Presentation is loading. Please wait.

Presentation is loading. Please wait.

Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia

Published byRussell Warren Modified over 8 years ago

Similar presentations

Presentation on theme: "Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia"— Presentation transcript:

1 Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia slavko.gajin@rcub.bg.ac.rs Petar Bojović Faculty of computer science, Union University in Belgrade, petar.bojovic@paxy.in.rs

2 TNC2013 Motivation DNS – first and still basic infrastructural network service Must be always up and running Multi-redundant DNS is “boring” for netadmins, comparing to other newer services Usually works well, at least nobody complains… Do ALL our serves work well or work at all? DIG can give all the answers… … but highly difficult to cross-check and analyze lot of textual data Solution DNS testing tools: DNS Squish, DNS Sleuth, DNS Stuff, DNSgoodies ICmyNet.DNS Automaticaly test all DNS serves involved in resolution for specified domain, including all servers on all parent domains Free online service (beta) – live.icmynet.com/icmynet-dns

3 TNC2013 Example - Unsynchronized SOA

4 TNC2013 Example - Server is not responding

5 TNC2013 Example – non authoritative server

6 TNC2013 Example - Loops

7 TNC2013 What we have done? >11.000 Domains from 32 Euroean NREN (most of NREN responded) Number of checks with regards RFC standards and recommendations Application for massive DNS checking for all domains 41 summary results for each NREN The most interesting results are presented

8 TNC2013 Checks UDP/TCP response Server did not respond over the UDP protocol. Server did not respond over the TCP protocol. SOA SOA version number is different from the primary server. Authority Server is not authoritative for domain domain. Consistency with the parent servers There is no A Record (Glue Record) for server name at the parent zone. Server server-name is not authoritative but parents are referring to it. Server server-name is authoritative but parents are not referring to it (Stealth server). A Records from parents and zone for server name do not match. Mail server MX record has invalid syntax. A Record for mail server differs from the A Record of the server-domain domain's primary server. Resolution loop referral answer from non-authoritative server

9 TNC2013 Checks Public zone transfer – security risk Server supports public zone transfer for domain domain. Recursion Server supports recursion for domain domain. No mail servers No mail servers found. A record server-name server does not have an A record on the primary server. A Records for servers name1, name2, …, nameN have the same IP address. There is no A Record on the primary DNS server for mail server mail server. Server does not have a public IP address. Consistency with the parent servers Server server-name is authoritative and parents are referring to it but it is not defined on the primary server (Stealth server). DNSSEC... IPv6...

10 TNC2013 Results the most interesting results go here....

11 TNC2013 Results the most interesting results go here....

12 TNC2013 Results the most interesting results go here....

13 TNC2013 Case study: Cleaning DNS errors in AMRES Reports AMRES experiance, coordination with other DNS admins from AMRES members, feedback, results after cleaning will be presented....

14 TNC2013 What is next? How to cooperate with other NRENs spread awareness about DNS problems before they appear, initiate wide DNS clean-up report warnings/errors/critical errors to DNS admins Extend the test to other domains Portal for DNS admins change settings, schedule tests, specify reporting check out from the reporting....

15 TNC2013 Questions ? slavko.gajin@rcub.bg.ac.rs

16 TNC2013 temp At least one server support recursion At least one server support Public Zone Transfer Number of domains with None of NS autoritive Non-authoritive but parent pointing to it Authoritive but not defined on some parent Authoritive but not defined on any parent No A record for internal glue record A record from internal glue and parent zone did not match No A record for external glue record A record from external glue and parent zone did not match Domains with sycnhronisation problem Loop Internal servers missing A record on primary NS External server missing A record on primary NS C class/subnet UDP non response TCP non response Domains with MX records SOA mail not in recommended format All SOA parameters in recommended range SOA serial not in recommended range Refresh interval not in recommended range Retry interval not in recommended range Refresh interval is not shorter than the retry interval Expire interval is not in recommended range Expire interval is not in 7 times longer than the refresh interval Minimum TTL interval is not in the recommended range Mail servers have the same IP address Inconsistent mail servers IP address Mail server have CNAME record Mail server do not have PTR record Don't have IPv4 WWW Don't have IPv4 A record for domain Don't have IPv6 WWW Don't have IPv6 A record for domain Primary server is defined Domains with working DNSSEC parent Domains with DNSSEC protected NS records Domains with DNSSEC protected MX records Domains with DNSSEC protected A records Domains with DNSSEC protected AAAA records

Download ppt "Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia"

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.

School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Implementing Domain Name System

Implementing Domain Name System
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
February 2003slideset 1 Writing Zone Files Olaf M. Kolkman

February 2003slideset 1 Writing Zone Files Olaf M. Kolkman
DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop.

DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop.
DNS Domain name server – a server to translate IP aliases to addresses As you know, IP (internet protocol) works by providing every Internet machine with.

DNS Domain name server – a server to translate IP aliases to addresses As you know, IP (internet protocol) works by providing every Internet machine with.
DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.

DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.

The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.
The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.

The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.
Chapter 9: Configuring DNS for Active Directory

Chapter 9: Configuring DNS for Active Directory
Chapter 4 - Lab DNS Configuration in Linux.  DNS Configuration in Linux Projects 4-1 through 4-3 Projects 4-4 deals with multiple domains  DNS Configuration.

Chapter 4 - Lab DNS Configuration in Linux.  DNS Configuration in Linux Projects 4-1 through 4-3 Projects 4-4 deals with multiple domains  DNS Configuration.
Domain Name System (DNS) Network Information Center (NIC) : HOSTS.TXT.

Domain Name System (DNS) Network Information Center (NIC) : HOSTS.TXT.
Hands-On Microsoft Windows Server 2003 Administration Chapter 9 Administering DNS.

Hands-On Microsoft Windows Server 2003 Administration Chapter 9 Administering DNS.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
The Domain Name System (DNS)

The Domain Name System (DNS)
Reverse DNS. Overview Principles Creating reverse zones Setting up nameservers Reverse delegation procedures.

Reverse DNS. Overview Principles Creating reverse zones Setting up nameservers Reverse delegation procedures.

Similar presentations

Ads by Google