Recursives in the Wild: Engineering Authoritative DNS Servers


Recursives in the Wild: Engineering Authoritative DNS Servers. IMC 2017 | 2017-11-03 | London. Moritz Müller (1,2), Giovane C. M. Moura (1), Ricardo de O. Schmidt (1,2), John Heidemann (3). (1) SIDN Labs, (2) University of Twente, (3) USC/Information Sciences Institute


SLIDE 1

Recursives in the Wild: Engineering Authoritative DNS Servers

IMC 2017 | 2017-11-03 | London

Moritz Müller (1,2), Giovane C. M. Moura (1), Ricardo de O. Schmidt (1,2), John Heidemann (3)

(1) SIDN Labs, (2) University of Twente, (3) USC/Information Sciences Institute

SLIDE 2

Introduction

[Figure: .nl setup. Name servers ns1, ns2, ns3, ns4, ns5, isc, netnod and nic.fr; legend: unicast, anycast]

SLIDE 3

Introduction

[Figure: .nl setup as on slide 2, with added labels: Client, Recursive Resolver, "who has example.nl?"]

SLIDE 4

Introduction

[Figure: .nl setup as on slide 3, with a "?" added]

SLIDE 5

Introduction

[Figure: .nl setup with Client and Recursive Resolver; ns4 and ns5 shown apart from ns1, ns2, ns3 and isc]

SLIDE 6

Introduction

[Figure: name servers ns1, ns2, ns3, ns4, ns5, netnod, nic.fr and isc, drawn with area relative to the number of sites]

SLIDE 7

Introduction

[Figure: the same name servers drawn twice, once with area relative to the number of sites and once with area relative to the number of queries]

SLIDE 8

Introduction

[Figure: as on slide 7, with annotations: "located in the Netherlands", "multiple sites in the US", "23% of queries from the US"]

SLIDE 9

Research Questions

  • How do recursive resolvers select authoritative name servers?
      • [1] says most implementations prefer faster-responding authoritatives
      • but what is the overall behaviour in the wild?
  • To improve performance, how should operators design their authoritatives?

[1] Yu, Y., Wessels, D., Larson, M., and Zhang, L. Authority Server Selection in DNS Caching Resolvers. SIGCOMM Computer Communication Review 42, 2 (Mar. 2012), 80–86.

SLIDE 10

Measurement Design

Setups:

  • GRU+NRT
  • DUB+FRA
  • FRA+SYD
  • GRU+NRT+SYD
  • DUB+FRA+IAD
  • DUB+GRU+NRT+SYD
  • DUB+FRA+IAD+SFO

IPv4 only (for now)

[Figure: unicast NS at FRA, DUB, IAD, SFO, GRU, NRT, SYD]

SLIDE 11

Measurement Design

Setups: as on slide 10. IPv4 only (for now)

[Figure: unicast NS at FRA, DUB, IAD, SFO, GRU, NRT, SYD, with added labels: RIPE Atlas Probe, Recursive]

SLIDE 12

How do recursives distribute their queries over time?

[Figure: share of queries per authoritative for each combination (2A, 2B, 2C, 3A, 3B, 4A, 4B), and RTT (ms) per location (FRA, DUB, IAD, SFO, GRU, NRT, SYD)]

SLIDE 13

How do recursives distribute their queries over time?

[Figure: as on slide 12]

  • Authoritatives with similar latency get similar number of queries

SLIDE 14

How do recursives distribute their queries over time?

[Figure: as on slide 12]

  • Authoritatives with similar latency get similar number of queries
  • Larger difference leads to larger preference

SLIDE 15

How do recursives distribute their queries over time?

[Figure: as on slide 12]

  • Authoritatives with similar latency get similar number of queries
  • Larger difference leads to larger preference
  • Authoritatives that respond faster are in general preferred
  • Confirms previous work, but now in the wild

SLIDE 16

How do individual recursives distribute their queries?


SLIDE 21

How do individual recursives distribute their queries?

Up to 69% of resolvers have a weak preference (60% to 90% of their queries to one NS)

SLIDE 22

How do individual recursives distribute their queries?

Up to 37% of resolvers have a strong preference (more than 90% of their queries to one NS)

SLIDE 23

How do individual recursives distribute their queries?

Some resolvers always prefer the slower NS
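
The weak/strong preference classes and the "prefers the slower NS" case from the slides above, applied to per-resolver query counts. This is an added example, not code from the presentation or its authors; the query records, resolver names and RTT values are constructed, and treating exactly 60% as weak is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample: one (resolver, authoritative site) pair per observed query.
QUERIES = (
    [("r1", "FRA")] * 19 + [("r1", "SYD")] * 1     # 95% to FRA
    + [("r2", "FRA")] * 14 + [("r2", "SYD")] * 6   # 70% to FRA
    + [("r3", "FRA")] * 10 + [("r3", "SYD")] * 10  # even split
    + [("r4", "FRA")] * 1 + [("r4", "SYD")] * 19   # 95% to the slower site
)
# Constructed median RTT in ms from each resolver to each site.
RTT_MS = {(r, "FRA"): 20 for r in ("r1", "r2", "r3", "r4")}
RTT_MS.update({(r, "SYD"): 300 for r in ("r1", "r2", "r3", "r4")})


def classify(share):
    """Map the share of queries sent to the most-used NS to a preference class."""
    if share > 0.90:
        return "strong"   # more than 90% to one NS
    if share >= 0.60:
        return "weak"     # 60% to 90% to one NS
    return "none"


def preference_report(queries, rtt_ms):
    """Per resolver: most-used site, its query share, class, and whether it is the fastest."""
    counts = defaultdict(Counter)
    for resolver, site in queries:
        counts[resolver][site] += 1
    report = {}
    for resolver, per_site in counts.items():
        top, hits = per_site.most_common(1)[0]
        share = hits / sum(per_site.values())
        sites = [s for (r, s) in rtt_ms if r == resolver]
        fastest = min(sites, key=lambda s: rtt_ms[(resolver, s)])
        report[resolver] = {"top": top, "share": share,
                            "preference": classify(share),
                            "prefers_fastest": top == fastest}
    return report


def summarize(report):
    """Fraction of resolvers in each preference class."""
    tally = Counter(entry["preference"] for entry in report.values())
    return {k: tally[k] / len(report) for k in ("strong", "weak", "none")}


if __name__ == "__main__":
    for name, entry in sorted(preference_report(QUERIES, RTT_MS).items()):
        print(name, entry)
```
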

SLIDE 24

Validation: Authoritatives in Production

Root Servers (10 out of 13) | .nl Servers (4 out of 8)

  • Root: +60% query at least 6 servers
  • .nl: +90% query at least 4 servers
  • Overall confirms the observations from our test bed

SLIDE 25

Measurement Summary

  • Distribution is inversely proportional to the median RTT
  • Recursives prefer faster-responding authoritatives
  • But they also query slower authoritatives from time to time
  • Additional findings:
      • Lower RTT becomes more relevant if competing NSes are closer (<150 ms)
      • Stronger preference when querying more frequently (<10 min interval)

SLIDE 26

Recommendations for DNS Operators

  • The slowest authoritative limits the response time of a DNS service
  • Recommendation:
      • Use anycast on all your name servers
      • Anycast sites need to be well connected with good peering

→ Based on this work, .nl is replacing unicast NSes with anycast

SLIDE 27

Data Sets

All data sets (but one) available: https://ant.isi.edu/datasets/dns/index.html#recursives

SLIDE 28

Data Sets

All data sets (but one) available: https://ant.isi.edu/datasets/dns/index.html#recursives

Questions?

Moritz Müller
email: moritz.muller@sidn.nl
twitter: @moritzcm_

SLIDE 29

Additional Slides

SLIDE 30

Does preference change for distant recursives?

[Figure: fraction of queries against RTT (ms) for DUB and FRA, by continent of the vantage points: EU (6221), NA (1181), AF (215), AS (692), SA (131), OC (245)]

  • VPs in EU reach Frankfurt 13 ms faster than Dublin
  • Thus, they clearly prefer Frankfurt
  • VPs in Asia reach Frankfurt 20 ms faster, but distribute their queries almost equally

→ Lower RTT becomes more relevant if competing authoritatives are closer to the recursive

SLIDE 31

How does query frequency affect the results?

  • A higher query frequency leads to a stronger preference
  • However, preference persists even after the default timeout of resolvers like BIND and Unbound

[Figure: fraction of queries against query interval (2, 5, 10, 15, 20, 30 minutes), for AF, AS, EU, NA, OC, SA]

SLIDE 32

Do recursives query all authoritatives?

[Figure: # of queries after first query, per authoritative combination: 2A (96.%), 2B (95.5%), 2C (82.4%), 3A (91.3%), 3B (84.8%), 4A (94.7%), 4B (75.2%). Locations: São Paulo (GRU), Dublin (DUB), Sydney (SYD), Wash. DC (IAD), San Francisco (SFO), Tokyo (NRT), Frankfurt (FRA)]

Yes, the majority of resolvers query every authoritative