DNS Rex Do you need an aggressive benchmark?

Similar documents
USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

SIDN Server Measurements

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

Blocking DNS Messages is Dangerous

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

High-Performance DNS Services in BIG-IP Version 11

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Deploying IP Anycast. Core DNS Services for University of Minnesota Introduction and General discussion

Acquia Cloud Edge Protect Powered by CloudFlare

dnsperf DNS Performance Tool Manual

Use Domain Name System and IP Version 6

CloudFlare advanced DDoS protection

The Root of the Matter: Hints or Slaves

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

STARTER KIT. Infoblox DNS Firewall for FireEye

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

Array Networks NetContinuum. Netli. Fine Ground. StrangeLoop. Akamai. Barracuda. Aptimize. Inkra. Nortel. Juniper. Cisco. Brocade/Foundry.

Web DNS Peer-to-peer systems (file sharing, CDNs, cycle sharing)

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

IPv6 and DNS. Secure64

Georgia College & State University

Defending against DNS reflection amplification attacks

Scale your DNS Infrastructure Ensure App and Service Availability. Nigel Ashworth Solution Architect EMEA

SCALABILITY AND AVAILABILITY

IPv6 and DNS. Secure64

Global Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

Scalable Internet Services and Load Balancing

DNS at NLnet Labs. Matthijs Mekking

Network Infrastructure Under Siege

Huawei Network Edge Security Solution

WHITE PAPER. Infoblox IPAM Integration with Microsoft AD Sites and Local Services

Eudemon8000E Anti-DDoS SPU

DNS Best Practices. Mike Jager Network Startup Resource Center

DoS: Attack and Defense

Business Case for S/Gi Network Simplification

How To Protect A Dns Authority Server From A Flood Attack

Scalable Internet Services and Load Balancing

PEQ-DNS A Platform for DNS Quality Monitoring

Alteon Global Server Load Balancing

Configuration Notes 0215

AMAZON S3: ARCHITECTING FOR RESILIENCY IN THE FACE OF FAILURES Jason McHugh

A versatile platform for DNS metrics with its application to IPv6

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Distributed Denial of Service Attack Tools

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

STATE OF DNS AVAILABILITY REPORT

Computer Networks CCNA Module 1

Measures to Protect (University) Domain Registrations and DNS Against Attacks. Dave Piscitello, ICANN

DDoS Protection on the Security Gateway

Global Server Load Balancing

Recommendations for dealing with fragmentation in DNS(SEC)

Network Monitoring and Traffic CSTNET, CNIC

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Testing L7 Traffic Shaping Policies with IxChariot IxChariot

Tuning Tableau Server for High Performance

4 Delivers over 20,000 SSL connections per second (cps), which

Powering the Internet of Things: SDN/NFV Architectures

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

A Survey of cctld DNS Vulnerabilities. ITU cctld Workshop March 3, 2003

Network Security Demonstration - Snort based IDS Integration -

H3C Firewall and UTM Devices DNS and NAT Configuration Examples (Comware V5)

Computer Networks: Domain Name System

The Importance of a Resilient DNS and DHCP Infrastructure

DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come!

AntiDDoS1000 DDoS Protection Systems

Domain Name System (DNS) Fundamentals

RSSAC Recommendation on Measurements of the Root Server System RSSAC 002

WHITEPAPER. Designing a Secure DNS Architecture

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Copyright 1

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

VALIDATING DDoS THREAT PROTECTION

Business Case for a DDoS Consolidated Solution

The F5 Intelligent DNS Scale Reference Architecture.

TRACE PERFORMANCE TESTING APPROACH. Overview. Approach. Flow. Attributes

DNS Caching Krytyczna infrastruktura operatora i ostatni element układanki

TECHNICAL WHITE PAPER. Infoblox and the Relationship between DNS and Active Directory

Global Server Load Balancing (GSLB) Concepts

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

How To Block A Ddos Attack On A Network With A Firewall

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

DATA COMMUNICATOIN NETWORKING

Predictability of Windows DNS resolver. ing. Roberto Larcher robertolarcher@hotmail.com

CommuniGate Pro White Paper. Dynamic Clustering Solution. For Reliable and Scalable. Messaging

Security F5 SECURITY SOLUTION GUIDE

Handling Flash Crowds From Your Garage

DOMAIN NAME SECURITY EXTENSIONS

MEASURING WORKLOAD PERFORMANCE IS THE INFRASTRUCTURE A PROBLEM?

Annexure - " SERVICE REQUIREMENTS"

Infoblox Inc. All Rights Reserved. Securing the critical service - DNS

Single Pass Load Balancing with Session Persistence in IPv6 Network. C. J. (Charlie) Liu Network Operations Charter Communications

Implementing and Managing Windows Server 2008 Clustering

Transcription:

DNS Rex Do you need an aggressive benchmark? Alex Rousskov The Measurement Factory

DNS Rex At a Glance A performance test tool for DNS resolvers. Born 2009 A.D. (Cenozoic Era). Designed to intimidate powerful resolvers. Could also quickly poison caching resolvers. Mission accomplished! Publicly released and dormant since 2012. Will fossilize without demand and more work.

Why a yet another DNS benchmark? We said no more than once, but... Most tools focused on authoritative servers. Also needed to test cache poisoning defenses. Most tools were slow, unreliable, or shady. Angst and distrust among resolver engineers (see Exhibit A). Experience creating HTTP performance tools; it was easy for us to detect/foresee problems.

Exhibit A: Testing Resolver X Tool A's conclusion: Maximum throughput: 22'346 qps Lost at that point: 24% Tool B's conclusion: Sustained throughput: 120'000 qps Transaction errors: 0 Argh!..

Why a yet another DNS benchmark? We said no more than once, but...... gave up and wrote what we needed.

Why no progress since ~2007? (a speculation) Easy problems have been solved (in 3K LOC): send UDP queries at an increasing rate bail on errors RELEASE_NOTES: January 10, 2008 Known Issues: None.

... Since ~2007 No more automagic performance improvement! MUST use threads for reasonable scale Remaining problems are much harder: fundamental benchmarking problems threading is difficult enough on its own solving hard problems while threading is harder Past tool suppliers have to focus on survival. Insufficient demand???

... but if we want to move forward What would an ideal tool for measuring caching resolver performance be?

Ideal: Persistence sustaining load for longer than a few minutes The 3 million record query file has been replaced with a 10 million record query file as 3 million records were not enough for a full run on modern hardware. 2012 testing instructions 10M / 100K QPS = 100 seconds

Ideal: Persistence sustaining load for longer than a few minutes The longest single attack lasted nine days and 11 hours. NSFOCUS DDoS Threat Report

Ideal: Scalability SMP Scalability: faster than any resolver on similar hardware but since there is custom and $$$ hardware... Swarm ability: test synchronization and results aggregation across off the shelf and/or cheaper drones

Ideal: Scalability worst case scenario? The single largest attack [rate was] 23 million PPS. NSFOCUS DDoS Threat Report

Ideal: Cache Awareness ability to offer any configured hit ratio offered hit ratio is a ratio of hits that would be served by a perfect infinite cache relatively short traces: 100% offered hit ratio infinitely long traces: X% offered hit ratio

Ideal: Slowness simulating authoritative server problems: response delays packet drops NXDOMAIN bad referrals errors

Ideal: Independence no 3 rd party authoritative servers: slow (what are you testing?) difficult to configure correctly for the test difficult to replicate limited statistics the real ones do not want to be attacked no resolver libraries? no resolver developers???

Ideal: Protocol Features IPv6 TCP DNSSEC (1000s of generated signed zones!) NXDOMAIN (hijacking infrastructure tests???)

Ideal: Ease of use configuration files awareness and assessment of test environment detailed performance reports GUI???

Ideal: Other Not detailing several key properties/features: reliability (but see Exhibit A) realism cost flexibility (scriptability??) portability openness?

DNS Rex vs The Ideal (marketing) Reliability Persistence Scalability Cache Awareness Slowness Independence IPv6 TCP DNSSEC Ease of use

¾ Reliability... Rex needs more exposure/testing to be sure Persistence ½ Scalability... Rex supports SMP scale but not swarming ¾ Cache Awareness only 0% and 100% hit ratio is configurable ¾ Slowness... configurable think time but not error ratio Independence IPv6... mostly ready but lacking configuration TCP DNS Rex vs The Ideal (reality) ⅕ DNSSEC... sends DO but relies on manual zone signing ½ Ease of use... Rex has config file, detects overload, but...

What's Next? Leave DNS Rex as is, allowing it to die? or Relaunch the project? focusing on what features?

Feedback Alex Rousskov The Measurement Factory info@measurement factory.com http://rex.measurement factory.com/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information