Resolvers (e.g., recursive name servers) are intermediaries that interface between clients and authoritative name servers in the ecosystem of the Domain Name System (DNS). Resolvers have access to more specific information about individual client behavior than authoritative name servers. One reason for this advantage is that resolvers can act on behalf of a community of users, and send lookup requests to authoritative name servers originating from their own Internet Protocol (IP) addresses, rather than from the IP addresses of the actual clients (although there are situations in which part of a client's IP address can be included in the lookup request). Another reason is that resolvers can maintain caches or databases of previously resolved queries, and can make lookup requests when a cache entry has expired, rather than contemporaneously with the corresponding request from the client. Because of this “filtering” process by resolvers, an authoritative name server can identify general trends about client behavior, but not individual client behavior.
The DNS ecosystem includes millions of resolvers. Some clients interface with a resolver operated by an Internet Service Provider (ISP); others interface with a resolver operated on an enterprise network; and others interface with a public resolver operated as a cloud service. A given resolver's direct information about individual client behavior is generally limited to the clients that interface with that resolver. An authoritative name server, in contrast, has comprehensive information about the overall population of clients, because each client in the overall population ultimately interacts (via some resolver—or in less common cases, directly) with the authoritative name server with respect to a given “zone” of domain names. It follows that general trend information for a zone is available in a more comprehensive way at the zone's authoritative name server than at any given resolver. The trend information is centralized at the authoritative name server (e.g., by the collection of name server instances managed as a single service acting on behalf of this zone).
Individual client behavior, on the other hand, is observable in a more specific way at resolvers than at any given authoritative name server. Moreover, the client behavior observable at a resolver encompasses all zones. However, the observations for the overall population of clients are distributed across the overall population of resolvers (with the exception of those clients that interact directly with the authoritative name servers, for which the resolvers may have no insight at all). Because the global population of resolvers is by design not managed as a single service, resolvers do not automatically obtain comprehensive trend information across all clients, even though they collectively have more visibility into client behavior than do the authoritative name servers.
It is increasingly common that parties in an information technology ecosystem exchange security threat indicators with other parties based on an expectation that a collective defense will be more effective than an individual one. One such information sharing framework is Trusted Automated eXchange of Indicator Information (TAXII), which defines a set of services and exchanges to “enable sharing of actionable cyber threat information across organization and product/service boundaries.” A related framework for sharing security incident information is the Managed Incident Lightweight Exchange (MILE).
“Passive DNS” technology is a method for improving the understanding of the state of the DNS by observing the responses that multiple resolvers receive from authoritative name servers. The technology, in its basic form, enables the construction of replicas of the zone files managed by authoritative name servers without the direct involvement of authoritative name server operators or zone administrators. General properties of the zone files, such as the configuration or use of various zones, and some general trends about client behavior, can be made available to researchers through analysis of the responses. In a more advanced form of the Passive DNS technology, sensors deployed across the population of resolvers provide data that can be analyzed for additional purposes, such as insight into security threats via the Security Information Exchange (SIE). This provides further visibility into overall client behavior. In addition to the responses received from authoritative name servers, other information about client behavior can be shared, including real-time information. Passive DNS technology and its enhancements thus enable a collective view of DNS activity at the resolver level.
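The visibility asymmetry between resolvers and authoritative name servers described above, and the way a Passive DNS sensor at a resolver can rebuild zone content from observed answers, can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the patent or from any Passive DNS product: a caching resolver fronts several clients and queries the authoritative server only on a cache miss, from its own address, optionally forwarding a truncated client prefix (the "part of a client's IP address" case). The class names, the addresses, the zone data and the timings are all constructed for the illustration.

```python
# Added example (not code from the patent): simulates what a caching resolver, an
# authoritative name server and a passive DNS sensor at the resolver each observe.
# All addresses, zone data and timings are constructed; class names are assumptions.
import ipaddress
from collections import Counter

RESOLVER_IP = "192.0.2.53"  # constructed resolver address

# Constructed zone: name -> (rdata, TTL seconds)
ZONE = {"www.example.com": ("192.0.2.80", 60), "mail.example.com": ("192.0.2.25", 300)}

# Constructed client activity at the resolver: (time in seconds, client IP, name)
CLIENT_EVENTS = [
    (0, "203.0.113.10", "www.example.com"),
    (5, "203.0.113.11", "www.example.com"),
    (10, "203.0.113.11", "mail.example.com"),
    (20, "198.51.100.7", "nosuch.example.com"),
    (25, "203.0.113.10", "nosuch.example.com"),
    (30, "198.51.100.7", "www.example.com"),
    (70, "203.0.113.10", "www.example.com"),
]


class AuthoritativeServer:
    """Serves one zone and logs every query it receives."""
    def __init__(self, zone):
        self.zone = zone
        self.log = []  # (time, source IP, qname, client subnet or None)

    def query(self, now, source_ip, qname, client_subnet=None):
        self.log.append((now, source_ip, qname, client_subnet))
        if qname in self.zone:
            rdata, ttl = self.zone[qname]
            return "NOERROR", rdata, ttl
        return "NXDOMAIN", None, 0  # simplification: no negative-caching TTL

    def observed_sources(self):
        """Source IPs seen here: only the resolver's, never a client's."""
        return dict(Counter(src for _, src, _, _ in self.log))

    def observed_subnets(self):
        """Partial client addresses, present only if the resolver sends them."""
        return {s for _, _, _, s in self.log if s is not None}


class PassiveDnsSensor:
    """Rebuilds zone content purely from answers the resolver receives."""
    def __init__(self):
        self.replica = {}  # qname -> rdata

    def observe(self, qname, rcode, rdata):
        if rcode == "NOERROR":
            self.replica[qname] = rdata


class CachingResolver:
    """Fronts many clients; queries the authoritative server only on a cache miss."""
    def __init__(self, ip, auth, sensor, ecs_prefix=None):
        self.ip, self.auth, self.sensor = ip, auth, sensor
        self.ecs_prefix = ecs_prefix  # e.g. 24: forward the client's /24 (client-subnet style)
        self.cache = {}  # qname -> ((rcode, rdata), expiry time)
        self.client_log = []  # (time, client IP, qname, served from cache?)

    def resolve(self, now, client_ip, qname):
        entry = self.cache.get(qname)
        if entry is not None and entry[1] > now:
            self.client_log.append((now, client_ip, qname, True))
            return entry[0]
        subnet = None
        if self.ecs_prefix is not None:  # only an address prefix leaves the resolver
            subnet = str(ipaddress.ip_network(f"{client_ip}/{self.ecs_prefix}", strict=False))
        rcode, rdata, ttl = self.auth.query(now, self.ip, qname, subnet)
        self.sensor.observe(qname, rcode, rdata)
        # Simplification: cache not partitioned by client subnet as an ECS-aware one would be.
        self.cache[qname] = ((rcode, rdata), now + ttl)
        self.client_log.append((now, client_ip, qname, False))
        return rcode, rdata

    def per_client_counts(self):
        """Per-client detail: visible here, invisible to the authoritative server."""
        return dict(Counter(c for _, c, _, _ in self.client_log))


def run_scenario(ecs_prefix=None):
    """Replay the constructed events and return all three observers."""
    auth, sensor = AuthoritativeServer(ZONE), PassiveDnsSensor()
    resolver = CachingResolver(RESOLVER_IP, auth, sensor, ecs_prefix)
    for now, client_ip, qname in CLIENT_EVENTS:
        resolver.resolve(now, client_ip, qname)
    return auth, resolver, sensor


if __name__ == "__main__":
    auth, resolver, sensor = run_scenario(ecs_prefix=24)
    print("authoritative sees:", auth.observed_sources(), auth.observed_subnets())
    print("resolver sees per client:", resolver.per_client_counts())
    print("passive DNS replica:", sensor.replica)
```

Replaying the seven client queries, the authoritative server logs five queries, all from the resolver's address; the two cache hits on www.example.com and every per-client count exist only in the resolver's log. With a /24 prefix forwarded, the authoritative side gains subnet-level detail but still never sees a full client address, and the sensor's replica contains exactly the two names that were answered, with the nonexistent name absent.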
Operators of authoritative name servers have also developed mechanisms for analyzing general trends to understand both security threats and domain name industry metrics. Based on these mechanisms, for example, Verisign® Labs researchers have analyzed requests to the DNS root zone to understand the potential impact of changes to that zone. This research has provided valuable insight into the risks of “name collisions” where the addition of a proposed top-level domain (TLD) to the root zone may conflict with assumptions made by installed systems that the TLD is not part of the global DNS and can, therefore, be employed privately, e.g., within an enterprise network. Because of established design features of the DNS, requests that include a presumably private TLD are often sent to the authoritative name server for the root zone with the expectation that the response from the root server will be that the TLD does not exist in the global DNS. The addition of such a TLD to the root zone would change the response. Understanding the impact of the change requires an analysis of the general trends of these requests. The more detail available to the root servers, the more insight they can provide into the name collisions and other risks. Authoritative name server operators may also analyze DNS requests in order to understand and thereby balance traffic among multiple service instances; to optimize responses to meet service-level agreements (SLAs); and/or to improve their business operations.
The inventive techniques and concepts described herein use the DNS as an exemplary resolution system, but the DNS is not the only environment in which the present invention may be applied.