SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

A Day in the Life of nic.ch


Ever wondered what the DNS traffic looks like on a usual day on a .ch name server? This article briefly sketches the landscape of systems querying .ch domains. To be exact, the following statistics and statements are based on a small subset of the overall data, since the underlying sources consist of just 2 of the 8 name servers, i.e. a.nic.ch and b.nic.ch. Overall, the .ch zone is served by 8 name servers distributed all over the world. While some of them are set up as anycast networks, others are set up traditionally as unicast servers located in a single data center.

We capture the DNS traffic as pcaps and subsequently process and store it with the help of Entrada, which relies on HDFS and Impala. Currently, we operate a Hadoop cluster with 7 data nodes, which provides us with a good basis for future in-depth analysis.

The following sections discuss two statistics that we publish on www.nic.ch in greater detail.

Who queries the name servers?

To start with, let’s have a look at who queries our name servers. Figure 1 shows the top 10 countries in terms of generated DNS traffic observed during week 4 of 2018. Additionally, the share of distinct IP addresses per country is displayed with a second bar. Since the DNS traffic itself does not contain explicit information about the country a query originates from, this information is added by Entrada with the help of the MaxMind database. To give a more representative image of the DNS landscape, Google resolvers and OpenDNS resolvers are excluded from this statistic. Although from the queries alone one cannot be sure about the nature of the querying system, for convenience we’ll call those systems resolvers throughout this article.

[Figure 1: top_ten_countries.png]

After having briefly explained the origin of the data, let’s try to dig a little deeper. Neither the countries appearing in the graph nor the order they appear in is particularly striking. The US takes first place, followed by Switzerland, Germany and France. An interesting paper that discusses the name server preference of resolvers can be found here. In general, resolvers tend to use all available authoritative name servers equally over time, whereas some resolvers prefer name servers based on latency. The former fact means that the data we use here is a fairly representative excerpt of the overall traffic of the .ch zone.

Another noticeable fact is the difference between the shares in traffic and the shares in distinct IP addresses. There are countries that have a big share in traffic, e.g. Switzerland, but a rather small share in distinct IP addresses, and vice versa. Note that the caching behaviour of the resolvers should not have a significant impact on this study as long as the TTLs given by the name servers are respected. To get a deeper insight into this phenomenon, the data of the top 3 countries is examined in greater detail.

[Figure 2: quartiles_per_country.png]

When looking at the distribution of the queries per resolver in Figure 2, it can be observed that all countries have quite a long tail of systems that generate rather small amounts of traffic; yet there are differences. The median for Switzerland is the highest of the three, which underlines the fact that there are more ‘heavy’ resolvers in Switzerland producing a higher percentage of the traffic. Those heavy resolvers pull the median upwards. The median for IP addresses located in the US is slightly lower, i.e. half of the resolvers produced fewer than 12 queries during the one-week observation period. For Germany the median is even lower.
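As an added example (not code from this blog or from Entrada), the per-country figures behind Figures 1 and 2 computed over a constructed set of per-query records; the GeoIP country is assumed to be attached to each record already, and the public-resolver prefixes used for the exclusion are an assumption of the example:

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample: one (source IP, country) pair per query, standing in for
# the per-query records Entrada stores once the GeoIP country has been added.
# Counts are chosen so that CH has few but heavy resolvers and DE many light
# ones, mirroring the pattern behind Figures 1 and 2.
SAMPLE_QUERIES = (
    [("10.0.0.1", "CH")] * 30 + [("10.0.0.2", "CH")] * 8 + [("10.0.0.3", "CH")] * 2
    + [("10.1.0.1", "US")] * 10 + [("10.1.0.2", "US")] * 5
    + [("10.1.0.3", "US")] * 3 + [("10.1.0.4", "US")] * 2
    + [("10.2.0.1", "DE")] * 6 + [(f"10.2.0.{i}", "DE") for i in range(2, 6)]
    + [("8.8.8.8", "US")] * 50  # public resolver traffic, excluded below
)

# Public resolver ranges left out, as the article does for Google and OpenDNS.
# Using whole /24 prefixes here is an assumption of this example.
EXCLUDED_NETS = [ip_network(n) for n in
                 ("8.8.8.0/24", "8.8.4.0/24", "208.67.222.0/24", "208.67.220.0/24")]

def is_excluded(ip):
    addr = ip_address(ip)
    return any(addr in net for net in EXCLUDED_NETS)

def queries_per_resolver(records):
    """Map country -> Counter(ip -> query count), skipping excluded resolvers."""
    per_country = defaultdict(Counter)
    for ip, country in records:
        if not is_excluded(ip):
            per_country[country][ip] += 1
    return per_country

def country_shares(records):
    """Per country: (share of all queries, share of all distinct IPs), as in Figure 1."""
    per_country = queries_per_resolver(records)
    total_q = sum(sum(c.values()) for c in per_country.values())
    total_ips = sum(len(c) for c in per_country.values())
    return {cc: (sum(c.values()) / total_q, len(c) / total_ips)
            for cc, c in per_country.items()}

def median_queries_per_resolver(records):
    """Median queries per resolver and country, the midline of each box in Figure 2."""
    return {cc: median(c.values()) for cc, c in queries_per_resolver(records).items()}

if __name__ == "__main__":
    for cc, (q_share, ip_share) in sorted(country_shares(SAMPLE_QUERIES).items()):
        print(f"{cc}: {q_share:.1%} of queries, {ip_share:.1%} of distinct IPs")
    print(median_queries_per_resolver(SAMPLE_QUERIES))
```

With this sample CH ends up with the largest traffic share but the smallest share of distinct IPs, and the highest median, which is exactly the CH/DE contrast the two figures show.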

[Figure 3: top_as_stats_CH]

Finally, all Swiss IP addresses have been grouped by AS number and sorted by traffic share. The resulting graph (Figure 3) gives an overview of the most prominent organizations querying the .ch TLD and, again, their shares in traffic and IP addresses. The following table gives a mapping between AS number and organization as given by whois.

AS Organization
AS3303 Swisscom
AS6830 Liberty Global Operations B.V.
AS559 SWITCH
AS15600 Quickline AG
AS15547 Netplus.ch SA
AS29097 Hostpoint AG
AS21069 METANET AG
AS6730 Sunrise Communications AG
AS1836 Green.ch AG
AS15796 Salt Mobile SA

Query Load

As our statistics web page shows, the average number of queries/second lies around 1300 for a.nic.ch and 900 for b.nic.ch. We won’t go into detail about the difference in traffic between the two name servers, but it is probably related to their order.

[Figure 4: traffic_1517529600_1517616000.png]

Similar to the regularly fluctuating traffic pattern that can be observed in the long-term statistics (i.e. rather heavy on business days and lighter at weekends), the traffic in Figure 4 rises in the morning and decreases towards the evening. This may result from the fact that resolvers sometimes prefer name servers that are geographically or time-zone-wise closer, which in this case would imply that mainly resolvers located in Europe query our name servers and thus the query pattern matches European business hours. However, it seems more probable that .ch domain names in general are mainly queried during daytime CET. This is confirmed by the fact that the other .ch name servers, which are located all over the world, exhibit a similar pattern (not shown here). Apart from this expected pattern there is one outstanding peak, but we’ll come to that later. We’ll only say this much: it has been showing up for a while now.

[Figure 5: traffic_type_1517529600_1517616000.png]

Figure 5 shows the queries/s on b.nic.ch split up into the 6 most prominent qtypes. No surprising numbers here: the biggest share is A queries, followed by AAAA, NS and MX queries.

[Figure 6: traffic_rcode_1517529600_1517616000]

Figure 6 shows the queries/second split up by rcode. Here the numbers are not very surprising either: most queries ask for existing domain names (rcode 0), while just a small share generate NXDOMAIN answers (rcode 3). Rcode -1 does not really exist; in this case it means that a query for some reason has no corresponding answer in our database. Regarding the NXDOMAIN responses, a fact worth mentioning is that 90% of the distinct domain names queried return NXDOMAIN, while those queries account for just a small share of the traffic.

Finally, let’s have a look at the traffic peak that occurs every day at around 02:15 (UTC). Some more detailed queries reveal that this daily traffic burst comes from one single IP address located in the Netherlands. A reverse lookup just yields the name of a bigger hosting provider. Unfortunately, this is not enough to tell who exactly is causing this recurring 3-minute traffic peak. What we do know, however, is that during one such peak this server queries around 750000 unique domain names, of which 88% are delegated, i.e. return rcode 0. Moreover, all queries coming from that IP are A queries. Overall, about 67% of the .ch zone is known to the aforementioned instance. Even more striking is the fact that there are other IP addresses that know around 98% of the zone, although it is not made public.
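An added example, not code from this blog or from Entrada, of the two checks the last two sections describe: the NXDOMAIN share counted by queries versus by distinct names, and a detector for a source that asks for an unusually large number of distinct names within a short window. The records, the placeholder source address 192.0.2.77 and the thresholds are constructed assumptions:

```python
from collections import Counter, defaultdict
# Constructed sample records: (unix timestamp, source IP, qname, qtype, rcode).
# 1517529600 is 2018-02-02 00:00 UTC, the day shown in Figures 4 to 6.
DAY_START = 1517529600

# Baseline: 20 resolvers, each asking 8 times for existing names and once for
# a unique mistyped name that gets NXDOMAIN (rcode 3).
BASELINE = []
for k in range(20):
    for i in range(8):
        BASELINE.append((DAY_START + 3600 * i + k, f"10.0.0.{k}",
                         ("switch.ch.", "nic.ch.")[i % 2], "A", 0))
    BASELINE.append((DAY_START + 4000 * k, f"10.0.0.{k}", f"typo{k}.ch.", "A", 3))

# Burst: one host (192.0.2.77, a documentation address used as placeholder)
# asking for 200 distinct names within 100 seconds from 02:15 UTC, 88% of
# which are delegated (rcode 0) and all of them A queries.
BURST = [(DAY_START + 8100 + i // 2, "192.0.2.77", f"name{i}.ch.", "A",
          0 if i < 176 else 3) for i in range(200)]

def nxdomain_shares(records):
    """(share of queries answered NXDOMAIN, share of distinct names answered NXDOMAIN)."""
    nx_queries = sum(1 for r in records if r[4] == 3)
    names = {r[2] for r in records}
    nx_names = {r[2] for r in records if r[4] == 3}
    return nx_queries / len(records), len(nx_names) / len(names)

def bursty_sources(records, window_s=180, min_unique=1000):
    """Sources asking for at least min_unique distinct names inside some window_s-second
    window; returns {ip: (peak distinct names, share of that IP's queries with rcode 0)}."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r[1]].append(r)
    found = {}
    for ip, rs in by_ip.items():
        rs.sort(key=lambda r: r[0])
        in_window, peak, start = Counter(), 0, 0
        for r in rs:
            in_window[r[2]] += 1
            while rs[start][0] < r[0] - window_s:  # expire records older than the window
                old = rs[start][2]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_unique:
            found[ip] = (peak, sum(1 for r in rs if r[4] == 0) / len(rs))
    return found
```

On the baseline alone about 91% of the distinct names but only 11% of the queries get NXDOMAIN, the same shape as Figure 6, and only the placeholder host trips the burst detector.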
