looking at dns traces what do we know about resolvers
play

Looking at DNS traces: What do we know about resolvers? lafur Gu - PowerPoint PPT Presentation

Mar 07, 2023 •417 likes •623 views

Looking at DNS traces: What do we know about resolvers? lafur Gu mundsson Shinkuro Ogud@shinkuro.com Motivation: Open Questions What is the market share for resolver X What can we deduct from traces to a subset of authorative

  1. Looking at DNS traces: What do we know about resolvers? Ólafur Gu � mundsson Shinkuro Ogud@shinkuro.com

  2. Motivation: Open Questions � What is the “market share” for resolver X � What can we deduct from traces to a subset of authorative servers ? � Can we predict the effect of adding/deleting a server in location Y ? � Do resolvers behave according to the RFC’s? � Or more generally how do they behave? Oarc-SF-Mar-2011 ogud@shinkuro.com 2 March 13, 11

  3. Case #1: CCTTL adds foreign DNS servers by a commercial operator � The new operator is supposed to answer questions from outside the country. � The new operator charges per query answered. � The CCTLD operator did their homework and predicted what percentage of queries are “foreign” � The bills were higher than predicted � Is the operator over charging? � Is the operator “stealing” traffic from inside the country? � Was the model wrong? Oarc-SF-Mar-2011 ogud@shinkuro.com 3 March 13, 11

  4. Case #2: DNS operator change I was asked to document a procedure that allowed transfer of a DNSSEC signed domain to a new operator � Questions: � In what sequence to perform operations � How long to wait for information to propagate before next step � How do resolvers treat repeated information, such as NS set in authority section � Do they modify the TTL of the stored NS set ? � Which NS set do resolvers use ? � Important during change and when Parent or Child differ � Resolver that uses the Child set � and “stretches” the TTL � And asks question to the domain often enough o � may not discover an operator change Oarc-SF-Mar-2011 ogud@shinkuro.com 4 March 13, 11

  5. Case #3: What % of resolvers support DNAME ? � This question was raised in the context of D+C proposal � Quick survey showed less deployment of DNAME support than expected by looking at well known implementations � supported DNAME, � BIND, Unbound, WindowsDNS, Nominum � did not � Power Recursor, DJBdns/OpenDNS, Google, � How about all the other resolvers? Oarc-SF-Mar-2011 ogud@shinkuro.com 5 March 13, 11

  6. Case #4: DNSSEC validation in the wild � I have been working with traces from .ORG to try to find out how much validation is going on. � Org. DNSKEY TTL is 15 minutes � Org. DS TTL is 1 day � 50 minute long traces � I look for DNSKEY and DS queries from an resolver. � If a resolver asks for � DNSKEY twice (at least 15 minutes apart) � or for a DS for a signed domain � it is validating Oarc-SF-Mar-2011 ogud@shinkuro.com 6 March 13, 11

  7. ORG DNSSEC validation study issues � I only have traces for the DNS server that Afilias operates for .org. � Afilias operates 2/3 of NS records � PCH operates 1/3 of NS records � PCH has more sites � Afilias sees about 50% of query traffic � My first questions: � what is the probably that my traces see a DNSKEY or DS query? � What kind resolvers do I see and why ? � Does the probably of seeing an interesting query depend on how busy the resolver is ? Oarc-SF-Mar-2011 ogud@shinkuro.com 7 March 13, 11

  8. Transfer work: � Are resolvers parent or child centric? � Do sticky resolvers exist? � What is the percentage of each ? � Simple experiments: � Set up a zone and with one server is only in one NS set � Works if all resolvers are queried with identical probability � Set up zone with two sets of authoritative server(s) � One set referenced in parent the other one in children Oarc-SF-Mar-2011 ogud@shinkuro.com 8 March 13, 11

  9. Sticky Resolver detection Zone setup Parent Child-C Child-P Child-C Child-P Blue-C Red-C Blue Red Oarc-SF-Mar-2011 ogud@shinkuro.com 9 March 13, 11

  10. How good a sample of resolvers are open recursive resolvers ? � I got a list of 856 open recursive resolvers � 136 did not answer queries (16%) � I probed the other 720 servers every 3 seconds 20 times for the record and recorded answer and TTL. � NS records TTL 17 � TXT record TTL 7 � I asked the servers a final question: � “version.bind. TXT CH” Oarc-SF-Mar-2011 ogud@shinkuro.com 10 March 13, 11

  11. What should answers look like � I process answers based on where answer comes from � P == Parent referenced server � C == Child referenced server. � Child Centric non sticky: � PPPCCCPPPCCCPPPCCCPP � Child Centric sticky � PPPCCCCCCCCCCCCCCCCC � Parent Centric � PPPPPPPPPPPPPPPPPPPP Oarc-SF-Mar-2011 ogud@shinkuro.com 11 March 13, 11

  12. What answers look like � 130 different patterns � Top 10 are 536 or 74.4 % � 172 PPPCCCPPPCCCPPPCCCP � Child Centric � 108 PPPCCCCCCCCCCCCCCCC � Child Sticky 15% � 49 PPPCCCPPPCCCCCPPPCC � 42 PPPCCCCCPPPCCCPPPCC � 38 PPCCCCCCPPPCCCPPPCC � 34 PPPCCCPPPCCCPPCCCCC � 33 PPPCCCPPPCCCPPPCCCC � 26 PPPCCCPPCCCCCCPPPCC � 23 PPPPPPPPPPPPPPPPPPP � Parent Centric 3% � 11 PPPCCCCCPPPCCCCCPPP Oarc-SF-Mar-2011 ogud@shinkuro.com 12 March 13, 11

  13. Closer look � Most of resolvers are child centric and do not stretch, but some stretch some of the time � Child Sticky 15 % (108) � Parent Centric 3% (23) � Child Centric (517) 72% � 345 do not follow exact pattern 48% � 172 exact pattern 24% � Mostly Child Centric 10% (72 ) � Partial sticky, relaxed handling of TTL, answer caching and reuse, …… Oarc-SF-Mar-2011 ogud@shinkuro.com 13 March 13, 11

  14. Behavior by implementations? 151 different version strings � All Bind releases 9.3 and later are child centric � � 9.2.3 and up are Child Centric � Older are Child sticky Bind 9.x shows up 305 times or 42% � � 18 Parent Centric or mostly PC � 74 Child Sticky but only 7 say 9.2.1 or 9.2.1 � 186 Mostly Child Centric � 25 Other � 62 Bind-9.6…. Only 12 behave according to my freshly compiled copy. But: 1 PPPCCCPPPPPPCCCPPPP 1 PPPCPCPCPPPPCCPCCPC 1 PPPPCCCCCCCCCCCCCCC 1 PPPPCPCPPPCPPPCCPPP 1 PPPPPCPCPCCCCPPCPPP 1 PPPPPPCCCPPPCCCPPPP 1 PPPPPPPCPCPCCCPPPPC 1 PPPPPPPCPPPCPPPPPPC 1 PPPPPPPPCCPPPPPCPPP 1 PPPPPPPPPPPPCCCPPPP Only 8 claim to be Bind 8.x � none Bind 4.x � Oarc-SF-Mar-2011 ogud@shinkuro.com 14 March 13, 11

  15. Concerns ? � Nominum and Google DNS are Parent centric � DNSCache and OpenDNS are Child Sticky � There seem to be many cases where resolvers are not going to authority as expected: � Going through forwarder � Out of band synchronization � Minimum TTL enforcement � Or I’m asking any cast server cluster Oarc-SF-Mar-2011 ogud@shinkuro.com 15 March 13, 11

  16. Resolver query patterns � How do Resolvers scatter queries ? � If a resolver discovers a domain and does not know about the name servers: it will ask a random resolver, � second query will go to DIFFERENT address � After all are probed queries will be concentrated inside a “band” of distance. � How often do resolvers “forget” about closest authorative server. � What is the market share of busy resolvers vs sporadic ones � Depends on the domain being queried e.g. ISP resolver in Brazil will likely show up as sporadic at a.nic.cz but busy at a.dns.br � Does Address == resolver � We see many cases of multiple recursive resolvers behind NAT’s Oarc-SF-Mar-2011 ogud@shinkuro.com 16 March 13, 11

  17. Resolver query patterns: effects � Sporadic resolver will send DNSKEY query to the servers I see 66.7% of the time � Busy resolver is likely to send none or all DNSKEY or DS query to servers I see � Busy resolver that is “tied” to PCH site(s) will show up as Sporadic at Afilias sites and vice versa. � How different are the query patterns at different sites? � Does prevalence of DNSSEC validation depend on regions? Oarc-SF-Mar-2011 ogud@shinkuro.com 17 March 13, 11

  18. Depressing Summary � We do not know a lot about � Resolver NS set usage � Resolver query scattering � Resolver Market share, � Geographical differences � We can not build reliable models of using DNS samples to answer basic questions � What can be done to improve things? � Can we look at big collections and build models. � How can models evolve over time � For example: Bind-9.8 changed RTT banding from prior versions. Oarc-SF-Mar-2011 ogud@shinkuro.com 18 March 13, 11

  19. Positive ways forward � What Models are needed: � List of models � Can we find answers in existing traces � Documentation as what to look for and how � Experiments to expose resolvers from the consumer side. � What do we want to know and how can we “trick” resolvers to expose their behavior ? � Revisit the design and implementation choices for query scattering ? Oarc-SF-Mar-2011 ogud@shinkuro.com 19 March 13, 11

Recommend

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS resolvers abstract complexity and offer the possibility of improved performance and better scalability . Why are they harmful? 3 Resolvers Are Vulnerable

618 views • 34 slides
Eligibility Traces Chapter 12 Eligibility traces are Another way of interpolating between MC and

Eligibility Traces Chapter 12 Eligibility traces are Another way of interpolating between MC and

Eligibility Traces Chapter 12 Eligibility traces are Another way of interpolating between MC and TD methods A way of implementing compound -return targets A basic mechanistic idea a short-term, fading memory A new style of algorithm

881 views • 31 slides
Capture, conversion, and analysis of an intense NFS workload uating newer storage systems because

Capture, conversion, and analysis of an intense NFS workload uating newer storage systems because

the analysis or simulation. about 750 million operations per day. In comparison, the vironment than prior traces, we limit our comparisons Since our traces were captured in such a different en- convert, and analyze the traces. quired us to

366 views • 14 slides
CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of

CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of

CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of the four primary application components: activities content providers / content resolvers services broadcast receivers 2 Android

728 views • 50 slides
Modeling interaction traces of an online panel From raw interaction traces to actionable

Modeling interaction traces of an online panel From raw interaction traces to actionable

Modeling interaction traces of an online panel From raw interaction traces to actionable indicators: lessons learned 8th European Survey Research Association conference July 2019, Zagreb Simon DELLAC Elodie PETORIN (both CDSP, Sciences Po)

435 views • 18 slides
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client Side: Stub resolvers

429 views • 30 slides
Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk

Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk

Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk (jtk@depaul.edu) DNS Probing September 30, 2006 1 / 9 Open Resolvers Recursive - open access to a full resolver Forwarder - proxy access to a

371 views • 9 slides
Traces Exist (Hypothetically)! Carl Pollard Structure and Evidence in Linguistics Workshop in

Traces Exist (Hypothetically)! Carl Pollard Structure and Evidence in Linguistics Workshop in

Traces Exist (Hypothetically)! Carl Pollard Structure and Evidence in Linguistics Workshop in Honor of Ivan Sag Stanford University April 28, 2013 Carl Pollard Traces Exist (Hypothetically)! Traces in Transformational Grammar (1/2) Traces

411 views • 28 slides
Shrug Daemon Doing DNS the Hard Way Since 2015

Shrug Daemon Doing DNS the Hard Way Since 2015

Shrug Daemon Doing DNS the Hard Way Since 2015 https://en.wikipedia.org/wiki/Ayn_Rand#/media/File:Objectivist1.jpg Problem Statement RIPE Atlas probes have 2 DNS resolvers: Resolver local to probe RIPE Atlas central resolvers

713 views • 6 slides
DNS Rex Do you need an aggressive benchmark? Alex Rousskov The Measurement Factory DNS Rex At a

DNS Rex Do you need an aggressive benchmark? Alex Rousskov The Measurement Factory DNS Rex At a

DNS Rex Do you need an aggressive benchmark? Alex Rousskov The Measurement Factory DNS Rex At a Glance A performance test tool for DNS resolvers. Born 2009 A.D. (Cenozoic Era). Designed to intimidate powerful resolvers. Could

713 views • 22 slides
Two 2-traces Simon Willerton University of Sheffield f Tr ( f ) := V

Two 2-traces Simon Willerton University of Sheffield f Tr ( f ) := V

Two 2-traces Simon Willerton University of Sheffield f Tr ( f ) := V Tr ( f ) := V f Traces What is a trace? Tr ( f g ) = Tr ( g f ) Tr ( f ) = Tr ( a f a 1 ) Traces in a monoidal

651 views • 13 slides
In Inferring the Deployment of f In Inbound Source Address Validation Using DNS Resolvers

In Inferring the Deployment of f In Inbound Source Address Validation Using DNS Resolvers

In Inferring the Deployment of f In Inbound Source Address Validation Using DNS Resolvers Maciej Korczyski*, Yevheniya Nosyk*, Qasim Lone , Marcin Skwarek*, Baptiste Jonglez*, and Andrzej Duda* *Universit Grenoble Alpes, CNRS, Grenoble

546 views • 16 slides
LN-10 Searching for traces of Norwegian economic thought Intro When trying to find the traces of

LN-10 Searching for traces of Norwegian economic thought Intro When trying to find the traces of

LN-10 Searching for traces of Norwegian economic thought Intro When trying to find the traces of Norwegian economic thought, we should be aware that most economic questions until very recently were dealt with within a framework of religious,

409 views • 39 slides
ELLIPSOID : traces on the coordinate planes are ellipses 2 2 2 x 2 y 2 z 2 = 1 a b c

ELLIPSOID : traces on the coordinate planes are ellipses 2 2 2 x 2 y 2 z 2 = 1 a b c

ELLIPSOID : traces on the coordinate planes are ellipses 2 2 2 x 2 y 2 z 2 = 1 a b c ELLIPTIC PARABOLOID : traces are ellipses and parabolas z = x 2 + y 2 y = x 2 + z 2 HYPERBOLIC PARABOLOID : traces are hyperbolas and parabolas. z =

254 views • 3 slides
Caching in with Resolvers Norman Walsh http://www.sun.com/ XML Conference & Exposition 2003

Caching in with Resolvers Norman Walsh http://www.sun.com/ XML Conference & Exposition 2003

Caching in with Resolvers Norman Walsh http://www.sun.com/ XML Conference & Exposition 2003 07-12 December 2003 Version 1.0 Introduction Using URIs The Problem Solutions Catalog-based Resolution Proxy Caches

1.26k views • 47 slides
On The Fidelity of 802.11 Packet Traces Aaron Schulman, Dave Levin, Neil Spring University of

On The Fidelity of 802.11 Packet Traces Aaron Schulman, Dave Levin, Neil Spring University of

On The Fidelity of 802.11 Packet Traces Aaron Schulman, Dave Levin, Neil Spring University of Maryland, College Park PAM - April 2008 On The Fidelity of 802.11 Packet Traces 1 Uses of 802.11 packet traces MAC Layer (Mahajan et al, Jardosh

1.26k views • 78 slides
Discovering Bits of Place Histories from People's Activity Traces from People s Activity Traces

Discovering Bits of Place Histories from People's Activity Traces from People s Activity Traces

Discovering Bits of Place Histories from People's Activity Traces from People s Activity Traces Gennady Andrienko, Natalia Andrienko, y , , Martin Mladenov, Michael Mock, Christian Plitz Not in living memory Not in living memory

552 views • 27 slides
More on Reconstructing from Random Traces: Insertions and Deletions Sampath Kannan and Andrew

More on Reconstructing from Random Traces: Insertions and Deletions Sampath Kannan and Andrew

More on Reconstructing from Random Traces: Insertions and Deletions Sampath Kannan and Andrew McGregor, UPenn Random Traces Transmit a length n binary string t Channel introduces errors: Delete a bit with probability q 1 Insert a

441 views • 30 slides
The Current State of DNS Resolvers and RPKI Protection By Erik Dekker and Marius Brouwer 1

The Current State of DNS Resolvers and RPKI Protection By Erik Dekker and Marius Brouwer 1

The Current State of DNS Resolvers and RPKI Protection By Erik Dekker and Marius Brouwer 1 Motivation Why is this research important? 2 Motivation BGP is old First RFC was published in 1989 (RFC 1105) BGP was developed in times

457 views • 28 slides
Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI

Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI

Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI Networks Seminar jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 1 / 26 A Review of the DNS Lookup Process jtk (jtk@depaul.edu) ORs and

626 views • 26 slides
Capturing Traffic Traces with Ground- Capturing Traffic Traces with Ground- Truth Information

Capturing Traffic Traces with Ground- Capturing Traffic Traces with Ground- Truth Information

Politecnico di Torino Seminario su Traffic Classification - 10/2009 Capturing Traffic Traces with Ground- Capturing Traffic Traces with Ground- Truth Information Truth Information Niccolo' Cascarano, Politecnico di Torino Joint work with

479 views • 16 slides
Pipeline for Our Example Using SCALE Atmel dataset A Acquire training data 1000 traces, random

Pipeline for Our Example Using SCALE Atmel dataset A Acquire training data 1000 traces, random

How Differential Power Attacks Work Profiled Attack Example 28 Pipeline for Our Example Using SCALE Atmel dataset A Acquire training data 1000 traces, random known plaintexts Fixed known key is less ideal Traces are already aligned B Build a

558 views • 33 slides
ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016 ECDSA Elliptic Curve Cryptography allows for the construction of strong public/private key pairs with key lengths that are far shorter than

416 views • 27 slides
COMBINATORIAL INTERPRETATION OF HECKE ALGEBRA TRACES Sam Clearman, Matthew Hyatt, Brittany

COMBINATORIAL INTERPRETATION OF HECKE ALGEBRA TRACES Sam Clearman, Matthew Hyatt, Brittany

COMBINATORIAL INTERPRETATION OF HECKE ALGEBRA TRACES Sam Clearman, Matthew Hyatt, Brittany Shelton, and Mark Skandera Lehigh University Outline (1) The Hecke algebra and its traces (2) The chromatic symmetric and quasisymmetric functions (3)

476 views • 25 slides

More recommend