DNSwitness: A Generic Platform For DNS-based Measurements

Transcription

1 DNSwitness: A Generic Platform For DNS-based Measurements Journée «Mesures Internet», Paris, 24 April 2012 {Samia.Mtimet, Stephane.Bortzmeyer, Mohsen.Souissi} (at) afnic.fr

2 Overview Motivation Principles & Requirements Architecture Past & Current Uses Some results Conclusion & Prospective work 2

3 Motivation DNS registry is seated on a gold mine of DNS data What does DNS tell us? There is precious information to extract and use Our marketing team, technical team, management ask various questions we may have the answer for: How many of our domains are used for only? What has the penetration rate of IPv6, DNSSEC or phenomenon X evolved over the last N years? Could you assess the technical quality of a given portfolio of DNS zones? We focus on things that we can obtain by starting with the DNS Either from the DNS itself Or by further exploring 3

4 Principles & Requirements Generic Can do many different surveys Most known tools deal only with one survey Automatic Works unattended (from cron, for instance), for periodic runs, Store raw results Not just aggregates For long-term analysis Free Software Usable by small and medium actors Run it yourself, and keep your own data, share aggregated & anonymized results No data to be sent to a centralized analysis fabric 4

5 Global Architecture DNSwitness Platform: 2 main (free) software components DNSdelve, for active measurement What we send out : active DNS queries sent to domains Go on a fishing trip! Typically: sampling in a zone TLD file vs comprehensive walk DNSmezzo, for passive measurement What comes in: DNS queries sent name servers, passively monitored Who s knocking at our door? Sampling by default (might take all the traffic for a given window of time) A database to store results To allow long-term surveys and study the evolution To do benchmark with other partners based on uniform indicators/metrics 5

6 Architecture: Active Measurements Component (DNSdelve) A framework To gather information from the DNS zones delegated by a registry To get start points to explore the Internet for further information Composed of A generic basis: Handles zone file parsing and parallel querying of the zones Modules dedicated for targeted surveys: Perform the actual queries: ask explicit questions to the DNS Examples: IPv6, DNSSEC, SPF modules already available 6

7 Architecture: Passive Measurements Component (DNSmezzo) Capture DNS traffic, analyze content and store in a Database By sniffing the DNS traffic on a server (port mirroring, tcpdump ) Storing structured info (what we have learnt) in a rdbms Do measurements/statistics by querying the DB Periodically, unattended or on-demand runs Examples: Top N domains queried for (and more specifically those which yield a NXDOMAIN answer) Percentage of queries targeting AAAA (wrt A) records Percentage of traffic transported on IPv6 (wrt IPv4) How many queries use EDNS0 and for which sizes? Percentage of recursive name servers patched against Kaminsky attack (SPR) 7

8 Similar Work (DNS-based) Active measurements The Health of the Internet in Sweden (annual reports): Passive Measurements: IIS.se dns2db ISC SIE DSC 8

9 Past & Current DNSwitness Uses Feeding the French Annual DNS Industry Report with IPv6 figures Contribution to the OECD Report on IPv6 Deployment Measurements in the world As a platform for Internet Resilience measurements in France Observatoire de la Résilience de l Internet en France Jointly with ANSSI (the French Network and Information Security Agency) AFNIC s contribution: from the DNS perspective Results unveiled at the DNS-OARC meeting (while waiting for the 1 st edition of the report to be published): Surveys on demand (AFNIC or third parties) 9

10 Active measurements results IPv6 penetra,on rate in domains under.fr 45,00% 40,00% 35,00% 30,00% 25,00% 20,00% 15,00% DNS Web Mail IPv6- Enabled IPv6- Full 10,00% 5,00% 0,00% Q1-09 Q2-09 Q3-09 Q4-10 Q1-11 Q2-11 Q3-11 Q4-11 Q1-12 Q

11 Active measurements results (2) Name Server distribu,on per for zones under.fr 30% 36% AS x AS y AS z AS t 3% AS u Autres 4% 11% 16% 11

12 Active measurements results (3) Name Server distribu,on per country for zones under.fr 1% 1% 4% 11% France 13% Allemagne USA Grande- Bretagne Suisse Autres 71% 12

13 Passive measurements results % of DNS transport in IPv4 vs IPv6 100% 0,60 0,60 99% 98% 2,20 3,47 97% 96% 95% 94% IPv6 transport (%) IPv4 transport (%) 93% 92% 91% 90%

14 Passive measurements results (2) 100% DNS Query type distribu,on for domain names under.fr 90% 80% 70% 8,06 7,29 6,85 8,68 9,17 8,45 7,65 7,57 60% 50% 40% Others (%) MX (%) NS (%) AAAA (%) A (%) 30% 20% 10% 0%

15 Passive measurements results (3) 300 Number of DNSSEC- signed delega,ons (DS) Nb DS

16 Conclusion & Prospective Work DNSwitness is a generic measurements platform used in different contexts for different needs It has served multiple purposes so far The platform is running in production at AFNIC premises Will evolve continuously in order to answer new needs Collaboration with researchers Define metrics and get periodic measurements Put together results and get a joint analysis activity for a complete and long-term view New developments for: Additional resilience indicators measurements Additional services penetration rate measurements Added-value services for AFNIC and third parties 16

17 Merci! Twitter Facebook : afnic.fr