DNS Measurements, Monitoring & Quality Control

Similar documents

K-Root Name Server Operations

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Root zone update for TLD managers Mexico City, Mexico March 2009

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

IPv6 Support in the DNS. Workshop Name Workshop Location, Date

Measurements and Laboratory Simulations of the Upper DNS Hierarchy

IPv6 Support in the DNS. Workshop Name Workshop Location, Date

IPv6 support in the DNS

IANA Functions to cctlds Sofia, Bulgaria September 2008

A New Look at the Old Domain Name System

Computer Networks: Domain Name System

Telecom and Internet Regulatory Challenges and Opportunities Names, Numbers, Internet Governance

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

IPv6 Support in the DNS

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

RIPE Atlas. Philip Smith Network Startup Resource Center (NSRC) PacNOG 16 1 st December 2014, Honiara, Solomon Islands

Use Domain Name System and IP Version 6

A Survey of cctld DNS Vulnerabilities. ITU cctld Workshop March 3, 2003

Network Infrastructure for Critical DNS. Steve Gibbard

Domain Name Industry. Comparing ZA with the rest

Pre Delegation Testing (PDT) Frequently Asked Questions (FAQ)

An Introduction to the Domain Name System

DNS and BIND. David White

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Introduction to the Domain Name System

NET0183 Networks and Communications

Current Counter-measures and Responses by the Domain Name System Community

Whats Wrong With The DNS

DNSMON. DNS Server Monitoring. RIPE NCC March 23, 05

APNIC IPv6 Deployment

A versatile platform for DNS metrics with its application to IPv6

The Canadian Internet Registration Authority (CIRA) manages a 100% up time service - the.ca domain name registry for over 2.

Basic DNS Course. Module 1. DNS Theory. Ron Aitchison ZYTRAX, Inc. Page 1 of 24

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, DNS & IPv6.

Best Practices in DNS Anycast Service-Provision Architecture. Version 1.1 March 2006 Bill Woodcock Gaurab Raj Upadhaya Packet Clearing House

The Internet Ecosystem and ICANN!! Steve Stanford University, Center for Information and Society! 29 April 2013!

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

Public-Root Name Server Operational Requirements

Introduction to The Internet. ISP/IXP Workshops

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

The IANA Functions. An Introduction to the Internet Assigned Numbers Authority (IANA) Functions

The Internet Domain Name System Explained for Non- Experts

State of the Cloud DNS Report

A Plan for the Continued Development of the DNS Statistics Collector

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

State of the Cloud DNS Report

Domain Name System. CS 571 Fall , Kenneth L. Calvert University of Kentucky, USA All rights reserved

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

Security in the Network Infrastructure - DNS, DDoS,, etc.

Kim Davies Internet Assigned Numbers Authority

DNS Security Survey for National Computer Security Incident Response Teams December 2010

High-Performance DNS Services in BIG-IP Version 11

Conexim DNS Administrator s Guide

Why Managed DNS Services

Introduction to The Internet

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

DOMAIN NAME SYSTEM (DNS)

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

THE DOMAIN NAME INDUSTRY BRIEF VOLUME 11 ISSUE 1 APRIL 2014

The Future of DNS. Johan Ihrén Netnod. October 15,

PLAN FOR ENHANCING INTERNET SECURITY, STABILITY, AND RESILIENCY

Topic 1: Internet Architecture & Addressing

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

Response to Solicitation Number: SA R-P0-016

Operation of the Root Name Servers

DNSSEC in your workflow

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS

DNS Queries And IPv6 Root Servers

F-Root's DNSSEC Signing Plans. Keith Mitchell Internet Systems Consortium DNS-OARC NANOG48, Austin, 24 th Feb 2010

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. Duisburg, June 19, 2015

Securing DNS Infrastructure Using DNSSEC

DNSSEC Deployment a case study

On the Use of Anycast in DNS

RIPE Policy Development Process

A Quick Introduction to the Domain Name System

DNS Domain Name System

Final. Dr. Paul Twomey President and Chief Executive Officer Internet Corporation for Assigned Names and Numbers (ICANN)

.np cctld updates Presented By Eswari Prasad Sharma Rakeshman Karmacharya

How To Understand The Power Of A Content Delivery Network (Cdn)

DNS Session 4: Delegation and reverse DNS. Joe Abley AfNOG 2006 workshop

Network Infrastructure for Critical DNS. Steve Gibbard

mydnsipv6 Success Story

ICANN: achievements and challenges of a multi-stakeholder, bottom up, transparent model

Accommodating IP Version 6 Address Resource Records for the Root of the Domain Name System

JPNIC Public Forum. Paul Vixie. Chairman, Internet Software Consortium. January 21, 2003

RSSAC Recommendation on Measurements of the Root Server System RSSAC 002

Designing and Implementing a Server Infrastructure

Guide to Name Collision Identification and Mitigation for IT Professionals. 1 August 2014 Version 1.1

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

TECHNICAL REPORT Network Technologies (NTECH); Description of the DNS protocol usage in IP based operators networks

Strengthening our Ecosystem through Stakeholder Collaboration. Jia-Rong Low, Sr Director, Asia 20 August 2015

Internet-Praktikum I Lab 3: DNS

DNS Rex Do you need an aggressive benchmark?

ISP Systems Design. ISP Workshops. Last updated 24 April 2013

Q3 State of DNS Report DNSSEC Deployment in.gov

Practical DNS Operations

Designing and Implementing a Server Infrastructure MOC 20413

The Domain Name System: An Integral Part of the Internet. By Keiko Ishioka

Transcription:

DNS Measurements, Monitoring & Quality Control Universität Bielefeld pk@techfak.uni-bielefeld.de CENTR General Assembly Budapest, 2003-06-02 CENTR GA 2003-06-02 DNS Monitoring 1 of 18

The Monitor Some Bad News (headlines, at least) Facts behind the News How to investigate Thoughts on prevention CENTR GA 2003-06-02 DNS Monitoring 2 of 18

News at eleven More than 80% of all TLD and Root nameservers are vulnerable! (anonymous) CENTR GA 2003-06-02 DNS Monitoring 3 of 18

DNS Why bother? DNS is critical infrastructure often overlooked, but easy to understand more visible and accessible than other parts of that infrastructure proven scalability and redundancy many new tasks out there Overloading the Saddlebags of an Old Horse (Randy Bush) CENTR GA 2003-06-02 DNS Monitoring 4 of 18

New Challenges IDN Internationalisation expect more queries for non compliant hostnames, longer names DNSSEC Data Origin Authentication larger packets, more latency ENUM Phone Numbers hierarchy, again IPv6 A6 RRs and IP6.ARPA query volume, namespace fragmentation CENTR GA 2003-06-02 DNS Monitoring 5 of 18

What to look at? Server availability, responsiveness Server response times Query volume and patterns Zone quality CENTR GA 2003-06-02 DNS Monitoring 6 of 18

Availability Monitoring Are your servers alive? Do all your slave servers still exist? Do servers respond (locally)? Are their answers authoritative? Are they in sync? ( DNS zone convergence times) CENTR GA 2003-06-02 DNS Monitoring 7 of 18

Who s out there? Cooperative Association for Internet Data Analysis (CAIDA) RIPE NCC TTM RIPE DNS Hostcount TLD led initiatives, e.g. AFNIC s zonecheck DNS ISAC (Information Sharing and Analysis Center) The Matrix, Men & Mice,... CENTR GA 2003-06-02 DNS Monitoring 8 of 18

CAIDA s passive measurements NeTraMet listening to DNS packets only Meter sites: Auckland, Colorado, San Diego ( far end of the net) Measures RTT Compared cctlds with Root and gtlds cctld s servers receive less queries than gtlds Servers covering multiple cctlds Busiest cctlds inspected Nevil Brownlee looking for more meter sites CENTR GA 2003-06-02 DNS Monitoring 9 of 18

Single server monitoring Watch query patterns (and maybe responses) at single server... including all anycast instances CENTR GA 2003-06-02 DNS Monitoring 10 of 18

Server Anycasting multiple instances, topologically distributed server load distribution increased DDoS resilience documented in RFC 3258 deployed for certain Root Nameservers... and some TLD servers also attractive for cctld servers CENTR GA 2003-06-02 DNS Monitoring 11 of 18

Operational advantages by measurement & monitoring Both recent F measurements (Nemeth, Wessels) suggest limited number of high volume culprits find out which sloppy software and/or configuration costs your money microsoft.com problems first noted at COM servers reachability in remote parts of the network is service not only to remote users but also to your customers CENTR GA 2003-06-02 DNS Monitoring 12 of 18

DNS quality in and around RIPE NCC: Active measurements, stay tuned for next slide show DNS WG technical DNS quality on sub TLD levels collect, compile and evaluate set of tests for pre-delegation checks DNS Hostcount long standing data collection growth statistics some postprocessing looking for error patterns and habits CENTR GA 2003-06-02 DNS Monitoring 13 of 18

DNS checks AFNIC has published zonecheck Service freely available on the web: http://zonecheck.nic.fr/v2/ Hostcount data shows lots of problems Responsibilities for technical quality below TLD Problems at 2nd or 3rd level may affect innocent third parties Additional service vs. necessary monitoring Participate in test collection and evaluation CENTR GA 2003-06-02 DNS Monitoring 14 of 18

What is all this measuring good for? Registry resource planning Registry operations and incident response Customer service QoS documentation Deployment support Directions for future DNS work CENTR GA 2003-06-02 DNS Monitoring 15 of 18

Example (DE): Effects of Server Deployment http://www.denic.de/images/nameserver.pdf CENTR GA 2003-06-02 DNS Monitoring 16 of 18

A Plea do (support) research (have someone) monitor your servers and service share and publish results coordinate measurements CENTR GA 2003-06-02 DNS Monitoring 17 of 18

?! CENTR GA 2003-06-02 DNS Monitoring 18 of 18