PEQ-DNS: A Platform for DNS Quality Monitoring

DNS Monitoring Challenges [1/2]
- The DNS is a complex distributed system that requires a distributed (per DNS server) monitoring system.
- Monitoring usually focuses on aggregated metrics (e.g. number of good/bad queries, zone transfers) that are the key indicators of service provisioning health.

DNS Monitoring Challenges [2/2]
- For network operators, DNS monitoring is a way to verify that name resolution is working well (as a service).
- For domain registries, in addition to running the ccTLD servers, it is compulsory to make sure that the overall DNS infrastructure is in good health.

DNS Health For Operators
- Provide DNS name resolution with:
  - Low response time
  - Robustness (no downtime)
  - Ability to resist attacks
- Filter invalid DNS packets (e.g. buffer overflow, invalid requests) in order to identify the source of potential issues that might be mitigated.

DNS Health For Registries
In addition to the previous goals they also need to:
- Avoid distributing inaccurate information that might lead to bad service quality.
- Identify invalid or inaccurate DNS registration records and report them to registrars.
- Deploy a DNS infrastructure matching the expected service levels and robustness.

Monitoring Health [1/2]
Health monitoring requires:
- Validation of the information distributed by DNS servers by means of periodic checks of record consistency and configuration.
- Monitoring DNS server response time, geographical location and service availability over time.

Monitoring Health [2/2]
A healthy DNS infrastructure must also:
- Place DNS servers on networks where service availability is guaranteed even in case of disaster/security breach.
- Monitor suspicious/excessive requests in order to slow down or block the requestors.
- Identify DNS scanners that load the infrastructure and might use the collected information for other purposes (e.g. spam).

What is PEQ-DNS?
- Years ago the .it Registry decided to start a project whose goal is DNS health monitoring.
- PEQ-DNS is a distributed monitoring platform developed by the .it Registry, aimed at measuring DNS health by combining static registration analysis with live traffic monitoring.

Static DNS Validation [1/2]
- Identification of misconfigured DNS servers (e.g. lame delegation, zone check).
- Route analysis for reaching DNS servers in order to evaluate their resiliency to disasters (overlapping server discovery).
- Risk analysis (if a DNS fails, how many domains are affected by the failure).

Static DNS Validation [2/2]
[Figure panels: Risk in Case of Network Failure; Risk in Case of Server Failure]

PEQ-DNS Traffic Console

PEQ-DNS DNS Console [1/2]

PEQ-DNS DNS Console [2/2]
[Architecture diagram; labels: Web User, Web Console, Live DNS Traffic, SQL and TSDB (TimeSeries Database)]

NXDOMAIN [1/3]

NXDOMAIN [2/3]
[Screenshot: Per-query Statistics; columns: Client IP, Client ASN, DNS Request, Query Number]

Queries: ASN Statistics
[Chart: Per-ASN DNS Statistics; series: NXDOMAIN Queries, Good Queries]

DNS Clients Geolocation
- Information used for statistical purposes and for placing DNS servers in the most appropriate places for serving requests.

NXDOMAIN vs Bad Requests
- In order to trigger alarms, we need to figure out whether a certain request was misspelled or completely wrong.
- Alarms can be triggered only if false positives are very limited. This can be achieved by identifying and isolating ordinary errors.
- Levenshtein distance is used to compare the request with the real registered domain.

Ordinary Errors (NXDOMAIN)
- Misspelled: rossoalicwe.it (correct: rossoalice.it)
- Nonexistent: ilballodelpimpolho.it (nonexistent domain, but ilballodelpimpolho is a popular Google match)
- Human requests: www.film%20tv.it, www.ferrovie%20dello%20stato.it
- Electronic requests: _ldap._tcp $e52fced9-8106-48a0-9c86-69c5d32d8c92.domains._msdcs.itcge.it
- Email addresses used in Web navigation: zazzu89@hotmail.it

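Added example (not part of the original slides and not PEQ-DNS code): one way to sort NXDOMAIN query names into the ordinary-error categories listed above, using Levenshtein distance against registered domains for the misspelling case. The REGISTERED sample set, the max_distance threshold of 2, the category labels and the matching rules are assumptions; the electronic-request name is a simplified form of the one on the slide.

```python
from collections import Counter

# Constructed sample of registered names; a registry would load its own zone data.
REGISTERED = {"rossoalice.it", "example.it", "esempio.it"}

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute), row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]

def classify_nxdomain(qname, registered=REGISTERED, max_distance=2):
    """Return (category, nearest registered domain or None).

    Assumes qname already received NXDOMAIN, so its domain is not registered.
    """
    q = qname.lower().rstrip(".")
    if "@" in q:
        return "email_address", None        # address typed where a host name was expected
    if "%20" in q or " " in q:
        return "human_request", None        # free text typed into a browser
    if any(label.startswith("_") for label in q.split(".")):
        return "electronic_request", None   # service-discovery names such as _ldap._tcp
    domain = ".".join(q.split(".")[-2:])    # assumes names registered directly under the TLD
    # sorted() makes the choice deterministic when two domains are equally close
    nearest = min(sorted(registered), key=lambda r: levenshtein(domain, r))
    if levenshtein(domain, nearest) <= max_distance:
        return "misspelled", nearest
    return "nonexistent", None

def summarize(qnames):
    """Count NXDOMAIN queries per category."""
    return Counter(classify_nxdomain(q)[0] for q in qnames)

# Query names from the slide's examples (the _ldap name is simplified).
SAMPLE = ["rossoalicwe.it", "ilballodelpimpolho.it", "www.film%20tv.it",
          "_ldap._tcp.domains._msdcs.itcge.it", "zazzu89@hotmail.it"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, classify_nxdomain(name))
    print(summarize(SAMPLE))
```

The linear scan over the registered set is for illustration; at registry scale the candidate set would need to be narrowed before computing distances.
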
NXDOMAIN Analysis (Future)
[Chart: Domain Registration vs NXDOMAIN (%), July to November]

DNS Server Statistics
- 2,1 DNS servers per Internet domain (average)
[Pie charts: Domains with / w/o MX record; Domains with / w/o Web site. Values shown: 7%, 2%, 93%, 98%]

DNS Server Statistics (cont)
[Pie charts: Domains with IPv4 DNS only / Domains with IPv4/v6 DNS; DNS Queries IPv4 / DNS Queries IPv6. Values shown: 5%, 2%, 95%, 98%]

DNS Server Statistics (cont)
[Pie charts: Overlapping / Non Overlapping; Critical Overlapping / Non Critical Overlapping. Values shown: 5%, 46%, 54%, 95%]

Registrars Ranking

Conclusions
- We developed a near-realtime open-source DNS monitoring system that, contrary to similar tools, is able to handle hundreds of millions of flows/day using low-end commodity hardware.
- Collected data are used to highlight trends in DNS usage.
- We provide feedback to registrars as well as highlight service anomalies.
- Your feedback is warmly welcome!