Recursives in the Wild: Engineering Authoritative DNS Servers IMC 2017 | 2017-11-03 | London Moritz Müller 1,2 , Giovane C. M. Moura 1 , Ricardo de O. Schmidt 1,2 , John Heidemann 3 1 SIDN Labs, 2 University of Twente, 3 USC/Information Sciences Institute
Introduction unicast ns1 ns2 ns3 ns4 ns5 nic.fr isc netnod .nl setup anycast 2
Introduction unicast netnod ns1 ns2 ns3 ns4 ns5 nic.fr isc .nl setup anycast Recursive Resolver who has example.nl ? Client 3
Introduction unicast netnod ns1 ns2 ns3 ns4 ns5 nic.fr isc .nl setup anycast ? Recursive Resolver who has example.nl ? Client 4
Introduction ns5 unicast anycast netnod ns1 ns2 ns3 ns4 nic.fr isc .nl setup Recursive Resolver Client 5
Introduction area relative to netnod ns5 isc ns1 ns2 ns3 ns4 nic.fr the number of sites 6
Introduction area relative to netnod ns5 isc ns1 ns2 ns3 ns4 nic.fr the number of sites area relative to nic.fr ns1 ns5 netnod ns2 ns3 ns4 isc the number of queries 7
Introduction area relative to netnod ns5 isc ns1 ns2 ns3 ns4 nic.fr the number of sites 23% of queries from the US multiple sites in the US area relative to nic.fr ns1 ns5 netnod ns2 ns3 ns4 isc the number of queries located in the Netherlands 8
Research Questions • How do recursive resolvers select authoritative name servers? • [1] says, most implementations prefer faster responding authoritatives • but what is the overall behaviour in the wild ? • To improve performance, how should operators design their authoritatives? [1] Yu, Y., Wessels, D., Larson, M., and Zhang, L. Authority Server Selection in DNS Caching Resolvers. SIGCOMM Computer Communication Review 42, 2 (Mar. 2012), 80–86. 9
Measurement Design Setups: GRU+NRT DUB FRA DUB+FRA IAD SFO NRT FRA+SYD GRU+NRT+SYD DUB+FRA+IAD unicast NS DUB+GRU+NRT+SYD GRU SYD DUB+FRA+IAD+SFO IPv4 only (for now) 10
Measurement Design Setups: GRU+NRT DUB FRA DUB+FRA IAD SFO NRT FRA+SYD GRU+NRT+SYD DUB+FRA+IAD unicast NS DUB+GRU+NRT+SYD GRU RIPE Atlas SYD Probe DUB+FRA+IAD+SFO Recursive IPv4 only (for now) 11
How do recursives distribute their queries over time? 400 300 RTT (ms) 200 100 0 FRA DUB IAD SFO GRU NRT SYD FRA DUB IAD SFO GRU NRT SYD location 1 0.8 queries share 0.6 0.4 0.2 0 GRU DUB FRA GRU DUB GRU DUB 2A 2B 2C 3A 3B 4A 4B NRT FRA SYD NRT FRA NRT FRA authoritatives combination SYD IAD SYD IAD DUB SFO 12
How do recursives distribute their queries over time? 400 • Authoritatives with similar 300 latency get similar number of RTT (ms) 200 queries 100 0 FRA DUB IAD SFO GRU NRT SYD FRA DUB IAD SFO GRU NRT SYD location 1 0.8 queries share 0.6 0.4 0.2 0 GRU DUB FRA GRU DUB GRU DUB 2A 2B 2C 3A 3B 4A 4B NRT FRA SYD NRT FRA NRT FRA authoritatives combination SYD IAD SYD IAD DUB SFO 13
How do recursives distribute their queries over time? 400 • Authoritatives with similar 300 latency get similar number of RTT (ms) 200 queries 100 • Larger difference leads to 0 larger preference FRA DUB IAD SFO GRU NRT SYD FRA DUB IAD SFO GRU NRT SYD location 1 0.8 queries share 0.6 0.4 0.2 0 GRU DUB FRA GRU DUB GRU DUB 2A 2B 2C 3A 3B 4A 4B NRT FRA SYD NRT FRA NRT FRA authoritatives combination SYD IAD SYD IAD DUB SFO 14
How do recursives distribute their queries over time? 400 • Authoritatives with similar 300 latency get similar number of RTT (ms) 200 queries 100 • Larger difference leads to 0 larger preference FRA DUB IAD SFO GRU NRT SYD FRA DUB IAD SFO GRU NRT SYD location • Authoritatives that respond 1 faster are in general preferred 0.8 queries share 0.6 • Confirms previous work, but 0.4 now in the wild 0.2 0 GRU DUB FRA GRU DUB GRU DUB 2A 2B 2C 3A 3B 4A 4B NRT FRA SYD NRT FRA NRT FRA authoritatives combination SYD IAD SYD IAD DUB SFO 15
How do individual recursives distribute their queries? 16
How do individual recursives distribute their queries? 17
How do individual recursives distribute their queries? 18
How do individual recursives distribute their queries? 19
How do individual recursives distribute their queries? 20
How do individual recursives distribute their queries? Up to 69% of resolvers have a weak preference (60% to 90% of their queries to one NS) 21
How do individual recursives distribute their queries? Up to 37% of resolvers have a strong preference (more than 90% of their queries to one NS) 22
How do individual recursives distribute their queries? Some resolvers always prefer the slower NS 23
Validation: Authoritatives in Production Root Servers (10 out of 13) .nl Servers (4 out of 8) • Root: +60% query at least 6 servers • .nl: +90% query at least 4 servers • Overall confirms the observations from our test bed 24
Measurement Summary • Distribution is inversely proportional with the median RTT • Recursives prefer faster responding authoritatives • But they also query slower authoritatives from time to time • Additional findings: • Lower RTT becomes more relevant if competing NSes are closer (<150 ms) • Stronger preference when querying more frequent (< 10min interval) 25
Recommendations for DNS Operators • The slowest authoritative limits the response time of a DNS service • Recommendation : • Use anycast on all your name servers • Anycast sites need to be well connected with good peering à Based on this work .nl is replacing unicast NSes with anycast 26
Data Sets All data sets (but one) available: https://ant.isi.edu/datasets/dns/index.html#recursives 27
Data Sets All data sets (but one) available: https://ant.isi.edu/datasets/dns/index.html#recursives Moritz Müller Questions? email: moritz.muller@sidn.nl twitter: @moritzcm_ 28
Additional Slides 29
Does preference change for distant recursives? 1 fraction of queries NA 0.8 AS (1181) (692) 0.6 EU OC (6221) 0.4 (245) SA AF (131) DUB 0.2 (215) FRA 0 0 50 100 150 200 250 300 350 RTT (ms) • VPs in EU reach Frankfurt 13 ms faster than Dublin • Thus, they clearly prefer Frankfurt • VPs in Asia reach Frankfurt 20 ms faster, but distribute their queries almost equally à Lower RTT becomes more relevant if competing authoritatives are closer to the recursive 30
How does query frequency affect the results? 1 fraction of queries AF 0.8 AS 0.6 EU NA 0.4 OC 0.2 SA 0 2 5 10 15 20 30 query interval (minutes) • A higher query frequency leads to a stronger preference • However, preference persists even after the default timeout of resolvers like Bind and Unbound 31
Do recursives query all authoritatives? 30 # of queries after first query 25 20 Yes, the majority of resolvers 15 query every authoritative 10 5 0 ) ) ) ) ) ) ) São Paulo Dublin Sydney GRU Wash. DC GRU San % % % % % % % (GRU) (DUB) (SYD) (IAD) Francisco 0 5 4 3 8 7 2 . . . . . . . (SFO) 6 5 2 1 4 4 5 9 9 8 9 8 9 7 Tokyo Frankfurt FRA NRT FRA NRT FRA ( ( ( ( ( ( ( (NRT) (FRA) A B C A B A B 2 2 2 3 3 4 4 SYD DUB SYD DUB DUB IAD authoritative combination 32
Recommend
More recommend