Existing DNS configuration verification tools suffer from low efficiency and lack support for incremental verification. Method: This paper introduces a behavior-partitioned query-space data structure that models DNS server query processing as table-matching operations; designs a full-coverage symbolic execution algorithm; and incorporates a low-overhead incremental verification mechanism. The approach integrates distributed data-plane verification principles to enable precise semantic modeling and efficient analysis of DNS configurations. Contribution/Results: Experiments on real-world datasets demonstrate that our method achieves up to 255.7× speedup in verification time and reduces the number of equivalence-checking (LEC) queries by up to 6,046× compared to state-of-the-art tools. These improvements significantly enhance verification efficiency, scalability, and practical applicability.

Existing DNS configuration verification tools face significant issues (e.g., inefficient and lacking support for incremental verification). Inspired by the advancements in recent work of distributed data plane verification and the resemblance be- tween the data plane and DNS configuration, we tackle the challenge of DNS misconfiguration by introducing Janus, a DNS verification tool. Our key insight is that the process of a nameserver handling queries can be transformed into a matching process on a match-action table. With this insight, Janus consists of (1) an efficient data structure for partition query space based on the behaviors, (2) a symbolic execution algorithm that specifies how a single nameserver can efficiently cover all possible queries and ensure the accuracy of verification, (3) a mechanism to support incremental verification with less computational effort. Extensive experiments on real-world datasets (with over 6 million resource records) show that Janus achieves significant speedups, with peak improvements of up to 255.7x and a maximum 6046x reduction in the number of LECs.