Network Infrastructure for Critical DNS. Steve Gibbard http://www.stevegibbard.com scg@stevegibbard.com

Similar documents
Network Infrastructure for Critical DNS. Steve Gibbard

F root anycast: What, why and how. João Damas ISC

K-Root Name Server Operations

DNS Measurements, Monitoring & Quality Control

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

JPNIC Public Forum. Paul Vixie. Chairman, Internet Software Consortium. January 21, 2003

Four Reasons To Outsource Your DNS

A Survey of cctld DNS Vulnerabilities. ITU cctld Workshop March 3, 2003

The Canadian Internet Registration Authority (CIRA) manages a 100% up time service - the.ca domain name registry for over 2.

Best Practices in DNS Anycast Service-Provision Architecture. Version 1.1 March 2006 Bill Woodcock Gaurab Raj Upadhaya Packet Clearing House

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

RIPE Atlas. Philip Smith Network Startup Resource Center (NSRC) PacNOG 16 1 st December 2014, Honiara, Solomon Islands

The curse of the Open Recursor. Tom Paseka Network Engineer

REVIEW AND ANALYSIS OF INTERNET TRAFFIC AND ITS IMPLICATIONS ON THE ROOT NAME SERVER ARCHITECTURE

ISP Systems Design. ISP Workshops. Last updated 24 April 2013

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

THE DOMAIN NAME INDUSTRY BRIEF VOLUME 11 ISSUE 1 APRIL 2014

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

DNS/Hostmaster Architecture for the Greek Network of Health

Application Note. SIP Domain Management

Distributed Systems. 22. Naming Paul Krzyzanowski. Rutgers University. Fall 2013

The Future of DNS. Johan Ihrén Netnod. October 15,

Measuring the Placement of DNS Servers in Top-Level-Domain

DNS Security Survey for National Computer Security Incident Response Teams December 2010

Why Managed DNS Services

Names vs. Addresses. Flat vs. Hierarchical Space. Domain Name System (DNS) Computer Networks. Lecture 5: Domain Name System

GLOBAL SERVER LOAD BALANCING WITH SERVERIRON

BUENOS AIRES ccnso Secure Communication for cctld Incident Response Working Group [C]

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

The Internet Ecosystem and ICANN!! Steve Stanford University, Center for Information and Society! 29 April 2013!

How To Understand The Power Of A Content Delivery Network (Cdn)

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

The OpenDNS Global Network Delivers a Secure Connection Every Time. Everywhere.

State of the Cloud DNS Report

The Domain Name Industry Brief

We keep internet traffic flowing Frank Ip VP of Marketing and Business Development

INTERNET DOMAIN NAME SYSTEM

Company Overview. October 2014

Lecture 2 CS An example of a middleware service: DNS Domain Name System

Miami KeyCenter Empowering you to do more

Network Layers. CSC358 - Introduction to Computer Networks

Miami KeyCenter Empowering you to do more

NET0183 Networks and Communications

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Measuring the Web: Part I - - Content Delivery Networks. Prof. Anja Feldmann, Ph.D. Dr. Ramin Khalili Georgios Smaragdakis, PhD

Root zone update for TLD managers Mexico City, Mexico March 2009

The Collateral Damage of Internet Censorship by DNS Injection

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies APNIC th August 2013

WHITE PAPER. DNS: Key Considerations Before Deploying Your Solution

Building Nameserver Clusters with Free Software

Overview of DNSSEC deployment worldwide

State of the Cloud DNS Report

SIP-IX NeuStar. March 22, 2006

APNIC IPv6 Deployment

The IANA Functions. An Introduction to the Internet Assigned Numbers Authority (IANA) Functions

DNS Tampering and Root Servers

new gtlds: WHAT DO THEY MEAN FOR YOUR BUSINESS? Jim Reid

The Internet Domain Name System Explained for Non- Experts

How To Map Between Ip Address And Name On A Domain Name System (Dns)

CMPD 323 DATA COMMUNICATION & COMPUTER NETWORKS. Chapter 5: Network Design and Troubleshooting Scenarios

Internet Structure and Organization

Brief Engineering Assessment: Cost estimate for building fiber optics to key anchor institutions

Connect Intelligence. Performance intelligence for your application delivery chain. BT Connect Networks that think

DNS use guidelines in AWS Jan 5, 2015 Version 1.0

CMPE 80N: Introduction to Networking and the Internet

State of the Cloud DNS Report. Basic Edition April 2014

Securing DNS Infrastructure Using DNSSEC

Telecom and Internet Regulatory Challenges and Opportunities Names, Numbers, Internet Governance

HW2 Grade. CS585: Applications. Traditional Applications SMTP SMTP HTTP 11/10/2009

Application. Transport. Network. Data Link. Physical. Network Layers. Goal

Internet Security and Resiliency: A Collaborative Effort

Deploying IP Anycast. Core DNS Services for University of Minnesota Introduction and General discussion

WHAT SERVICES ARE ACCESSIBLE VIA IPV6? Mark Prior Liaison Asia Pacific Research & Education Community Juniper Networks

A Plan for the Continued Development of the DNS Statistics Collector

Enterprise Buyer Guide

Enterprise Architecture Office Resource Document Design Note - Domain Name System (DNS)

CMPE 80N: Introduction to Networking and the Internet

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

STATE OF DNS AVAILABILITY REPORT

Tunnel Broker System Using IPv4 Anycast

IPv6 Support in the DNS. Workshop Name Workshop Location, Date

Executive Summary. Internet Traffic and Capacity

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

IPv6 support in the DNS

IP Connectivity Dedicated servers Co-location in data centers

BGP and Traffic Engineering with Akamai. Christian Kaufmann Akamai Technologies MENOG 14

Ensuring Business Continuity and Disaster Recovery with Coyote Point Systems Envoy

Copyright

UAEnic at a Glance. Abdulla A. Hashim UAEnic Manager hashim@nic.ae. inet MEA Regional Conference. Cairo, Egypt, 8 May 2005

Service: Cloud Web Filtering and Malware Protection Aruba Instant Integration + Certified for Interop on Campus and RAP

INOC-DBA Hotline Phone System

The Case for Pushing DNS

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE Computer Network Analysis and Design Slide 1

THE DOMAIN NAME INDUSTRY BRIEF VOLUME 10 - ISSUE 1 - APRIL 2013

IT 3202 Internet Working (New)

Transcription:

Network Infrastructure for Critical DNS Steve Gibbard http://www.stevegibbard.com scg@stevegibbard.com

Introduction Mixing two talks: Infrastructure Distribution Where are DNS servers for cctlds? DNS network architecture Where and how should name servers be connected? Focusing on network infrastructure Lots of important stuff happens on the servers too, but that s not my area.

DNS is critical infrastructure Without DNS, nothing else works. Authoritative DNS needs to be as reliable as the most reliable parts of the network. DNS is a hierarchy. For a domain name to work, its servers and those for all zones above it must be reachable.

Reliability is best close to authoritative servers There s less to break between the server and the user. Response times are faster.

gtlds Focus Mostly on Core Out of date.com/.net map (from March, 2007)"

cctlds are location-based They re depended on by users in their countries. They may be used in neighboring/trading partner countries. People outside may not care much. It s somewhat obvious where they should be reliable. Local root servers are needed too.

Network partitions In a network partition, it s good if local stuff keeps working. In satellite-connected regions, international connectivity breaks frequently. Outages are rarer in fiber-connected regions, but last longer. Local phone calls work without international connectivity. Local Internet should too.

DNS look-ups around the world Pakistan and.pk Root look-ups handled locally, but cctld look-up are handled in the US. Karachi has a root server..pk in UUNet and ev1servers networks in US. Kenya and.ke Root and TLD look-ups are handled locally. Nairobi has multiple root servers..ke is hosted in Kenya and elsewhere.

Notable incidents Sri Lanka (2004) International fiber was cut in Colombo harbor. Press reports described an outage of Internet and long distance phone service. cctld hosted locally, but no root server. Burma/Myanmar (2007) International connectivity was cut off by the government. Local connectivity kept working..mm worked inside but not outside.

Root Server Coverage

cctld Distribution: Just over 2/3 of cctlds are hosted in their own countries. (but a lot of those that aren t are for really tiny countries).

Countries with local cctlds (green) old data

cctlds not hosted in core (old data).ax -- Aland Islands.MQ -- Martinique.BB -- Barbados.NF -- Norfolk Island.BH -- Bahrain.PA -- Panama.CK -- Cook Islands.PF -- French Polynesia.CN -- China.QA -- Qatar.EC -- Ecuador.SR -- Suriname9.GF -- French Guiana.TJ -- Tajikistan.KW -- Kuwait.YE -- Yemen.MP -- Northern Mariana.ZM -- Zambia Islands List used to include.bd - Bangladesh -- Now fixed.

Building DNS infrastructure Goals How to build it Topology Redundancy

Goals Who are you trying to serve? Local users? Users in other local areas? The rest of the Internet? Your region s topology: Is everything well-connected, or a bunch of islands? Servers in central location, or lots of places?

Whose infrastructure? Your own? Somebody else s? Free global anycast services for cctlds provided by ISC, PCH, others Several commercial anycast operators Lots of free unicast options Easy way to get large-scale global-build Mixture? Your own servers in areas that matter most to you Somebody else s global footprint

Where to put the servers In country At a central location -- an exchange point? One in each ISP? At a common uplink location (like Miami for Latin America)? In the rest of the world: At major Internet hubs? At the other end of your ISPs international links?

Unicast/anycast: This is mostly an issue of scale. For small numbers of servers, unicast works well. Anycast is required for larger numbers of servers.

Anycast topology -- keeping traffic local Backbone engineers are often good at keeping local traffic local. Use consistent peering/transit, hot potato routing. Unicast operators don t need to think about this. Anycast DNS operators aren t so good at this. Anycast looks like a backbone. Plugging servers into random networks is done in pursuit of network diversity. Networks send traffic to customers first, regardless of geography.

J-Root in Bay Area There are local J-Root servers in Mountain View and San Francisco. Queries from 3 Bay Area hosts are responded to by: jns2-kr jluepe2-elmad1 jns2-elyyz

Anycast can keep traffic local If designed like a backbone. Consistent transit should be gotten from global ISPs. Peering only locations are good too, but peer with peers in all areas of overlap. No transit from non-global providers.: Insist on being treated like a peer.

Queries with consistent transit Palo Alto" Ashburn London" Hong Kong

Redundancy More servers are better than fewer, if they re manageable. There s no contradiction between using your own servers and outsourcing. Monitoring: Check zone serial numbers on all servers frequently. If using anycast, monitor individual unicast management addresses.

Further reading DNS infrastructure distribution http://www.stevegibbard.com/dns-distribution-ipj.pdf Observations on anycast topology and performance. http://www.stevegibbard.com/anycast-performance.pdf

Thanks! Steve Gibbard http://www.stevegibbard.com scg@stevegibbard.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information