looking at dns traces what do we know about resolvers
play

Looking at DNS traces: What do we know about resolvers? lafur Gu - PowerPoint PPT Presentation

Mar 07, 2023 •417 likes •623 views

Looking at DNS traces: What do we know about resolvers? lafur Gu mundsson Shinkuro Ogud@shinkuro.com Motivation: Open Questions What is the market share for resolver X What can we deduct from traces to a subset of authorative

  1. Looking at DNS traces: What do we know about resolvers? Ólafur Gu � mundsson Shinkuro Ogud@shinkuro.com

  2. Motivation: Open Questions � What is the “market share” for resolver X � What can we deduct from traces to a subset of authorative servers ? � Can we predict the effect of adding/deleting a server in location Y ? � Do resolvers behave according to the RFC’s? � Or more generally how do they behave? Oarc-SF-Mar-2011 ogud@shinkuro.com 2 March 13, 11

  3. Case #1: CCTTL adds foreign DNS servers by a commercial operator � The new operator is supposed to answer questions from outside the country. � The new operator charges per query answered. � The CCTLD operator did their homework and predicted what percentage of queries are “foreign” � The bills were higher than predicted � Is the operator over charging? � Is the operator “stealing” traffic from inside the country? � Was the model wrong? Oarc-SF-Mar-2011 ogud@shinkuro.com 3 March 13, 11

  4. Case #2: DNS operator change I was asked to document a procedure that allowed transfer of a DNSSEC signed domain to a new operator � Questions: � In what sequence to perform operations � How long to wait for information to propagate before next step � How do resolvers treat repeated information, such as NS set in authority section � Do they modify the TTL of the stored NS set ? � Which NS set do resolvers use ? � Important during change and when Parent or Child differ � Resolver that uses the Child set � and “stretches” the TTL � And asks question to the domain often enough o � may not discover an operator change Oarc-SF-Mar-2011 ogud@shinkuro.com 4 March 13, 11

  5. Case #3: What % of resolvers support DNAME ? � This question was raised in the context of D+C proposal � Quick survey showed less deployment of DNAME support than expected by looking at well known implementations � supported DNAME, � BIND, Unbound, WindowsDNS, Nominum � did not � Power Recursor, DJBdns/OpenDNS, Google, � How about all the other resolvers? Oarc-SF-Mar-2011 ogud@shinkuro.com 5 March 13, 11

  6. Case #4: DNSSEC validation in the wild � I have been working with traces from .ORG to try to find out how much validation is going on. � Org. DNSKEY TTL is 15 minutes � Org. DS TTL is 1 day � 50 minute long traces � I look for DNSKEY and DS queries from an resolver. � If a resolver asks for � DNSKEY twice (at least 15 minutes apart) � or for a DS for a signed domain � it is validating Oarc-SF-Mar-2011 ogud@shinkuro.com 6 March 13, 11

  7. ORG DNSSEC validation study issues � I only have traces for the DNS server that Afilias operates for .org. � Afilias operates 2/3 of NS records � PCH operates 1/3 of NS records � PCH has more sites � Afilias sees about 50% of query traffic � My first questions: � what is the probably that my traces see a DNSKEY or DS query? � What kind resolvers do I see and why ? � Does the probably of seeing an interesting query depend on how busy the resolver is ? Oarc-SF-Mar-2011 ogud@shinkuro.com 7 March 13, 11

  8. Transfer work: � Are resolvers parent or child centric? � Do sticky resolvers exist? � What is the percentage of each ? � Simple experiments: � Set up a zone and with one server is only in one NS set � Works if all resolvers are queried with identical probability � Set up zone with two sets of authoritative server(s) � One set referenced in parent the other one in children Oarc-SF-Mar-2011 ogud@shinkuro.com 8 March 13, 11

  9. Sticky Resolver detection Zone setup Parent Child-C Child-P Child-C Child-P Blue-C Red-C Blue Red Oarc-SF-Mar-2011 ogud@shinkuro.com 9 March 13, 11

  10. How good a sample of resolvers are open recursive resolvers ? � I got a list of 856 open recursive resolvers � 136 did not answer queries (16%) � I probed the other 720 servers every 3 seconds 20 times for the record and recorded answer and TTL. � NS records TTL 17 � TXT record TTL 7 � I asked the servers a final question: � “version.bind. TXT CH” Oarc-SF-Mar-2011 ogud@shinkuro.com 10 March 13, 11

  11. What should answers look like � I process answers based on where answer comes from � P == Parent referenced server � C == Child referenced server. � Child Centric non sticky: � PPPCCCPPPCCCPPPCCCPP � Child Centric sticky � PPPCCCCCCCCCCCCCCCCC � Parent Centric � PPPPPPPPPPPPPPPPPPPP Oarc-SF-Mar-2011 ogud@shinkuro.com 11 March 13, 11

  12. What answers look like � 130 different patterns � Top 10 are 536 or 74.4 % � 172 PPPCCCPPPCCCPPPCCCP � Child Centric � 108 PPPCCCCCCCCCCCCCCCC � Child Sticky 15% � 49 PPPCCCPPPCCCCCPPPCC � 42 PPPCCCCCPPPCCCPPPCC � 38 PPCCCCCCPPPCCCPPPCC � 34 PPPCCCPPPCCCPPCCCCC � 33 PPPCCCPPPCCCPPPCCCC � 26 PPPCCCPPCCCCCCPPPCC � 23 PPPPPPPPPPPPPPPPPPP � Parent Centric 3% � 11 PPPCCCCCPPPCCCCCPPP Oarc-SF-Mar-2011 ogud@shinkuro.com 12 March 13, 11

  13. Closer look � Most of resolvers are child centric and do not stretch, but some stretch some of the time � Child Sticky 15 % (108) � Parent Centric 3% (23) � Child Centric (517) 72% � 345 do not follow exact pattern 48% � 172 exact pattern 24% � Mostly Child Centric 10% (72 ) � Partial sticky, relaxed handling of TTL, answer caching and reuse, …… Oarc-SF-Mar-2011 ogud@shinkuro.com 13 March 13, 11

  14. Behavior by implementations? 151 different version strings � All Bind releases 9.3 and later are child centric � � 9.2.3 and up are Child Centric � Older are Child sticky Bind 9.x shows up 305 times or 42% � � 18 Parent Centric or mostly PC � 74 Child Sticky but only 7 say 9.2.1 or 9.2.1 � 186 Mostly Child Centric � 25 Other � 62 Bind-9.6…. Only 12 behave according to my freshly compiled copy. But: 1 PPPCCCPPPPPPCCCPPPP 1 PPPCPCPCPPPPCCPCCPC 1 PPPPCCCCCCCCCCCCCCC 1 PPPPCPCPPPCPPPCCPPP 1 PPPPPCPCPCCCCPPCPPP 1 PPPPPPCCCPPPCCCPPPP 1 PPPPPPPCPCPCCCPPPPC 1 PPPPPPPCPPPCPPPPPPC 1 PPPPPPPPCCPPPPPCPPP 1 PPPPPPPPPPPPCCCPPPP Only 8 claim to be Bind 8.x � none Bind 4.x � Oarc-SF-Mar-2011 ogud@shinkuro.com 14 March 13, 11

  15. Concerns ? � Nominum and Google DNS are Parent centric � DNSCache and OpenDNS are Child Sticky � There seem to be many cases where resolvers are not going to authority as expected: � Going through forwarder � Out of band synchronization � Minimum TTL enforcement � Or I’m asking any cast server cluster Oarc-SF-Mar-2011 ogud@shinkuro.com 15 March 13, 11

  16. Resolver query patterns � How do Resolvers scatter queries ? � If a resolver discovers a domain and does not know about the name servers: it will ask a random resolver, � second query will go to DIFFERENT address � After all are probed queries will be concentrated inside a “band” of distance. � How often do resolvers “forget” about closest authorative server. � What is the market share of busy resolvers vs sporadic ones � Depends on the domain being queried e.g. ISP resolver in Brazil will likely show up as sporadic at a.nic.cz but busy at a.dns.br � Does Address == resolver � We see many cases of multiple recursive resolvers behind NAT’s Oarc-SF-Mar-2011 ogud@shinkuro.com 16 March 13, 11

  17. Resolver query patterns: effects � Sporadic resolver will send DNSKEY query to the servers I see 66.7% of the time � Busy resolver is likely to send none or all DNSKEY or DS query to servers I see � Busy resolver that is “tied” to PCH site(s) will show up as Sporadic at Afilias sites and vice versa. � How different are the query patterns at different sites? � Does prevalence of DNSSEC validation depend on regions? Oarc-SF-Mar-2011 ogud@shinkuro.com 17 March 13, 11

  18. Depressing Summary � We do not know a lot about � Resolver NS set usage � Resolver query scattering � Resolver Market share, � Geographical differences � We can not build reliable models of using DNS samples to answer basic questions � What can be done to improve things? � Can we look at big collections and build models. � How can models evolve over time � For example: Bind-9.8 changed RTT banding from prior versions. Oarc-SF-Mar-2011 ogud@shinkuro.com 18 March 13, 11

  19. Positive ways forward � What Models are needed: � List of models � Can we find answers in existing traces � Documentation as what to look for and how � Experiments to expose resolvers from the consumer side. � What do we want to know and how can we “trick” resolvers to expose their behavior ? � Revisit the design and implementation choices for query scattering ? Oarc-SF-Mar-2011 ogud@shinkuro.com 19 March 13, 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS resolvers abstract complexity and offer the possibility of improved performance and better scalability . Why are they harmful? 3 Resolvers Are Vulnerable

618 views • 34 slides
Eligibility Traces Chapter 12 Eligibility traces are Another way of interpolating between MC and

Eligibility Traces Chapter 12 Eligibility traces are Another way of interpolating between MC and

Eligibility Traces Chapter 12 Eligibility traces are Another way of interpolating between MC and TD methods A way of implementing compound -return targets A basic mechanistic idea a short-term, fading memory A new style of algorithm

881 views • 31 slides
Capture, conversion, and analysis of an intense NFS workload uating newer storage systems because

Capture, conversion, and analysis of an intense NFS workload uating newer storage systems because

the analysis or simulation. about 750 million operations per day. In comparison, the vironment than prior traces, we limit our comparisons Since our traces were captured in such a different en- convert, and analyze the traces. quired us to

366 views • 14 slides
CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of

CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of

CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of the four primary application components: activities content providers / content resolvers services broadcast receivers 2 Android

728 views • 50 slides
Modeling interaction traces of an online panel From raw interaction traces to actionable

Modeling interaction traces of an online panel From raw interaction traces to actionable

Modeling interaction traces of an online panel From raw interaction traces to actionable indicators: lessons learned 8th European Survey Research Association conference July 2019, Zagreb Simon DELLAC Elodie PETORIN (both CDSP, Sciences Po)

435 views • 18 slides
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client Side: Stub resolvers

429 views • 30 slides
Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk

Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk

Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk (jtk@depaul.edu) DNS Probing September 30, 2006 1 / 9 Open Resolvers Recursive - open access to a full resolver Forwarder - proxy access to a

371 views • 9 slides
Traces Exist (Hypothetically)! Carl Pollard Structure and Evidence in Linguistics Workshop in

Traces Exist (Hypothetically)! Carl Pollard Structure and Evidence in Linguistics Workshop in

Traces Exist (Hypothetically)! Carl Pollard Structure and Evidence in Linguistics Workshop in Honor of Ivan Sag Stanford University April 28, 2013 Carl Pollard Traces Exist (Hypothetically)! Traces in Transformational Grammar (1/2) Traces

411 views • 28 slides
Shrug Daemon Doing DNS the Hard Way Since 2015

Shrug Daemon Doing DNS the Hard Way Since 2015

Shrug Daemon Doing DNS the Hard Way Since 2015 https://en.wikipedia.org/wiki/Ayn_Rand#/media/File:Objectivist1.jpg Problem Statement RIPE Atlas probes have 2 DNS resolvers: Resolver local to probe RIPE Atlas central resolvers

713 views • 6 slides
DNS Rex Do you need an aggressive benchmark? Alex Rousskov The Measurement Factory DNS Rex At a

DNS Rex Do you need an aggressive benchmark? Alex Rousskov The Measurement Factory DNS Rex At a

DNS Rex Do you need an aggressive benchmark? Alex Rousskov The Measurement Factory DNS Rex At a Glance A performance test tool for DNS resolvers. Born 2009 A.D. (Cenozoic Era). Designed to intimidate powerful resolvers. Could

713 views • 22 slides
Two 2-traces Simon Willerton University of Sheffield f Tr ( f ) := V

Two 2-traces Simon Willerton University of Sheffield f Tr ( f ) := V

Two 2-traces Simon Willerton University of Sheffield f Tr ( f ) := V Tr ( f ) := V f Traces What is a trace? Tr ( f g ) = Tr ( g f ) Tr ( f ) = Tr ( a f a 1 ) Traces in a monoidal

651 views • 13 slides
In Inferring the Deployment of f In Inbound Source Address Validation Using DNS Resolvers

In Inferring the Deployment of f In Inbound Source Address Validation Using DNS Resolvers

In Inferring the Deployment of f In Inbound Source Address Validation Using DNS Resolvers Maciej Korczyski*, Yevheniya Nosyk*, Qasim Lone , Marcin Skwarek*, Baptiste Jonglez*, and Andrzej Duda* *Universit Grenoble Alpes, CNRS, Grenoble

546 views • 16 slides
LN-10 Searching for traces of Norwegian economic thought Intro When trying to find the traces of

LN-10 Searching for traces of Norwegian economic thought Intro When trying to find the traces of

LN-10 Searching for traces of Norwegian economic thought Intro When trying to find the traces of Norwegian economic thought, we should be aware that most economic questions until very recently were dealt with within a framework of religious,

409 views • 39 slides
ELLIPSOID : traces on the coordinate planes are ellipses 2 2 2 x 2 y 2 z 2 = 1 a b c

ELLIPSOID : traces on the coordinate planes are ellipses 2 2 2 x 2 y 2 z 2 = 1 a b c

ELLIPSOID : traces on the coordinate planes are ellipses 2 2 2 x 2 y 2 z 2 = 1 a b c ELLIPTIC PARABOLOID : traces are ellipses and parabolas z = x 2 + y 2 y = x 2 + z 2 HYPERBOLIC PARABOLOID : traces are hyperbolas and parabolas. z =

254 views • 3 slides
Caching in with Resolvers Norman Walsh http://www.sun.com/ XML Conference & Exposition 2003

Caching in with Resolvers Norman Walsh http://www.sun.com/ XML Conference & Exposition 2003

Caching in with Resolvers Norman Walsh http://www.sun.com/ XML Conference & Exposition 2003 07-12 December 2003 Version 1.0 Introduction Using URIs The Problem Solutions Catalog-based Resolution Proxy Caches

1.26k views • 47 slides
On The Fidelity of 802.11 Packet Traces Aaron Schulman, Dave Levin, Neil Spring University of

On The Fidelity of 802.11 Packet Traces Aaron Schulman, Dave Levin, Neil Spring University of

On The Fidelity of 802.11 Packet Traces Aaron Schulman, Dave Levin, Neil Spring University of Maryland, College Park PAM - April 2008 On The Fidelity of 802.11 Packet Traces 1 Uses of 802.11 packet traces MAC Layer (Mahajan et al, Jardosh

1.26k views • 78 slides
ANALYZING PERCEPTION SURVEYS Two Prongs of Assessment LAUNCHING THE COMPREHENSIVE CURRICULUM

ANALYZING PERCEPTION SURVEYS Two Prongs of Assessment LAUNCHING THE COMPREHENSIVE CURRICULUM

ANALYZING PERCEPTION SURVEYS Two Prongs of Assessment LAUNCHING THE COMPREHENSIVE CURRICULUM NEEDS ASSESSMENT. Goal: The needs assessment will provide a vehicle to gain teacher insight around our current instructional materials. HOW WILL

210 views • 9 slides
Bienvenue a 2015 Contemporary Scholars Conference D IVERSITY U

Bienvenue a 2015 Contemporary Scholars Conference D IVERSITY U

Bienvenue a 2015 Contemporary Scholars Conference D IVERSITY U NDERSTANDING E XPERIENCE I NNOVATION L EADERSHIP F RIENDSHIP F ELLOWSHIP N ETWORKING N etworking U nderstanding F riendship F ellowship I

614 views • 36 slides
Arbutus Greenway Public Feedback Workshop on the Temporary Pathway Todays Purpose

Arbutus Greenway Public Feedback Workshop on the Temporary Pathway Todays Purpose

Arbutus Greenway Public Feedback Workshop on the Temporary Pathway Todays Purpose Share information about the temporary pathway and get community feedback on its design Agenda Welcome Presentation on the temporary path

407 views • 19 slides
THE LEAN ENTERPRISE Trevor Owens CEO, Javelin.com @TO Biz Stone Founder, Twitter X-Google

THE LEAN ENTERPRISE Trevor Owens CEO, Javelin.com @TO Biz Stone Founder, Twitter X-Google

THE LEAN ENTERPRISE Trevor Owens CEO, Javelin.com @TO Biz Stone Founder, Twitter X-Google Employees Process Structure Process Strategy Structure Process Strategy Structure Process $30M 100 PPL 10 7.5 5 2.5 0 1 2 3 4 5 6

1.29k views • 92 slides
Instructional & Student Success Resource Space February 24 th , 2020 Introductions Who is in

Instructional & Student Success Resource Space February 24 th , 2020 Introductions Who is in

Instructional & Student Success Resource Space February 24 th , 2020 Introductions Who is in the Room? AGENDA 1. Kick-off Question 2. Master Plan Structure: Strategic Asset Management 3. Enrollment Profile & Scenarios 4. Instructional

716 views • 53 slides
Global Service-Learning Reconsidered Renee Sedlacek, Director, Community Engaged Learning Maria

Global Service-Learning Reconsidered Renee Sedlacek, Director, Community Engaged Learning Maria

Global Service-Learning Reconsidered Renee Sedlacek, Director, Community Engaged Learning Maria Rohach, Assistant Director, Drake Administered Programs Abroad Carlyn Crowe, Visiting Assistant Professor and Internship Coordinator, SJMC Bryan

357 views • 21 slides
Step 1 Summary of Project This blog post covers the steps I took to create a presentation that

Step 1 Summary of Project This blog post covers the steps I took to create a presentation that

What makes a great presentation? Why are some presenters more engaging than others? We will begin to explore these questions with this project. Below you will find the steps and examples each component of the project. Step 1 Summary of

306 views • 4 slides
Needs Assessment Development Module 5: Presentation of the Needs Assessment [Presenter Names]

Needs Assessment Development Module 5: Presentation of the Needs Assessment [Presenter Names]

Needs Assessment Development Module 5: Presentation of the Needs Assessment [Presenter Names] [Date] 2 About us: [Insert name and role of facilitator and supporting organization here] 2 Meet the Presenters Name Name Name Title

278 views • 26 slides

More recommend