MSc Thesis Defense: Batuhan Kertmen, A LARGE-SCALE MEASUREMENT STUDY OF DNS ROOT SERVER INTERCEPTION: ROUTING CAUSES, AND MIDDLEBOX BEHAVIOR, Date & Time: 22 July, 2026 – 10:00 AM, Place: FENS L065
A LARGE-SCALE MEASUREMENT STUDY OF DNS ROOT SERVER INTERCEPTION: ROUTING CAUSES, AND MIDDLEBOX BEHAVIOR
Batuhan Kertmen
Cyber Security, MSc Thesis, 2026
Thesis Jury
Asst. Prof. Orçun Çetin (Thesis Advisor)
Prof. Albert Levi
Prof. Kemal Bıçakçı
Date & Time: 22th July, 2026 – 10:00 AM
Place: FENS L065
Keywords : DNS, DNS Interception, Root Server, Traceroute, Middlebox
Abstract
The Domain Name System (DNS) is one of the most critical components of the Internet. Yet DNS traffic is prone to interception by on-path middleboxes. We investigate the underlying routing and infrastructure factors that enable interception exposure. We present a large-scale, 29-month measurement study of DNS root server interception using over 15 K RIPE Atlas probes. We combine DNS-level interception detection with autonomous system (AS) relationship traceroute analysis to identify not only which networks intercept root-bound traffic, but why interception varies across paths. We use change-point detection to relate these patterns to root server deployment events over time. Our results show that anomalous root-bound routing is concentrated in a small number of networks. Among paths whose penultimate AS has no documented relationship with root servers (a set we treat as an upper bound on interception), the top 10 penultimate autonomous systems account for 74.7% of intercepted paths in IPv4 and 76.6% in IPv6. These no-relationship paths exhibit 21–23% lower destination RTTs than documented-relationship paths, consistent with traffic terminating closer to the probe than legitimate root servers. Interception is largely path-dependent rather than nationally uniform, with probes in the same country exhibiting divergent rates. We find no reliable evidence that deploying new root server instances influences interception rates. Likewise, interception change points show no statistically significant association with deployment events. Where interception does drop near a deployment, it coincides with an upstream routing change, motivating path-aware deployment planning as a direction for future work.