Recursives in the Wild: Engineering Authoritative DNS Servers

Transcription

1 Recursives in the Wild: Engineering Authoritative DNS Servers Moritz Müller 1,2, Giovane C. M. Moura 1, Ricardo de O. Schmidt 1,2, John Heidemann 3 1 SIDN Labs The Netherlands 2 University of Twente The Netherlands 3 USC/Information Sciences Institute U.S. IETF99 - IEPG Prague, CZ, July 16th, /19

2 Introduction ns1 ns2 ns3 ns4 ns5 netnod nic.fr isc unicast anycast resolver user Q: example.nl? Which one to choose? Figure: Resolving a Name under.nl TLD 2/19

3 Introduction ns1 ns2 ns3 ns4 ns5 netnod nic.fr isc Figure: Authoritative Servers by Size (sites) - area proportional to number of sites on.nl (June 2016) 3/19

4 Introduction ns1 ns2 ns3 ns4 ns5 netnod nic.fr isc Figure: Authoritative Servers by Size (sites) - area proportional to number of sites on.nl (June 2016) The larger, the more queries it gets, right? 3/19

5 Introduction ns1 ns2 ns3 ns4 ns5 netnod nic.fr isc Figure: Authoritative Servers by Size (sites) ns1 ns2 ns3 ns4 ns5 netnod nic.fr isc Figure: Authoritative Servers by Query Volume (June 2016) 4/19

6 Introduction Why is this hapenning? Meaning: why recursives choose this way how do they behave in the wild? Study goal: analyze how recursives behaves in the wild with the goal with better enginnering authoritative servers Previous work (Yu et al., [1]) was done in 2012, controlled environment Recursives typically prefered low latency authoritatives 5/19

7 Approach 1. Set up an authoritative server infrastructure at 2LD (ourtestdomain.nl), using 7 Amazon AWS datacenters, IPv4 2. VPs: Ripe Atlas probes VP = probe id + IP of local recursive 3. We vary the number/location of servers (NS records) and measure how VPs choose authoritatives 4. We use TXT records to determine which server responded to each probe/recursive e.g: similar to chaos queries Every 2min, for 1 hour NS record TTL of 5 seconds (to ensure cold cache) 5. We also look at the root and.nl auth data 6/19

8 Setup unicast anycast AT1 AT2 AT3 AT4 R 1 R 2 R 3... R n MI 1 MI 2 MI 3 CL 1 CL 2 CL 3 AT: authoritative MI: middlebox R: recursive CL: client Figure: TLD Setup, Recursives, Middleboxes and Clients. 7/19

9 Setup ID locations (airport code) VPs 2A GRU (São Paulo, BR), NRT (Tokyo, JP) 8,702 2B DUB (Dublin, IE), FRA (Frankfurt, DE) 8,685 2C FRA, SYD (Sydney, AU) 8,658 3A GRU, NRT, SYD 8,684 3B DUB, FRA, IAD (Washington, US) 8,693 4A GRU, NRT, SYD, DUB 8,702 4B DUB, FRA, IAD, SFO (San Francisco, US) 8,689 Table: Combinations of authoritatives we deploy and the number of VPs they see. 8/19

10 Do recursives query all authoritatives? 30 # of queries after first query A (96.0%) 2B (95.5%) 2C (82.4%) 3A (91.3%) 3B (84.8%) 4A (94.7%) authoritative combination 4B (75.2%) Figure: Queries to probe all authoritatives, after the first query. Yes! Most query all! 9/19

11 How are queries distributed over time? RTT (ms) queries share FRA DUB IAD SFO GRU NRT SYD location 2A 2B 2C 3A 3B 4A 4B authoritatives combination Figure: Median RTT (top) and query distribution (bottom) for combinations of authoritatives. Confirming [1], but now in the wild 10/19

12 How do recursives distribute queries? AF AS EU 1.0 NA OC SA 2A fraction of queries 2B NRT GRU DUB FRA 2C SYD FRA Recursives (x100) Figure: Recursive queries distribution for authoritative combinations 2A (top), 2B (center) and 2C (bottom). Solid and dotted horizontal lines mark VPs with weak and strong preference towards an authoritative. 11/19

13 How do recursives distribute queries? 59-69% of resolvers have a a week preference for an auth (60% of queries to one auth) 10-37% have strong pref to one auth (90% of queries to one auth) Distribution is inversily proportional with median RTT 12/19

14 How do recursives distribute queries? What happens when Auth are more less the same? fraction of queries EU NA 0.4 AF AS SA OC 0.2 DUB FRA RTT (ms) Figure: RTT sensitivity of 2B EU VPs get to FRA faster (13ms) Thus they prefer FRA slightly over DUB Asian VPs divide more equaly (despite 20.3ms diff!!) RTT influence decreases for far away resolvers 13/19

15 How query frequency affects the results? 1 fraction of queries query interval (minutes) AF AS EU NA OC SA Figure: Fraction of queries to FRA (remainder go to SYD, configuration 2C), as query interval varies from 2 to 30 minutes. Higher frequency, higher preference (infra-cache) 14/19

16 What about production zones? (root and.nl)? Figure: Distribution of queries of recursives with at least 250 queries across 10 out of 13 Root letters (top) and across 4 out of 8 name servers of.nl (bottom). 15/19

17 Conclusions and Recommendations Main conclusion: Worst-case latency limited by the least anycasted authoritative recursives use all authoritatives, query more often the better performing one (but diversity is important for them) We (.nl) see 23% of incoming traffic in NL-based auth servers from the US, because of this (we re moving to anycast on all NSes) Recommendation: Use Anycast on all your NS, and peer them very well, with multiple sites[2] also important for DDoS[3] 16/19

18 Questions? Contact details Giovane C. M. Moura Download our paper and data at: 17/19

19 Bibliography I Y. Yu, D. Wessels, M. Larson, and L. Zhang, Authority server selection in dns caching resolvers, SIGCOMM Comput. Commun. Rev., vol. 42, no. 2, pp , Mar [Online]. Available: R. d. O. Schmidt, J. Heidemann, and J. H. Kuipers, Anycast latency: How many sites are enough? in Proceedings of the Passive and Active Measurement Workshop. Sydney, Australia: Springer, Mar. 2017, pp [Online]. Available: 18/19

20 Bibliography II G. C. M. Moura, R. de O. Schmidt, J. Heidemann, W. B. de Vries, M. Müller, L. Wei, and C. Hesselman, Anycast vs. DDoS: Evaluating the November 2015 root DNS event, in Proceedings of the ACM Internet Measurement Conference, Nov [Online]. Available: 19/19