
1 Monitoring, analyzing and cleaning DNS configuration errors across European NRENs
Slavko Gajin, University of Belgrade, Serbia, slavko.gajin@rcub.bg.ac.rs
Petar Bojović, Faculty of Computer Science, Union University in Belgrade, petar.bojovic@paxy.in.rs

2 TNC2013 Introduction – Why DNS?
- DNS – the first and still the basic infrastructural network service
  - Must always be up and running
  - Multi-redundant
- DNS is “boring” for net admins compared to other, newer services
  - Usually works well, at least nobody complains…
- Do ALL our DNS servers work well?
- DNS testing tools:
  - DIG can give all the answers…
  - … but it is highly difficult to cross-check and analyze a lot of textual data
  - DNS Squish, DNS Sleuth, DNS Stuff, DNSgoodies…
- ICmyNet.DNS
  - Tests all DNS servers involved in resolution of the specified domain, including all servers on all parent domains
  - Free online service – http://live.icmynet.com/icmynet-dns

3 Example – ICmyNet.DNS: Proper DNS configuration

4 Example – ICmyNet.DNS: Server is not responding

5 Example – ICmyNet.DNS: Server is not responding

6 Example – ICmyNet.DNS: Unsynchronized SOA

7 Example – ICmyNet.DNS: Non-authoritative server

8 Example – ICmyNet.DNS: Loops

9 Security issues
- March, 2013, AMRES
  - 5 DNS servers with open resolver (recursion) were used for a massive DDoS attack – DNS Amplification Attacks
- April, 2009, AMRES
  - One DNS server was used for an attack on 9 DNS servers
- December, 2012, RS TLD
  - Register was broken, ~80 popular domains were hacked
- January, 2001, Microsoft
  - All the authoritative servers became inaccessible

10 What have we done?
A number of DNS checks are defined in compliance with RFC standards and recommendations:
- UDP/TCP response
- Authority
  - Parent servers refer to non-authoritative server
  - Parent servers do not refer to authoritative server (Stealth)
  - Resolution loop – referral answer from non-authoritative server
- Consistency with the parent servers
  - Glue Record
  - A records are inconsistent
- Public zone transfer
- Recursion (Open resolver)
- SOA
  - Synchronization
  - Timers
- MX records
- A records for WWW and the domain
- IPv6 – AAAA records
- DNSSEC

11 What have we done?
- An application for massive DNS checking was developed
  - Special attention and policy were applied so as not to overload any DNS servers or the network
- >11.000 domains collected from 31 European NRENs
- NREN domains were checked during February, 2013
- The most interesting results are presented, summarized by NRENs
- NREN names are shown on the summary statistics

12 Results – Domain numbers
- >11.000 domains collected from 31 European NRENs
- Sources:
  - Many NRENs responded and sent domains – Thanks!
  - Web sites – NRENs, universities, ministries…
  - Public Zone Transfer
- Sorry if some domains are missing…

13 Results – Unavailable domains
- Unavailable domains were skipped
- Only available domains were used for the statistics

14 Results – Non-operating DNS servers
Domains with at least one non-operating DNS server that is still defined in the parent zone:
- Non-responding DNS server over UDP on port 53
- Non-authoritative DNS server for the domain
Consequence: Queries end up at the server, but without resolution (timeout or referral)

15 Results – Problem on the parent level
Domains with at least one DNS server that is:
- Authoritative but not defined on the parent level – “Stealth”
- Authoritative but not accessible via some parent server (some parent server is unavailable)
Consequence: The server is partially or totally hidden from resolution (useless)

16 Results – Recursion and PZT
Domains with at least one DNS server with:
- Recursion (Open resolver)
- Public Zone Transfer
Consequence: Compromised security

17 Results – Server locality
Domains with all DNS servers in the same /24 subnet
Consequence: Potential single point of failure (LAN segment)
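
The result classes from slides 14–17, plus the unsynchronized SOA case from slide 6, written out as an added example; it is not code from the presentation or from ICmyNet.DNS. The `Obs` record, the finding names and the sample servers are assumptions made for illustration, and the observations are constructed rather than collected from live servers.

```python
import ipaddress
from collections import namedtuple

Obs = namedtuple("Obs", "ip udp_ok authoritative soa_serial recursion axfr")

def audit(parent_ns, servers):
    """Classify one domain's servers; returns {finding: [names]}."""
    findings = {}
    def flag(kind, name):
        findings.setdefault(kind, []).append(name)
    for name, o in sorted(servers.items()):
        delegated = name in parent_ns
        if delegated and not o.udp_ok:
            flag("non-responding-udp", name)        # slide 14
        elif delegated and not o.authoritative:
            flag("non-authoritative", name)         # slide 14
        elif not delegated and o.authoritative:
            flag("stealth", name)                   # slide 15
        if o.udp_ok and o.recursion:
            flag("open-resolver", name)             # slide 16
        if o.udp_ok and o.axfr:
            flag("public-zone-transfer", name)      # slide 16
    # Unsynchronized SOA: authoritative servers disagree on the serial.
    # Plain max() is used here; RFC 1982 serial wraparound is ignored.
    serials = {n: o.soa_serial for n, o in servers.items()
               if o.udp_ok and o.authoritative}
    if len(set(serials.values())) > 1:
        newest = max(serials.values())
        findings["soa-behind"] = sorted(n for n, s in serials.items() if s != newest)
    # Slide 17: every delegated server sits in one IPv4 /24.
    nets = {ipaddress.ip_network(servers[n].ip + "/24", strict=False)
            for n in parent_ns if n in servers}
    if len(nets) == 1:
        findings["single-/24"] = [str(nets.pop())]
    return findings

# Constructed sample data: documentation addresses, made-up serials.
PARENT_NS = {f"ns{i}.example.org" for i in (1, 2, 3, 5)}
SERVERS = {
    "ns1.example.org": Obs("192.0.2.10", True, True, 2013020501, False, False),
    "ns2.example.org": Obs("192.0.2.11", True, True, 2013020402, True, True),
    "ns3.example.org": Obs("192.0.2.12", False, False, None, False, False),
    "ns4.example.org": Obs("192.0.2.13", True, True, 2013020501, False, False),
    "ns5.example.org": Obs("192.0.2.14", True, False, None, False, False),
}

if __name__ == "__main__":
    for kind, items in audit(PARENT_NS, SERVERS).items():
        print(f"{kind}: {', '.join(items)}")
```
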

18 Results – No MX record
Domains with no MX record

19 Results – Mail servers
Domains with MX records where:
- Several mail server names are pointing to the same IP address
- Inconsistent IP address: A record in the domain zone and resolved IP address

20 Results – No A record
Domains with no A record:
- For WWW name
- For domain itself
  - Web site is not accessible with the domain name only (“www.” must be typed in the browser)

21 Results – IPv6 – AAAA record
Domains with AAAA record, for IPv6 access:
- For WWW name
- For domain itself

22 Results – DNSSEC
Domains with applied DNSSEC options:
- On parent level
- Protected NS records
- Protected MX records
- Protected A records
- Protected AAAA records

23 Results – Non-responding over TCP
- UDP is the basic operating mode for DNS
- TCP is needed for:
  - Packets with >4000 Bytes of data
  - DNSSEC

24 More examples
- Misconfiguration in local zone
- Not all properly configured parent servers resolve properly!

25 Cleaning DNS errors in AMRES
- March, 2013, AMRES – cleaning the mess (192 domains)
- Focused on the most serious problems
  - Proper functionality
  - Security
- Applied methodology:
  - List all domains and servers regarding the specific errors
  - Manual check and analysis for each domain – ICmyNet.DNS
  - Start with parent zones and servers
    - Majority of errors can be fixed on this level!
  - Direct communication with DNS administrators
    - Slow process, not always successful
  - Update internal database for domains and responsible persons
  - Improve changing – trying to keep the configurations consistent
  - Improve process for opening new domains

26 Cleaning DNS errors in AMRES

Problem                           Before    After
Recursion (Open Resolver)         58.85%    15.66%
Public Zone Transfer              61.11%    12.12%
Non-responding UDP                 4.04%     1.01%
Non-authoritative                 11.62%     5.56%
Auth. Server (Stealth)             3.03%     2.02%
Problem with some parent server    7.07%     3.54%

27 What could be next?
- Spread awareness about DNS problems before they appear
- Motivate other NRENs to initiate DNS clean-up process
  - We can cooperate with other NRENs by providing detailed reports
  - Domain and server lists
- Improve the application to permanently monitor domains
  - Access to DNS admins interested in the process
  - Permissions to manage domains, change settings, schedule tests, automatic notifications, reporting…

28 Acknowledgment
RNIDS – Register of National Internet Domains of Serbia
- Sponsoring the research by co-financing the scholarship of PhD student Petar Bojovic
- Analysis for all RS and СРБ domains
- On-line checking tool tailored for “ordinary” domain owners

29 Questions?
slavko.gajin@rcub.bg.ac.rs

