resilience of the domain name system a case study for nl
play

Resilience of the Domain Name System: A case study for .nl Lars - PowerPoint PPT Presentation

Sep 08, 2023 •135 likes •525 views

Resilience of the Domain Name System: A case study for .nl Lars Bade | Radboud University Nijmegen, SIDN 21 March 2016, ICT.Open Agenda 1. Research question 2. Domain Name System 3. Methodology & Results 4. Conclusion 5. Time for asking

  2. Resilience of the Domain Name System: A case study for .nl Lars Bade | Radboud University Nijmegen, SIDN 21 March 2016, ICT.Open

  3. Agenda 1. Research question 2. Domain Name System 3. Methodology & Results 4. Conclusion 5. Time for asking questions

  4. Research question What is the impact on the availability of the .nl-zone and underlying second level domains for the users of the Internet when parts of the DNS infrastructure become unavailable? Goal: 1. Develop a method to measure the resilience of a DNS zone 2. Apply this method on the .nl-zone NB: Research performed on autonomous system (AS) level

  5. Domain Name System (DNS) Initially used to translate domain names into IP addresses • IP addresses are hard to remember • IP addresses do change from time to time Crucial part of the Internet’s infrastructure Nowerdays DNS can hold arbitrary data Distributed database to query for information on a name

  6. DNS: Resolution Domain name is resolved from root zone to authoritative name server Name server of root zone hard-coded in resolver Caching at resolver reduces traffic on name servers

  7. Research Methodology 1. Map domain names onto the ASs their name servers are located in 2. Obtain graph representing network topology 3. Identify locations of most commonly used resolvers 4. Generate reachability baseline for domain names from the viewpoint of the identified resolver locations 5. Simulate failure of ASs and connections in the topology 6. Analyze impact of the simulated failures on reachability of domains N.B.: All used data was generated in the first week of June 2016

  8. Step 1: Map domain names onto ASs Obtain a list of domain names • Full .nl-zone provided by SIDN Obtain IP addresses of name servers per domain • Resolve NS records of domain names • Resolve A records of the obtained name server names Map IP addresses of name servers onto ASs • Public data set provided by MaxMind (and other parties)

  9. Step 2: Obtain graph representing network topology Lot of research done in this field, lots of problems: • No Internet authority • Inference of connections depends on local knowledge • Backup routes may be invisible Eventually used data set provided by CAIDA: • Most complete dataset known, ~45.000 ASs, ~500.000 connections • Aggregated information from various sources: RIPE RIS, CAIDA ark monitors, Routeviews project

  10. Step 3: Identify most common resolver locations Necessary to define a clear scope and keep calculations feasible Investigation of incoming DNS requests at the authoritative name servers of .nl (powered by ENTRADA) Two approaches: 1. Analysis of human-generated requests (top 30) • Excluding resolvers sending disproportionately many requests • Classification not very accurate 2. Analysis of all requests (top 30)

  11. Step 3: Combining both lists Concatenate both lists and thereby investigate both, most queries and most human-generated queries Remove duplicates Result: • List of 39 most commonly used resolver locations • Contains ISPs, hosting providers, search engines, content providers, ..

  12. Step 4: Baseline generation Even in full topology, not all authoritative name servers can be reached from all resolvers Find valid paths between resolver locations and name server locations using breadth-first-search Per resolver location calculate: • #Unreachable ASs • #Unreachable domains • Mean length of shortest path between resolver and name server

  13. Step 5: Simulation of failure scenarios Scenarios selected with maximal (negative) impact in mind Failure of ASs (ISPs): • Simulated by removing the AS from the topology • Selection based on ASs hosting the most domain names (top 20) • Selection based on ASs providing most transit traffic on baseline (top 20) Failure of connections: • Simulated by removing the connection from the topology • Selection based on connections used for most transit traffic on baseline (top 20) Failure of IXP (AMS-IX): • Simulated by removing all peering connections between members

  14. Step 6: Analysis of simulation results Find (valid) paths between resolver locations and name server locations using breadth-first-search with some optimizations: Per resolver locations calculate: • #Unreachable ASs • #Unreachable domains • Mean length of shortest path to domains

  15. Results: Failure of ASs Failure of hosting ASs • Mostly only that AS unavailable • Example shown for AS60781 (LeaseWeb) Failure of transit ASs • Also other ASs unavailable • Example shown for AS174 (Cogent Communications)

  16. Results: Failure of connections Impact limited to single resolver or name server locations Example shown for the connection between AS2914 (NTT) and AS5432 (Proximus) Mostly no impact on availability Mean shortest path length increases for single resolver location

  17. Conclusion Impact of failure scenario highly dependent on resolver location Most problems solved by using name servers located in multiple ASs Some network bottlenecks, e.g. ASs with single connections • Most of them only influence connectivity of some ASs

  18. Are there any questions?

  19. Follow us SIDN.nl Thank you for your attention! @SIDN SIDN

  20. Research question (elaborated) What is the impact on the availability of the .nl-zone and underlying second level domains for the users of the Internet when parts of the DNS infrastructure become unavailable? Subquestions: • How are domain names within the .nl-zone distributed over autonomous systems? • How are autonomous systems serving parts of DNS data within the .nl-zone interconnected? • Where in the network topology do the majority of DNS requests originate from? • How does the reachability of autonomous systems change when connections or even whole ASs become unavailable? And what is the impact hereof for the reachability of authoritative name servers?

  21. Border Gateway Protocol (BGP) Protocol for exchanging routing information between autonomous systems (ASs) AS: • Collection of IP address ranges under the same administrative boundary • Identified by Autonomous System Number (ASN) Basic working: • Router announces his IP addresses to connected routers of neighboring ASs • After receiving an announcement it is stored and possibly propagated to neighboring routers

  22. Border Gateway Protocol (BGP) (2) Global (constantly changing) routing table Relationships between ASs classified according to contractual agreements: • customer-to-provider (provider-to-customer) • peer-to-peer • sibling-to-sibling

  23. BGP: valid paths for traffic flow Valid paths between ASs follow a fixed pattern: 1. 0+ customer-to-provider links 2. 0-1 peer-to-peer links 3. 0+ provider-to-customer links General rule: no transit AS that does not get paid by either of its neighbors on the path

  24. BGP: valid paths for traffic flow (2)

  25. DNS: Hierarchy Domain namespace is built up in a tree structure Domain names are formed by concatenating labels in the tree from leaf to root Multiple (redundant) name servers per zone • Root zone: 13 name servers • .nl-zone: 7 name servers

  26. DNS: Resource Records Name servers store information in resource records that consist of multiple fields: • owner : The domain name • type : The type of the stored data A (IPv4 address) • • AAAA (IPv6 address) • NS (name server name) • MX (mail server name) • CNAME (name pointer, alias) TXT (arbitrary text) • • … • class: mostly IN (Internet) • TTL: Time to live, time to cache record • RDATA: The data

  27. BGP: Internet Exchanges (IXPs) Network facility that enables exchange of traffic between more than two independent ASs Imagine this as a giant switch where members can connect to peer with each other Largest IXPs handle the same amount of traffic as the largest Tier-1 ISPs

  28. Obtain ASN of name servers per domain 1. Resolve NS records of domain names 2. Resolve A records of the obtained name server names 3. Map IP addresses of name servers onto ASN

  29. Obtain ASN of name servers per domain (2) 5,262,381 domain names in zonefile - 259,364 NS record unresolvable - 2,229 A record of name server unresolvable 5,364,788 domain names investigated Configuration errors: • 16,394 NS sets in the zonefile do not match the NS set received when querying an authoritative name server of the domain

  30. ENTRADA Developed by SIDNLabs Database containing all incoming DNS requests at 4 of the authoritative name servers of .nl 100 billion queries in the last 2 years, 800 million new queries per day SQL interface to investigate these requests: Time of receipt • • Resolver IP address • Domain name • Query type • IP version ... •

  31. Step 3.1: Analysis of human-generated requests Motivation: • Some resolvers send more queries than others (increase performance, absence of caching, DNSSEC validation, ...) • Some resolvers used for scanning the zone (research, profit) Resolvers should be excluded from the analysis Measures: • Percentage of NxDomain responses per resolver • Percentage of distinct domain names queried

  32. Percentage of NxDomain responses per resolver • Human users query mainly existing domain names • Typos only occur occasionally • Two categories of resolver usage: • High percentage  scan (brute- force), botnets • Low percentage  human users Normal behaviour: <10% NxDomain responses

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

INTENSIVE CARE UNITS: A CASE STUDY FOR RESILIENCE CASE STUDY FOR RESILIENCE Jean Paris

INTENSIVE CARE UNITS: A CASE STUDY FOR RESILIENCE CASE STUDY FOR RESILIENCE Jean Paris

IAEA Technical Meeting on MANAGING THE UNEXPECTED FROM THE PERSPECTIVE OF THE INTERACTION BETWEEN INDIVIDUALS, TECHNOLOGY AND ORGANIZATION Vienna International Centre 25 to 29 June 2012 le SAS France INTENSIVE CARE UNITS: A CASE STUDY

266 views • 16 slides
Multi-Site Vs. Domain A Commerce Case Study May 7, 2019 Page 1 | Multi-Site Vs Domain: A

Multi-Site Vs. Domain A Commerce Case Study May 7, 2019 Page 1 | Multi-Site Vs Domain: A

Multi-Site Vs. Domain A Commerce Case Study May 7, 2019 Page 1 | Multi-Site Vs Domain: A Commerce Case Study John E. Picozzi Senior Drupal Architect Drupal Providence 401-228-7660 oomphinc.com 72 Clifford Street, oomph.is/jpicozzi

585 views • 29 slides
Focusing the Core Domain Model A Domain-Driven Design Case Study, Eric Evans, Domain Language

Focusing the Core Domain Model A Domain-Driven Design Case Study, Eric Evans, Domain Language

Focusing the Core Domain Model A Domain-Driven Design Case Study, Eric Evans, Domain Language @ericevans0 #dddesign #yow13 Thirsty Fern FLLC A Mostly True Story About Strategic Design and Focusing the Core Domain with Established

720 views • 33 slides
Image Processing A case study for a domain decomposed MPI code Domain Decomposition 1

Image Processing A case study for a domain decomposed MPI code Domain Decomposition 1

Image Processing A case study for a domain decomposed MPI code Domain Decomposition 1 Starting with a big array: 2 Domain Decomposition 2 Split it into pieces: 3 Domain Decomposition 3 Assign pieces to processors: 4 Domain

123 views • 10 slides
Speaking Points 1. Case Study IKEA and Fairway The Resilience Dividend 2. Disaster Risk in

Speaking Points 1. Case Study IKEA and Fairway The Resilience Dividend 2. Disaster Risk in

Speaking Points 1. Case Study IKEA and Fairway The Resilience Dividend 2. Disaster Risk in Rockport-Fulton 3. Business Continuity Planning Investing in Disaster Resilience Investing in Disaster Resilience Speaking Points 1. Case Study

371 views • 19 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

910 views • 4 slides
Chicagoland Collaborative: Models for Climate Resilience A Case Study in Cross-Agency

Chicagoland Collaborative: Models for Climate Resilience A Case Study in Cross-Agency

Chicagoland Collaborative: Models for Climate Resilience A Case Study in Cross-Agency Collaboration metroplanning.org @metroplanners Sharing Exercise What are the climate change impacts that your region is grappling with? Have you identified

851 views • 44 slides
AADL : a radar case study Back to radar case study Goal: to model a simple radar system

AADL : a radar case study Back to radar case study Goal: to model a simple radar system

AADL : a radar case study Back to radar case study Goal: to model a simple radar system Let us suppose we have the following requirements System implementation is composed by physical devices (Hardware entity): 1. antenna + processor +

589 views • 10 slides
Using SPARQL and SPIN A Case Study for the Tourism Domain Antonino Lo Bue, Alberto Machi

Using SPARQL and SPIN A Case Study for the Tourism Domain Antonino Lo Bue, Alberto Machi

Open Data Integration Using SPARQL and SPIN A Case Study for the Tourism Domain Antonino Lo Bue, Alberto Machi ICAR-CNR Sezione di Palermo, Italy Research funded by Italian PON SmartCities Dicet-InMoto-Orchestra project EU Digital Agenda

219 views • 17 slides
Case Study Insight on Interventions to Promote Energy and Community Resilience in Malawi Aran

Case Study Insight on Interventions to Promote Energy and Community Resilience in Malawi Aran

Case Study Insight on Interventions to Promote Energy and Community Resilience in Malawi Aran Eales Energy for development Research Group University of Strathclyde May 2019 Sustainable energy powers education and health systems, new

276 views • 15 slides
Photobioreactor system case-study Tom a s Stan ek Tom a s Stan ek

Photobioreactor system case-study Tom a s Stan ek Tom a s Stan ek

Photobioreactor system case-study Tom a s Stan ek Tom a s Stan ek Photobioreactor system case-study Tom a s Stan ek Photobioreactor system case-study Overal description Various devices with some autonomous logic and

920 views • 48 slides
Using Domain Specific Languages for Modeling and Simulation: ScalaTion as a Case Study John A.

Using Domain Specific Languages for Modeling and Simulation: ScalaTion as a Case Study John A.

Using Domain Specific Languages for Modeling and Simulation: ScalaTion as a Case Study John A. Miller Jun Han Maria Hybinette Department of Computer Science The University of Georgia Conceptual Model vs. Simulation Program What is the

419 views • 20 slides
Domain Name System (DNS) Smith College, CSC 249 Feb 6, 2017 1 TODAY: Domain Name System q The

Domain Name System (DNS) Smith College, CSC 249 Feb 6, 2017 1 TODAY: Domain Name System q The

Domain Name System (DNS) Smith College, CSC 249 Feb 6, 2017 1 TODAY: Domain Name System q The directory system for the Internet v Used by other application layer protocols v via socket programming q Maps a hostname to an IP address v Host

431 views • 19 slides
Andes: A case study Sasikumar M C-DAC Mumbai About Andes Domain: College physics. Quantitative

Andes: A case study Sasikumar M C-DAC Mumbai About Andes Domain: College physics. Quantitative

Andes: A case study Sasikumar M C-DAC Mumbai About Andes Domain: College physics. Quantitative problems. For students of naval academy. Only help with homework so need to change the curricula or teaching strategy for adoption. Provides a

808 views • 38 slides
Domain System Threat Landscape Pablo Rodriguez Nic.pr Janelle McAlister - MarkMonitor

Domain System Threat Landscape Pablo Rodriguez Nic.pr Janelle McAlister - MarkMonitor

Domain System Threat Landscape Pablo Rodriguez Nic.pr Janelle McAlister - MarkMonitor Agenda n History n Nic.PR Case Study q Registrar Perspective q Registry Perspective n Future solutions History n Over the past few years

643 views • 26 slides
CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988 Impact of Configuration Errors on DNS Robustness V. Pappas, Z. Xu, S. Lu, D. Massey, A. Terzis, and L. Zhang, 2004 Spring 2013 The Story So Far .

481 views • 29 slides
Internet Infrastructure Security Internet Infrastructure Security Simon Fraser University Scott

Internet Infrastructure Security Internet Infrastructure Security Simon Fraser University Scott

Internet Infrastructure Security Internet Infrastructure Security Simon Fraser University Scott Wakelin 4/27/2004 1 Road Map Road Map Project Goals and Overview Project Status Network Infrastructure ISP Topology ISP

554 views • 30 slides
Network Attacks I Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control

Network Attacks I Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control

Network Attacks I Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control Plane To support data delivery (efficiently, reliably, and etc.) Routing information exchange In some sense, every protocol except data

751 views • 51 slides
Information meeting on Ipad/Tablets. 5 th February 2018. Programme Schools experience to date

Information meeting on Ipad/Tablets. 5 th February 2018. Programme Schools experience to date

Information meeting on Ipad/Tablets. 5 th February 2018. Programme Schools experience to date and proposal for this year and the future. Presentation by teachers: Ms Fogarty, Mr. McGinn. Students View: Alex OFarrell.

466 views • 25 slides
Prepping for Ransomware in 2017 Risks change, and so should you. THM Group &amp; Infrascale

Prepping for Ransomware in 2017 Risks change, and so should you. THM Group &amp; Infrascale

Prepping for Ransomware in 2017 Risks change, and so should you. THM Group &amp; Infrascale ABOUT THM GROUP Providing custom end-to-end voice &amp; data solu4ons At a Glance Key Focus Founded: 20 years ago HQ: Barrie, Ontario Businesses

691 views • 38 slides
Simulating Routing Schemes on Large- Scale Topologies Luc Hogie (INRIA, Fr), Dimitri

Simulating Routing Schemes on Large- Scale Topologies Luc Hogie (INRIA, Fr), Dimitri

Simulating Routing Schemes on Large- Scale Topologies Luc Hogie (INRIA, Fr), Dimitri Papadimitriou (A-L Bell Labs, Be), Issam Tahiri (INRIA, Fr), Frederic Majorczyk (Univ.Bordeaux/LaBRI, Fr) IEEE PADS Workshop Atlanta Georgia Tech. May

741 views • 28 slides
Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

February 2019 Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Lets understand the problem.. What is the connection between routing security

346 views • 19 slides
MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston

MaxLength Considered Harmful to the RPKI Yossi Gilad, Omar Sagga , Sharon Goldberg Boston University Outline Background How does BGP work? How does RPKI work? What is the maxLength? How maxLength causes problems

741 views • 34 slides
How Netflix directs 1/3rd of Haley Tucker QCon San Francisco Mohit Vora Nov 16, 2015 Playback

How Netflix directs 1/3rd of Haley Tucker QCon San Francisco Mohit Vora Nov 16, 2015 Playback

How Netflix directs 1/3rd of Haley Tucker QCon San Francisco Mohit Vora Nov 16, 2015 Playback Overview DATA PLANE NETFLIX STREAM DEVICE (CDN) CONTROL PLANE Project 366 #59; 280212 Days Gone By..., CC BY-SA, Pete 2012, Flickr VIDEO

1.26k views • 112 slides

More recommend