TikTok DNS Queries Spike After Platform Launches Feature to Combat Fake News
by Serena Raymond on Mar 5, 2021 12:00:00 AM
TikTok has been growing in popularity steadily since 2019 despite concerns over its security in the US. It’s been downloaded over 2 billion times and hit 1 billion active monthly users as of February 2021. For context, competitor app Instagram (owned by Facebook) had 1 billion active monthly users back in 2018. And TikTok seems poised to take the No. 1 spot in 2021.
We’ve been monitoring the growth of TikTok popularity on our network, as we’re curious about the app’s increased usage. DNSFilter is a product used primarily by other businesses, so we’ve been surprised by the use of TikTok on corporate networks.
In March 2020, TikTok DNS queries accounted for under 0.5% of all queries on our network. By the end of July 2020 they made up 1.3% of our network traffic, and in absolute terms the number of queries had grown about 7x. To put this into perspective, the entire category of shopping sites made up 2% of our network at the end of July 2020.
I should note: there are over 14,000 companies that route their DNS traffic through DNSFilter, and we see roughly 12 billion DNS queries daily. So while our network does not let us view internet traffic as a whole, it is large enough to show overall trends.
In early February 2021, we noticed another major spike in traffic to TikTok:
Prior to February 3, our network was resolving around 6.3 million TikTok queries daily (that number had held relatively steady since July 2020). The day of the spike, we saw 11.96 million queries. And as of February 25, we’ve seen as high as 15.15 million queries in a day.
This made us ask the question: Did TikTok really see a 100% increase in traffic overnight? Or is there something else happening?
Many domains, one application
Before we go any further, I want to explain why one application is usually made up of more than one domain. Applications like TikTok don’t use a single domain for all of the content on their service; under the TikTok umbrella there might be hundreds of domains.
The reasons for all of these domains vary. One domain might serve the main site content, as in tiktok.com. Another might be a Content Delivery Network (CDN), a place to host static files (such as the videos users upload) that the application fetches when someone wants to view that content. And then there might be service domains that host API endpoints.
Depending on their setup, they may use different hostnames for geographic scaling or simply as a way of distributing load. Not all applications do it this way, but it is one possibility, and it would mean TikTok’s billion-plus users are served from different hostnames based on their geolocation. This is also why blocking or allowing a single apex domain rarely covers a whole application.
The ability to block and allow entire applications (as opposed to individual domains) is actually something we’re working on at DNSFilter for our DNS filtering service. It's part of why we were able to identify this TikTok growth in the first place. Keep an eye on our roadmap for updates.
Researching TikTok’s domain growth: Real or not?
There is no doubt that starting February 3 there were more DNS queries accessing TikTok. The question is: What is the purpose of these queries?
Were these additional queries generated by users who are just using the site more? Were these queries initiated by TikTok or another service that uses them?
So with that, Domain Intelligence Lead Peter Lowe and I started digging into these questions.
Before looking at the actual queries, we first wanted to rule out changes to caching or TTL (time to live). The TTL is how long a resolver may cache a DNS record before it has to ask again. If TikTok had shortened the TTLs on its records, downstream caches would expire sooner and the same users would generate more queries to us without any change in their behaviour. That turned out not to be the case for TikTok.
Next, we looked at the queries themselves. Of the domains under the umbrella of the TikTok application, which ones were requested the most?
Here, we got a clear answer: tiktokcdn[dot]com was responsible for this large spike in traffic. Here’s a comparison of the main TikTok domain to the tiktokcdn domain:
This domain was single-handedly responsible for the spike in DNS queries.
Now that we knew which domain was behind these queries, we could compare February 3 (the day of the spike) with January 27 (one week before). The reason we’d look at one week before as opposed to the day before is that domain queries generally follow a pattern based on the day of the week. This way, we’re comparing apples to apples (or Wednesdays to Wednesdays).
We compared the total number of organizations and networks that accessed TikTok on those two days, and the numbers were essentially the same. In fact, January 27 actually had a few more organizations (and networks) connecting to TikTok than February 3.
So this spike was not driven by new usage. The same population of organizations and networks was simply generating more queries per client.
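To make that attribution concrete, here is an added example (my own, not DNSFilter’s code or data) that applies the same checks to a resolver-style query log. It groups hostnames into an application by registrable-domain suffix, the way the “Many domains, one application” section describes, then compares the same weekday week over week: a spike is blamed on a TTL change, on new clients, or on the same clients each asking more often, which is the case found for tiktokcdn.com above. The log lines, the hostname labels under tiktok.com and tiktokcdn.com, the example.net control, the TTL values and the 1.5x threshold are all constructed for the example.

```python
"""Week-over-week attribution of a DNS query spike to one application's domains."""
from collections import defaultdict
from typing import Optional

# Hypothetical suffix table: registrable domain -> application. tiktok.com and
# tiktokcdn.com are the two domains named in the post; example.net is a
# constructed control standing in for unrelated traffic.
APP_SUFFIXES = {"tiktok.com": "tiktok", "tiktokcdn.com": "tiktok", "example.net": "control"}

SPIKE = 1.5  # week-over-week query ratio below which a change is treated as noise

# Constructed sample: (day, organization, queried name, repeat count).
# Hostname labels under the suffixes are made up; none of this is DNSFilter data.
SAMPLE = [
    ("2021-01-27", "org-a", "www.tiktok.com", 2), ("2021-01-27", "org-a", "files.tiktokcdn.com", 3),
    ("2021-01-27", "org-b", "www.tiktok.com", 2), ("2021-01-27", "org-b", "files.tiktokcdn.com", 3),
    ("2021-01-27", "org-c", "www.tiktok.com", 2), ("2021-01-27", "org-c", "files.tiktokcdn.com", 3),
    ("2021-01-27", "org-d", "www.tiktok.com", 2), ("2021-01-27", "org-d", "files.tiktokcdn.com", 3),
    ("2021-01-27", "org-a", "www.example.net", 5),
    ("2021-02-03", "org-a", "www.tiktok.com", 3), ("2021-02-03", "org-a", "files.tiktokcdn.com", 8),
    ("2021-02-03", "org-b", "www.tiktok.com", 3), ("2021-02-03", "org-b", "files.tiktokcdn.com", 8),
    ("2021-02-03", "org-c", "www.tiktok.com", 3), ("2021-02-03", "org-c", "files.tiktokcdn.com", 8),
    ("2021-02-03", "org-a", "www.example.net", 5),
]
# Expanded into one "day,org,qname" line per query, the shape of a resolver log.
LOG_LINES = [f"{day},{org},{qname}" for day, org, qname, n in SAMPLE for _ in range(n)]

def app_for(qname: str) -> Optional[tuple]:
    """Map a queried hostname to (application, registrable domain), longest suffix first."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in APP_SUFFIXES:
            return APP_SUFFIXES[suffix], suffix
    return None

def daily_stats(lines):
    """Aggregate {(day, app, domain): {"queries": n, "orgs": set}} from log lines."""
    stats = defaultdict(lambda: {"queries": 0, "orgs": set()})
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, org, qname = line.split(",", 2)
        hit = app_for(qname)
        if hit is None:
            continue
        entry = stats[(day, hit[0], hit[1])]
        entry["queries"] += 1
        entry["orgs"].add(org)
    return stats

def summarize(stats, day: str, app: str) -> dict:
    """Per-domain totals for one app on one day: queries, distinct orgs, queries per org."""
    out = {}
    for (d, a, domain), entry in stats.items():
        if d == day and a == app:
            n_orgs = len(entry["orgs"])
            out[domain] = {"queries": entry["queries"], "orgs": n_orgs,
                           "per_org": entry["queries"] / n_orgs}
    return out

def classify(before: dict, after: dict, ttl_before: int, ttl_after: int) -> str:
    """Label the change from `before` to `after` (summaries from summarize()).

    The TTLs are the record TTLs seen in each week. They are constructed inputs here;
    the post only reports that TikTok's TTLs had not changed.
    """
    if before["queries"] == 0:
        return "new-domain"
    ratio = after["queries"] / before["queries"]
    if ratio < SPIKE:
        return "steady"
    # A shorter TTL expires caches sooner, so unchanged clients re-query more often:
    # if the TTL fell by roughly the factor the count rose, the TTL explains it.
    if ttl_after < ttl_before and ttl_before / ttl_after >= 0.8 * ratio:
        return "ttl-change"
    # Distinct organizations grew in step with the queries: genuinely new usage.
    if after["orgs"] / before["orgs"] >= 0.8 * ratio:
        return "new-clients"
    # Same population, each client asking more often: the app's behaviour changed.
    if after["per_org"] / before["per_org"] >= SPIKE:
        return "per-client-increase"
    return "mixed"

def attribute(lines, app: str, before_day: str, after_day: str, ttls=None) -> dict:
    """Classify every domain of `app` between two days; ttls maps domain -> (before, after)."""
    stats = daily_stats(lines)
    before, after = summarize(stats, before_day, app), summarize(stats, after_day, app)
    empty = {"queries": 0, "orgs": 0, "per_org": 0.0}
    result = {}
    for domain in sorted(set(before) | set(after)):
        ttl_b, ttl_a = (ttls or {}).get(domain, (300, 300))  # 300 s is an assumed default TTL
        result[domain] = classify(before.get(domain, empty), after.get(domain, empty), ttl_b, ttl_a)
    return result

if __name__ == "__main__":
    # Compare Wednesday 2021-02-03 with Wednesday 2021-01-27, as the post does.
    for domain, label in attribute(LOG_LINES, "tiktok", "2021-01-27", "2021-02-03").items():
        print(f"{domain}: {label}")
```

On the constructed log the CDN domain comes out as “per-client-increase” (fewer organizations, but each resolving it far more often) while tiktok.com and the control are “steady”. Passing a lower after-week TTL for the same domain flips the verdict to “ttl-change”, which is why the TTL check has to come before any conclusion about application behaviour.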
That this domain literally includes “CDN” in its name tells us it’s very likely a CDN domain. Though we can’t rule out that TikTok’s domain naming convention is purposefully meant to conceal the actual goal of the domain—but I promise we won’t get into conspiracy theories today.
Going with the assumption that this tiktokcdn[dot]com domain is actually a CDN domain where static files are hosted by TikTok, this still doesn’t answer the question of who is initiating these queries. An increase in CDN queries could mean users are suddenly requesting the same content as before (just more often), that the app itself is requesting content more frequently, or that another service (possibly owned by TikTok) is now using TikTok domains to serve content.
If you’re wondering how that third option would work, I’ll use the app Goodreads as an example. Goodreads is owned by Amazon. When I open up my Goodreads app and then look in DNSFilter’s query log, I’ll see that I’ve accessed domains containing both “goodreads” and “amazon” in the domain names. In fact, in just a few minutes of clicking through my Goodreads history within the app, the application generates roughly 40 DNS queries: 32 of them include “Amazon” in the domain or subdomain name and only 8 actually include “Goodreads.”
What happened on February 3?
Our CEO, Ken Carnesi, is the one who first noticed the TikTok spike. He also found that on February 3 TikTok released an update. The only context he could find in the release notes for TikTok version 18.5.0 was a single line: “Share your favorite effects with friends.”
Could the purpose of these new queries be tied to this new “share your favorite effects” feature?
But there was another TikTok update on the same day that got more attention. This update was about flagging unsubstantiated content to help fight fake news, something that has plagued social platforms in recent years. According to TikTok, fact checks on videos flagged as misinformation are sometimes inconclusive. Rather than take down the content in question, TikTok added a banner that appears over possibly misleading videos with the warning: “Caution: Video flagged for unverified content.”
This feature alerts creators whose video receives a warning label, overlays the label on the video, and, if a user tries to share such a video, prompts them with “Are you sure you want to share this video?”
All of these changes within the app would likely be served by a CDN. Next up was to test our hypothesis that one of these updates was linked to the increase in DNS queries.
How many queries does TikTok generate?
Applications generate a lot of queries.
Browsing Instagram for 5 minutes can generate upwards of 300 queries, especially if you’re searching for new content. Applications like Fitbit run in the background and send queries regularly. While browsing Instagram for 5 minutes, Fitbit will likely send 4 DNS queries. And after just a minute of using the Fitbit app, I found nearly 100 queries in the DNS filtering query log.
Fitbit generates more queries than Instagram because it is using DNS to look up the IPs of the servers it constantly sends data to from my Fitbit device and app. Instagram might need to communicate with servers where files are hosted, but otherwise it isn’t continuously sending data out, so it has less need for repeated lookups.
Between 1:30 and 4:00, I had TikTok downloaded on my phone. In that time, I generated nearly 2,000 DNS queries, 76% of which included “CDN” in the domain name.
But this isn’t that rare. Of the Fitbit queries I mentioned earlier, 73% of them were CDN domains. And 77% of the Instagram domain queries were CDN domains.
To dive into where these CDN queries were most active, I tracked usage across the app, spending a period of time performing a single action. These were:
- Scrolled through recommended videos
- Used the search feature
- Flagged videos as misinformation
- Clicked on videos with some type of warning
- Favorited effects
Of all of these actions, favoriting filters and sounds connected to CDN domains more than the rest: 92% of queries during the period I favorited those items were CDN domains. Surprisingly, flagging misinformation and clicking on videos with warnings resulted in the lowest number of CDN queries.
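As an added example (not the author’s own tooling), here is how the per-action breakdown above can be computed from a timestamped query log: each activity window is scored by the fraction of its lookups that go to CDN hosts, plus a query rate per minute, and an empty window is reported as “no data” rather than 0%. The log lines, timestamps, window labels, the made-up hostname labels under tiktok.com and tiktokcdn.com, and the rule that a host counts as CDN when any DNS label contains “cdn” are all constructed for this example.

```python
"""Share of CDN lookups per user-activity window in a timestamped DNS query log."""
from datetime import datetime

# Constructed sample log, "HH:MM:SS,qname", one line per query. The hostnames are
# made up; only the tiktok.com and tiktokcdn.com suffixes come from the post.
SAMPLE_LOG = """\
13:30:05,www.tiktok.com
13:30:07,files.tiktokcdn.com
13:31:12,files.tiktokcdn.com
13:33:40,files.tiktokcdn.com
13:35:02,www.tiktok.com
13:35:03,files.tiktokcdn.com
13:36:30,www.tiktok.com
13:38:15,files.tiktokcdn.com
13:40:10,www.tiktok.com
13:41:00,www.tiktok.com
13:43:22,www.tiktok.com
13:45:01,files.tiktokcdn.com
13:45:02,files.tiktokcdn.com
13:46:40,files.tiktokcdn.com
13:47:55,files.tiktokcdn.com
13:49:30,files.tiktokcdn.com
13:55:10,www.tiktok.com
"""

# Activity windows (start, end, label), constructed to mirror the post's test plan.
# A query at or after `end` belongs to the next window, so windows never overlap.
WINDOWS = [
    ("13:30:00", "13:35:00", "scroll recommended"),
    ("13:35:00", "13:40:00", "search"),
    ("13:40:00", "13:45:00", "flag misinformation"),
    ("13:45:00", "13:50:00", "favorite effects"),
]

def _t(hms: str) -> datetime:
    """Parse a wall-clock time; the (dummy) date only matters for subtraction."""
    return datetime.strptime(hms, "%H:%M:%S")

def is_cdn_host(qname: str) -> bool:
    """True when any DNS label of the name contains 'cdn' (e.g. files.tiktokcdn.com)."""
    return any("cdn" in label for label in qname.rstrip(".").lower().split("."))

def parse_log(text: str) -> list:
    """Parse 'HH:MM:SS,qname' lines into (datetime, qname) tuples, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, qname = line.split(",", 1)
        rows.append((_t(ts), qname.strip()))
    return rows

def cdn_share_by_window(rows: list, windows: list) -> dict:
    """Per window: total queries, CDN queries, CDN share (None if empty) and queries per minute."""
    out = {}
    for start, end, label in windows:
        t0, t1 = _t(start), _t(end)
        in_win = [q for t, q in rows if t0 <= t < t1]
        cdn = sum(1 for q in in_win if is_cdn_host(q))
        minutes = (t1 - t0).total_seconds() / 60
        out[label] = {
            "total": len(in_win),
            "cdn": cdn,
            "share": cdn / len(in_win) if in_win else None,  # no queries: no data, not 0%
            "per_min": len(in_win) / minutes,
        }
    return out

def overall_cdn_share(rows: list) -> float:
    """CDN share across every query in the log, inside a window or not."""
    return sum(1 for _, q in rows if is_cdn_host(q)) / len(rows) if rows else 0.0

def rank_windows(result: dict) -> list:
    """Window labels ordered from highest to lowest CDN share (empty windows last)."""
    return sorted(result, key=lambda k: result[k]["share"] or 0.0, reverse=True)

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    result = cdn_share_by_window(rows, WINDOWS)
    for label in rank_windows(result):
        r = result[label]
        print(f"{label:20s} {r['total']:3d} queries, {r['cdn']:3d} CDN, share={r['share']}")
    print(f"overall CDN share: {overall_cdn_share(rows):.2f}")
```

The half-open window boundaries matter: a lookup logged exactly at a window’s end time is counted once, in the following window, so the per-window totals add up to the number of queries that fell inside any window.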
What could be driving TikTok queries?
Based on the CDN usage of just favoriting effects, it seems reasonable that sharing the effect would generate a large number of DNS queries. Considering there was an update on February 3, it’s possible that update is causing this prolonged spike in queries because it needs to communicate with CDN servers more often.
But we still have other theories.
Because the total number of DNS queries generated by TikTok and its competitor Instagram are similar (browsing TikTok for 5 minutes generated 196 queries while browsing Instagram generated 258), I think it’s possible that there is an external application using the tiktokcdn[dot]com domain. This could be a sister app of TikTok’s, like Douyin, or it could be another service that’s enabling users to post TikTok videos. In both cases, they’d need to refer to TikTok’s CDN servers.
Peter Lowe, our Domain Intelligence Lead, doesn’t think that’s the case. TikTok’s popularity is real, and because the spike in usage is so big, he believes that the DNS queries are coming from inside the app. It seems unlikely that this big an increase could come from another source, as it would mean another app (or apps) is matching TikTok’s current usage, a level that Facebook currently outpaces.
What Peter believes is generating these queries is the new unsubstantiated content alert. The reasoning here is that TikTok will likely need to make calls to content servers more often to check if any videos have been flagged as “fake news.” It’s also fair to reason that TikTok would only want to release a feature like marking content as unsubstantiated if it will be done quickly. TikTok offers a fast-paced user experience, and those using the app are accustomed to taking action quickly. More frequent DNS calls to the CDN servers likely allow them to respond to flagged content more swiftly.
There's still more research we'd like to do, and if we find anything more we'll be sure to share it on our blog.
Applying these insights to your network
Your company network has plenty of data that can give you insight into how users are behaving on your network. Not only can you see the domains that users are visiting, but you can see what threats they’re being exposed to and what domains are being blocked by your content filtering policies.
And sometimes you might notice trends like a spike in the number of visits to TikTok. But it’s worth digging deeper and examining: Is this an issue with employees visiting TikTok more often, or a case of TikTok changing the way their app works?
Start examining these trends on your network and sign up for a trial of DNSFilter today.