
A Study of DNS Lameness
Edward Lewis

July 14, 2002, IETF 54

Slide 2: Agenda
- Lameness
- Why
- (Surprise:) Spotty(?) results
- Approach
- Plans

Slide 3: Lameness is...
- When an NS RR right-hand side is a domain name that:
  - has no address record(s)
  - does not respond to queries
  - responds negatively for the zone
- Lameness might happen when the domain name:
  - has multiple addresses and at least one fits the above
  - responds non-authoritatively (i.e., recursively)

Slide 4: Why Bother?
- ARIN membership raised the issue of cleaning this up
- Lame delegations cause some popular software to behave badly on the Internet
- Lame delegations can be limited easily
- Intermittent network problems make it infeasible to eliminate it completely

Slide 5: Reverse Map
- This effort is targeted at ARIN's reverse map delegations
  - ARIN's /8's
  - Legacy /8's
  - Not all /8's - not RIPE's, not APNIC's
- Dependencies are simplifying assumptions about the parsing of the zone files
- Summary output breaks results into /16's and /24's

Slide 6: State of This Work
- Code first ran at NANOG 25 ("just in time" development)
- Trying at home set me back a bit
- Code now runs at the home office
- Results have not been verified; results "look" to be valid
- In brief, the problem was traffic shaping
  - Unreliable UDP as a testing mechanism
  - Bandwidth bottleneck upstream (i.e., T-1)

Slide 7: Early results
- Remember, this is not all of in-addr.arpa...
- Using counts from the last run:
  - Number of NS RR's: 548,667
  - Number of zones: 231,240
  - Number of name server names: 25,047
  - Number of unique IP addresses: 21,846
- Of three runs made just before leaving for here, two runs had very similar counts; all three had similar percentages

Slide 8: Per-zone demographics
- Servers per zone: max 7, avg 2.37
- Addresses per zone: max 26, avg 2.32
- Zones with no addresses: 3,062
- Zones with one address: 7,365
- All zones have multiple NS RR's; some lacked glue for one, some had two names with identical glue, some duplicates slipped through

Slide 9: Per name server
- Zones: max 5,772, avg 21.9
- No address: 3,178
- Multiple addresses: max 24, avg not counted
- Longest name: 41 chars (just to tell me how big to make the name array)

Slide 10: Per IP
- Zones: max 5,772, avg 24.6
- Addresses with multiple domain names pointing to them: max number of domain names pointing to an address is 9
- PTR records not checked

Slide 11: Results in percentages
Counting by IP addresses. Columns are the share of a server's claimed zones answered authoritatively, "dead" means no reply at all, and the last column is the sample size. Cells lost in extraction are shown as "?"; truncated sample sizes are left as extracted.

Number of zones | 100% | 75-99% | 50-74% | 25-49% | <24% | dead | sample size
any             | 46%  | 8%     | 8%     | 5%     | 17%  | 16%  | 21,…
?               | ?    | 0%     | 0%     | 0%     | 16%  | 20%  | 10,…
?               | ?    | 0%     | 20%    | 0%     | 11%  | 17%  | 2,…
?               | ?    | 6%     | 14%    | 12%    | 10%  | 17%  | 1,…
?               | ?    | 13%    | 12%    | 9%     | 17%  | 15%  | 1,…
?               | ?    | 17%    | 9%     | 10%    | 24%  | 10%  | 1,…
?               | ?    | 20%    | 13%    | 11%    | 21%  | 11%  | 1,…
?               | ?    | 29%    | 16%    | 11%    | 19%  | 11%  | 1,…
?               | ?    | 33%    | 18%    | 12%    | 22%  | 5%   | ?
?               | ?    | 33%    | 17%    | 18%    | 18%  | 7%   | ?
?               | ?    | 64%    | 7%     | 29%    | 0%   | 0%   | ?
?               | ?    | 56%    | 0%     | 44%    | 0%   | 0%   | 18

Slide 12: What the preceding means
- 100% servers are those that answered authoritatively for all of the claimed zones
- 75-99% servers answered positively for almost all (one timed-out zone would knock a 100%'er down to this)
- 0-24% servers are likely not answering positively for much
- dead means there was never any reply to a query (not even SERVFAIL)

Slide 13: Counting by Zones

Category       | All | /16's | /24's | Note
No IP address  | 1%  | 1%    | 1%    | unreachable
One IP address | 3%  | 5%    | 3%    |
Multi address  | 95% | 94%   | 96%   | "the requirement"
No working     | 38% | 21%   | 39%   | zones not reachable
One working    | 10% | 12%   | 10%   |
Multi working  | 52% | 67%   | 51%   |
No broken      | 49% | 58%   | 49%   | "perfect" zones
Some broken    | 13% | 21%   | 12%   |
All broken     | 38% | 21%   | 39%   | unreachable

Slide 14: What the preceding means
- "No working" means that one will never get a reply about that zone (terminal lameness)
- "No broken" means that all NS records lead to good servers (no lameness)
- "Some broken" means that there is some lameness
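Added example, not the study's code: how per-NS-RR test outcomes roll up into the slide-13 categories, overall and split by /16 versus /24. The records, names and addresses are constructed placeholders; the per-address outcome strings are assumed to come from the SOA probe described later in the deck.

```python
from collections import Counter, defaultdict

# Constructed per-NS-RR test results, not data from the study: (zone, NS name, glue address,
# outcome). "ok" means the SOA probe returned aa=1, rcode=0, ancount=1; any other outcome is a
# lame server; address None means the NS name had no address record.
RESULTS = [
    ("1.10.in-addr.arpa",   "ns1.example.net",  "192.0.2.1",    "ok"),
    ("1.10.in-addr.arpa",   "ns2.example.net",  "192.0.2.2",    "ok"),
    ("2.10.in-addr.arpa",   "ns1.example.org",  "198.51.100.1", "ok"),
    ("2.10.in-addr.arpa",   "ns2.example.org",  "198.51.100.2", "negative"),
    ("5.3.10.in-addr.arpa", "ns.example.com",   "203.0.113.9",  "dead"),
    ("5.3.10.in-addr.arpa", "ns-b.example.com", "203.0.113.9",  "dead"),  # two names, same glue
    ("6.3.10.in-addr.arpa", "ghost.example",    None,           None),
]

def zone_categories(records):
    """Slide-13 buckets for one zone: address count, working count, broken count."""
    by_ip = {}
    for _, _, ip, outcome in records:
        if ip is not None:
            by_ip[ip] = outcome                 # names sharing glue count once (slide 8)
    working = sum(1 for o in by_ip.values() if o == "ok")
    broken = len(by_ip) - working
    addr_cat = {0: "No IP address", 1: "One IP address"}.get(len(by_ip), "Multi address")
    work_cat = {0: "No working", 1: "One working"}.get(working, "Multi working")
    if working == 0:
        broken_cat = "All broken"               # terminal lameness; covers zones with no glue
    elif broken == 0:
        broken_cat = "No broken"                # a "perfect" zone
    else:
        broken_cat = "Some broken"
    return addr_cat, work_cat, broken_cat

def prefix_size(zone):
    """Reverse-map zone depth: two octet labels is a /16, three a /24."""
    return "/%d" % (8 * (len(zone.split(".")) - 2))

def summarize(results):
    """Percentage of zones per category, overall and split by /16 and /24 as on slide 13."""
    per_zone = defaultdict(list)
    for rec in results:
        per_zone[rec[0]].append(rec)
    counts, totals = defaultdict(Counter), Counter()
    for zone, recs in per_zone.items():
        for col in ("All", prefix_size(zone)):
            totals[col] += 1
            counts[col].update(zone_categories(recs))
    return {col: {cat: round(100 * n / totals[col]) for cat, n in c.items()}
            for col, c in counts.items()}
```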

Slide 15: What's Missing
- A good measure of how many NS RR's are faulty
  - It dawned on me last week that I hadn't counted this - d'oh!
- Code now dumps results 1:1 with NS RR's
  - Has to deal with multiple-address situations
  - Need to sort into canonical order for comparisons
  - Need to account for changes in NS RR's over time

Slide 16: Verifying Results
- A list of all test results is produced (just added)
  - Should be 1:1 to NS RR's, but 12K were missing during the last run
- Spot checks ought to be done, as testing via UDP is inherently inaccurate
- Lists of results from different network locations should be correlated

Slide 17: Discussion Points
- Test takes 11 hours via a T-1
  - Could speed up if servers always answered (djbdns issue)
  - UDP congestion control would help
- Coordinating multiple instances of the test
- Eliminating false positives
- Not for here: what will ARIN/RIRs do with this?

Slide 18: Approach
- Build the following lists from the zone files
- [diagram; labels: Zone Record, NS Domain Name, IP address, NS Domain Name, IP address]

Slide 19: Why?
- This has been seen (1.128.in-addr.arpa):
- [diagram; labels: Zone Record, NS Domain Name, IP address, NS Domain Name, IP address]

Slide 20: The program
- Runs in two phases
  - Reads NS RR's, builds linked lists, uses gethostbyname() to get "glue"
  - Runs through IP addresses, issues SOA queries, looks for aa=1, rcode=0, ancount=1
- Both steps print results
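Added example, not the study's code: the second phase's check in Python, building the SOA probe, applying the aa=1, rcode=0, ancount=1 test to a reply, and sorting one server's outcomes across its zones into the slide-11 columns. The wire-format helpers and the constructed replies are this example's own; the zone name is the one quoted on slide 19.

```python
import struct

# Minimal RFC 1035 wire-format helpers written for this example; not the study's code.
def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_soa_query(zone, qid):
    """The probe sent to each NS address: one SOA question for the zone, RD=0 so a
    recursive-only server cannot satisfy it from an upstream authority."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)      # QR=0, RD=0, QDCOUNT=1
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify_response(query, resp):
    """Slide-20 test: aa=1, rcode=0, ancount=1 is a working authoritative answer.
    Returns 'ok', 'negative', 'non-authoritative', 'mismatch' or 'dead' (no reply)."""
    if resp is None or len(resp) < 12:
        return "dead"                              # never any reply, not even SERVFAIL
    qid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        return "mismatch"                          # reply to some other probe; ignore it
    aa, rcode = (flags >> 10) & 1, flags & 0xF
    if rcode != 0:
        return "negative"                          # REFUSED/NXDOMAIN/SERVFAIL for the zone
    if aa == 1 and ancount == 1:
        return "ok"
    return "non-authoritative"                     # recursive answer, or no SOA returned

def bucket(outcomes):
    """Slide-11 column for one server from its outcomes across every zone it is listed for."""
    if all(o == "dead" for o in outcomes):
        return "dead"
    share = 100 * sum(o == "ok" for o in outcomes) / len(outcomes)
    for floor, label in ((100, "100%"), (75, "75-99%"), (50, "50-74%"), (25, "25-49%")):
        if share >= floor:
            return label
    return "<24%"

def make_reply(query, aa, rcode, ancount):
    """Constructed reply for offline testing: header with the given flags, question echoed;
    the answer RRs themselves are omitted because the check reads only the header counts."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (aa << 10) | rcode            # QR=1
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]
```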

Slide 21: Impact on the 'net
- [diagram; labels: tester, Internet, NS]
- About 1 second apart
- Performance hit is close to home

Slide 22: Chief Implementation Issue
- Speeding up tests
  - When there's no answer, I use second time-outs
  - No reason to wait on bad servers
- Queries are parallelized in two dimensions
  - Multiple IP addresses can be under test simultaneously
  - Multiple zone requests are pipelined to a server
- Wouldn't need to speed this up if down servers could be eliminated quickly

Slide 23: Cost of Speeding Up
- Test environment: [diagram; labels: tester, router, Internet, 10/100Mb, 1.5Mb, `excess` packets?]

Slide 24: Solution
- Needed to shape the traffic
  - Limit the number of IP addresses tested
  - Stagger pipelined requests (one second apart)
- Seems to slow transmission
- Seems to avoid any rate limiting (if any)
- Watching queries on the network shows traffic is smooth, not bursty

Slide 25: Next steps
- Finish tweaks to code
- Distribute and run from different locations
- Present observations to membership
- Investigate the use of this data

Slide 26: Questions

Slide 27: Answers