Falling Trees or If a DNS Server is Lame but Nobody Queries It, Should You Send an ?

Similar documents
Lameness in Reverse DNS

This video will look at how to create some of the more common DNS records on Windows Server using Remote Administration Tools for Windows 8.

Measuring IPv6 Deployment

Reverse DNS Project Update

Packet Traces from a Simulated Signed Root

DNSreport for icharter.org

DNS. Introduction To. everything you never wanted to know about IP directory services

DNS Anycast Statistic Collection

Managing DNS Firewall

RIPE NCC DNS Update. Wolfgang Nagele DNS Services Manager

Measuring IPv6 at web clients and caching resolvers

Domain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

6to4 reverse domain delegation in ip6.arpa

Internet Engineering. DNS Message Format. Contents. Robert Elz.

Implementation Of Lame Delegation Policy. Ray Plzak ARIN

CNAME-based Redirection Design Notes

Evaluation and consideration of multiple responses. Kazunori Fujiwara, JPRS OARC 28

Measuring the IPv6 Internet by active DNS and HTTP measurements (work in progress)

page 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, October 2016

Measuring IPv6 Deployment

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration. Chapter 5 Introduction to DNS in Windows Server 2008

IPv6 at Google. a case study. Angus Lees Site Reliability Engineer. Steinar H. Gunderson Software Engineer

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

Measurements of traffic in DITL 2008

QNAME minimisation. Ralph Dolmans (NLnet Labs) March 2016 Stichting NLnet Labs

RIPE Labs. Operators Tools, Ideas and Analysis. Mirjam Kühne, RIPE NCC. RIPE Network Coordination Centre. IETF 78 - Juy 2010.

The term "router" in this document refers to both routers and Layer 3 switches. Step Command Remarks. ipv6 host hostname ipv6-address

Introduction to Network. Topics

Measuring IPv6 at web clients and caching resolvers

Lesson 9: Configuring DNS Records. MOAC : Administering Windows Server 2012

6to4 reverse domain delegation ip6.arpa

The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net

Is Your Caching Resolver Polluting the Internet?

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS.

Data and measurement tools from the RIPE NCC. Robert Kisteleki RIPE NCC R&D

NIC Chile Secondary DNS Service History and Evolution

DNS Session 2: DNS cache operation and DNS debugging. Joe Abley AfNOG 2006 workshop

RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal ---

Domain Name System (DNS) Session 2: Resolver Operation and debugging. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

Figure 1: DNS server properties and the DNS server icon

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

Domain Name System (DNS) Session-1: Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale

IPv6 Support in the DNS. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Managing Caching DNS Server

Domain Name System (DNS) DNS Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale. The old solution: HOSTS.

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers.

Update on experimental BIND features to rate-limit recursive queries

Documentation for: MTA developers

DNS(SEC) client analysis

DNS DNS DNS Summer Days 2013 Copyright

Measuring IPv6 Deployment

ECE 650 Systems Programming & Engineering. Spring 2018

Configuring DNS. Finding Feature Information

Hands-On Microsoft Windows. Chapter 8 p Managing Windows Server 2008 Network Services

SOFTWARE ARCHITECTURE 9. NAME RESOLUTION.

Agha Mohammad Haidari General ICT Manager in Ministry of Communication & IT Cell#

Open Resolvers in COM/NET Resolution!! Duane Wessels, Aziz Mohaisen! DNS-OARC 2014 Spring Workshop! Warsaw, Poland!

DNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46

A versatile platform for DNS metrics

Network Working Group

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

DNS Level 100. Rohit Rahi November Copyright 2018, Oracle and/or its affiliates. All rights reserved.

Response Differences between NSD and other DNS Servers

Measuring Global DNS Propagation Times Using RIPE Atlas. Bachelor Thesis by Tim Wattenberg RIPE Regional Meeting Almaty, Kazakhstan

DPU TDC 463. Scanning, Probing, and Surveying for Internet Hosts and Services. TDC463 Fall 2017 John Kristoff DePaul University 1

DNS Fundamentals. Steve Conte ICANN60 October 2017

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

RIPE Network Coordination Centre. IPv6 at RIPE NCC. Erik Romijn. Erik Romijn. Tuesday, June 9, 2009

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

DNS Session 1: Fundamentals. Based on Brian Candler's materials ISOC CCTLD workshop

RIPE Network Coordination Centre. IPv6 at RIPE NCC. Mark Dranse Erik Romijn

Hands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016

Configuration of Authoritative Nameservice

Introducing the Global Site Selector

Organisation-LIR Clarification in IPv6 Policy

Configuring IPv6 DNS. Introduction to IPv6 DNS. Configuring the IPv6 DNS client. Configuring static domain name resolution

DNS Load Balancing in ONTAP

Test cases for domain checks a step towards a best prac5ce. Mats Du(erg,.SE Sandoche Balakrichenan, AFNIC

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers.

Reverse DNS Overview

FIRMS: a Future InteRnet Mapping System

Goal of this session

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Purpose. Review existing policies. Identify areas where new or modified. Provide feedback to community Make recommendations. Operational experience

DNS & DHCP CONFIGURATION

RSSAC Activities Update. Lars Johan Liman and Tripti Sinha RSSAC Chair ICANN-54 October 2015

Sicurezza dei sistemi e delle reti

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Managing Zones. Staged and Synchronous Modes CHAPTER. See Also

Expiration Date: May 1997 Randy Bush RGnet, Inc. November Clarifications to the DNS Specification. draft-ietf-dnsind-clarify-02.

RIPE Network Coordination Centre RIPE Labs Nathalie Trenaman UKNOF 17 - Sept

DNS Session 2: DNS cache operation and DNS debugging. How caching NS works (1) What if the answer is not in the cache? How caching NS works (2)

Objectives. Upon completion you will be able to:

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Tasks (Part I): Setting Up a Local DNS Server. SEED Labs Local DNS Attack Lab 1

Based on Brian Candler's materials ISOC CCTLD workshop

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1

You can specify IPv4 and IPv6 addresses while performing various tasks in this feature. The resource

In rdns We Trust Revisiting rdns Use by Clients on the Internet

Introducing the Global Site Selector

Transcription:

Falling Trees or If a DNS Server is Lame but Nobody Queries It, Should You Send an E-mail? Shane Kerr <shane@isc.org> DNS Working Group, RIPE 59 Lisbon, 2009-10-08

Background The RIPE NCC implemented a system which checks for lame DNS servers in the part of the reverse DNS tree they maintain. I thought maybe we should check to see if lameness is a real problem. The RIPE NCC asked me if I would be willing to investigate this.

Co-operation The RIPE NCC DNS department provided data & explanation OARC provided the system to hold the data & perform analysis

Methodology RIPE NCC runs checks 1.Resolve NS to A/AAAA record 2.SOA lookup of zone at A/AAAA RIPE NCC captures traffic At RIPE NCC's master, ns-pri.ripe.net For a set of 1-hour periods Compare actual traffic with lame zones

On the Checking of Traffic Parse each reply to get NS RRSET A very small mismatch with data sets Lameness check run at different time than packet captures 3 NS in an hour of packet captures If no NS, stop NXDOMAIN, SOA query, errors, If NS, check for errors

Skinning Cats or, There's More Than One Way to Make a Lame DNS Server 1.The NS entry may not resolve to an A or AAAA record. example.org NS ns1.example.cmo NS ns2.exmaple.info 2.Nothing at the IPv4 or IPv6 address answers. ns.example.net A 0.0.1.16

Diagrammatically Explained or Explained Diagrammatically 66.6.0.193.in-addr.arpa Query NS ns-sec.ripe.net NS evil-ns1.example.info NS evil-ns2.example.info Answer NS RRSET 193.0.0.196 good 2001:610:240:0:53::4 good 193.0.6.66 bad Server response ns-sec.ripe.net 193.0.0.196 2001:610:240:0:53::4 evil-ns1.example.info 193.0.6.66 evil-ns2.example.info XXX NS to A/AAAA

Impact of Bad NS in RRSET Might be an immediate failure ns.exxample.org gives NXDOMAIN Might be a set of timeouts All NS in the RRSET may fail Current data does not distinguish

Chance of Using a Bad NS Two NS, one bad 50% chance bad NS is chosen 1 st Three NS, one bad 33% chance bad NS is chosen 1 st Three NS, two bad 66% chance bad NS is chosen 1 st 50% chance bad NS is chosen 2 nd And so on...

Impact of Bad Servers Server at IP address does not answer Set of timeouts Delay for the user! Logic about chance of using a bad server same as for using a bad NS...

Applicability Statement An Aside Before the Results If anyone running a delegation-only server wants to perform similar analysis on their domains, you can have the code or work with me to perform similar analysis.

The Numbers Total packets scanned: 16618986 Replies sent from server: 8309072 Unparsable replies: 9350 Packets with non-0 RCODE: 3165031 Packets with stale NS: 17839 Packets with NS in RRSET: 5096414 Estimate about 25030.984 lookups have NS lookup failures Estimate about 39303.618 NS lookup failures Estimate about 64100.080 lookups use non-answering IP Estimate about 77258.599 queries to non-answering IP

A Carta Parse Error Stale NS in RRSET NS lookups with failures (estimate) Queries to nonanswering servers (estimate) Non-0 RCODE Success (estimate)

Results 0.3% of queries had bad NS 0.8% of queries had an A/AAAA resulting in a DNS lookup failure About 1% of queries affected by lameness

Caveats Results do not account for caching Code based on IP, rather than IP+domain (oops) Effects of bad NS very uncertain Effects of bad servers slightly uncertain

Discussion But 5% of servers lame! Unused lame servers don't get fixed Used lame servers DO get fixed 1% is still a bit much... DNSMON error rate for ns-pri was 0.3% Average DNSMON error rate is 0.8%

Proposals 1.No more blanket e-mails 2.Annual report to LIRs? 3.Targeted e-mails to most-impacted users?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback