An Update on Anomalous DNS Behavior

Transcription

1 An Update on Anomalous DNS Behavior Duane Wessels, and CAIDA October 23

2 Motivation Why are root servers getting slammed? Are caching/forwarding DNS servers doing the right thing? How does a caching nameserver distribute its load to multiple nameservers? Do some implementations abuse the system more than others?

3 The Setup

4 A Test Network Root TLDs SLDs (authoritative) Simulated WAN with packet loss and delays Cache User

5 Workload Hostnames taken from 12 hours worth of caching proxy logs 5,532,641 Million DNS requests 17,777 unique hostnames 7,365 second-level domains 431 top-level domains 1 Root

6 Synthetic Zone Files Root & TLD zones use real values for: Number of nameservers NS, glue TTLs SLD zones use random values derived from sample of real zone data for: Number of A records per name A, NS, CNAME TTLs Each SLD zone has two nameservers (ns, ns1) Global 35% probability that a name is a CNAME record

7 Example SLD Zone $ORIGIN 864 IN SOA org. root.org. ( IN NS ns.org IN NS ns1.org IN NS ns2.org IN NS ns3.org IN NS ns4.org IN NS ns5.org IN NS ns6.org IN NS ns7.org IN NS ns8.org. ns 5184 IN A ns IN A ns IN A ns IN A ns IN A ns IN A ns IN A ns IN A ns IN A $ORIGIN 3 IN NS ns.-vip.org. 3 IN NS ns1.-vip.org. ns 2143 IN A ns IN A $ORIGIN 144 IN NS ns.xdeadbeef.org. 144 IN NS ns1.xdeadbeef.org. ns 864 IN A ns1 864 IN A $ORIGIN 3 IN NS ns.1traveltips.org. 3 IN NS ns1.1traveltips.org. ns 864 IN A ns1 864 IN A $ORIGIN 144 IN NS ns.1128.org. 144 IN NS ns org. ns 9 IN A ns1 9 IN A

8 Caching NS Software Tested BIND BIND DJBDNS 1.5 (a.k.a. dnscache) Windows 2 (v ) Windows 23 (v ) Root, TLD, SLD servers always run BIND

9 Test Configurations 1. No delay, no packet loss 2. 1ms delay, no packet loss 3. Linear delays, no packet loss 4. Linear delays, 5% packet loss 5. Linear delays, 25% packet loss 6. No delay, 1% packet loss Delays and packet loss are implemented using FreeBSD s Dummynet. They are placed on the Root, TLD, and SLD servers.

10 Linear Delays 16 Packet Delays, milliseconds A B C D E F G H I J K L M Nameserver

11 Some Results

12 No delays, no packet loss Millions of queries sent (cumulative) delay-loss +SLDs +TLDs bind8 bind9 djbdns w2 w23 Software For example, BIND 9 sent 548,671 total queries, 55,329 to the Roots, 144,723 to the TLDs, and 348,619 to the SLDs.

13 Linear delays, 5% packet loss Millions of queries sent (cumulative) delaylinear-loss5 +SLDs +TLDs bind8 bind9 djbdns w2 w23 Software About the same as the previous slide; just slightly higher in most categories.

14 BIND 8 Sends The Most Queries Sends A, AAAA, and A6 queries to Roots, SLDs, and TLDs for expired NS addresses. Forwards cache misses for pending hits. (djbdns, w2, w23 do this too)

15 Forwarding Cache Misses for Pending Hits 16:43: USER.1756 > BIND8.53: 7+ A? 16:43: USER.1756 > BIND8.53: 11+ A? 16:43: BIND8.141 > ROOT.11.53: A? 16:43: BIND8.141 > ROOT.11.53: A? 16:43: ROOT > BIND8.141: /13/14 16:43: ROOT > BIND8.141: /13/14 16:43: TLD > BIND8.141: /2/3 16:43: BIND8.141 > TLD.3.53: 2135 A? 16:43: TLD.3.53 > BIND8.141: /2/3 16:43: BIND8.141 > SLD : A? 16:43: BIND8.141 > SLD : A? 16:43: USER.1756 > BIND8.53: 13+ A? 16:43: SLD > BIND8.141: 55782*- 1/2/3 A :43: SLD > BIND8.141: 39986*- 1/2/3 A :43: BIND8.141 > SLD : 3869 A? 16:43: USER.1756 > BIND8.53: 16+ A? 16:43: SLD > BIND8.141: 3869*- 1/2/3 A :43: SLD > BIND8.141: 3869*- 1/2/3 A :43: BIND8.53 > USER.1756: 7* 1/2/2 A :43: BIND8.53 > USER.1756: 11* 1/2/2 A :43: BIND8.53 > USER.1756: 13* 1/2/2 A :43: BIND8.53 > USER.1756: 16 1/2/2 A

16 Why So Many BIND 9? bind9 re-queries for expired glue starting at the root. Sends A and A6 queries for both SLD nameservers. 21:18: BIND9.141 > ROOT.1.53: A? ns.iastate.edu. 21:18:36.52 BIND9.141 > ROOT.1.53: 7798 A6? ns.iastate.edu. 21:18: BIND9.141 > ROOT.1.53: 5191 A? ns1.iastate.edu. 21:18: BIND9.141 > ROOT.1.53: A6? ns1.iastate.edu. Real-world: ;; ANSWER SECTION: microsoft. 1H IN NS dns1.cp.msft.net. microsoft. 1H IN NS dns1.sj.msft.net. microsoft. 1H IN NS dns1.tk.msft.net. microsoft. 1H IN NS dns3.uk.msft.net. ;; ADDITIONAL SECTION: dns1.cp.msft.net. 1H IN A dns1.sj.msft.net. 1H IN A dns1.tk.msft.net. 1H IN A dns3.uk.msft.net. 1H IN A

17 djbdns Also has a lot of Root Queries djbdns re-queries for expired glue starting at the root. But only for first nameserver Only A queries djbdns does not trust additional answers with TTL and re-queries for them starting at the root. 2:33: USER.185 > DJBDNS.53: 295+ A? www3.kwyjibo. 2:33: DJBDNS.741 > TLD.9.53: 126 A? www3.kwyjibo. 2:33: TLD.9.53 > DJBDNS.741: 126- /2/2 2:33: DJBDNS.138 > ROOT.13.53: 2361 A? ns.kwyjibo. 2:33: ROOT > DJBDNS.138: /13/13 2:33: DJBDNS.5244 > TLD.12.53: A? ns.kwyjibo. 2:33: TLD > DJBDNS.5244: /2/2 A SLD.67 2:33: DJBDNS.67 > SLD.68.53: A? ns.kwyjibo. 2:33: SLD > DJBDNS.67: 19539*- 1/2/2 A SLD.67 2:33: DJBDNS > SLD.68.53: 3676 A? www3.kwyjibo. 2:33: SLD > DJBDNS.44857: 3676*- 1/2/2 A :33: DJBDNS.53 > USER.185: 295 1// A

18 BIND 8 Millions of queries sent (cumulative) bind8 +SLDs +TLDs / 1/ linear/ linear/5 linear/25 test (delays/pktloss) BIND8 actually sends slighly fewer queries in harsher conditions. For example, 383,995 TLD queries in ms/% test, but only 344,628 in linear/5% test.

19 BIND 9 Millions of queries sent (cumulative) bind9 / 1/ linear/ linear/5 linear/25 test (delays/pktloss) +SLDs +TLDs Unaffected by delays, only by loss.

20 DJBDNS Millions of queries sent (cumulative) djbdns +SLDs +TLDs / 1/ linear/ linear/5 linear/25 test (delays/pktloss)

21 Windows 2 Millions of queries sent (cumulative) w2 +SLDs +TLDs / 1/ linear/ linear/5 linear/25 test (delays/pktloss)

22 Windows 23 Millions of queries sent (cumulative) w23 +SLDs +TLDs / 1/ linear/ linear/5 linear/25 test (delays/pktloss)

23 No delays, 1% packet loss Millions of queries sent (cumulative) delay-loss1 +SLDs +TLDs bind8 bind9 djbdns w2 w23 Software Wow!

24 No delays, 1% packet loss 25 2 bind8 bind9 djbdns w2 w23 user Queries per second Time, seconds Most software amplifies the user query rate, but BIND9 attenuates.

25 DNS servers on the other hand track RTTs for query responses and really *know* which server is the fastest rather than guess based on third hand routing information. Iljitsch van Beijnum, 18 Sep 23

26 Distribution of Queries to Nameservers A B C D E F G H I J K L M

27 BIND 8 ms/% 1ms/% ms/1% e+6 4.5e e+6 4e e+6 3.5e e+6 3e e+6 2e+6 1.5e+6 2.5e+6 2e+6 1.5e e+6 1e A B C D E F G H I J K L M A B C D E F G H I J K L M A B C D E F G H I J K L linear/% linear/5% linear/25% A B C D E F G H I J K L M A B C D E F G H I J K L M A B C D E F G H I J K L M

28 BIND 9 ms/% 1ms/% ms/1% A B C D E F G H I J K L M A B C D E F G H I J K L M A B C D E F G H I J K L linear/% linear/5% linear/25% A B C D E F G H I J K L M A B C D E F G H I J K L M A B C D E F G H I J K L M

29 DJBDNS ms/% 1ms/% ms/1% e+6 1e A B C D E F G H I J K L M A B C D E F G H I J K L M A B C D E F G H I J K L linear/% linear/5% linear/25% A B C D E F G H I J K L M A B C D E F G H I J K L M A B C D E F G H I J K L M

30 Windows 2 ms/% 1ms/% ms/1% e e e e+6 2e e+6.2 A B C D E F G H I J K L M A B C D E F G H I J K L M A B C D E F G H I J K L M linear/% linear/5% linear/25% A B C D E F G H I J K L M A B C D E F G H I J K L M A B C D E F G H I J K L M Seems to always choose first nameserver.

31 Windows 23 ms/% 1ms/% ms/1% e+6 6e e+6 5e e+6 4e e+6 2e+6 3e+6 2e e+6 1e+6 1 A B C D E F G H I J K L M A B C D E F G H I J K L M A B C D E F G H I J K L linear/% linear/5% linear/25% A B C D E F G H I J K L M A B C D E F G H I J K L M A B C D E F G H I J K L M

32 Scientists at the San Diego Supercomputer Center found that 98% of the Slashdot comments at the root level are unnecessary. Anonymous Coward

33 Punchline from Last Year s Talk Type Count Percent Repeated QNAME 68,61, Repeat Query 38,838, Unknown TLD 19,165, A for A 1,739, Referral Not Cached 6,653, Legitimate 3,284, Nonprintable in QNAME 2,962, rfc1918 PTR 2,452, Unused Query Class 36,313.24

34 Run Simulations Through Earlier Root Server Analysis Tools What happens when we run one of the simulated Root server traces through the tools used to analyze real root server activity in last year s talk? bind8 bind9 djbdns w2 w23 unknown-tld repeated-query repeated-qname referral-not-ca legit oops. Learned that some software always goes back to the for expired NS addresses.

35 Run Simulations Through Earlier Root Server Analysis Tools What happens if we exclude queries for (expired) NS addresses? bind8 bind9 djbdns w2 w23 unknown-tld repeated-query repeated-qname referral-not-ca legit oops? Some TLDs have short TTLs on NS addresses. Earlier study assumed TLD TTLS 24 hours or greater. But is it as simple as that?

36 Conclusions Balancing BIND 8 can latch on to a single nameserver in low loss/latency conditions, but we didn t determine the threshold. DJBDNS uses uniform distribution among nameservers regardless of conditions. W2 server selection sucks. W23 server selection only slightly better.

37 Conclusions Abuse A6 and AAAA queries on IPv6-enabled machines may be abusing Root, TLD, SLD nameservers. BIND9 does not forward cache misses for pending hits. cool. BIND9 is the only software tested that attenuates the user queries in the event of 1% packet loss. Need to improve our models for analyzing root server abuse. Must consider BIND9 and DJBDNS s techniques to prevent cache poisoning.

38 The End