
Co-authors of the original paper: Agung Septiadi, Hassan Habibi Gharakheili and Vijay Sivaraman.
Every time we type a domain name (for example, ato.gov.au for Australian taxation) in our browser, this human-readable name is translated into the IP address of a server that hosts the website on the Internet. The Domain Name System (DNS), the yellow pages for Internet services, is arguably the most critical (and vulnerable) node on the Internet.
Disrupted DNS services that lead to unresolvable domain names have caused large-scale (such as continental) outages of Internet services in the past. Within the DNS system, each domain name has its authoritative DNS infrastructure serving as the only source of truth for its IP addresses.
In this post, I discuss our recent work that models and analyses the resilience of authoritative DNS infrastructure that supports individual domain names on the Internet. Full details can be found in this paper (or the preprint version), which has been accepted to ACM SIGMETRICS 2026.
The complexity of authoritative DNS infrastructure for a domain
Authoritative DNS infrastructure for a domain is more complex than we initially thought, especially when it comes to understanding its resilience against diverse factors such as cyberattacks, natural disasters, manual configuration mistakes, and geopolitical tensions. One may think that the authoritative DNS function for a domain is just a server storing the domain name and its IP addresses. However, as shown in Figure 1, the infrastructure is logically built in three layers.

The first (functional) layer consists of a primary nameserver function, which keeps the only source of truth (the zone file), and an authoritative nameserver function, which fetches that zone file and handles queries from clients. The second layer consists of individual servers identified by their names, such as ‘mainNS.domain.gov.<CC>’ and ‘ns1.domain.gov.<CC>’. The third layer consists of the individual instances of those servers, each identified by its unique IP address.
Authoritative DNS setup, operation, and resilience
With the three-layered complexity of authoritative DNS infrastructure in mind, we look at its resilience from the perspective of network operational processes, that is, how does a domain manager get its authoritative DNS up from scratch and keep it running continuously? We summarize this process in three phases.
The first phase, infrastructure placement, defines which organization operates a server instance, where it is located, and which IP addresses it uses. Remember that a server instance is at the lowest infrastructure layer, which inherently introduces complexity when we try to give a single short answer for infrastructure placement at the overall domain level.
The second phase, service configuration, describes how each server instance is configured for network accessibility and redundancy, both of which affect its resilience to unexpected incidents.
In the third phase, after physical and logical setup, each primary or authoritative server instance is operated to deliver the zone file or answer client queries. Data security mechanisms (such as AXFR and DNSSEC) can be enforced to protect the services from integrity-based attacks.

As shown in Figure 2, we systematically defined attributes to describe specific operational practices in the three phases, which are algorithmically aggregated from the lowest instance layer to the overall infrastructure and above. The details can be found in our paper for interested readers.
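The three-layer structure and the bottom-up aggregation can be made concrete with a small inventory script. This is an added example, not code from the paper: the domain, server names and addresses are constructed, treating the SOA MNAME as the primary is an assumption, and the /24 and /48 covering prefixes are an illustrative redundancy attribute rather than the paper's scoring scheme.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records using documentation address ranges (not measured data).
DOMAIN = "domain.gov.example"
RECORDS = [
    (DOMAIN, "SOA", "mainns.domain.gov.example"),  # SOA MNAME field only
    (DOMAIN, "NS", "ns1.domain.gov.example"),
    (DOMAIN, "NS", "ns2.domain.gov.example"),
    ("mainns.domain.gov.example", "A", "198.51.100.10"),
    ("ns1.domain.gov.example", "A", "192.0.2.53"),
    ("ns1.domain.gov.example", "AAAA", "2001:db8:1::53"),
    ("ns2.domain.gov.example", "A", "192.0.2.54"),
]

def build_layers(domain, records):
    """Layer 1 function -> layer 2 server name -> layer 3 instance addresses."""
    addrs = defaultdict(list)
    for owner, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addrs[owner.lower()].append(ipaddress.ip_address(value))
    layers = {"primary": {}, "authoritative": {}}
    for owner, rtype, value in records:
        if owner.lower() != domain.lower():
            continue
        # Assumption: the SOA MNAME names the primary; a hidden primary would not appear.
        function = {"SOA": "primary", "NS": "authoritative"}.get(rtype)
        if function:
            layers[function][value.lower()] = list(addrs.get(value.lower(), []))
    return layers

def covering_prefixes(instances):
    """Distinct covering networks per IP version (/24 and /48 are illustrative)."""
    plen = {4: 24, 6: 48}
    out = {4: set(), 6: set()}
    for ip in instances:
        net = ipaddress.ip_network(f"{ip}/{plen[ip.version]}", strict=False)
        out[ip.version].add(net)
    return out

def summarize(domain, records):
    """Aggregate instance-level facts up to each function of the domain."""
    report = {}
    for function, servers in build_layers(domain, records).items():
        instances = [ip for ips in servers.values() for ip in ips]
        nets = covering_prefixes(instances)
        report[function] = {"servers": len(servers), "instances": len(instances),
                            "v4_prefixes": len(nets[4]), "v6_prefixes": len(nets[6])}
    return report

if __name__ == "__main__":
    for function, row in summarize(DOMAIN, RECORDS).items():
        print(function, row)
```

In the constructed data the authoritative function has two server names but only one IPv4 covering prefix, which is the kind of detail a name-level count hides and an instance-level view exposes.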
A glance at the authoritative DNS resilience for government services in Australia
We developed a scoring scheme to quantify the resilience provided by each attribute shown in Figure 2. Using data collected from public sources, including authoritative DNS servers, IP registration databases, and third‑party IP intelligence, we assessed 273 online public services operated by Australian federal government departments. Figure 3 presents the results, with each row representing a government domain and columns showing scores for individual attributes and aggregated phases.

Figure 3 shows that most Australian government domains have good resilience in infrastructure placement for both primary and authoritative DNS functions. However, service configuration performs less well. This suggests insufficient redundancy and limited accessibility during network failures or natural disasters. Record distribution from primary to authoritative name servers shows good resilience against data integrity attacks. In contrast, communication from authoritative nameservers to clients is more vulnerable. This is mainly due to missing or incorrect DNSSEC implementation.
By applying a structured, data‑driven framework to government domains, our paper revealed strengths, blind spots, and opportunities for improvement that are often hidden in day‑to‑day operations. This enables policymakers to gain a clearer picture of systemic DNS resilience while providing domain operators with practical guidance to strengthen the foundations of their services. Find more details in our paper.
Minzhao Lyu is a lecturer at the University of New South Wales, Sydney, NSW, Australia, where he received the B.Eng. degree (First Class Hons.) and the PhD degree in 2017 and 2022, respectively. His research primarily focuses on developing network measurement technologies for the security and performance of the Internet, telecommunications networks, and networked critical infrastructures.