2007 Day In The Life DNS Root Server Analysis

Size: px

Start display at page:

Download "2007 Day In The Life DNS Root Server Analysis"

Todd Benson
5 years ago
Views:

1 27 Day In The Life DNS Root Server Analysis Duane Wessels Haven Hash The Measurement Factory/CAIDA WIDE+CAIDA Workshop #8 July 21, 27 WIDE+CAIDA #8 The Measurement Factory

2 DITL 27 Day In The Life of The Internet. Okay, two days. 48 hour period: Jan 9 :: to Jan 1 23:59:59 UTC Primary focus is DNS and root servers, but other data was collected as well. We have data from C-, F-, K-, and M-roots, which is the subject of this presentation. Data is 74 GB compressed pcap files. 1,,, DNS queries. WIDE+CAIDA #8 1 The Measurement Factory

3 Terminology Server: a collection of DNS nameservers operating under the same IP address. c.root-servers.net is a server Instance: an anycast instance of a server. k-milan is an instance of k.root-servers.net. Load-balanced nodes are combined into a single instance. c-lax1a and c-lax1b are load-balanced members of the c-root LAX instance. Client: an IP address sending DNS queries. WIDE+CAIDA #8 2 The Measurement Factory

4 Merging Pcaps First step was to create a single, merged pcap stream with all packets in chronological order. Created hour-long chunks for all instances, using tcpdumpjoin and tcpdump-split. Keep only data within the 48-hour DITL period. Queries only. Changed pcap timestamps for instances with known clock skew. Rewrote server IP addresses to encode server and instance. e.g., becomes to represent the 11th instance of F-root. Merged all hour-long instance files into timestamp-sorted files with mergecap. WIDE+CAIDA #8 3 The Measurement Factory

5 Analysis Software C++ program reads pcap files and keeps various counters. Runs at about 4, packets/second, or about 8% the rate of pcap time. i.e., takes 6 hours to analyze 48 hours of data. Needs about 3GB RAM. Data goes into Postgres SQL SELECT statements and perl scripts produce data for ploting with ploticus. WIDE+CAIDA #8 4 The Measurement Factory

6 II 1) Average rates of requests. c ord1a c jfk1a c lax1a c iad1c f ccs1a f dac1a f nbo1a f bcn1a f khi1a f jnb1a f akl1a f yow1a f lcy1a f dxb1a f lax1a f svo1a f eze1a f tlv1a f ord1a f cgk1a f maa1a f prg1a f lga1a f scl1a f bne1a f sel1y f kix1a f yyz1b f cdg1a f lis1a f mty1a f mad1a f tpe1a f hkg1a f gru1a f muc1a f ams1a f pek1a f sfo2 f pao1 k moscow k milan k reykjavik k poznan k geneva k athens k budapest k brisbane k helsinki k delhi k tokyo k frankfurt k miami k amsterdam k london m icn m nrt jpix m sfo m nrt jpnap m nrt dixie m cdg Queries Per Second

7 II 1) Average rates of requests Queries Per Second : 9Jan : 1Jan : 11Jan C F K M

8 2 II 2) The average number of clients per second seen at each instance. 15 c ord1a c jfk1a c lax1a c iad1c f ccs1a f dac1a f nbo1a f bcn1a f khi1a f jnb1a f akl1a f yow1a f lcy1a f dxb1a f lax1a f svo1a f eze1a f tlv1a f ord1a f cgk1a f maa1a f prg1a f lga1a f scl1a f bne1a f sel1y f kix1a f yyz1b f cdg1a f lis1a f mty1a f mad1a f tpe1a f hkg1a f gru1a f muc1a f ams1a f pek1a f sfo2 f pao1 k moscow k milan k reykjavik k poznan k geneva k athens k budapest k brisbane k helsinki k delhi k tokyo k frankfurt k miami k amsterdam k london m icn m nrt jpix m sfo m nrt jpnap m nrt dixie m cdg Clients Seen 1 5

9 16 II 2) The number of clients per second seen at each C root instance Clients Per Second : 9Jan : 1Jan : 11Jan c jfk1a c lax1a c ord1a c iad1c

10 II 2) Zoom in on c ord1a : 9Jan 9: Clients/Sec Queries/Sec

11 The cause?? Date: Thu, 11 Jan 27 1:3:47 + From: Paul Vixie <paul@vix.com> To: wessels@oarc.isc.org Subject: oops #ord1a.c:i386# jobs [1] + Running./tcpdump -s -n -w oarc.tcpd. -z gzip -P 5 host c.root-servers.net #ord1a.c:i386# kill % packets captured packets received by filter packets dropped by kernel [1] Done./tcpdump -s -n -w oarc.tcpd. -z gzip -P 5 host c.root-servers.net i had two tcpdumps running on one of the c-root boxes... WIDE+CAIDA #8 1 The Measurement Factory

12 II 2) The number of clients per second seen at each F root instance Clients Per Second : 9Jan : 1Jan : 11Jan f mty1a f maa1a f ord1a f lax1a f lga1a f pek1a f mad1a f lcy1a f sfo2 f scl1a f tpe1a f cgk1a f dac1a f muc1a f dxb1a f tlv1a f khi1a f lis1a f cdg1a f hkg1a f svo1a f yyz1b f gru1a f sel1y f kix1a f prg1a f eze1a f ccs1a f bne1a f akl1a f ams1a f pao1 f yow1a f jnb1a f bcn1a f nbo1a

13 5 II 2) The number of clients per second seen at each K root instance. 4 Clients Per Second : 9Jan : 1Jan : 11Jan k miami k moscow k poznan k amsterdam k delhi k helsinki k brisbane k geneva k athens k london k milan k budapest k tokyo k frankfurt k reykjavik

14 II. 2) Zoom in on K amsterdam node Clients Per Second : 9Jan 13: K amsterdam

15 3 II 2) The number of clients per second seen at each M root instance Clients Per Second : 9Jan : 1Jan : 11Jan m icn m nrt dixie m sfo m nrt jpnap m nrt jpix m cdg

16 II 3) Topological coverage by ASes. c ord1a c lax1a c jfk1a c iad1c f ccs1a f dxb1a f dac1a f bcn1a f nbo1a f khi1a f jnb1a f lis1a f tpe1a f scl1a f akl1a f maa1a f yow1a f eze1a f tlv1a f lcy1a f mty1a f pek1a f cgk1a f prg1a f ord1a f kix1a f svo1a f gru1a f lax1a f yyz1b f bne1a f hkg1a f mad1a f sel1y f cdg1a f lga1a f ams1a f muc1a f sfo2 f pao1 k reykjavik k moscow k athens k poznan k budapest k milan k helsinki k brisbane k geneva k tokyo k delhi k frankfurt k miami k amsterdam k london m icn m nrt jpix m nrt jpnap m sfo m nrt dixie m cdg Fraction of ASes

17 II 4) Topological coverage by prefixes..5.4 Fraction of prefixes.3 c ord1a c lax1a c jfk1a c iad1c f ccs1a f dxb1a f dac1a f bcn1a f nbo1a f khi1a f jnb1a f lis1a f tpe1a f scl1a f akl1a f maa1a f yow1a f eze1a f tlv1a f lcy1a f mty1a f pek1a f cgk1a f prg1a f ord1a f kix1a f svo1a f gru1a f lax1a f yyz1b f bne1a f hkg1a f mad1a f sel1y f cdg1a f lga1a f ams1a f muc1a f sfo2 f pao1 k reykjavik k moscow k athens k poznan k budapest k milan k helsinki k brisbane k geneva k tokyo k delhi k frankfurt k miami k amsterdam k london m icn m nrt jpix m nrt jpnap m sfo m nrt dixie m cdg.2.1

18 III 1) Clients distribution by RIR for each instance 1.8 Fraction of Clients.6.4 c jfk1a c iad1c c lax1a c ord1a f eze1a f mty1a f gru1a f scl1a f ccs1a f dxb1a f lis1a f svo1a f lcy1a f bcn1a f prg1a f mad1a f ams1a f muc1a f tlv1a f cdg1a f dac1a f khi1a f maa1a f cgk1a f pek1a f akl1a f bne1a f tpe1a f hkg1a f sel1y f kix1a f lax1a f sfo2 f lga1a f pao1 f nbo1a f jnb1a f yyz1b f ord1a f yow1a k frankfurt k athens k budapest k reykjavik k poznan k milan k helsinki k geneva k moscow k brisbane k amsterdam k tokyo k london k delhi k miami m cdg m icn m nrt jpnap m nrt jpix m nrt dixie m sfo.2 RIPE ARIN APNIC LACNIC AFRNIC IANA Unknown

19 IV 1) Distribution of users binned by query rate intervals for C root. 1^7 1^9 1^6 1^5 Number of Clients 1^4 1^3 1^8 Number of Queries ^7 Clients Queries Queries/sec

20 IV 1) Distribution of users binned by query rate intervals for F root. 1^7 1^9 1^6 1^5 Number of Clients 1^4 1^3 1^8 Number of Queries ^7 Clients Queries Queries/sec

21 IV 1) Distribution of users binned by query rate intervals for K root. 1^7 1^9 1^6 1^5 Number of Clients 1^4 1^3 1^8 Number of Queries ^7 Clients Queries Queries/sec

22 IV 1) Distribution of users binned by query rate intervals for M root. 1^7 1^9 1^6 1^5 Number of Clients 1^4 1^3 1^8 Number of Queries ^7 Clients Queries Queries/sec

23 IV 3) Breakdown by query types 1.8 Fraction of Queries C F K M A NS CNAME SOA PTR MX TXT AAA SRV A6 OTHER

24 IV 4) Breakdown by query types for users binned by rate intervals for C root 1.8 Fraction of Queries in each bin Queries/sec A NS CNAME SOA PTR MX TXT AAA SRV A6 OTHER

25 IV 4) Breakdown by query types for users binned by rate intervals for F root 1.8 Fraction of Queries in each bin Queries/sec A NS CNAME SOA PTR MX TXT AAA SRV A6 OTHER

26 IV 4) Breakdown by query types for users binned by rate intervals for K root 1.8 Fraction of Queries in each bin Queries/sec A NS CNAME SOA PTR MX TXT AAA SRV A6 OTHER

27 IV 4) Breakdown by query types for users binned by rate intervals for M root 1.8 Fraction of Queries in each bin Queries/sec A NS CNAME SOA PTR MX TXT AAA SRV A6 OTHER

28 The End

Day In The Life of the Internet 2008 Data Collection Event.

Day In The Life of the Internet 2008 Data Collection Event http://www.caida.org/projects/ditl Duane Wessels The Measurement Factory/CAIDA k claffy CAIDA NANOG 42 February 19, 2008 NANOG 42 0 The Measurement