is a single dns vendor enough
play

Is a single DNS vendor enough? How can we make multi-vendor setups - PowerPoint PPT Presentation

May 15, 2023 •373 likes •642 views

Is a single DNS vendor enough? How can we make multi-vendor setups manageable? Petr paek petr.spacek@nic.cz 2019-02-03 Outline A single vendor Selection Why not ... Multiple vendors Recommendations

  1. Is a single DNS vendor enough? How can we make multi-vendor setups manageable? Petr Špaček • petr.spacek@nic.cz • 2019-02-03

  2. Outline ● A single vendor ● Selection ● Why not ... ● Multiple vendors ● Recommendations ● Discussion – common config interface

  3. Selecting a vendor ● Features ● Performance ● SLA ● Price ● ...

  4. Selecting a vendor: Features docID title pages currentStatus obsoleted sections DNSSEC STANDARD DNS64: DNS Extensions for Network Address PROPOSED RFC6147 32 0 core Translation from IPv6 Clients to IPv4 Servers STANDARD PROPOSED RFC6604 xNAME RCODE and Status Bits Clarification 5 0 core STANDARD Elliptic Curve Digital Signature Algorithm (DSA) for PROPOSED RFC6605 8 0 core DNSSEC STANDARD PROPOSED RFC6672 DNAME Redirection in the DNS 22 0 core STANDARD DNS Security (DNSSEC) DNSKEY Algorithm IANA PROPOSED RFC6725 5 0 core Registry Updates STANDARD Improved Recursive DNS Server Selection for Multi- PROPOSED RFC6731 29 0 core Interfaced Nodes STANDARD PROPOSED RFC6761 Special-Use Domain Names 13 0 core STANDARD Clarifications and Implementation Notes for DNS PROPOSED RFC6840 21 0 core Security (DNSSEC) STANDARD INTERNET RFC6891 Extension Mechanisms for DNS (EDNS(0)) 16 0 core STANDARD Applicability Statement: DNS Security (DNSSEC) PROPOSED RFC6944 7 0 core DNSKEY Algorithm Implementation Status STANDARD Signaling Cryptographic Algorithm Understanding in PROPOSED RFC6975 9 0 core DNS Security Extensions (DNSSEC) STANDARD

  5. Selecting a vendor: Performance Response Rate Linux 4.15.0, TLD (1M), (2018-08-01) 2 250k 2 000k 1 750k Answers per second 1 500k 1 250k 1 000k 750k 500k 250k 0k 250k 500k 750k 1 000k 1 250k 1 500k 1 750k 2 000k 2 250k 2 500k 2 750k 3 000k Queries per second BIND 9.12.2 Knot DNS 2.7.0 Knot DNS 2.6.8 NSD 4.1.22 PowerDNS 4.1.3 TLD (1M) Zones: 1 DNSSEC: no RR count: 1M Content: delegations (2 NS) + glue records (A, AAAA) Queries: random QNAME Replies: 100% NOERROR Other sites: Labs | FRED | BIRD | Turris Omnia | CSIRT | Turris | Web scanner powered by

  6. Selecting a vendor: SLA, price, ... Bronze Silver Gold Platinum Response time NBD 12 hours 6 hours 3 hours Resolution time (hours) 96 72 24/48/72 24/48/72 Early notifications yes yes yes yes Prioritized development no no yes yes Phone support no no yes yes Chat support no yes yes yes E-mail support yes yes yes yes Consultancy (hours) – 8 24 72 On-site support no no no yes Yearly fee (EUR) 5 000 10 000 20 000 50 000

  7. Still, you can't avoid ... Segmentation fault (core dumped) 4 4 4 3 3 3 5 5 5 2 2 2 6 6 6 1 1 1 7 7 7 8 8 8 9 9 9 0 0 0 Image attribution: Videoplasty.com

  8. (https://kb.isc.org/docs/aa-01496) 91 failure in rbtdb.c (https://kb.isc.org/docs/aa-01602) 93 2018-5734 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2018-5734) A malformed request can trigger an assertion failure in badcache.c (https://kb.isc.org/docs/aa-01562) 92 2017-3145 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2017-3145) Improper fetch cleanup sequencing in the resolver can cause named to crash (https://kb.isc.org/docs/aa-01542) 2017-3143 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2018-5736) bin/cvename.cgi?name=CVE-2017-3143) An error in TSIG handling can permit unauthorized dynamic updates (https://kb.isc.org/docs/aa-01503) 90 2017-3142 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2017-3142) An error in TSIG handling can permit unauthorized zone transfers (https://kb.isc.org/docs/aa-01504) 89 2017-3141 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2017-3141) Windows service and uninstall paths are not quoted when BIND is installed Multiple transfers of a zone in quick succession can cause an assertion 2018-5736 (http://cve.mitre.org/cgi- A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion 94 CVE Number Short Description 98 2018-5741 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2018-5741) Update policies krb5-subdomain and ms-subdomain do not enforce controls promised in their documentation (https://kb.isc.org/docs/cve-2018-5741) 97 2018-5740 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2018-5740) failure in named (https://kb.isc.org/docs/aa-01639) 96 2018-5738 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2018-5738) Some versions of BIND can improperly permit recursive query service to unauthorized clients (https://kb.isc.org/docs/aa-01616) 95 2018-5737 (http://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2018-5737) BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled (https://kb.isc.org/docs/aa-01606) # You cannot win with … BIND

  9. You cannot win with … Knot Knot DNS 1.4.0 (2014-01-06) =========================== Bugfixes: --------- - AXFR crash with specific packet

  10. You cannot win with … Microsoft Home / Cisco Security / Security Advisories and Alerts Multivendor Vulnerability Alert Microsoft Windows DNS Server Denial of Service Vulnerability Alert ID: 53604 First Published: 2017 May 9 18:33 GMT Medium Version: 1 CVE-2017-0171 CWE-399 CVSS Score: Base 5.3, Temporal 4.8

  11. Docs (../indexTOC.html) / Security Advisories Security Advisories You cannot win with … PowerDNS All security advisories for the PowerDNS Authoritative Server are listed here. PowerDNS Security Advisory 2018-05: Packet cache pollution via crafted query (powerdns-advisory-2018-05.html) PowerDNS Security Advisory 2018-03: Crafted zone record can cause a denial of service (powerdns-advisory-2018-03.html) PowerDNS Security Advisory 2018-02: Buffer overflow in dnsreplay (powerdns-advisory-2018-02.html) PowerDNS Security Advisory 2017-04: Missing check on API operations (powerdns-advisory-2017-04.html) PowerDNS Security Advisory 2016-05: Crafted zone record can cause a denial of service (powerdns-advisory-2016-05.html) PowerDNS Security Advisory 2016-04: Insufficient validation of TSIG signatures (powerdns-advisory-2016-04.html) PowerDNS Security Advisory 2016-03: Denial of service via the web server (powerdns-advisory-2016-03.html) PowerDNS Security Advisory 2016-02: Crafted queries can cause abnormal CPU usage (powerdns-advisory-2016-02.html) PowerDNS Security Advisory 2016-01: Crafted queries can cause unexpected backend load (powerdns-advisory-2016-01.html) PowerDNS Security Advisory 2015-03: Packet parsing bug can lead to crashes (powerdns-advisory-2015-03.html) PowerDNS Security Advisory 2015-02: Packet parsing bug can cause thread or process abortion (powerdns-advisory-2015-02.html) PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes or CPU spikes (powerdns-advisory-2015-01.html)

  12. You cannot win with … Unbound

  13. Cloud to the rescue?

  14. You cannot win with … Cloudflare APNIC Labs/CloudFlare DNS 1.1.1.1 Outage: Hijack or Mistake? By Aftab Siddiqui Technical Engagement Manager for Asia-Paci�c At 29-05-2018 08:09:45 UTC, BGPMon (A very well known BGP monitoring system to detect pre�x hijacks, route leaks and instability) detected a possible BGP hijack of 1.1.1.0/24 pre�x. Cloud�are Inc has been announcing this pre�x from AS 13335 since 1st April 2018 after signing an initial 5-year research agreement with APNIC Research and Development (Labs) to o�er DNS services. Shanghai Anchang Network Security Technology Co., Ltd. (AS58879) started announcing 1.1.1.0/24 at 08:09:45 UTC, which is normally announced by Cloud�are (AS13335). The possible hijack lasted only for less than 2min. The last announcement of 1.1.1.0/24 was made at 08:10:27 UTC. The BGPlay screenshot of 1.1.1.0/24 is given below:

  15. You cannot win with … Dyn Post Mortem: Today's Attack To Dyn Standard DNS Nameservers | Dyn Blog For customers utilizing the Dyn Standard DNS platform who were impacted by a DDoS attack on our service today, the following is an account of what happened and steps we’re taking to improve. No outages were observed on the DynECT Managed DNS platform (served using an Anycast network) during the course of the event. 11:52 UTC: The Dyn Operations team began to see traffic increase to various data centers across the network. Over the next 15 minutes, the traffic increased to the point that it was clear there was a Distributed Denial of Service (DDoS) attack against all five Dyn Standard DNS name servers and the team immediately began investigating the issue. The attack brought in a tremendous amount of traffic and caused the name servers to become overwhelmed. It

  16. Turn visitors into customers. Google's brief outage caused a noticeable drop in GoSquared information. Because of this, there was a noticeable drop in the number of pageviews coming into Google.com at the same time – preventing website domains from being resolved and users from searching for Google’s DNS service (8.8.8.8 and 8.8.4.4) went down very briefly today at 11:29am GMT. This took down Simon Tabor on October 13, 2014 avatar Tabor Simon Traffic Google DNS Outage: 4.7% drop in global traffic Learn more about GoSquared Engineering Blog Subscribe Email address... week. Get our latest posts delivered to your inbox every 15,000 people read our newsletter. You cannot win with … Google

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Answer ALL of your Vendor Management Questions. 3 1 10/17/2019 Learning Objectives

Answer ALL of your Vendor Management Questions. 3 1 10/17/2019 Learning Objectives

10/17/2019 Vendor Management Fundamentals Jill Donnelly, Katie Germain, Robert Lehmann, and Karisa Stowell 1 1 Road Map NYS Vendor File Vendor Registration Vendor Maintenance eCommerce Initiative 1099 Reporting

330 views • 19 slides
Is Your Utility Making the Move to Paperless? then a Single-Vendor Cloudsourcing Solution is

Is Your Utility Making the Move to Paperless? then a Single-Vendor Cloudsourcing Solution is

Is Your Utility Making the Move to Paperless? then a Single-Vendor Cloudsourcing Solution is Likely Your Best Path Forward Alliance for Innovation --- eLearning Webinar Presentation Lead by TWI John Schott, President and CEO May 30, 2013 Go

545 views • 33 slides
Optimizing the Agency/Vendor Relationship Katie Germain, Linda Herald, Robert Lehmann 1 1 Road

Optimizing the Agency/Vendor Relationship Katie Germain, Linda Herald, Robert Lehmann 1 1 Road

Optimizing the Agency/Vendor Relationship Katie Germain, Linda Herald, Robert Lehmann 1 1 Road Map Vendor Improvements Vendor Self-Service/Vendor Portal Choosing the correct vendor Location eCommerce Initiative

594 views • 41 slides
How to Become a Certified USDA Vendor Andrea Lang, New Vendor Coordinator Good Afternoon

How to Become a Certified USDA Vendor Andrea Lang, New Vendor Coordinator Good Afternoon

How to Become a Certified USDA Vendor Andrea Lang, New Vendor Coordinator Good Afternoon everyone and thank you for joining us today for our webinar on how to become an approved vendor with USDA, Agricultural Marketing Service, Commodity

650 views • 17 slides
WIC Vendor? Policies and Procedures for WIC Vendor Authorization in T ennessee Presented by

WIC Vendor? Policies and Procedures for WIC Vendor Authorization in T ennessee Presented by

So You Think You Can be a WIC Vendor? Policies and Procedures for WIC Vendor Authorization in T ennessee Presented by Jerry Orenstein WIC Food Delivery Administrator T ennessee Department of Health NWA Technology & Program

516 views • 24 slides
SmartSA Vendor Summit Mobility We plan to keep you moving Cooperative Comprehensive Continuous

SmartSA Vendor Summit Mobility We plan to keep you moving Cooperative Comprehensive Continuous

SmartSA Vendor Summit Mobility We plan to keep you moving Cooperative Comprehensive Continuous Encompassing all Ongoing planning No single agency has responsibility for the transportation modes, should take place to entire transportation

660 views • 16 slides
VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & General America May 18, 2018

VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & General America May 18, 2018

VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & General America May 18, 2018 Todays Presentation ! Definitions ! Why do we need Vendor Risk Management ! Risks Posed by Third Party / Vendor Relationships ! Vendor Risk

346 views • 24 slides
VENDOR DAY RUNWAYS TO BUSINESS VENDOR DAY AGENDA Opening & Welcoming Remarks with Overview

VENDOR DAY RUNWAYS TO BUSINESS VENDOR DAY AGENDA Opening & Welcoming Remarks with Overview

VENDOR DAY RUNWAYS TO BUSINESS VENDOR DAY AGENDA Opening & Welcoming Remarks with Overview of DAS How to register to do business with the City of Dallas (Office of Procurement Services) DBE Documents What is Required (Office of Business

592 views • 33 slides
Vendor Portal Onsite Training Slides August 2017 Version 1.04 Vendor Portal 10.5.3.188

Vendor Portal Onsite Training Slides August 2017 Version 1.04 Vendor Portal 10.5.3.188

Vendor Portal Onsite Training Slides August 2017 Version 1.04 Vendor Portal 10.5.3.188 August 2017 Welcome We ask that you kindly Turn off cell phones and mobile devices Use your laptops for exercises only Please

1.16k views • 84 slides
Submitting your Vendor Showdown Presentation January 2020 exhibitor-support@isc-events.com

Submitting your Vendor Showdown Presentation January 2020 exhibitor-support@isc-events.com

Submitting your Vendor Showdown Presentation January 2020 exhibitor-support@isc-events.com Please note: It is only possible to submit your Vendor Showdown presentation after you submitted your Vendor Showdown speaker information! STEP 1: Log

95 views • 7 slides
PaymentWorks New Vendor Registration Tool October 24, 2018 1 What Is PaymentWorks?

PaymentWorks New Vendor Registration Tool October 24, 2018 1 What Is PaymentWorks?

PaymentWorks New Vendor Registration Tool October 24, 2018 1 What Is PaymentWorks? PaymentWorks is a cloud-based onboarding application for automating the vendor registration process Service center users are able to send email

326 views • 22 slides
How to turn every lead into a client using vendor finance www.owndontrent.com.au | 02 9896 1612

How to turn every lead into a client using vendor finance www.owndontrent.com.au | 02 9896 1612

How to turn every lead into a client using vendor finance www.owndontrent.com.au | 02 9896 1612 Agenda Tonight Introduction: Eleanor Clapham - M arketing and Project M anager, Own Dont Rent Vendor Finance, how it works, how it

394 views • 38 slides
457 Trustee & Recordkeeper Recommendation Leslie Ritter, PHR Director of Human Resources 1

457 Trustee & Recordkeeper Recommendation Leslie Ritter, PHR Director of Human Resources 1

457 Trustee & Recordkeeper Recommendation Leslie Ritter, PHR Director of Human Resources 1 Table of Contents 1. Purpose of Vendor Evaluation 2. Timeline 3. Vendor Search Process 4. Vendor Due Diligence and Ranking Factors 5. Final Rankings

216 views • 10 slides
A A Premier Fina nanc ncial Techno hnology gy Partne tner More than just a vendor, we are

A A Premier Fina nanc ncial Techno hnology gy Partne tner More than just a vendor, we are

A A Premier Fina nanc ncial Techno hnology gy Partne tner More than just a vendor, we are built to add value beyond the scope of a traditional payment mindset. A vendor supplies a product or service to a client. A partner becomes an

589 views • 11 slides
WSLCB Kim Sauer/Susan Harrell Responsible Vendor Program (RVP) Mandatory Alcohol Server Training

WSLCB Kim Sauer/Susan Harrell Responsible Vendor Program (RVP) Mandatory Alcohol Server Training

Responsible Vendor Program Is it the right program for your community? WSLCB Kim Sauer/Susan Harrell Responsible Vendor Program (RVP) Mandatory Alcohol Server Training (MAST) 6-20-2014 Topics to be discussed today: Is the Responsible Vendor

145 views • 12 slides
State of Collaboration Vendor Responsibility and Workers Compensation Requirements 1 TODAY

State of Collaboration Vendor Responsibility and Workers Compensation Requirements 1 TODAY

10/17/2019 State of Collaboration Vendor Responsibility and Workers Compensation Requirements 1 TODAY WHAT SHOULD YOU EXPECT? Identify agency requirement to determine vendor responsibility COURSE Learn how to use key resources

497 views • 25 slides
On Parallel Processing of Aggregate and Scalar Functions in Object-Relational DBMS Michael

On Parallel Processing of Aggregate and Scalar Functions in Object-Relational DBMS Michael

On Parallel Processing of Aggregate and Scalar Functions in Object-Relational DBMS Michael Jaedicke, Bernhard Mitschang ACM SIGMOD 1998, 06/04/1998 Overview: Introduction to user-defined functions Parallel processing of UDFs a

505 views • 18 slides
3. There is no chat or Q&A function during the meeting other than the raise hand function

3. There is no chat or Q&A function during the meeting other than the raise hand function

1. Please note that this webinar is being recorded. 2. All attendees have muted cameras and microphones. There will be a public comment period during the meeting, and at that time we will explain again how attendees can raise their hand in order

471 views • 26 slides
Improving Quality in residential projects using KEY CHARACTERISTICS (KCs) Lessons learned from

Improving Quality in residential projects using KEY CHARACTERISTICS (KCs) Lessons learned from

1/23/2012 Improving Quality in residential projects using KEY CHARACTERISTICS (KCs) Lessons learned from the Manufacturing Industry Andrea Caicedo University of Houston Fall 2011 AGENDA: Problem Statement Background Goals

299 views • 16 slides
Iterative Optimization in the Polyhedral Model: Part II, Multidimensional Time Louis-Nol Pouchet

Iterative Optimization in the Polyhedral Model: Part II, Multidimensional Time Louis-Nol Pouchet

Iterative Optimization in the Polyhedral Model: Part II, Multidimensional Time Louis-Nol Pouchet 1 Cdric Bastoul 1 Albert Cohen 1 John Cavazos 2 1 ALCHEMY group, INRIA Saclay / University of Paris-Sud 11, France 2 Dept. of Computer &

771 views • 34 slides
Operating System Principles: Services, Resources, and Interfaces CS 111 Operating Systems

Operating System Principles: Services, Resources, and Interfaces CS 111 Operating Systems

Operating System Principles: Services, Resources, and Interfaces CS 111 Operating Systems Peter Reiher Lecture 2 CS 111 Page 1 Fall 2016 Outline Operating systems services System service layers and mechanisms Service interfaces

830 views • 69 slides
EECS 373 Design of Microprocessor-Based Systems Prabal Dutta University of Michigan Lecture 2:

EECS 373 Design of Microprocessor-Based Systems Prabal Dutta University of Michigan Lecture 2:

EECS 373 Design of Microprocessor-Based Systems Prabal Dutta University of Michigan Lecture 2: Architecture, Assembly, and ABI September 4, 2014 Slides developed in part by Mark Brehob 1 Announcements Website up

564 views • 52 slides
Goals for Today Learning Objective: Define a taxonomy for virtualization architectures

Goals for Today Learning Objective: Define a taxonomy for virtualization architectures

Goals for Today Learning Objective: Define a taxonomy for virtualization architectures Announcements, etc: Midterm debrief forthcoming (please do not post to piazza yet) C4 summaries due Friday (as always) MP2 due March 18th

549 views • 30 slides
CS 423 Operating System Design: "Virtual" Machines Tianyin Xu CS 423: Operating

CS 423 Operating System Design: "Virtual" Machines Tianyin Xu CS 423: Operating

CS 423 Operating System Design: "Virtual" Machines Tianyin Xu CS 423: Operating Systems Design Yet another level of virtualization? The OS has thus far served as the illusionist, tricking unsuspecting applications into thinking

820 views • 50 slides

More recommend