Harness Your Internet Activity. AAAA Deep Dive DNS-OARC, Buenos Aires March 2016 Ralf Weber.


3 Motivation for this talk
Geoff Huston talk at RIPE
–DNS doesn’t use IPv6 (our default configuration at least didn't)
–DNS should use IPv6
What would be the impact?
Find the state of IPv6 transport in the long tail
–Alexa Top 1M isn’t long enough!
–I’m not set up to do Geoff’s neat ad network trick!
–I am set up to gather anonymized resolver data

4 How Nominum Gets Data (diagram; components: Customer Resolvers, Receivers, Kafka, Hadoop Loader, Hadoop HDFS; stats: n x 100B queries/day, 600 cores, 8T RAM, n x Pbytes storage)

5 Getting a test data set
Unique Name Query-Type Tuples
–We do daily rollups so a day looked like a natural choice
–Raw Data: 1,152,389,150 (1.15 billion); too much to run and analyze from
–Only used data that has been queried more than once: 602,661,609 (602 million); still a lot
–Remove known PRSD and DNS tunnels: 135,919,893 (135 million)

6 What is in the test data set
135,919,893 Unique tuples
125,889,174 Unique names
27,466,881 Core domains
Query Type distribution
–108,509,872 A
–11,663,222 AAAA
–46,350 SPF
–7,140 A6
–1,178 DNSKEY
–12 HINFO
–3 TLSA
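The filtering steps of slide 5 and the summary of slide 6, as an added illustration that is not the talk's data or Nominum's pipeline: the rollup rows, the known-tunnel list and the "last two labels" approximation of a core domain are all assumptions.

```python
from collections import Counter

# Constructed sample of daily rollup rows: (name, qtype, query count).
# Not data from the talk; counts are made up for illustration.
ROLLUP = [
    ("www.example.com.", "A", 120),
    ("www.example.com.", "AAAA", 95),
    ("mail.example.com.", "A", 3),
    ("example.net.", "A", 1),            # seen only once: dropped by step 2
    ("example.net.", "TLSA", 2),
    ("abc123.tunnel.test.", "A", 40),    # under a known tunnel domain: dropped by step 3
    ("z9k.tunnel.test.", "TXT", 40),
    ("xq7.victim.example.", "A", 1),     # one-off random subdomain (PRSD style)
    ("lb.example.org.", "A6", 2),
]

# Assumed list of domains known to carry DNS tunnels or PRSD floods.
KNOWN_TUNNEL_DOMAINS = {"tunnel.test."}

def core_domain(name):
    """Assumed approximation of a 'core domain': the last two labels.
    A production pipeline would consult the public suffix list instead."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."

def under_known_domain(name, known):
    return any(name == d or name.endswith("." + d) for d in known)

def build_test_set(rollup, known=KNOWN_TUNNEL_DOMAINS):
    """Raw tuples -> queried more than once -> known tunnels/PRSD removed."""
    more_than_once = [r for r in rollup if r[2] > 1]
    cleaned = [r for r in more_than_once if not under_known_domain(r[0], known)]
    counts = {"raw": len(rollup), "more_than_once": len(more_than_once),
              "cleaned": len(cleaned)}
    return counts, cleaned

def summarize(tuples):
    """Slide 6 style summary: unique tuples, unique names, core domains, qtype distribution."""
    names = {n for n, _, _ in tuples}
    return {
        "unique_tuples": len(tuples),
        "unique_names": len(names),
        "core_domains": len({core_domain(n) for n in names}),
        "qtype_distribution": Counter(t for _, t, _ in tuples),
    }

if __name__ == "__main__":
    counts, test_set = build_test_set(ROLLUP)
    print(counts)
    print(summarize(test_set))
```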

7 Test Setup

8 Test Run
Use a couple of dnsperf to run the queries simultaneously against the hosts
–Every host gets 1000qps
–Timeout is 60 seconds as every query is cold cache
–dnsperf -d allq.new -Q q t 60 -S 1 -s IP
–Test ran for nearly 38 hours over a weekend

9 Result error codes

10 Result timings

11 Questions asked

12 Servers talked to

13 Question answered (chart by transport mode: IPv4, IPv6, IPv4 then 6, IPv6 then 4; series: UDP Ok, UDP Timeout, TCP OK, TCP Timeout; labels visible in the transcript: 0.08%, 0.07%, 0.18%, 0.07%)

14 Question answered per Protocol (chart by transport mode: IPv4, IPv6, IPv4 then 6, IPv6 then 4; series: UDP Ok, UDP Timeout, TCP OK, TCP Timeout; labels visible in the transcript: 0.09%, 0.06%, 0.08%)

Timeout offenders IPv4 (table: ip | timeout | ok; row values not in the transcript)

16 Timeout offenders IPv4 (table: ip | timeout | ok; addresses and counts not in the transcript; servers in table order): d.root-servers.net, dina.ns.cloudflare.com, i.root-servers.net, i.gtld-servers.net, buck.ns.cloudflare.com, g.gtld-servers.net, dee.ns.cloudflare.com, f.gtld-servers.net, marek.ns.cloudflare.com, l.gtld-servers.net, sns-pb.isc.org, tinnie.arin.net, a.gtld-servers.net, d.gtld-servers.net, c.gtld-servers.net, ns3.nic.fr, j.root-servers.net, cumin.apnic.net, sec3.apnic.net, pri.authdns.ripe.net, m.gtld-servers.net

Timeout offenders IPv6 then IPv4 (table: ip | timeout | ok; addresses truncated and counts not in the transcript)

18 Timeout offenders IPv6 then IPv4 (table: ip | timeout | ok | server; counts not in the transcript)
:503:a83e::2:30 | a.gtld-servers.net.
2001:503:231d::2:30 | b.gtld-servers.net.
2001:500:2d::d | d.root-servers.net.
2001:7fe::53 | i.root-servers.net.
2400:cb00:2049:1::adf5:3a6b | dina.ns.cloudflare.com
| g.gtld-servers.net.
2400:cb00:2049:1::adf5:3a5d | dee.ns.cloudflare.com.
2001:500:2e::1 | sns-pb.isc.org
| f.gtld-servers.net.
2400:cb00:2049:1::adf5:3bca | marek.ns.cloudflare.com.
2400:cb00:2049:1::adf5:3b4e | buck.ns.cloudflare.com
:500:13::c7d4:35 | tinnie.arin.net.
2001:12f8:4::10 | d.dns.br.
2001:dc0:1:0:4777::140 | sec3.apnic.net
| l.gtld-servers.net
| i.gtld-servers.net
| d.gtld-servers.net.
2001:dc0:2001:a:4608::59 | sec1.apnic.net
| m.gtld-servers.net.
2001:67c:e0::5 | pri.authdns.ripe.net
| a.gtld-servers.net.
2001:660:3006:1::1:1 | ns3.nic.fr.
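How the two result views on slides 13 to 18 (answers per transport and outcome, and the ip | timeout | ok offender ranking) can be derived from a resolver's outbound query records, as an added example that is not the talk's data or Nominum's tooling: the record format and the addresses (documentation ranges) are constructed.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed outbound records, one per question a resolver sent to an
# authoritative server: (server address, transport, outcome). Not data from the talk.
RECORDS = [
    ("192.0.2.10", "udp", "ok"), ("192.0.2.10", "udp", "ok"),
    ("192.0.2.10", "udp", "timeout"), ("192.0.2.10", "udp", "timeout"),
    ("192.0.2.10", "tcp", "ok"),
    ("192.0.2.20", "udp", "ok"), ("192.0.2.20", "udp", "timeout"),
    ("2001:db8::53", "udp", "ok"), ("2001:db8::53", "udp", "ok"),
    ("2001:db8::53", "udp", "timeout"), ("2001:db8::53", "tcp", "timeout"),
    ("2001:db8:1::53", "udp", "ok"),
]

def family(addr):
    """Address family of the server, used to split IPv4 from IPv6 transport."""
    return "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"

def answered_per_protocol(records):
    """Share of each (transport, outcome) bucket per address family, as in the
    'Question answered per Protocol' slides. Returns {family: {"UDP ok": 0.5, ...}}."""
    buckets = defaultdict(Counter)
    for addr, proto, outcome in records:
        buckets[family(addr)][f"{proto.upper()} {outcome}"] += 1
    result = {}
    for fam, c in buckets.items():
        total = sum(c.values())
        result[fam] = {k: round(v / total, 4) for k, v in sorted(c.items())}
    return result

def timeout_offenders(records, limit=10):
    """The 'ip | timeout | ok' table: servers ranked by number of timed-out queries,
    ties broken by address so the order is stable."""
    per_ip = defaultdict(lambda: {"timeout": 0, "ok": 0})
    for addr, _, outcome in records:
        per_ip[addr][outcome] += 1
    ranked = sorted(per_ip.items(), key=lambda kv: (-kv[1]["timeout"], kv[0]))
    return [(ip, v["timeout"], v["ok"]) for ip, v in ranked[:limit]]

if __name__ == "__main__":
    for fam, shares in answered_per_protocol(RECORDS).items():
        print(fam, shares)
    for ip, timeouts, ok in timeout_offenders(RECORDS):
        print(f"{ip} | {timeouts} | {ok}")
```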

Looking into timeouts
Servers that time out are regular servers that usually answer well
I guess we see RRL in action
Seems that people are not switching to TCP
Good that DNS scales horizontally
6000 – 8000 qps is not much traffic outbound
–Rule of thumb is 5 – 10% of inbound gets sent out
–Resolvers can easily do a couple of 100k qps inbound
–Does this affect normal operation (another talk…)
Maybe do a second test

20 Second test…
Found another DNS tunnel in the dataset
–Put it on our list
–Removed queries (~500k)
First test
–All servers were asking the same at the same time
–Total of 6000 qps
Second Test
–Offset start time by 30 minutes for each test run
–Lowered qps to 800 per test (total 4800 qps)
Test now ran over 48 hours

21 Result error codes Test 2

22 Result timings Test 2

23 Questions asked Test 2

24 Servers talked to Test 2

25 Question answered Test 2 (chart by transport mode: IPv4, IPv6, IPv4 then 6, IPv6 then 4; series: UDP Ok, UDP Timeout, TCP OK, TCP Timeout; labels visible in the transcript: 0.03%, 0.06%, 0.03%)

26 Question answered per Protocol Test 2 (chart by transport mode: IPv4, IPv6, IPv4 then 6, IPv6 then 4; series: UDP Ok, UDP Timeout, TCP OK, TCP Timeout; labels visible in the transcript: 0.03%, 0.001%, 0.03%)

27 Analysis
Second test had fewer servers not answering
Overall answers were faster and better
The more baskets you have the better
Still wonder if the low auth qps has an impact on production servers
–Payload is different
–At least cold cache could see the same problem

28 Summary
Turning on IPv6 as additional transport has only good effects
–More baskets
–More resiliency
Should be enabled by default
–Latest Cacheserve version has (IPv4 then IPv6)