resolver

I’ve been taking a look at our resolvers and I was surprised by some of the results I found.
I ran a tcpdump for 10 minutes capturing packets sent to one of our resolvers and extracted the names being queried.
During those 10 minutes that particular resolver answered 1.25 million queries for 250 thousand distinct names.
Looking through the list there were many names that result from misconfigured equipment and other mistakes, but that’s on the low end of queries. It’s the higher end, with the most commonly resolved names, that actually interests us.
The list is topped by a name that is hard-coded into some of our clients’ routers. Having several hundred thousand of those devices out in the open making queries does skew the results, so I ignored those queries and just looked at the rest of the names. I ordered them by frequency and here is a brief analysis of the top 50 names.

As one might expect, at the top of the list comes ‘www.facebook.com’ but I was actually surprised to find so many names related to Facebook. There are also ‘static.ak.fbcdn.net’, ‘apps.facebook.com’, ‘profile.ak.fbcdn.net’, ‘pixel.facebook.com’, ‘creative.ak.fbcdn.net’, ‘platform.ak.fbcdn.net’, ‘external.ak.fbcdn.net’, ‘static.ak.connect.facebook.com’, ‘photos-g.ak.fbcdn.net’, ‘photos-b.ak.fbcdn.net’, ‘photos-e.ak.fbcdn.net’, ‘static.ak.facebook.com’, ‘photos-c.ak.fbcdn.net’, ‘photos-a.ak.fbcdn.net’, and if I had dug deeper, I would certainly have found more names.
In case you haven’t figured it out, fbcdn stands for Facebook content delivery network, and ak means Akamai.
Out of the top 50 names queried, 15 belong or are related to Facebook. That is impressive.

The second most popular name being queried was a root server. Not sure I understand why, but there were many, many queries resolving ‘a.root-servers.net’. A close third was Google’s ‘www.google-analytics.com’. No surprise here, as it is probably the most widely used analytics solution today.
Fourth place was taken by our own VoIP proxy, which is always nice to see 🙂
In fifth place we have ‘google.com’, followed by ‘www.youtube.com’, and ‘www.google.com’. Funny that our local ‘www.google.pt’ only made 13th place.
Also related to YouTube are some names like ‘i1.ytimg.com’, ‘i2.ytimg.com’, ‘i3.ytimg.com’, ‘i4.ytimg.com’ that show up at the lower end of the 50.
There is also ‘googleads.g.doubleclick.net’, and ‘pagead2.googlesyndication.com’, which are self-explanatory.

Then there are a couple of NTP servers, and at least 1 anti-virus name I recognize.

This was just a trial run, and I found the results pretty interesting.
Maybe I can automate this, and see what other surprises are lurking in the data.
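
One way to automate the count described above, as an added example that is not the author's own tooling: it parses the text output of `tcpdump -n`, folds name case, and ranks names by query count while dropping a known-noisy name from the ranking. The capture lines, the addresses and the name `cpe-checkin.example.net` (a stand-in for the hard-coded router name) are constructed for illustration.

```python
import re
import sys
from collections import Counter

# A query to port 53 as printed by `tcpdump -n`, for example:
#   12:00:00.01 IP 192.0.2.10.53124 > 192.0.2.1.53: 4242+ A? www.example.com. (33)
QUERY_RE = re.compile(
    r"> \S+\.53: \d+\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+)")

def extract_qname(line):
    """Return the queried name (lower-case, no trailing dot) or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None  # response, non-DNS line, or truncated output
    # DNS names are case-insensitive, so fold case before counting.
    return m.group("qname").rstrip(".").lower() or "."

def summarize(lines, ignore=(), top=50):
    """Count queries per name; `ignore` drops known-noisy names from the ranking."""
    counts = Counter(n for n in map(extract_qname, lines) if n)
    ranked = [(n, c) for n, c in counts.most_common() if n not in ignore]
    return {"total": sum(counts.values()), "distinct": len(counts),
            "top": ranked[:top]}

# Constructed sample capture (documentation addresses and names only).
SAMPLE = """\
12:00:00.01 IP 192.0.2.10.53124 > 192.0.2.1.53: 4242+ A? www.example.com. (33)
12:00:00.02 IP 192.0.2.1.53 > 192.0.2.10.53124: 4242 1/0/0 A 198.51.100.7 (49)
12:00:00.03 IP 192.0.2.11.40000 > 192.0.2.1.53: 77+ [1au] AAAA? WWW.Example.COM. (44)
12:00:00.04 IP 192.0.2.12.40001 > 192.0.2.1.53: 9+ A? cpe-checkin.example.net. (41)
12:00:00.05 IP 192.0.2.13.40002 > 192.0.2.1.53: 10+ A? cpe-checkin.example.net. (41)
12:00:00.06 IP6 2001:db8::5.40003 > 2001:db8::1.53: 11+ A? static.example.org. (36)
12:00:00.07 IP 192.0.2.14.40004 > 192.0.2.1.53: 12+ NS? . (17)
""".splitlines()

if __name__ == "__main__":
    # Usage: python top_names.py queries.txt   (text saved from tcpdump -n)
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    report = summarize(lines, ignore={"cpe-checkin.example.net"})
    print(f"{report['total']} queries, {report['distinct']} distinct names")
    for name, count in report["top"]:
        print(f"{count:8d}  {name}")
```

The regular expression assumes numeric ports, so the capture has to be taken with `-n`; without it tcpdump prints the port as `domain` and no line matches.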