is your caching resolver polluting the internet
play

Is Your Caching Resolver Polluting the Internet? Duane Wessels The - PowerPoint PPT Presentation

Sep 09, 2022 •639 likes •882 views

Is Your Caching Resolver Polluting the Internet? Duane Wessels The Measurement Factory, and CAIDA wessels@measurement-factory.com September 2004 SIGCOMM 2004 NetTs 0 The Measurement Factory A Disclaimer This data comes from monitoring

  1. Is Your Caching Resolver Polluting the Internet? Duane Wessels The Measurement Factory, and CAIDA wessels@measurement-factory.com September 2004 SIGCOMM 2004 NetTs 0 The Measurement Factory

  2. A Disclaimer • This data comes from monitoring two instances of the “F” DNS root server – Introduces some biases – We may be missing something interesting that occurs else- where • It would be nice if we had additional data from other sources, like – Authoritative TLD and SLD servers – A variety of caching resolvers • I’ll try to not make this not all about the root servers. SIGCOMM 2004 NetTs 1 The Measurement Factory

  3. What is DNS pollution? • A-for-A queries • A-for-. queries • Queries and Updates for RFC 1918 Addresses • Queries for Invalid TLDs • Excessive Queries for [a–m].root-servers.net • IPv6 Address Queries • Repeated Queries • Queries from Unroutable/Unreachable Sources SIGCOMM 2004 NetTs 2 The Measurement Factory

  4. Why is this DNS pollution? • Some queries are unanswerable because the server is not au- thoritative for the domain in question. e.g., lame delegation and “NXDOMAIN” replies. • Some queries are unanswerable because the server cannot talk back to the client. • Some represent local/private information that escapes onto the public Internet. • Some queries are valid, but occur much more frequently than they would for properly configured systems. SIGCOMM 2004 NetTs 3 The Measurement Factory

  5. A-for-A Queries 22:33:57.847573 228.57.66.241.53 > F.53: 52586 A? 93.122.94.102. 22:33:57.868436 11.176.132.84.31790 > F.53: 32062 A? 209.185.151.123. 22:33:57.879179 152.68.35.117.49283 > F.53: 6958 A? 4.43.140.160. 22:33:57.886175 78.150.111.9.42094 > F.53: 32304 A? 60.141.241.142. 22:33:57.888548 176.17.50.38.49902 > F.53: 17622 A? 203.66.149.153. 22:33:57.899417 19.191.37.135.53 > F.53: 55410 A? 151.208.189.26. 22:33:57.903560 176.17.50.38.49902 > F.53: 33116 A? 149.109.60.44. 22:33:57.916032 128.190.104.73.53 > F.53: 43559 A? 249.54.212.95. 22:33:57.921030 166.203.102.109.33638 > F.53: 57797 A? 88.116.197.24. 22:33:57.924153 144.137.97.110.32787 > F.53: 46316 A? 187.5.78.189. 22:33:57.924177 55.94.177.203.53 > F.53: 62802 A? 145.248.229.75. • Caused by buggy Windows NT DNS server • Some resolvers (i.e., djbdns) recognize and answer these queries. SIGCOMM 2004 NetTs 4 The Measurement Factory

  6. A-for-. Queries 22:33:57.846826 233.214.38.235.1428 > F.53: 7360 A? . 22:33:57.851070 7.153.231.207.1117 > F.53: 12747 A? . 22:33:57.851696 14.102.158.207.33210 > F.53: 11210 A? . 22:33:57.851720 63.217.38.83.3924 > F.53: 7232 A? . 22:33:57.854827 14.102.158.207.33210 > F.53: 5078 A? . 22:33:57.859066 214.130.138.39.3004 > F.53: 14319 A? . 22:33:57.862064 233.214.38.235.1428 > F.53: 5334 A? . 22:33:57.867436 7.153.231.207.1117 > F.53: 12764 A? . 22:33:57.869584 63.217.38.83.3924 > F.53: 11348 A? . 22:33:57.872433 14.102.158.207.33210 > F.53: 3039 A? . 22:33:57.877180 63.217.38.83.3924 > F.53: 9308 A? . 22:33:57.877205 233.214.38.235.1428 > F.53: 1243 A? . • Caused by buggy resolvers that accept null query names? • Why not have the resolver recognize and stop these? SIGCOMM 2004 NetTs 5 The Measurement Factory

  7. RFC 1918 Addresses 22:33:57.875681 102.31.88.27.53 > F.53: 12270 PTR? 185.25.73.198.in-addr.arpa. 22:33:57.927422 170.106.101.76.53 > F.53: 11308 PTR? 228.114.106.114.in-addr.arpa. 22:33:57.983493 21.230.155.233.21301 > F.53: 10007 PTR? 122.101.201.23.in-addr.arpa. 22:33:58.029992 21.230.155.233.21301 > F.53: 10008 PTR? 122.101.201.23.in-addr.arpa. 22:33:58.040788 64.207.181.62.53 > F.53: 6518 PTR? 191.246.143.93.in-addr.arpa. 22:33:58.042961 64.207.181.62.53 > F.53: 9522 PTR? 236.192.208.156.in-addr.arpa. 22:33:58.049204 30.82.18.155.53 > F.53: 2636 PTR? 120.93.57.129.in-addr.arpa. 22:33:58.061992 21.230.155.233.21301 > F.53: 10009 PTR? 122.101.201.23.in-addr.arpa. 22:33:58.073315 17.39.143.35.1116 > F.53: 9518 SOA? 51.50.10.in-addr.arpa. 22:33:58.091679 21.230.155.233.21301 > F.53: 10010 PTR? 122.101.201.23.in-addr.arpa. • Sites that use RFC 1918 addresses should configure their resolver to answer authoritatively for them. • The AS112 project servers take the bulk of this abuse. – 20 anycasted servers authoritative for RFC 1918 space – Certain popular operating systems enable dynamic DNS update by default SIGCOMM 2004 NetTs 6 The Measurement Factory

  8. Invalid TLDs 22:33:57.847825 57.95.26.22.32988 > F.53: 52024 SOA? _ldap._tcp.ForestDnsZones.Primefuels.local. 22:33:57.850071 229.97.210.1.2796 > F.53: 9490 A? 7741-S4.7741-SW. 22:33:57.853445 175.252.10.24.32829 > F.53: 4035 SOA? _kpasswd._udp.D-4240669.S3000. 22:33:57.856318 101.71.170.2.53 > F.53: 44256 MX? w.r[. 22:33:57.856692 101.71.170.2.53 > F.53: 55176 SOA? _ldap._tcp.Default-First-Site._sites.DomainDnsZones.chapplehome.local. 22:33:57.867812 160.182.126.21.38242 > F.53: 10314 AAAA? rnde16. 22:33:57.867837 93.239.82.47.51595 > F.53: 11231 A? localhost. 22:33:57.872558 11.131.20.20.53 > F.53: 59300 SOA? _ldap._tcp.18a20066-37fb-420b-a406-2c2324dde8f4.domains._msdcs.yarravelley.local. 22:33:57.873182 5.34.171.157.49616 > F.53: 9324 A? src="http-//banners.aftrk.com/ab/lifetimeopportunity/top500/html4/inc500-email3.gif. 22:33:57.875705 255.91.199.150.52295 > F.53: 38421 SOA? _ldap._tcp.Default-First-Site._sites.gc._msdcs.merlin.local. 22:33:57.882677 69.144.90.160.61075 > F.53: 45124 A? aloha15.domain.local. 22:33:57.883302 87.30.247.246.1029 > F.53: 9760 A? LIVLNX01.bpionet.local. 22:33:57.884926 219.110.202.94.53 > F.53: 29057 A? WEBDEV.beta.enterprise.sscims.cmo. 22:33:57.888424 75.229.97.50.45481 > F.53: 34440 SRV? _ldap._tcp.CAFolsom._sites.dc._msdcs.CARCRDCDB1Y925H. 22:33:57.888984 104.113.9.195.47688 > F.53: 53968 A? denso. 22:33:57.892196 233.168.229.9.26228 > F.53: 5529 A? SCL-TREE. 22:33:57.893173 87.30.247.246.1029 > F.53: 15918 A? LIVLNX01.commonwealthnet.local. • Common invalid TLDs: localhost , local , corp , workgroup , domain , htm , txt , c • Negative caching not good enough to stop these SIGCOMM 2004 NetTs 7 The Measurement Factory

  9. [a-m].root-servers.net 20:00:30.085662 80.41.136.212.33821 > F.53: 33822 A6? A.ROOT-SERVERS.NET. 20:00:30.085870 80.41.136.212.33821 > F.53: 31888 AAAA? A.ROOT-SERVERS.NET. 20:00:30.086014 80.41.136.212.33821 > F.53: 51435 A? A.ROOT-SERVERS.NET. 20:00:34.087164 80.41.136.212.33821 > F.53: 36477 A6? A.ROOT-SERVERS.NET. 20:00:34.087394 80.41.136.212.33821 > F.53: 45228 AAAA? A.ROOT-SERVERS.NET. 20:00:34.087663 80.41.136.212.33821 > F.53: 33202 A? A.ROOT-SERVERS.NET. 20:00:38.087294 80.41.136.212.33821 > F.53: 5231 A6? A.ROOT-SERVERS.NET. 20:00:38.087563 80.41.136.212.33821 > F.53: 54557 AAAA? A.ROOT-SERVERS.NET. 20:00:38.087669 80.41.136.212.33821 > F.53: 51685 A? A.ROOT-SERVERS.NET. 20:00:42.098064 80.41.136.212.33821 > F.53: 55265 A6? A.ROOT-SERVERS.NET. 20:00:42.098315 80.41.136.212.33821 > F.53: 112 AAAA? A.ROOT-SERVERS.NET. 20:00:42.098440 80.41.136.212.33821 > F.53: 57604 A? A.ROOT-SERVERS.NET. 20:00:46.091344 80.41.136.212.33821 > F.53: 47264 A6? A.ROOT-SERVERS.NET. 20:00:46.091467 80.41.136.212.33821 > F.53: 27313 AAAA? A.ROOT-SERVERS.NET. 20:00:46.091592 80.41.136.212.33821 > F.53: 25386 A? A.ROOT-SERVERS.NET. SIGCOMM 2004 NetTs 8 The Measurement Factory

  10. [a-m].root-servers.net, cont • Caching resolvers like to update/validate their “hints” when they startup. • Some caches query for all 13 root servers, and for both IPv4 and IPv6 addresses. • Excessive root-servers.net queries usually indicates a unidi- rectional communication channel. • Certain versions of BIND sometimes pummel the roots with AAAA and A6 queries for [a-m].root-servers.net . SIGCOMM 2004 NetTs 9 The Measurement Factory

  11. Query Spikes for root-server.net IPv6 addresses 3500 3000 A6 Query Rate (q/s) 2500 AAAA A 2000 1500 1000 500 0 01:12 01:17 01:22 01:27 01:32 01:37 01:42 • Sources are BIND 8.3.3 – 8.3.4 SIGCOMM 2004 NetTs 10 The Measurement Factory

  12. IPv6 Address Queries • Not necessarily pollution, but... • BIND optimistically issues AAAA and/or A6 queries for other nameservers. • A random sampling of 3150 authoritative nameservers found 17 (0.5%) with AAAA records, and none with A6 records. SIGCOMM 2004 NetTs 11 The Measurement Factory

  13. Repeated Queries • Repeated queries are not included in the current analysis. • Repeat analysis requires keeping history or state. • Our real-time analysis tools don’t (yet?) keep history. • Repeated query analysis is complicated by cache poison- prevention techniques. That is, some resolvers start certain queries at the roots, rather than trust cached referrals. • In an earlier study we found that up to 70% of F-root traffic is repeated queries. SIGCOMM 2004 NetTs 12 The Measurement Factory

  14. Unroutable/Unreachable Sources • Source address from RFC 1918 space • No route back to source address • DNS reply is blocked by misconfigured packet filter • Source port is zero SIGCOMM 2004 NetTs 13 The Measurement Factory

  15. DNS Pollution Seen at F-Root Aug 20–27, 2004 50 Percentage of Total RFC1918 PTR 40 A−for−. A−for−A 30 root−servers.net localhost 20 Non−Auth TLD 10 0 PAO1 SFO2 SIGCOMM 2004 NetTs 14 The Measurement Factory

Recommend

Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching

Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching

Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching Previous work has shown that hit rate increases with population size [Duska et al. 97, Breslau et al. 98] However, single proxy caches have practical limits

868 views • 53 slides
DNS Session 2: DNS cache How caching NS works (1) operation and DNS debugging If we've dealt

DNS Session 2: DNS cache How caching NS works (1) operation and DNS debugging If we've dealt

DNS Session 2: DNS cache How caching NS works (1) operation and DNS debugging If we've dealt with this query before recently, answer is already in the cache - easy! Query Caching Joe Abley Resolver NS AfNOG 2006 workshop Response What

373 views • 8 slides
Slide 2 Caching is both the most effective AND the most cost-effective method for schools to

Slide 2 Caching is both the most effective AND the most cost-effective method for schools to

Slide 2 Caching is both the most effective AND the most cost-effective method for schools to optimise internet connections. ApplianSys caching appliance CACHE BOX is the most widely selected caching solution by far in the E-Rate program since

600 views • 30 slides
Slide 2 Caching is both the most effective AND the most cost-effective method for schools to

Slide 2 Caching is both the most effective AND the most cost-effective method for schools to

Slide 2 Caching is both the most effective AND the most cost-effective method for schools to optimise internet connections. ApplianSys caching appliance CACHE BOX is the most widely selected caching solution by far in the E-Rate program since

655 views • 29 slides
DNS Session 2: DNS cache operation and DNS debugging Joe Abley AfNOG 2006 workshop How caching

DNS Session 2: DNS cache operation and DNS debugging Joe Abley AfNOG 2006 workshop How caching

DNS Session 2: DNS cache operation and DNS debugging Joe Abley AfNOG 2006 workshop How caching NS works (1) If we've dealt with this query before recently, answer is already in the cache - easy! Query Caching Resolver NS Response What

721 views • 44 slides
Part 5 Rules Part 5 Rules Spillage of Oil and Polluting Materials Spillage of Oil and Polluting

Part 5 Rules Part 5 Rules Spillage of Oil and Polluting Materials Spillage of Oil and Polluting

Part 5 Rules Part 5 Rules Spillage of Oil and Polluting Materials Spillage of Oil and Polluting Materials Ryan Blazic Tracy Kecskemeti DNRE Water Bureau DNRE Water Bureau Gaylord Field Office Southeast Michigan District Office 989-705-3420

1.84k views • 48 slides
Agenda Caching Caching Gitlab Demo Caching Demos Mirroring Caching Limitations Manual

Agenda Caching Caching Gitlab Demo Caching Demos Mirroring Caching Limitations Manual

Agenda Caching Caching Gitlab Demo Caching Demos Mirroring Caching Limitations Manual Mirroring Caching Other Registries Summary 1 / 35 @sudo_bmitch How to Use Mirroring and Caching to Optimize Your Image Registry Brandon Mitchell

837 views • 35 slides
Web Caching based on: Web Caching , Geoff Huston Web Caching and Zipf-like Distributions:

Web Caching based on: Web Caching , Geoff Huston Web Caching and Zipf-like Distributions:

Web Caching based on: Web Caching , Geoff Huston Web Caching and Zipf-like Distributions: Evidence and Implications , L. Breslau, P. Cao, L. Fan, G. Phillips, S. Shenker On the scale and performance of cooperative Web proxy caching ,

640 views • 24 slides
A flexible DNSSEC-validating Resolver Ondej Sur ondrej.sury@nic.cz 7.3.2016 What

A flexible DNSSEC-validating Resolver Ondej Sur ondrej.sury@nic.cz 7.3.2016 What

A flexible DNSSEC-validating Resolver Ondej Sur ondrej.sury@nic.cz 7.3.2016 What is Knot DNS Resolver? Platform for building recursive DNS service Open-source DNS Resolver (GPLv3+) Full DNSSEC support: RFC 6650

265 views • 12 slides
Web Caching and Content Delivery Web Caching and Content Delivery Caching for a Better Web

Web Caching and Content Delivery Web Caching and Content Delivery Caching for a Better Web

Web Caching and Content Delivery Web Caching and Content Delivery Caching for a Better Web Caching for a Better Web Performance is a major concern in the Web Proxy caching is the most widely used method to improve Web performance

438 views • 22 slides
Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki

Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki

Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki university of technology Csar Fernndez Gago Jean-Baptiste Escoyez 1 Index Web caching concepts Web caching issues How does it works?

417 views • 18 slides
A Socially Aware Caching Mechanism for Encounter Networks Future Internet Architectures: New

A Socially Aware Caching Mechanism for Encounter Networks Future Internet Architectures: New

A Socially Aware Caching Mechanism for Encounter Networks Future Internet Architectures: New Trends in Service Architectures, 2nd EuroFGI Workshop June, 9th 2009 Bernhard Klein, Helmut Hlavacs General Overview Mobile information system for

478 views • 22 slides
Low-power Internet of Things with NDN & Cooperative Caching Oliver Hahm INRIA/Zhlke

Low-power Internet of Things with NDN & Cooperative Caching Oliver Hahm INRIA/Zhlke

Low-power Internet of Things with NDN & Cooperative Caching Oliver Hahm INRIA/Zhlke Emmanuel Baccelli, Cdric Adjih, Laurent Massouli INRIA Thomas C. Schmidt HAW Hamburg Matthias Whlisch Freie Universitt Berlin Low-power

644 views • 33 slides
Caching and Mobility Support in a Publish-Subscribe Internet Architecture George Xylomenos,

Caching and Mobility Support in a Publish-Subscribe Internet Architecture George Xylomenos,

Caching and Mobility Support in a Publish-Subscribe Internet Architecture George Xylomenos, Xenofon Vasilakos, Christos Tsilopoulos, Vasilios A. Siris, and George C. Polyzos Presented by Max Nicosia Motivation Need for Mobility

573 views • 17 slides
Scaling Your Cache & Caching at Scale Alex Miller @puredanger Mission Why does caching

Scaling Your Cache & Caching at Scale Alex Miller @puredanger Mission Why does caching

Scaling Your Cache & Caching at Scale Alex Miller @puredanger Mission Why does caching work? Whats hard about caching? How do we make choices as we design a caching architecture? How do we test a cache for performance?

965 views • 59 slides
CACHING BEYOND RAM CACHING BEYOND RAM memcached.org/blog @dormando WHY RAM? WHY RAM?

CACHING BEYOND RAM CACHING BEYOND RAM memcached.org/blog @dormando WHY RAM? WHY RAM?

CACHING BEYOND RAM CACHING BEYOND RAM memcached.org/blog @dormando WHY RAM? WHY RAM? Identical Cache W W W Broadcast Invalidation W W W MC HASH(key) MC 1G RAM 4G RAM W DB 32bit OS! 4G RAM 4G RAM W DB Filled Empty RAM Slots

417 views • 39 slides
DNS Session 2: DNS cache operation and DNS debugging TENET NSRC - 2013 DNS Cache Operation

DNS Session 2: DNS cache operation and DNS debugging TENET NSRC - 2013 DNS Cache Operation

DNS Session 2: DNS cache operation and DNS debugging TENET NSRC - 2013 DNS Cache Operation How caching NS works (1) If we've dealt with this query before recently, answer is already in the cache - easy! Query Caching Resolver NS

471 views • 45 slides
1 Web Traffic Characterization Zipf Web Traffic Characterization Zipf [Breslau/Cao99] and

1 Web Traffic Characterization Zipf Web Traffic Characterization Zipf [Breslau/Cao99] and

Caching for a Better Web Caching for a Better Web Performance is a major concern in the Web Proxy caching is the most widely used method to improve Web performance Web Caching and Content Delivery Web Caching and Content Delivery

584 views • 4 slides
helping communities protect themselves from polluting energy and waste technologies Why are

helping communities protect themselves from polluting energy and waste technologies Why are

helping communities protect themselves from polluting energy and waste technologies Why are waste coal piles a problem? Look bad Leach iron, manganese and aluminum pollution into waterways Cause acid drainage when exposed to water

476 views • 23 slides
Domain Name System (DNS) Session 2: Resolver Operation and debugging Joe Abley AfNOG

Domain Name System (DNS) Session 2: Resolver Operation and debugging Joe Abley AfNOG

Domain Name System (DNS) Session 2: Resolver Operation and debugging Joe Abley AfNOG Workshop, AIS 2014, Djibou> DNS Resolver Operation How Resolvers Work (1) If we've dealt with this query before recently,

838 views • 46 slides
Domain Name System (DNS) Session 2: Resolver Operation and debugging Michuki Mwangi AfNOG

Domain Name System (DNS) Session 2: Resolver Operation and debugging Michuki Mwangi AfNOG

Domain Name System (DNS) Session 2: Resolver Operation and debugging Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar DNS Resolver Operation How Resolvers Work (1) ! If we've dealt with this query before recently, answer is already in the cache

452 views • 41 slides
1 Harvest Harvest- -Style ICP Hierarchies Style ICP Hierarchies Issues for Cache Hierarchies

1 Harvest Harvest- -Style ICP Hierarchies Style ICP Hierarchies Issues for Cache Hierarchies

Caching for a Better Web Caching for a Better Web Performance is a major concern in the Web Proxy caching is the most widely used method to improve Large Large- -Scale Web Caching and Content Scale Web Caching and Content Web performance

325 views • 9 slides
1 Issues for Cache Hierarchies Issues for Cache Hierarchies Hashing: Cache Array Routing

1 Issues for Cache Hierarchies Issues for Cache Hierarchies Hashing: Cache Array Routing

Cooperative Caching Cooperative Caching Previous work has shown that hit rate increases with population size [Duska et al. 97, Breslau et al. 98] However, single proxy caches have practical limits Cooperative Web Caching Cooperative Web Caching

327 views • 9 slides
Domain Name System (DNS) Session 2: Resolver Operation and debugging Joe Abley AfNOG Workshop,

Domain Name System (DNS) Session 2: Resolver Operation and debugging Joe Abley AfNOG Workshop,

Domain Name System (DNS) Session 2: Resolver Operation and debugging Joe Abley AfNOG Workshop, AIS 2017, Nairobi DNS Resolver Operation How Resolvers Work (1) If we've dealt with this query before recently, answer is already in the cache

558 views • 42 slides

More recommend