A study of caching behavior with respect to root server TTLs. Matthew Thomas, Duane Wessels. October 3rd, 2015.

Verisign Public
RSSAC003 – RSSAC Advisory on Root zone TTLs
Consider the extent to which:
(1) the current root zone TTLs are appropriate for today’s environment
(2) lowering the NS RRset TTL makes sense
(3) the impacts that TTL changes would have on the wider DNS
Work party volunteers: Duane Wessels, Warren Kumari, Jaap Akkerhuis, Shumon Huque, Brian Dickson, John Bond, Joe Abley, and Matthew Thomas
Full report published September 16th,

RSSAC003 – RSSAC Advisory on Root zone TTLs
1. Document the history of TTLs in the root zone
2. Obtain a measure for TLD managers’ technical preferences for NS and DS TTLs by surveying what those managers have published in TLD zones.
3. Survey "max-cache-ttl" parameters of various recursive implementations
4. Analyze DITL data for the extent that recursive resolvers honor TTLs
5. Study interactions between the SOA refresh timer and serving stale data

Waiting for a TTL to expire in theory

Waiting for a TTL to expire in the real world…
servers.net. ns
IN NS a.root-servers.net.
IN NS b.root-servers.net.
IN NS c.root-servers.net.
….

DITL Data
Data caveats:
I-Root & B-Root data removed due to anonymization.
Obvious spoofed IP ranges removed.
Data stored in PCAP files partitioned by root operator.
In order to obtain measurements, we need to massage the raw DITL data into a more optimal format…
Root operators with data, by DITL year:
Year A B C D E F G H I J K L M
2014 XXXXXX*XXX
2015 XX*XXX XXXX

Grouping, Sorting, and Measuring DITL
(Figure: timeline of queries per source IP and TLD; IP 1, IP 2; TLD 1, TLD 2; times T1, T2, T3)
Group by IP address and TLD
Sort by Time
Measure elapsed time between queries for group
Use median of distribution of inter-query time deltas
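The group-sort-measure step above, written out as an added example (not code from the presentation or from Verisign). The input is a constructed list of (time, source IP, query name) tuples standing in for parsed DITL records; the TLD bucketing follows the slides' convention of counting "." and "root-servers.net." as delegations, and groups with only one query yield no delta.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of DITL-style query records: (unix_time, source_ip, qname).
# Not real DITL data; values are made up to exercise the grouping logic.
SAMPLE_QUERIES = [
    (1000.0, "192.0.2.10", "www.example.com."),
    (1000.5, "192.0.2.10", "mail.example.net."),
    (1300.0, "192.0.2.10", "example.com."),
    (1900.0, "192.0.2.10", "ftp.example.com."),
    (2000.0, "192.0.2.10", "a.root-servers.net."),
    (1000.0, "198.51.100.7", "."),
    (1120.0, "198.51.100.7", "."),
    (1000.0, "203.0.113.5", "example.org."),   # single query: no delta measurable
]

def measured_tld(qname: str) -> str:
    """Map a query name onto the delegation the root would answer for.

    '.' stays '.'; names under root-servers.net. are bucketed as
    'root-servers.net.' (the slides count both among the delegated TLDs);
    everything else maps to its rightmost label.
    """
    name = qname.lower().rstrip(".")
    if name == "":
        return "."
    if name == "root-servers.net" or name.endswith(".root-servers.net"):
        return "root-servers.net."
    return name.rsplit(".", 1)[-1] + "."

def inter_query_medians(queries):
    """Group by (source IP, TLD), sort by time, return the median inter-query delta per group.

    Groups with a single observation produce no delta and are omitted.
    """
    groups = defaultdict(list)
    for ts, ip, qname in queries:
        groups[(ip, measured_tld(qname))].append(ts)
    result = {}
    for key, times in groups.items():
        times.sort()
        deltas = [later - earlier for earlier, later in zip(times, times[1:])]
        if deltas:
            result[key] = median(deltas)
    return result
```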

Some basic inter-query DITL measurement stats
Statistic | 2014 DITL | 2015 DITL
Roots analyzed | 8 | 8
Delegated TLDs at DITL collection | 534* | 905*
IP-TLD observations | 106MM | 165MM
Inter-query time measurements | 8.75B | 18.27B
Observed IPs | 9.78MM | 11.03MM
* Includes “.” and “root-servers.net.”
As one might expect, the data exhibits a long-tail distribution…

Queries and Measurements by IPs
~65% of IPs have 10 or fewer measurements

Delegated TLDs Requested by IP

Total Requests by TLD

Total Requests by TLD vs. NS TTL (2014 DITL)

General Inter-Query Delay at the Roots

Inter-Query Delay at the Roots by TLD Type (2015)

Potential Impacts by Altering Root TTLs

Surveying “max-cache-ttl” behavior of large Open Recursive Name Servers

max-cache-ttl
Popular caching name servers have a “Max TTL” setting
Not specific to Root or any other zone.
Learning what we can about popular recursive services might inform authoritative TTL choices.

Survey Technique
Write custom name server (thanks ldns!)
Send TXT queries under zone ‘epoch.verisignlabs.com’ to open recursives
Return TXT response with time-of-query in rdata and a 10-day TTL:
~]$ dig a4x90f8.epoch.verisignlabs.com TXT
;; ANSWER SECTION:
a4x90f8.epoch.verisignlabs.com IN TXT "At the tone, the time will be Beep!"
Repeat same query later
Measure time-in-cache for a particular response
Plot time-of-measurement vs returned-TTL
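How one observation of the survey above is turned into a time-in-cache figure and a verdict on the resolver, as an added example (not the presenters' tooling). It assumes the number the transcript omits from the TXT rdata is a Unix timestamp, that the authoritative TTL is the 10 days stated on the slide, and it adds one derived value the slide does not name: the cap the resolver appears to apply, reconstructed as returned TTL plus time-in-cache.

```python
import re
from dataclasses import dataclass

AUTH_TTL = 10 * 24 * 3600   # the 10-day TTL the custom authoritative server returns
# Assumed rdata layout: the value omitted in the transcript is taken to be a Unix timestamp.
RDATA_RE = re.compile(r"At the tone, the time will be (\d+) Beep!")

@dataclass
class CacheObservation:
    fetched_at: int      # time-of-query stamped into the rdata by the authoritative server
    measured_at: int     # when the open recursive was re-queried
    returned_ttl: int    # TTL carried in the recursive's answer
    expected_ttl: int    # AUTH_TTL minus time-in-cache, if the resolver honored the TTL
    inferred_cap: int    # returned_ttl + time-in-cache: the effective max TTL applied

    @property
    def time_in_cache(self) -> int:
        return self.measured_at - self.fetched_at

    def verdict(self) -> str:
        # The "extreme case" on the slides: an answer whose TTL outlives the authoritative one.
        if self.returned_ttl > self.expected_ttl:
            return "ttl-inflated"
        if self.returned_ttl == self.expected_ttl:
            return "honors-ttl"
        return "capped"   # returned TTL counts down from a smaller max-cache-ttl

def parse_time_of_query(rdata: str) -> int:
    m = RDATA_RE.fullmatch(rdata.strip('"'))
    if not m:
        raise ValueError(f"unexpected rdata: {rdata!r}")
    return int(m.group(1))

def observe(rdata: str, returned_ttl: int, measured_at: int) -> CacheObservation:
    fetched_at = parse_time_of_query(rdata)
    in_cache = measured_at - fetched_at
    return CacheObservation(fetched_at, measured_at, returned_ttl,
                            AUTH_TTL - in_cache, returned_ttl + in_cache)
```

Plotting measured_at against returned_ttl for many observations of the same rdata gives the per-resolver charts that follow; inferred_cap of 86400 across them is what "caches for 1 day or less" looks like numerically.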

UltraDNS: 8 unique cached records

Dyn: unique cached records

OpenDNS: unique cached records

Google: unique cached records

Google - Hourly

An Extreme Case
Thu May 21 05:56:32 EDT 2015 = = TTL should be = 2266
TTL is 5+ hours larger than expected
; <<>> DiG ubuntu0.2-Ubuntu <<>> rssac.epoch.verisignlabs.com txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;rssac.epoch.verisignlabs.com. IN TXT
;; ANSWER SECTION:
rssac.epoch.verisignlabs.com IN TXT "At the tone, the time will be Beep!"
;; Query time: 8 msec
;; SERVER: #53( )
;; WHEN: Thu May 21 05:56:32 EDT 2015
;; MSG SIZE rcvd: 118

Conclusions
Difficult measurement due to data size, tools available and duration of DITL collection window.
Root zone TTLs appear to not matter to most clients.
Largest variations in TTL adherence observed at TLD level.
Traffic to root name servers would change very little if TTLs were reduced to 1 day.
Popular open recursive name servers cache for 1 day or less.

© 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.