ConfiDNS's protection-by-agreement depends on how many sites receive the same IP address for each name. The number of IP addresses returned per hostname is less important than their pattern. If a domain has two data centers with addresses IP and IP, and returns one IP based on which data center it believes is closer to the DNS resolver, we say that the hostname has two regions. From our 40K name list, we find that 91.5% return the same single IP address to all queries. Another 4.2% return multiple IP addresses, but return the same set of IP addresses to all queries. The specific order of IPs may vary to aid in load balancing, but the contents of the set are the same.
The remaining 4.3% of hostnames are not automatically out of reach for ConfiDNS - if they have relatively few regions, we may have enough ConfiDNS peers in a region to reach agreement. CDNs with many regions may use the same region continuously for a particular ISP, so the rate-of-change of name-to-IP mappings may be low.
The breakdown of the 1738 hostnames with two or more regions is shown in Figure 2(a), divided into those served by Akamai (347 hostnames) and the rest (1391 hostnames). The difference between the Akamai and non-Akamai region counts are quite sharp. Most non-Akamai hostnames have only two regions, and few have more than 10 regions, while most Akamai-served hostnames have 80-90 regions, as seen from our 150 vantage points.
By comparing the number of sites in each region versus how many would appear in perfectly-balanced regions, we calculate a region imbalance factor for each multi-regioned name in our trace. Given the set of regions with the number of nodes per region, we calculate a geometric mean of a series of terms, where each term is either the ratio of actual region size to average region size, or its inverse, whichever is larger. For example, if a hostname has three regions with 15, 55, and 80 sites, its imbalance ratio is . This calculation is designed to identify names that have gross imbalances in the sizes of their regions. While most names have region sizes that are within a factor of 2-4 of being fully balanced, we see a spike where the imbalance ratio exceeds 12 - in these cases, only one site disagrees over the IP address, and all of the other sites form a second region.
To get a sense of the origins of these heavily-imbalanced regions, we counted how often a site disagreed with all others, and show the daily average for the top ten sites in Figure 2(c). The worst site has an average of 469 hostnames per day whose lookups differ from all others. This set of names is fairly stable, and an examination of their contents suggests that it is policy-driven censorship, since they are resolved to IP addresses that provide no responses. Users will be able to seemingly resolve the name, but will be unable to contact any machine at the address, and may conclude the server does not exist. The second-worst site appears to have a traffic-sniffing virus checker working in conjunction with the local DNS resolver. When it activates, all lookups from the client are directed to a local Webserver with a message warning that your client is infected. Unfortunately, the virus sniffer returns false positives, and indicated that our Linux-based boxes were infected with Windows viruses. The third-worst site appeared to be having sporadic failures, and was randomly returning the IP address of the school's main Web server for queries, with no discernible pattern to its behavior. The remaining sites show no strong patterns of poisoning, with most of the imbalances stemming from slowly-deployed changes in name-to-IP mappings. In all of these cases, any multi-site agreement policy in ConfiDNS would automatically prevent these sites from poisoning the lookup results.