Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented.


Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented by: Keith Mayoral

What this paper is about
Analysis of different types of configuration errors in DNS.
How they affect DNS performance, availability and robustness.

Motivation
Jan. 2001: all authoritative servers for the Microsoft DNS domain became inaccessible.
Unforeseen effect: the number of DNS queries for the Microsoft domain seen at the F root server went from 0.003% of all queries to greater than 25%.

[Figure: DNS resolution walk-through. A client asks a caching server, which follows referrals (NS RRs and A RRs) from the root zone to the com zone, the foo zone and the bar zone before returning the answer. Slide taken from V. Pappas ppt on paper.]

Methodology
Combination of passive and active measurements over a 6 month period
– Observe extent of misconfigurations in global DNS infrastructure
– See how they affect response times and availability
Passive: collected DNS traces of over 3 million queries as seen from UCLA CS network
Active: queried random sample set of DNS zones

Passive Measurements
Count only the DNS traffic exchanged with external sites.
Measure the delay between the first query packet and the final response.
Possible bias incurred since all data was taken in a university setting.

Active Measurements
Purpose: to overcome bias in passive measurements.
Implemented a specialized DNS resolver.
Queried a randomly selected subset of the DNS namespace.
Also used BGP tables and geo-location info to estimate server locations.

What constitutes a misconfiguration?
Reliable DNS operations depend on the following:
– Appropriate placement of redundant servers for high availability
– Manual input of each zone’s database for correct setting
– Coordination between parent and child zones for consistency
A failure in any of the above is considered a configuration error.

3 Measured Misconfigurations
Lame Delegation
– 70% of lame delegation zones had the available NSs for the zone reduced by half
Diminished Server Redundancy
Cyclic Zone Dependency
The first two were previously known; the third was discovered by this paper.
– No previous quantitative study to gauge performance impact or extent on the Internet

Lame Delegation
Cause: the operator of zone C makes changes to its authoritative servers, but fails to coordinate with the operator of parent zone P to update P accordingly.
Remember: zone P must store the list of NS RRs pertaining to its child zone C.

Lame Delegation (cont)
Decreases zone availability
– Both previous examples only had 1 server to give a response even though the RRs showed a seemingly redundant set of servers
Increases query response time
– Example 1: a useless referral is sent
– Example 2: need to time out before trying another server
Best case: the lame server gives a non-authoritative answer if the name has been cached

Lame Delegation
Types of lame delegation:
– Type I: non-responding server
– Type II: DNS error indication
– Type III: non-authoritative answer
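The three types above can be told apart from the timeout and the DNS header alone. The following is an added example, not code from the paper or the slides; the SOA-probe convention, treating any non-zero RCODE as an error indication, counting malformed packets as no answer, and all server names and packets are assumptions constructed for illustration.

```python
import struct

QR, AA, RCODE_MASK = 0x8000, 0x0400, 0x000F   # DNS header flag bits (RFC 1035)

def parse_header(msg):
    """Return (is_response, authoritative, rcode) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    return bool(flags & QR), bool(flags & AA), flags & RCODE_MASK

def classify(reply):
    """Classify one server's reply to an SOA query for the delegated zone."""
    if reply is None:                      # nothing arrived before the timeout
        return "type I"
    try:
        is_response, authoritative, rcode = parse_header(reply)
    except ValueError:
        return "type I"                    # assumption: garbage counts as no answer
    if not is_response:
        return "type I"
    if rcode != 0:                         # assumption: any non-zero RCODE
        return "type II"
    if not authoritative:                  # answered, but AA bit is clear
        return "type III"
    return "authoritative"

def audit(parent_ns, replies):
    """parent_ns: NS names listed at the parent; replies: name -> bytes or None."""
    report = {ns: classify(replies.get(ns)) for ns in parent_ns}
    working = sum(1 for verdict in report.values() if verdict == "authoritative")
    return report, working / len(parent_ns)

def make_header(flags):
    """Build a 12-byte header with one question (constructed test input)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

# Constructed replies for a hypothetical zone with four NS records at the parent.
SAMPLE = {
    "ns1.example.net": make_header(0x8400),   # response, AA set, NOERROR
    "ns2.example.net": None,                  # timed out
    "ns3.example.net": make_header(0x8005),   # response, REFUSED
    "ns4.example.net": make_header(0x8180),   # response, RD+RA, AA clear
}

if __name__ == "__main__":
    report, fraction = audit(list(SAMPLE), SAMPLE)
    for ns, verdict in report.items():
        print(f"{ns}: {verdict}")
    print(f"usable fraction of delegated servers: {fraction:.2f}")
```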

Lame Delegation Results

Diminished Server Redundancy
If all replicated servers are connected to the same local network, redundancy is lost when that network fails.
If all servers are assigned addresses from the same prefix, they will all be unavailable when the prefix is unreachable due to routing problems.
If all servers are in the same location, natural disasters can cause failure.

Diminished Server Redundancy Example

Diminished Server Redundancy Results

Diminished Server Redundancy Impact

Cyclic Zone Dependency
Happens when two or more zones’ DNS services depend on each other in a circular way.
Can happen due to configuration errors in either or both of the zones, but more usually the involved zones have no noticeable configuration errors when viewed separately.
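Because each zone looks correct on its own, a cycle only shows up when the NS sets of several zones are examined together. The following is an added example, not code from the paper or the slides, that builds a zone dependency graph from NS records and reports cycles; the zone names and NS sets are constructed, and an in-zone NS name is assumed to be reachable through glue at the parent.

```python
def enclosing_zone(name, zones):
    """Longest known zone that contains `name`, or None if outside all of them."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def dependency_graph(zones):
    """Edge Z -> Y when one of Z's NS names lives in a different zone Y."""
    graph = {}
    for zone, ns_names in zones.items():
        deps = {enclosing_zone(ns, zones) for ns in ns_names}
        # Assumption: in-zone NS names have glue, so they add no dependency.
        graph[zone] = sorted(d for d in deps if d and d != zone)
    return graph

def find_cycles(graph):
    """Return each dependency cycle once, as a list of zone names."""
    cycles, seen = [], set()

    def visit(zone, path):
        if zone in path:                       # walked back onto our own path
            cycle = path[path.index(zone):]
            if frozenset(cycle) not in seen:
                seen.add(frozenset(cycle))
                cycles.append(cycle)
            return
        for dep in graph.get(zone, []):
            visit(dep, path + [zone])

    for zone in sorted(graph):
        visit(zone, [])
    return cycles

# Constructed NS sets: foo and bar name servers inside each other's zone,
# baz merely depends on foo and is not part of the cycle.
ZONES = {
    "foo.example": ["ns1.foo.example", "ns.bar.example"],
    "bar.example": ["ns.foo.example"],
    "baz.example": ["ns1.baz.example", "ns.foo.example"],
}

if __name__ == "__main__":
    for cycle in find_cycles(dependency_graph(ZONES)):
        print("cyclic zone dependency:", " -> ".join(cycle + cycle[:1]))
```

In the constructed data, foo.example still resolves through ns1.foo.example, so the cycle stays hidden until that one server becomes unavailable.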

Cyclic Zone Dependency Examples

Cyclic Zone Dependency Results

Detecting Misconfigs
Lame Delegation: detect with a simple protocol between parent and child zones that periodically checks the consistency of NS records.
Cyclic Zone Dependency: detect via automatic checking, by trying to resolve a name through each of the authoritative servers in the zone.
Diminished Server Redundancy: different case.
The authors also wrote another paper on a tool to proactively detect DNS configuration errors.

Secret Sauce
First paper to quantitatively measure Lame Delegation and Diminished Server Redundancy
First paper to discover Cyclic Zone Dependency
??? Anything else?

Conclusion
We should realize how important a role human errors play in the systems that we build.
– DNS
– BGP
Future protocol designs should take into account the impact of misconfigurations.

THANKS FOR YOUR TIME!