Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia

Presentation transcript:

Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia Petar Bojović Faculty of computer science, Union University in Belgrade,

TNC2013 Introduction – Why DNS?
- DNS – the first and still basic infrastructural network service
- Must be always up and running
- Multi-redundant
- DNS is “boring” for net admins, compared to other newer services
- Usually works well, at least nobody complains…
- Do ALL our DNS servers work well?
- DNS testing tools:
  - DIG can give all the answers…
  - … but it is highly difficult to cross-check and analyze a lot of textual data
  - DNS Squish, DNS Sleuth, DNS Stuff, DNSgoodies…
- ICmyNet.DNS
  - Tests all DNS servers involved in resolution of the specified domain, including all servers on all parent domains
  - Free online service –

Example – ICmyNet.DNS: Proper DNS configuration

Example - ICmyNet.DNS: Server is not responding

Example - ICmyNet.DNS: Server is not responding

Example - ICmyNet.DNS: Unsynchronized SOA

Example – ICmyNet.DNS: Non-authoritative server

Example – ICmyNet.DNS: Loops

Security issues
- March, 2013, AMRES
  - 5 DNS servers with open resolver (recursion) were used for a massive DDoS attack - DNS Amplification Attacks
- April, 2009, AMRES
  - One DNS server was used to attack 9 DNS servers
- December, 2012, RS TLD
  - Register was broken, ~80 popular domains were hacked
- January, 2001, Microsoft
  - All the authoritative servers became inaccessible

What we have done?
A number of DNS checks are defined in compliance with RFC standards and recommendations:
- UDP/TCP response
- Authority
  - Parent servers refer to non-authoritative server
  - Parent servers do not refer to authoritative server (Stealth)
  - Resolution loop - referral answer from non-authoritative server
- Consistency with the parent servers
  - Glue Record
  - A records are inconsistent
- Public zone transfer
- Recursion (Open resolver)
- SOA
  - Synchronization
  - timers
- MX records
- A records for WWW and the domain
- IPv6 - AAAA records
- DNSSEC
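Several of the checks on this slide can be expressed as rules over what each name server returned. The following is an added example, not code from the presentation or from ICmyNet.DNS: the names Probe and audit, the example.test hosts and the 192.0.2.x addresses are assumptions, and the observations are constructed rather than measured (in practice they would come from dig or a resolver library).

```python
import ipaddress
from typing import NamedTuple, Optional

class Probe(NamedTuple):
    """What one name server returned for the audited zone (constructed data)."""
    ip: str
    udp: bool               # answered a SOA query over UDP/53
    aa: bool                # answer carried the Authoritative Answer flag
    ra: bool                # offered recursion to an outside client
    axfr: bool              # allowed a zone transfer to an outside client
    serial: Optional[int]   # SOA serial returned, None if no answer

def audit(parent_ns, probes):
    """Return sorted (problem, subject) findings for one delegated zone."""
    found = []
    for name, p in probes.items():
        delegated = name in parent_ns       # listed in the parent zone's NS set
        if delegated and not p.udp:
            found.append(("non-responding UDP", name))
        elif delegated and not p.aa:
            found.append(("non-authoritative", name))
        if p.aa and not delegated:
            found.append(("stealth", name))
        if p.ra:
            found.append(("open resolver", name))
        if p.axfr:
            found.append(("public zone transfer", name))
    # Authoritative servers must agree on the SOA serial.
    serials = {p.serial for p in probes.values() if p.aa and p.serial is not None}
    if len(serials) > 1:
        found.append(("unsynchronized SOA", "zone"))
    # Server locality: every server address falls in the same /24 (IPv4 assumed).
    nets = {ipaddress.ip_network(p.ip + "/24", strict=False) for p in probes.values()}
    if len(nets) == 1:
        found.append(("all servers in one /24", "zone"))
    return sorted(found)

# Constructed sample: the parent delegates to ns1-ns3; ns4 is only in the child zone.
PARENT_NS = {"ns1.example.test", "ns2.example.test", "ns3.example.test"}
PROBES = {
    "ns1.example.test": Probe("192.0.2.10", True, True, False, False, 2013020101),
    "ns2.example.test": Probe("192.0.2.20", True, True, True, True, 2013011501),
    "ns3.example.test": Probe("192.0.2.30", False, False, False, False, None),
    "ns4.example.test": Probe("192.0.2.40", True, True, False, False, 2013020101),
}

if __name__ == "__main__":
    for problem, subject in audit(PARENT_NS, PROBES):
        print(f"{subject}: {problem}")
```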

What we have done?
- An application for massive DNS checking was developed
- Special attention and policy were applied not to overload any DNS servers and network
- > domains collected from 31 European NRENs
- NREN domains were checked during February, 2013
- The most interesting results are presented, summarized by NRENs
- NREN names are shown on the summary statistics

Results – Domain numbers
- > domains collected from 31 European NRENs
- Sources:
  - Many NRENs responded and sent domains – Thanks!
  - Web sites - NRENs, universities, ministries…
  - Public Zone Transfer
- Sorry if some domains are missing…

Results – Unavailable domains
- Unavailable domains were skipped
- Only available domains were used for the statistic

Results – Non-operating DNS servers
Domains with at least one non-operating DNS server that is still defined in the parent zone:
- Non-responding DNS server over UDP on port 53
- Non-authoritative DNS server for the domain
Consequence:
- Queries end up at the server, but without resolution (timeout or referral)

Results – Problem on the parent level
Domains with at least one DNS server:
- Authoritative but not defined on the parent level – “Stealth”
- Authoritative but not accessible via some parent server (some parent server is unavailable)
Consequence:
- The server is partially or totally hidden from resolution (useless)

Results – Recursion and PZT
Domains with at least one DNS with:
- Recursion (Open resolver)
- Public Zone Transfer
Consequence:
- Compromised security

Results – Server locality
- Domains with all DNS servers in /24 subnet
Consequence:
- Potential single point of failure (LAN segment)

Results – No MX record
- Domains with no MX record

Results – Mail servers
Domains with MX records where:
- Several mail server names are pointing to the same IP address
- The IP address in the A record in the domain zone is inconsistent with the resolved IP address

Results – No A record
Domains with no A record:
- For WWW name
- For domain itself
- Web site is not accessible with the domain name only (“ must be typed in the browser)

Results – IPv6 – AAAA record
Domains with AAAA record - for IPv6 access:
- For WWW name
- For domain itself

Results – DNSSEC
Domains with applied DNSSEC options:
- On parent level
- Protected NS records
- Protected MX records
- Protected A records
- Protected AAAA records

Results – Non-responding over TCP
- UDP is basic operating mode for DNS
- TCP is needed for:
  - packets with >4000 Bytes of data
  - DNSSEC

More examples
- Misconfiguration in local zone
- Not all properly configured parent servers resolve properly!

Cleaning DNS errors in AMRES
- March, 2013, AMRES – cleaning the mess (192 domains)
- Focused on the most serious problems
  - Proper functionality
  - Security
- Applied methodology:
  - List all domains and servers regarding the specific errors
  - Manual check and analysis for each domain – ICmyNet.DNS
  - Start with parent zones and servers
    - Majority of errors can be fixed on this level!
  - Direct communication with DNS administrators
    - Slow process, not always successful
  - Update internal database for domains and responsible persons
  - Improve changing - trying to keep the configurations consistent
  - Improve process for opening new domains

Cleaning DNS errors in AMRES

Problem                            Before    After
Recursion (Open Resolver)          58.85%    15.66%
Public Zone Transfer               61.11%    12.12%
Non-responding UDP                 4.04%     1.01%
Non-authoritative                  11.62%    5.56%
Auth. Server (Stealth)             3.03%     2.02%
Problem with some parent server    7.07%     3.54%

What could be next?
- Spread awareness about DNS problems before they appear
- Motivate other NRENs to initiate DNS clean-up process
- We can cooperate with other NRENs by providing detailed reports
  - Domain and server lists
- Improve the application to permanently monitor domains
  - Access to DNS admins interested in the process
  - Permissions to manage domains, change settings, schedule tests, automatic notifications, reporting…

Acknowledgment
- RNIDS – Register of National Internet Domains of Serbia
  - Sponsoring the research by co-financing the scholarship of PhD student Petar Bojovic
  - Analysis for all RS and СРБ domains
  - On-line checking tool tailored for “ordinary” domain owners

Questions?