dnswitness recent developments and the new passive monitor
play

DNSwitness: recent developments and the new passive monitor St - PowerPoint PPT Presentation

Jan 17, 2023 •19 likes •689 views

DNSwitness: recent developments and the new passive monitor St ephane Bortzmeyer AFNIC bortzmeyer@nic.fr RIPE 59 - Lisbon - October 2009 1 DNSwitness: recent developments and the new passive monitor / Where are we in the talk? Reminder

  1. DNSwitness: recent developments and the new passive monitor St´ ephane Bortzmeyer AFNIC bortzmeyer@nic.fr RIPE 59 - Lisbon - October 2009 1 DNSwitness: recent developments and the new passive monitor /

  2. Where are we in the talk? Reminder about DNSwitness 1 Measurements based on passive observations 2 Preliminary Results 3 Future work 4 Measurements based on active queries 5 2 DNSwitness: recent developments and the new passive monitor / Reminder about DNSwitness

  3. What is AFNIC AFNIC is the registry for the TLD “ .fr ” (France) . 54 employees, 1.5 million domain names and a R&D department. 3 DNSwitness: recent developments and the new passive monitor / Reminder about DNSwitness

  4. Motivation A DNS registry has a lot of information it does not use. Our marketing team or the technical team ask for all sorts of things (“How many of our domains are used for e-mail only?”) for which we may have the answer. 4 DNSwitness: recent developments and the new passive monitor / Reminder about DNSwitness

  5. More specific motivation Getting information about the deployment of new techniques like IPv6 We focus on things that we can obtain from the DNS because we are a domain name registry. 5 DNSwitness: recent developments and the new passive monitor / Reminder about DNSwitness

  6. More specific motivation Getting information about the deployment of new techniques like IPv6 We focus on things that we can obtain from the DNS because we are a domain name registry. Possible surveys: IPv6, SPF, DNSSEC, EDNS0, Zonecheck. . . Let’s build a multi-purpose platform for that! 5 DNSwitness: recent developments and the new passive monitor / Reminder about DNSwitness

  7. Other aims 1. Versatile , able to do many different surveys (most known tools deal only with one survey), 2. Works unattended (from cron, for instance), for periodic runs, 3. Stores raw results, not just aggregates, for long-term analysis, 4. Designed to be distributable, 5. Designed to be usable by small and medium actors (“ send the program to the users, not the data to a centralized analysis fabric ”). 6 DNSwitness: recent developments and the new passive monitor / Reminder about DNSwitness

  8. What we can learn from the DNS (and beyond) ◮ What we send out : active DNS queries sent to domain name servers. Active measurements. (Presented at the RIPE 57 meeting in Dubai.) 7 DNSwitness: recent developments and the new passive monitor / Reminder about DNSwitness

  9. What we can learn from the DNS (and beyond) ◮ What we send out : active DNS queries sent to domain name servers. Active measurements. (Presented at the RIPE 57 meeting in Dubai.) ◮ What comes in : DNS queries received by authoritative name servers, passively monitored (“Who knocks at the door and what are they asking for?”). Passive measurements. 7 DNSwitness: recent developments and the new passive monitor / Reminder about DNSwitness

  10. What we can learn from the DNS (and beyond) ◮ What we send out : active DNS queries sent to domain name servers. Active measurements. (Presented at the RIPE 57 meeting in Dubai.) ◮ What comes in : DNS queries received by authoritative name servers, passively monitored (“Who knocks at the door and what are they asking for?”). Passive measurements. We work on both, study the long-term evolution and publish results. 7 DNSwitness: recent developments and the new passive monitor / Reminder about DNSwitness

  11. Where are we in the talk? Reminder about DNSwitness 1 Measurements based on passive observations 2 Preliminary Results 3 Future work 4 Measurements based on active queries 5 8 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  12. Passive observation of queries It works by passive monitoring of the “ fr ” name servers. We are talking about long-term monitoring, not just the quick glance that DSC offers. The idea is to address the needs of the R&D or of the marketing, not just the needs of the NOC. 9 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  13. Passive observation of queries It works by passive monitoring of the “ fr ” name servers. We are talking about long-term monitoring, not just the quick glance that DSC offers. The idea is to address the needs of the R&D or of the marketing, not just the needs of the NOC. It works mostly by Ethernet port mirroring. 9 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  14. Expected uses of the passive measurements It allows us to survey things like: 10 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  15. Expected uses of the passive measurements It allows us to survey things like: ◮ Percentage of servers without SPR (Source Port Randomisation, see “ .at ” publications). 10 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  16. Expected uses of the passive measurements It allows us to survey things like: ◮ Percentage of servers without SPR (Source Port Randomisation, see “ .at ” publications). ◮ Percentage of queries done over IPv6 transport (unlike DSC, we will be able to study long-term trends). 10 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  17. Expected uses of the passive measurements It allows us to survey things like: ◮ Percentage of servers without SPR (Source Port Randomisation, see “ .at ” publications). ◮ Percentage of queries done over IPv6 transport (unlike DSC, we will be able to study long-term trends). ◮ Percentage of queries with EDNS0 or DO. 10 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  18. Expected uses of the passive measurements It allows us to survey things like: ◮ Percentage of servers without SPR (Source Port Randomisation, see “ .at ” publications). ◮ Percentage of queries done over IPv6 transport (unlike DSC, we will be able to study long-term trends). ◮ Percentage of queries with EDNS0 or DO. ◮ Top N domains for which there is a NXDOMAIN reply. 10 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  19. Expected uses of the passive measurements It allows us to survey things like: ◮ Percentage of servers without SPR (Source Port Randomisation, see “ .at ” publications). ◮ Percentage of queries done over IPv6 transport (unlike DSC, we will be able to study long-term trends). ◮ Percentage of queries with EDNS0 or DO. ◮ Top N domains for which there is a NXDOMAIN reply. ◮ But the list is open. . . 10 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  20. Sampling Packet trace files can grow very large Dozens of gigabytes are very common. And, to process such humongous data, you need a lot of RAM! 11 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  21. Sampling Packet trace files can grow very large Dozens of gigabytes are very common. And, to process such humongous data, you need a lot of RAM! Sampling is often the only solution, unless you have a lot of disk and machine power 11 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  22. A framework for sampling ◮ RFC 5474, A Framework for Packet Selection and Reporting (the general framework and the concepts) ◮ RFC 5475, Sampling and Filtering Techniques for IP Packet Selection (actual techniques) ◮ RFC 5476, Packet Sampling (PSAMP) Protocol Specifications (not used by DNSmezzo) Among the sampling techniques listed by RFC 5475: systematic count-based, systematic time-based, random (with various distributions), . . . 12 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  23. Limits of sampling Sampling makes sampling errors . If a phenomenon is rare, sampling can make it disappear completely. . . or promote it if it falls in the sampling window! 13 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  24. Limits of sampling Sampling makes sampling errors . If a phenomenon is rare, sampling can make it disappear completely. . . or promote it if it falls in the sampling window! Do not forget to plot the error bars. 13 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

  25. Limits of sampling Sampling is not suitable for many security studies: the attack can be just between the sampled packets. Example: BIND dynamic update DoS attack of 2009 where one packet was enough. References: section 9 of RFC 5475 and S. Goldberg, J. Rexford, ”Security Vulnerabilities and Solutions for Packet Sampling”, IEEE Sarnoff Symposium, Princeton, NJ, May 2007 http://www.cs. princeton.edu/~jrex/papers/psamp-security07.pdf . 13 DNSwitness: recent developments and the new passive monitor / Measurements based on passive observations

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hand arm Vibration & Hand-arm Vibration & Recent Developments Recent Developments

Hand arm Vibration & Hand-arm Vibration & Recent Developments Recent Developments

Hand arm Vibration & Hand-arm Vibration & Recent Developments Recent Developments Stuart McGregor & Bruce Appleton Noise & Vibration Specialists p Health & Safety Executive What we are going to talk about What we are

415 views • 28 slides
Macroeconomic Overview of India: Recent Trends and Developments Recent Trends and Developments

Macroeconomic Overview of India: Recent Trends and Developments Recent Trends and Developments

Macroeconomic Overview of India: Recent Trends and Developments Recent Trends and Developments Mathew Joseph Senior Consultant, ICRIER India-Taiwan Relations ICRIER-CIER Joint Feasibility Study New Delhi 1 7 January 2011 1 Structure 1. An

505 views • 18 slides
The use of passive samplers to monitor effectiveness of AC amendment to contaminated sediments

The use of passive samplers to monitor effectiveness of AC amendment to contaminated sediments

The use of passive samplers to monitor effectiveness of AC amendment to contaminated sediments Amy M.P. Oen, Elisabeth M.L. Janssen, Gerard Cornelissen, Gijs D. Breedveld, Espen Eek and Richard G. Luthy NORDROCS 2012 Oslo, Norway 18-21

215 views • 20 slides
Recent Economic Developments Recent Economic Developments January, 2 0 0 9 Published by

Recent Economic Developments Recent Economic Developments January, 2 0 0 9 Published by

REPUBLIC OF INDONESIA Recent Economic Developments Recent Economic Developments January, 2 0 0 9 Published by Investors Relations Unit Republic Indonesia Address Bank Indonesia International Directorate / Division of Foreign Debt Analysis

1.65k views • 115 slides
Malaysia Economic Monitor The Quest for Productivity Growth 1 Contents RECENT ECONOMIC

Malaysia Economic Monitor The Quest for Productivity Growth 1 Contents RECENT ECONOMIC

Malaysia Economic Monitor The Quest for Productivity Growth 1 Contents RECENT ECONOMIC DEVELOPMENTS AND OUTLOOK External environment Domestic economic developments Outlook THE QUEST FOR PRODUCTIVITY GROWTH Productivity

734 views • 56 slides
Fuel Poverty - recent developments and next steps 13 th November 2013 Recent developments

Fuel Poverty - recent developments and next steps 13 th November 2013 Recent developments

Fuel Poverty - recent developments and next steps 13 th November 2013 Recent developments Announcement on definition Fuel Poverty Changing the Framework for Measurement: Government response Steps to amend the fuel poverty target

183 views • 15 slides
NTRU Cryptosystem: Recent Developments Ron Steinfeld School of IT Monash University, Australia

NTRU Cryptosystem: Recent Developments Ron Steinfeld School of IT Monash University, Australia

Introduction NTRU Cryptosystem: Review NTRU Security: Recent Developments NTRU Applications: Recent Developments NTRU Cryptosystem: Recent Developments Ron Steinfeld School of IT Monash University, Australia (partly based on joint work with

1.29k views • 76 slides
Background and involvement in passive seismic Passive Seismic in the Literature World Oil

Background and involvement in passive seismic Passive Seismic in the Literature World Oil

Background and involvement in passive seismic Passive Seismic in the Literature World Oil Article Geo Expo Article AAGP Explorer Article Basic Equipment Gear and ATV Seismometer Data Recorder Monitor Hookup Problems Problems Wind

733 views • 42 slides
FDI Recent changes in Policy, Sectoral and other developments CA Shabbir Motorwala 22

FDI Recent changes in Policy, Sectoral and other developments CA Shabbir Motorwala 22

FDI Recent changes in Policy, Sectoral and other developments CA Shabbir Motorwala 22 December 2018 CTC - Intensive study course on FEMA Mumbai 1 Conten Co ents Overview of FEMA Inbound Investment Recent Developments FEMA 20

593 views • 35 slides
Public procurement law recent developments Christopher Brown cbrown@matrixlaw.co.uk

Public procurement law recent developments Christopher Brown cbrown@matrixlaw.co.uk

Public procurement law recent developments Christopher Brown cbrown@matrixlaw.co.uk @CBrownMatrix Overview The reform agenda Recent CJEU developments Recent domestic litigation The reform agenda December 2011: Commission

240 views • 11 slides
Data Protection in Israel Overview & Recent Developments in Financial Sector David

Data Protection in Israel Overview & Recent Developments in Financial Sector David

Data Protection in Israel Overview & Recent Developments in Financial Sector David Mirchin Head of Technology Transactions Group 2009 2 2010-2011 Bad luck 3 Topics 1. Context: Recent Developments 2. EU: Israel Adequately

534 views • 28 slides
Recent Developments in Disjunctive Programming Egon Balas Carnegie Mellon University Recent

Recent Developments in Disjunctive Programming Egon Balas Carnegie Mellon University Recent

Recent Developments in Disjunctive Programming Egon Balas Carnegie Mellon University Recent Developments in Disjunctive Programming 01.09.17 1 / 56 Recent Developments in Disjunctive Programming 1. Background and basic results 2.

886 views • 56 slides
Graphical Causal Models for Time Series Econometrics: Some Recent Developments and Applications

Graphical Causal Models for Time Series Econometrics: Some Recent Developments and Applications

Introduction SVAR GMs Application to SVAR Recent Developments Graphical Causal Models for Time Series Econometrics: Some Recent Developments and Applications Alessio Moneta Max Planck Institute of Economics, Jena 10 December 2009

900 views • 60 slides
Recent developments in Resource Adequacy in California Karl Meeusen, PhD Senior Advisor

Recent developments in Resource Adequacy in California Karl Meeusen, PhD Senior Advisor

Recent developments in Resource Adequacy in California Karl Meeusen, PhD Senior Advisor Infrastructure and Regulatory Policy WECC Market Interface Committee June 27, 2019 Overview Overview Recent developments at the CPUC

453 views • 8 slides
Disclaimer As we continue to monitor the developments surrounding Coronavirus (COVID-19), this

Disclaimer As we continue to monitor the developments surrounding Coronavirus (COVID-19), this

Texas Apartment Association, Inc. Title slide design to come FAQs on COVID-19 and the Texas Rental Housing Industry March 27, 2020 1 Disclaimer As we continue to monitor the developments surrounding Coronavirus (COVID-19), this seminar

259 views • 5 slides
Some recent developments in gravitational lensing to

Some recent developments in gravitational lensing to

Some recent developments in gravitational lensing to professors Toshi Futamase, Hideo Kodama and Misao Sasaki Matthias Bartelmann, Heidelberg University, Institute for Theoretical Astrophysics JGRG22,

614 views • 25 slides
DNS Security in the Broadest sense Some good news, some bad Bert Hubert PowerDNS.COM / Fox-IT

DNS Security in the Broadest sense Some good news, some bad Bert Hubert PowerDNS.COM / Fox-IT

DNS Security in the Broadest sense Some good news, some bad Bert Hubert PowerDNS.COM / Fox-IT Agenda DNS is scary & complex DNS is everywhere Embedded 1984 vintage code Threats: Availability, integrity, code exploitation

510 views • 35 slides
DNS Requirements Large domain registrar A few hundred thousand domains using our DNS.

DNS Requirements Large domain registrar A few hundred thousand domains using our DNS.

Scaling DNS Requirements Large domain registrar A few hundred thousand domains using our DNS. Nearly a million domains Still growing Need fast updates on the authoritative servers Especially when a new domain is added

557 views • 21 slides
FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer

FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer

x January 2018 FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer 1 Key M Messages es Distributed Analysis (at the collection points) enables scale, flexibility and timely indicators.

364 views • 11 slides
Domain Name System (DNS) Session-1: Fundamentals Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar

Domain Name System (DNS) Session-1: Fundamentals Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar

Domain Name System (DNS) Session-1: Fundamentals Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar Computers use IP addresses. Why do we need names? Names are easier for people to remember Computers may be moved between networks, in which

462 views • 29 slides
Non Profit Lobbying What is lobbying? Is it the proverbial, sinister behind-the-scenes

Non Profit Lobbying What is lobbying? Is it the proverbial, sinister behind-the-scenes

Non Profit Lobbying What is lobbying? Is it the proverbial, sinister behind-the-scenes handshake agreement? Or is it something not so sinister? What do you think? Lobbying is Political to be political, as per the IRS, means to engaged in

214 views • 5 slides
Operators Deep Dive Graham Hayes / HP Ron Rickard / eBay Inc. Graham Hayes - HP Cloud Ron

Operators Deep Dive Graham Hayes / HP Ron Rickard / eBay Inc. Graham Hayes - HP Cloud Ron

Operators Deep Dive Graham Hayes / HP Ron Rickard / eBay Inc. Graham Hayes - HP Cloud Ron Rickard Sr. Cloud Engineer, eBay Inc. rrickard@ebaysf.com irc.freenode.net: rjrjr Agenda Designate Overview Designate REST API Designate and Neutron

571 views • 33 slides
DISSECTING DNS STAKEHOLDERS IN MOBILE NETWORKS 2 CoNEXT 2017, Seoul/Incheon WHY TO STUDY

DISSECTING DNS STAKEHOLDERS IN MOBILE NETWORKS 2 CoNEXT 2017, Seoul/Incheon WHY TO STUDY

Mario Almeida, Alessandro Finamore, Diego Perino, Narseo Vallina-Rodriguez, Matteo Varvello CoNEXT 2017 - Seoul/Incheon, South Korea DISSECTING DNS STAKEHOLDERS IN MOBILE NETWORKS 2 CoNEXT 2017, Seoul/Incheon WHY TO STUDY DNS IN MOBILE

476 views • 28 slides
The Other 95%: The Unsecure Internet You Dont Know About Internet Protocol Manipulations

The Other 95%: The Unsecure Internet You Dont Know About Internet Protocol Manipulations

The Other 95%: The Unsecure Internet You Dont Know About Internet Protocol Manipulations Sharon Goldberg BGP : Border Gateway Protocol DNS : Domain Name System BGP manipulation from July 2013 Abroad USA Qwest/ Centurylink Endpoint in

381 views • 11 slides

More recommend