the root, such as whether resolvers use extended DNS (M3.4.1), what EDNS options they use (M3.4.2), whether they set the DNSSEC OK bit in queries (M3.5), and whether they appear to enforce QName Minimization (M3.6). The current and average values of these metrics are provided in the following table:

Table M3.4, M3.5 and M3.6 was not initialized.