One-day DNS Hosts

    Earlier this year, the Blue Coat Security Labs team launched an experiment whose goal was to obtain statistics on the lifetime of DNS names. As part of this study, over 660 million unique names were analyzed over 90 days. 470 million of them ( 71% ) lasted no more than 24 hours . Such nodes were called "ephemeral."

    Creating short-lived names is a common practice for some Internet services, so there is nothing unusual in the presence of a certain number of such nodes in the sample. But 71 percent! Suddenly, huh? Why are there so many? What are these - erroneous requests to non-existent sites? Or are the subdomains randomly generated by bots used to communicate with C&C servers?

    About 164 million fly-by-days use their IP address as the host name. From the analysis of the AS that announce these addresses, it became clear that most of them belong to ISPs and telecom companies. The remaining two-thirds of the collected name pool have some kind of life, and now it’s just interesting to consider them in more detail.

    The main TLD, in which one-day events appear, is .com . About 70% of such names are created in it, which is 2.5 times more than in all the others combined. Their geographical distribution roughly corresponds to the number of IPv4 addresses allocated to the country. Almost 40% of one-day trips are created in the USA and China , which for two occupy about 44% of the address space. Brazil is among the anomalies(1.1% IP and 3.8% one-day trips) and Russia , which was not included in the Top-10 by the number of IP addresses (1.0% and 2.8%, respectively).

    The authors of the study do not explain these anomalies. I think that at least in part of Russia this imbalance is caused by the presence of powerful local Internet companies (Yandex,, VKontakte) with their own infrastructure. I am new to the Brazilian Internet segment, can someone tell me in the comments?

    An analysis of one-day parent domains shows how widely this technique is used by popular Internet services. Google is the real king of this rating, it owns almost half of the discovered one-day trials. Most of the remaining lines in the list belong either to companies providing CDN services or to large Internet services using their own infrastructure for delivering content.


    CDNs often use names of 3 or more levels to store user data - their name, session ID, or even a specific request. After the session ends, the name used disappears and is no longer used. It seems that this is how most one-day births are born.

    Blogging platforms such as Blogspot, Tumblr, and Wordpress most likely got into the Top 10 undeservedly. The reason is that most of the millions of blogs posted to them have sporadic traffic, which makes them statistically similar to one-day ones.
    No analysis of Internet activity can be considered complete without mentioning the role of pornography. The most popular (according to Wikipedia ) porn site in the world is on the seventh line of the rating.

    Well, what about malware? You won’t have to go far.
    The domain with an unpronounceable name that hosts the botnet's C & C server is in the 12th place in the ranking. During the experiment, 1.3 million names belonging to him were recorded. And he is not alone. Another 20 similar domains got into the Top-50, which in total leaves 22% of this rating for the bad guys.

    As you can see, the modern DNS structure of the Internet is far from classical concepts. I would be glad if in the comments people who support large caching DNS (for example, from the Yandex.DNS or SkyDNS team) tell how this affects the real characteristics of the services.

    Source: “One-day Wonders: Here Today, Gone Tomorrow”

    Also popular now: