• HOME
  • About
  • Program Plan
  • Annual Report
  • Joining CAIDA
  • Staff
  • Jobs
  • Legal Agreements
  • How-To
  • Blog
  • Contact Us
• CATALOG
  • Datasets
  • Media
  • Papers
  • Recipes
  • Software
• RESEARCH
  • Topology
  • Security
  • Traffic Analysis
  • Economics and Policy
  • Visualization
• DATA
  • Overview
  • Data Sharing
  • Distribution Statistics
  • How-to
  • Data Usage FAQ
  • Papers using CAIDA Data
  • Acceptable Use Agreement
• TOOLS
  • Overview
• SERVICES
  • AS Rank
  • AS Rank API
  • BGPStream
  • BGPStream API
  • HI-CUBE (login required)
  • IODA
  • MANIC
  • MANIC API
  • Vela
  • Vela web API
  • Vela MIDAR API
  • Vela aliasq API
• PUBLICATIONS
  • Papers
  • Presentations
  • Blog
  • Visualizations
  • - Animations
  • - Posters
  • Networking Bibliography
• WORKSHOPS
  • Overview
  • AIMS
  • DUST
  • IMAPS
  • KISMET
  • WIE
  • WOMBIR
  • Collaborative
  • Archive
• PROJECTS
  • Ark
  • KISMET
  • MANIC
  • Macroscopic Topology
  • Spoofer
  • Network Telescope
  • IMPACT (PREDICT)
• FUNDING
  • PANDA
  • FANTAIL
  • PENMAN
  • SLAM
  • Censorship Outages
  • MapKIT
  • STARDUST
  • MADDVIPR
  • Program Plan

Has your DNS server received a probe from a CAIDA host?

We have a number of DNS surveys that may have generated a query to your DNS nameserver or host IP address.

Our Open Resolvers survey identifies nameservers that provide recursive name resolution for clients outside of their administrative domains. Such open resolvers often get used in widespread DDoS attacks and increase the likelihood of cache poisoning. We report open resolvers on the DNS Survey: Open Resolvers page which links to an archive of daily reports showing the number of open resolvers for each Autonomous System number as well as the most recent report.

Our DNS Cache Poisoner survey looks for DNS servers that are susceptible to, and help spread, DNS cache poison. When a nameserver's cache becomes poisoned, it gives incorrect answers. The majority of cache poisoning seems to be unintentional, but attackers may be able to intentionally insert incorrect data into the cache of a vulnerable DNS server.

We also run surveys approximately every year that are designed to count the number of nameservers on the Internet, and to characterize the DNS software in use. This survey is relatively broad. We try to probe 5% of the addresses listed in a current routing table. Thus, you may see probes to addresses that you are not using (aka "darkspace") and/or addresses that you know are not running DNS nameservers. The purpose of these surveys is to find out:

• How many nameservers are out there?
• What software do they run?
• Do they openly provide recursion?

Finally, we also perform some surveys against known authoritative nameservers. Here, we start with a list of existing DNS names and find their authoritative servers. Our queries to these nameservers are intended to find out:

• How many nameservers advertise their software version?
• How many nameservers allow recursion?
• How many nameservers allow a zone transfer?
• Are nameservers topologically dispersed?
• Do delegations match authoritative NS records?
• Do all nameservers return the same TTL for NS records?
• Are SOA values within their suggested ranges?
• Do serial numbers for a zone match?
• How many zones have a lame server?

To answer these questions, our software sends version.bind queries and attempts zone transfers. You may see such traffic coming from addresses in the 192.172.226.0/24 netblock. Some DNS server administrators may view these as abusive activity. We hope you understand that our intentions are not malicious. We intend to discover how many nameservers are configured as described above.

If you have questions, complaints, or concerns, please feel free to contact us at info at caida.org. If you feel strongly that you wish not to receive such queries, please specify in your message that you wish us to include your domain in our no-probe list.