A Root DNS Server. Akira Kato. Brief Overview of M-Root. WIDE Project

Similar documents
Testing IPv6 address records in the DNS root

RIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.

Root Server Operated by ICANN. DNS Engineering DNS Symposium Madrid May 2017

Chapter 19. Domain Name System (DNS)

DNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46

ROOT SERVERS MANAGEMENT AND SECURITY

IPv6 How-To for a Registry 17th CENTR Technical Workshop

DNS root server deployments. George Michaelson DNS operations SIG APNIC17/APRICOT 2004 Feb KL, Malaysia

Root DNS Anycast in South Asia

IPv6 Support in the DNS. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Domain Name System.

Networking Applications

K-Root Name Server Operations

Packet Traces from a Simulated Signed Root

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

Is Your Caching Resolver Polluting the Internet?

Preparation Test AAAA and EDNS0 support Share Your Results Results Reported Testing Period

Writing Assignment #1. A Technical Description for Two Different Audiences. Yuji Shimojo WRTG 393. Instructor: Claudia M. Caruana

f.root-servers.net ISOC cctld Workshop Nairobi, Kenya, 2005

K-Root Nameserver Operations

Lecture 4: Basic Internet Operations

DNS. Introduction To. everything you never wanted to know about IP directory services

IPv6 Support in the DNS

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS.

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers.

Response Differences between NSD and other DNS Servers

Internet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: November 2015

DNS Survival Guide. Artyom Gavrichenkov

Information Network I: The Application Layer. Doudou Fall Internet Engineering Laboratory Nara Institute of Science and Technique

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

RSSAC Activities Update. Lars Johan Liman and Tripti Sinha RSSAC Chair ICANN-54 October 2015

RIPE NCC DNS Update. Anand Buddhdev Oct 2016 RIPE 73

Introduction to Network. Topics

Improving DNS Security and Resiliency. Carlos Vicente Network Startup Resource Center

DNS & Iodine. Christian Grothoff.

ECE 435 Network Engineering Lecture 7

CSC 574 Computer and Network Security. DNS Security

Higher layer protocols

Objectives. Upon completion you will be able to:

Distributed Systems. Distributed Systems Within the Internet Nov. 9, 2011

IPv6 support in the DNS

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Managing Caching DNS Server

Domain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

BIG-IP DNS Services: Implementations. Version 12.0

Domain Name System (DNS) DNS Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale. The old solution: HOSTS.

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

Domain Name System - Advanced Computer Networks

DNS Anycast Statistic Collection

Domain Name System (DNS)

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

Independent Submission Request for Comments: ISSN: January 2014

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

2017 DNSSEC KSK Rollover. DSSEC KSK Rollover

Recursives in the Wild: Engineering Authoritative DNS Servers

Computer Networks. Domain Name System. Jianping Pan Spring /25/17 CSC361 1

Internet Content Distribution

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC. Wes Hardaker

IPv6: Are we really ready to turn off IPv4? Geoff Huston APNIC

IPv6: An Introduction

4. Performance Specifications. 4.1 Goals and intentions of Service Level Agreements and Public Service Monitoring. Goals of Service Level Agreements:

Domain Name System (DNS) Session-1: Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale

Outline. CS5984 Mobile Computing. Host Mobility Problem 1/2. Host Mobility Problem 2/2. Host Mobility Problem Solutions. Network Layer Solutions Model

DNS and BGP. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu. University of Wisconsin CS 642

Computer Network 2015 Mid-Term Exam.

Outline. CS6504 Mobile Computing. Host Mobility Problem 1/2. Host Mobility Problem 2/2. Dr. Ayman Abdel-Hamid. Mobile IPv4.

Measuring the effects of DNSSEC deployment on query load

Domain Name System (DNS) Session 2: Resolver Operation and debugging. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

BIG-IP DNS Services: Implementations. Version 12.1

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

MIP4 Working Group. Generic Notification Message for Mobile IPv4 draft-ietf-mip4-generic-notification-message-16

More Internet Support Protocols

DNS Sessions. - where next? OARC 27 San Jose, Sep Sep 2017, San Jose. DNS OARC 27

Is Your Caching Resolver Polluting the Internet?

Putting it all together

A Security Evaluation of DNSSEC with NSEC Review

IPv6: Are we really ready to turn off IPv4?

CSCE 463/612 Networks and Distributed Processing Spring 2018

page 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, October 2016

The term "router" in this document refers to both routers and Layer 3 switches. Step Command Remarks. ipv6 host hostname ipv6-address

Is Your Caching Resolver Polluting the Internet?

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

KENIC-AFRINIC IPv6 Workshop 17th 20th June 2008

An Update on Anomalous DNS Behavior

DNS and BGP. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu. University of Wisconsin CS 642

Introduction to the Domain Name System

Domain Name Service. DNS Overview. October 2009 Computer Networking 1

Internet Engineering Task Force (IETF) Category: Informational. B. Carpenter Univ. of Auckland March 2012

Measuring IPv6 Adoption

DNSSEC KSK-2010 Trust Anchor Signal Analysis

Understanding and Characterizing Hidden Interception of the DNS Resolution Path

Network Security Part 3 Domain Name System

Applications & Application-Layer Protocols: (SMTP) and DNS

Defeating DNS Amplification Attacks. UKNOF Manchester Central, UK January Ralf Weber Senior Infrastructure Architect

CS101 Lecture 6: Internetworking: Internet Protocol, IP Addresses, Routing, DNS. John Magee 8 July Some images courtesy Wikimedia Commons

DNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

DNS. A Massively Distributed Database. Justin Scott December 12, 2018

Transcription:

A Root DNS Server Akira Kato WIDE Project kato@wide.ad.jp Brief Overview of M-Root Assumes basic knowledge on DNS Dr. Tatsuya Jinmei has introduced in Nov 19, 2004

What s Root Servers? Start point of the DNS name resolution process Root servers serves the top node of name tree "." All DNS servers offering caching service Need to know all Root Servers Names of each server IP address of each server Otherwise bootstrap problem happens No DNS names are resolvable! Root servers only provide information of Root servers TLD servers in-addr.arpa servers When queries are sent to a Root Server? At bootstrap (priming in bind terminology) DNS (bind) queries up-to-date list of Root Servers Equivalent to the following command % dig @[a-m].root-servers.net. ns Their IP addresses are described in "root.cache" file It might be obsoluted Old Root still responds correctly or no response Select the destination at random When got a query with an uncached TLD TLDs of Valid queries are likely in the cache Invalid TLD are likely subjects for Root query Queries with Typo in the TLD portion.local/.domain/...

Brief History 1987 7 servers with 10 IP addresses, all in U.S. 1990 8 servers with 11 IP addresses, one in SE 1995 9 servers with 9 IP addresses Renamed to [A-I].root-servers.net to allow maximum compression 1997 Jan J/K introduced at NSI (InterNIC) 1997 May L/M introduced at ISI (IANA) K moved to London operated by RIPE/NCC 1997 Aug M moved to Tokyo operated by WIDE Number of Root Servers DNS transport depends on UDP UDP doesn t need circuit setup Prompt response Message size is limited to 512bytes UDP/IP headers are extra Priming response must fit into 512byte SZ = 33 + 15*NS + 16*A With 13 NS, 13 A, response size is 436bytes 15 is the absolute maximum number 76bytes remaining with 13 Roots This is a valuable space for AAAA records SZ = 33 + 15*NS + 16*A + 28*AAAA

To serve better Number of Root servers is limited Too small to install in every country The powerful tool is anycasting Install the server in multiple locations Sharing the same service IP address Provide the same service in all servers Advertise the prefix via BGP Let routing system to choose the destination It is likely to choose the nearest server Anycasting RFC3258 All of the instances are managed by single entity Point of contact is identical among all instances Currently RFC3258 style anycasting is deployed at C/F/I/J/K/M 84 instances from A-M are working now See http://www.root-servers.org/ For M-Root, see http://m.root-servers.org/

Which instance serves you?... To identify, execute the following unix command % dig @m.root-servers.net hostname.bind chaos txt ;; ANSWER SECTION: HOSTNAME.BIND. 0 CH TXT "M-d1" The string "M-d1" indentifies the server instance if not clearly states where it is located Server Selection Which server to use if multiple candidates exist? TinyDNS in DJBDNS chooses one at random BIND chooses one with smallest RTT RTT is decreased slightly for other candidates Eventually be tried to know up-to-date RTT Prefers the nearest server Note that all servers are used, anyway But the frequency may vary very much

Benefit of Anycasting In many cases, it provides smaller RTT Not always a case, unfortunately But BIND prefers other letters in such a case Enhance the total server capacity Multiple servers are working in parallel Limit the holizon of DDoS attack Only a fraction of the instances get affected Nearest ones of DDoS sources Other instances work as usual Issue of Anycasting Anycasting may breaks in TCP A TCP session involes multiple packets Some packets may delivered to other instances Yielding the TCP session breaks When the routing topology changes This rarely happens in short-live TCP sessions When ISP performs per-packet load-balancing TCP performance get suffered due to re-oder This is highly discouranged in general

Future enhancements IPv6 transport support July 2004 root zone includes AAAA glues for TLD servers No AAAA for Root server is defined B/F/H/K/M is ready to respond in IPv6 But they are totally useless No AAAA is defined in root-servers.net zone The way to include more than 2 AAAA is undefined Need to evaluate the method carefully DNSSEC It is highly required for additional security in DNS Packet size is also an issue BIND9.3 supports DNSSEC based on latest spec Need to evaluate its performance as well

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback