DNS domains and servers testing Sl Slavko Gajin k G ji slavko.gajin@ rcub.bg.ac.rs AMRES – Academic Network of Serbia RCUB - Belgrade University Computer Center ETF – Faculty of Electrical Engineering
Motivation DNS – first and still basic infrastructural network service Must be always up and running Multi-redundant DNS is “ boring” for netadmins, comparing to other newer services Usually works well, at least nobody complains… y , y p Do ALL our serves work well or work at all? DIG can give all the answers… … but highly difficult to cross-check and analyze lot of textual but highly difficult to cross-check and analyze lot of textual data S olution DNS DNS testing tools: DNS testing tools: DNS S S quish, DNS quish DNS S S leuth DNS leuth, DNS S S tuff, DNS tuff DNS goodies goodies ICmyNet.DNS Automaticaly test all DNS serves involved in resolution for specified domain, including all servers on all parent domains do a , clud g all se ve s o all pa e t do a s Free online service (beta) – live.icmynet.com/icmynet-dns TF-NOC, 11.10.2011
ICmyNet.DNS Checks More then 35 different checks at domain and server level Reported levels Notification – information about normal conditions Warning – minor errors, non-compliant with the standards and recommendations Error – serious but not critical errors – services is still working E i b t t iti l i i till ki Critical – critical errors which cause service misbehavior or interruption TF-NOC, 11.10.2011
Warnings S OA syntax and parameters S OA record has invalid syntax: primary nameserver name is invalid. Refresh interval is not in the recommended range (1200 - 43200s). Retry interval is not in the recommended range (900 - 7200s). Expire time is not in the recommended range (1209600 - 2678400s). Minimum TTL is not in the recommended range (3600 - 10800s). CNAME, A record, PTR record / Mail server server-name has CNAME record. DNS server-name server does not have an A record on the primary server. There is no PTR record for name server name . Reverse name reverse name for server server name has CNAME record Reverse name reverse name for server server name has CNAME record. Mail servers mail server 1 and mail server 2 … and mail server N have the same IP address. AS , subnets, public address All DNS All DNS servers are in the same AS i th AS . All DNS servers are in the same subnet. All DNS servers have the same C class. Mail server does not have public IP address. p NS NS records of the primary server do not match the list of authoritative servers. TF-NOC, 11.10.2011
Errors Public zone transfer – security risk erver supports public zone transfer for domain domain . S Recursion erver supports recursion for domain domain . S No mail servers No mail servers found. A record A d server-name server does not have an A record on the primary server. A Records for servers name1 , name2, … , nameN have the same IP address. There is no A Record on the primary DNS server for mail server mail server . S erver does not have a public IP address. Consistency with the parent servers Consistency with the parent servers S erver server-name is authoritative and parents are referring to it but it is not defined on the primary server (S tealth server). S OA Unable to determine primary DNS Unable to determine primary DNS server server. NS TTL Time to live (TTL) differs from the primary server. TF-NOC, 11.10.2011
Critical errors UDP/ TCP response S erver did not respond over the UDP protocol. S erver did not respond over the TCP protocol. p p S OA S OA version number is different from the primary server. Authority erver is not authoritative for domain domain . i d i S S i t th it ti f d Consistency with the parent servers There is no A Record (Glue Record) for server name at the parent zone. erver server-name is not authoritative but parents are referring to it. S p g erver server-name is authoritative but parents are not referring to it S (S tealth server). A Records from parents and zone for server name do not match. Mail server Mail server MX record has invalid syntax. A Record for mail server differs from the A Record of the server-domain domain's primary server. L Loop number loop(s) found. TF-NOC, 11.10.2011
Example – Healthy domain TF-NOC, 11.10.2011
Example - Stealth servers TF-NOC, 11.10.2011
Example - Unsynchronized SOA TF-NOC, 11.10.2011
Example - Server is not responding TF-NOC, 11.10.2011
Example – non authoritative server TF-NOC, 11.10.2011
Example - Loops TF-NOC, 11.10.2011
What next? Receive and analyze the feedbacks Clean up some bugs I Improve functionality - new tests f ti lit t t New research PhD proj ect – DNS testing portal Testing as many domains as possible Report warnings/ errors/ critical errors to DNS admins Portal for DNS admins change settings, schedule tests, specify reporting check out from the reporting Goals spread awareness about DNS spread awareness about DNS problems before they appear problems before they appear initiate wide DNS clean-up Target group – NREN members support the proj ect by providing a list of domains of NREN members support the proj ect by providing a list of domains of NREN members TF-NOC, 11.10.2011
rcub.bg.ac.rs slavko.gaj in@ Questions TF-NOC, 11.10.2011
Recommend
More recommend
