when parents and children disagree diving into dns
play

WHEN PARENTS AND CHILDREN DISAGREE: DIVING INTO DNS DELEGATION - PowerPoint PPT Presentation

Feb 27, 2023 •544 likes •866 views

WHEN PARENTS AND CHILDREN DISAGREE: DIVING INTO DNS DELEGATION INCONSISTENCY The Domain Name System (DNS) is one of the most critical components of the Internet DNS is a distributed, hierarchical database DNS maps hosts, services and

  1. WHEN PARENTS AND CHILDREN DISAGREE: DIVING INTO DNS DELEGATION INCONSISTENCY

  2. The Domain Name System (DNS) is one of the most critical components of the Internet DNS is a distributed, hierarchical database DNS maps hosts, services and applications to IP addresses and various other types of records. INTRODUCTION

  3. A key mechanism that enables the DNS to be hierarchical and distributed is delegation The DNS hierarchy is organized in parent and child zones typically managed by different entities Different zones need to share common information (NS records) about which are the authoritative name servers for a given domain. DNS AND DELEGATIONS

  4. RFC1034 states that the NS records at both parent and child should be “consistent and remain so” Is this in practice the case? IS COMMON INFORMATION CONSISTENT?

  5. Provide a broad characterization Investigate the practical of inconsistencies in DNS consequences of these delegations inconsistencies. OUR CONTRIBUTION

  6. A WELL CONFIGURED DELEGATION

  7.  We study delegation consistency between parent (TLD) and child (SLD) zones for all active second-level domain names of .com, .net, and .org.  We analyse more than 166M domain names (50% of the DNS namespace)  80% of these domain names exhibit consistency.  8% (13 million domains) DO NOT! ARE THE DOMAINS IN THE DNS WELL CONFIGURED?

  8.  We study delegation consistency between parent (TLD) and child (SLD) zones for all active second-level domain names of .com, .net, and .org.  We analyse more than 166M domain names (50% of the DNS namespace)  80% of these domain names exhibit consistency.  8% (13 million domains) DO NOT! ARE THE DOMAINS IN THE DNS WELL CONFIGURED?

  9. 01 02 03 04 Parent and Parent NSSet is a Parent NSSet is a Parent and children have a subset of children superset of children children NSSet disjoint NSSet NSSet NSSet have some common elements and some different elements. WHICH KIND OF INCONSISTENCY WE FOUND?

  10.  In 55% of domains with delegation inconsistency, parents and children has a disjoint NSSet.  Half of these domains are consistent at IP level  Half are NOT!  16 TLDs present this inconsistency in the root zone, but all are consistent at IP level. b0.org.afilias-nst.org (.org Auth NS) - Parent a.iana-servers.net. (example.org Auth NS) - Child example.org. 86400 IN NS a.iana-servers.net. example.org. 86400 IN NS c.iana-servers.net. example.org. 86400 IN NS b.iana-servers.net. example.org. 86400 IN NS d.iana-servers.net. PARENT AND CHILDREN HAVE A DISJOINT NSSET

  11.  Different servers, which could be lame delegation.  Even if IP level is coherent, keep A records in sync makes misconfiguration easy.  Behaviour of resolver is not predictable! DISJOINT NSSET CONSEQUENCES

  12. India’s .in registry had ns[1– 6].neustar.in as NS records at the parent (Root), and [ns1- ns6].registry.in at the child. Both NSSets pointed to the same A/AAAA records. On 2019-10- 30 we notified them and on 2019 -11-02 they fixed the inconsistency. 15 other internationalized ccTLDs run by India had the same issue with their NSSet, and were also fixed INDIA’S .IN REGISTRY

  13.  In 30% of domains with delegation inconsistency, parent NS-Set is a subset of children NS-Set.  18 TLDs present this inconsistency in the root zone. a.iana-servers.net. (example.org Auth NS) - Child b0.org.afilias-nst.org (.org Auth NS) - Parent example.org. 86400 IN NS a.iana-servers.net. example.org. 86400 IN NS a.iana-servers.net. example.org. 86400 IN NS b.iana-servers.net. example.org. 86400 IN NS b.iana-servers.net. example.org. 86400 IN NS c.iana-servers.net. example.org. 86400 IN NS d.iana-servers.net PARENT NSSET IS A SUBSET OF THE CHILDREN NSSET

  14.  False sense of redundancy.  Less resilience.  Load not well balanced. PARENT SUBSET CONSEQUENCES

  15. AT&T’s main domain att.com had a parent NSSet containing [ns1...ns3].attdns.com, whereas the child had [ns1...ns4].attdns.com. We notified AT&T of this misconfiguration. On 24/10/2019 the issue was resolved and the fourth name server (ns4.attdns.com) was also added to the parent AT&T CASE

  16.  In 8% of domains with delegation inconsistency, parent NS-Set is a superset of children NS-Set.  10 TLDs present this inconsistency in the root zone. b0.org.afilias-nst.org (.org Auth NS) – Parent a.iana-servers.net. (example.org Auth NS) - Child example.org. 86400 IN NS a.iana-servers.net. example.org. 86400 IN NS a.iana-servers.net. example.org. 86400 IN NS b.iana-servers.net. example.org. 86400 IN NS b.iana-servers.net. example.org. 86400 IN NS c.iana-servers.net. example.org. 86400 IN NS d.iana-servers.net. PARENT NSSET IS A SUPERSET OF THE CHILDREN NSSET

  17.  If the additional nameservers defined in the parent are unreachable:  Higher resolution time  Random failure in the resolution  If the additional nameservers defined in the parent are dangling:  Risk of Hijacking PARENT SUPERSET CONSEQUENCES

  18.  In 7% of domains with delegation inconsistency, Parent and children NSSet have some common elements and some different elements.  8 TLDs present this inconsistency in the root zone.  All risk and consequences mentioned before are applicable. b0.org.afilias-nst.org (.org Auth NS) - Parent a.iana-servers.net. (example.org Auth NS) - Child example.org. 86400 IN NS a.iana-servers.net. example.org. 86400 IN NS a.iana-servers.net. example.org. 86400 IN NS b.iana-servers.net. example.org. 86400 IN NS b.iana-servers.net. example.org. 86400 IN NS c.iana-servers.net. example.org. 86400 IN NS d.iana-servers.net. REST CATEGORY

  19. We investigate the consequences of such inconsistencies, by emulating the four categories of NSSet mismatches. We use RIPE Atlas, measuring each unique resolver as seen from their probes physically distributed around the world (3.3k ASes). Our goal is to study these consequences in terms of query load distribution in a controlled environment, where the authoritative name servers are in the same network IMPLICATIONS OF NSSET INCONSISTENCY IN THE WILD

  20. ;; QUESTION SECTION: ;; QUESTION SECTION: ;example.org. IN A ;example.org. IN A ;; ANSWER SECTION: ;; ANSWER SECTION: example.org. 16807 IN A 93.184.216.34 example.org. 16807 IN A 93.184.216.34 ;; AUTHORITATIVE SECTION: ;; Query time: 31 msec iana-servers.net. 1800 IN NS a.iana-servers.net. ;; SERVER: 8.8.4.4#53(8.8.4.4) iana-servers.net. 1800 IN NS b.iana-servers.net. ;; WHEN: Mon Mar 23 16:07:23 CET 2020 iana-servers.net. 1800 IN NS c.iana-servers.net. ;; MSG SIZE rcvd: 56 iana-servers.net. 1800 IN NS ns.icann.org. ;; ADDITIONAL SECTION: a.iana-servers.net. 1800 IN A 199.43.135.53 a.iana-servers.net. 1800 IN AAAA 2001:500:8f::53 b.iana-servers.net. 1800 IN A 199.43.133.53 b.iana-servers.net. 1800 IN AAAA 2001:500:8d::53 c.iana-servers.net. 1800 IN A 199.43.134.53 c.iana-servers.net. 1800 IN AAAA 2001:500:8e::53 MINIMAL RESPONSES

  21. DISJOINT NSSET EXPERIMENTS

  22. SUBSET NS SETS EXPERIMENTS

  23. SUPERSET NS SETS EXPERIMENTS

  24. REST NS SETS EXPERIMENTS

  25.  Having inconsistent NSSets in parent and child authoritative servers impacts how queries are distributed among name servers.  For all evaluated cases, queries will be unevenly distributed among authoritative servers.  The servers listed at the parent zone will receive more queries than then ones specified in the child.  Minimal responses has an impact on resolver behaviour. CONSEQUENCES

  26.  We focus on evaluating specific DNS resolver software to understand how they behave in case of NS-Set Inconsistency.  We pay attention as to whether resolvers follow RFC2181, which specifies how resolvers should rank data in case of inconsistency.  The RFC states that child authoritative data should be preferred.  We evaluate four popular DNS resolver implementations: BIND, Unbound, Knot, PowerDNS and Windows. RESOLVER SOFTWARE EVALUATION

  27. We ask the resolver for an A record of a subdomain in our test i. zone We ask for the NS record of the zone ii. We se ask first an A query followed by an NS query, to iii. understand if resolvers use non-authoritative cached NS information to answer to the following query violating §5.4.1of RFC2181 We invert this order to understand if authoritative record are iv. overwritten by non-authoritative ones in the cache. FOUR TESTS

  28. Knot and Unbound comply with RFC2181 ranking specification. In (i) BIND packaged for Ubuntu did not: it caches only information from the parent and does not override it with information from the child. In (i) and (iii), BIND from source sends the parent an explicit NS query before performing the A query. In (iii) PowerDNS packaged for CentOS 6 and Ubuntu Xenial, and Windows (all) use the cached non-authoritative information to answer the NS query in the test, not conforming to RFC2181. RESULTS

Recommend

Diving into Mastery Guidance for Educators Each activity sheet is split into three sections,

Diving into Mastery Guidance for Educators Each activity sheet is split into three sections,

Diving into Mastery Guidance for Educators Each activity sheet is split into three sections, diving, deeper and deepest, which are represented by the following icons: These carefully designed activities take your children through a learning

156 views • 15 slides
When Parents Disagree: Practical S S t trategies for Advocates t i f Ad t Brian J.

When Parents Disagree: Practical S S t trategies for Advocates t i f Ad t Brian J.

When Parents Disagree: Practical S S t trategies for Advocates t i f Ad t Brian J. McLaughlin, Esq. B i J M L hli E Law Offices of Brian J. McLaughlin Mary W. S y S heridan, Esq. , q Law Office of Mary W. S heridan, Esq. I

596 views • 45 slides
Children and Parents: Media Use and Attitude Report 2013 0 Children and Parents: media use and

Children and Parents: Media Use and Attitude Report 2013 0 Children and Parents: media use and

Children and Parents: Media Use and Attitude Report 2013 0 Children and Parents: media use and attitudes report 1700 interviews comScore with 5-15s; data on most- Statutory duty 1700 interviews BARB data accessed to promote with their

1.43k views • 46 slides
Children and Youth with Mental Health Challenges Who We Are & What We Do Parents and

Children and Youth with Mental Health Challenges Who We Are & What We Do Parents and

Supporting Parents and Caregivers of Children and Youth with Mental Health Challenges Who We Are & What We Do Parents and Caregivers for Wellness (PC4W) is a collaborative launched in 2017 by United Parents, California Alliance of

491 views • 23 slides
Capital & Entrepreneurship HOW TO? Jaime L. Amsel, Ph.D. 1 = Strongly disagree, 2 =

Capital & Entrepreneurship HOW TO? Jaime L. Amsel, Ph.D. 1 = Strongly disagree, 2 =

Psychological Capital & Entrepreneurship HOW TO? Jaime L. Amsel, Ph.D. 1 = Strongly disagree, 2 = disagree, 3 = somewhat disagree, 4 = somewhat agree, 5 = agree, 6 = strongly agree ____ 1. I feel confident in representing my work

482 views • 36 slides
DC Autism Parents (DCAP) Where Parents Empower Parents Who we are... About DCAP DC

DC Autism Parents (DCAP) Where Parents Empower Parents Who we are... About DCAP DC

DC Autism Parents (DCAP) Where Parents Empower Parents Who we are... About DCAP DC Autism Parents (DCAP) is a 501(c)(3) nonprofit organization created by parents of children with autism for parents of children with autism. Our

250 views • 7 slides
Recent advances in diving medicine research DAN Europe VGE Studies A Century of Diving Medicine

Recent advances in diving medicine research DAN Europe VGE Studies A Century of Diving Medicine

Recent advances in diving medicine research DAN Europe VGE Studies A Century of Diving Medicine Research 1908 : J.S. Haldane staged decompression prevents DCS 2003 : D. Elliott After nearly 100 years of diving

612 views • 44 slides
How Can the Informed Consent Process Better Address the Needs of Parents/Children? Educating

How Can the Informed Consent Process Better Address the Needs of Parents/Children? Educating

How Can the Informed Consent Process Better Address the Needs of Parents/Children? Educating Parents/Children About Clinical Research: Encouraging Participation Without Distorting Expectations Redefining the Informed Consent Process

665 views • 6 slides
Connection between Children who have Experienced Trauma and their Parents Maria Jesus Ampuero,

Connection between Children who have Experienced Trauma and their Parents Maria Jesus Ampuero,

17 th Annual Conference on Parent-Child Interaction Therapy For Traumatized Children September 27-28, 2017 Group PCIT: Treatment Approach to Promote Connection between Children who have Experienced Trauma and their Parents Maria Jesus

420 views • 15 slides
PGL Liddington INFORMATION FOR PARENTS AND CHILDREN 15 th and 16 th November 2018 Where is PGL

PGL Liddington INFORMATION FOR PARENTS AND CHILDREN 15 th and 16 th November 2018 Where is PGL

PGL Liddington INFORMATION FOR PARENTS AND CHILDREN 15 th and 16 th November 2018 Where is PGL Liddington? King Edwards Place, Foxhill Swindon, SN4 0DZ On the day! Children to come straight in to hall with bags and wait to be

273 views • 13 slides
Day 2: Diving Deeper into Day 2: Diving Deeper into Data Visualization with R Data Visualization

Day 2: Diving Deeper into Day 2: Diving Deeper into Data Visualization with R Data Visualization

Day 2: Diving Deeper into Day 2: Diving Deeper into Data Visualization with R Data Visualization with R Introduction Introduction Presented by Di Cook Department of Econometrics and Business Statistics 12 Nov 2020 @ Statistical Society of

250 views • 8 slides
6 and 8 Times Table and Division Facts Diving into Mastery Guidance for Educators Diving Deeper

6 and 8 Times Table and Division Facts Diving into Mastery Guidance for Educators Diving Deeper

6 and 8 Times Table and Division Facts Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim This week we are really focusing on securing the 6 and 8 multiplication tables . It is really important to be able to recall these

198 views • 16 slides
Student Parents: Transitioning to College with Children. Transitioning to Parenthood in College

Student Parents: Transitioning to College with Children. Transitioning to Parenthood in College

Student Parents: Transitioning to College with Children. Transitioning to Parenthood in College Susan Warfield, SPHC Program Director University of Minnesota, Student Parent HELP Center warfi002@umn.edu 612-625-0825 Student Parents By the

905 views • 49 slides
Southern Diving Group SDU1 (Plymouth) / SDU2 (Portsmouth) Commander Del McKnight RN Fleet Diving

Southern Diving Group SDU1 (Plymouth) / SDU2 (Portsmouth) Commander Del McKnight RN Fleet Diving

Southern Diving Group SDU1 (Plymouth) / SDU2 (Portsmouth) Commander Del McKnight RN Fleet Diving Squadron UDT Conference 2 The Strategic Responsibility Island Nation 90% per volume of world trade by sea Freedom of Navigation/access

505 views • 24 slides
BARTON CAMP INFORMATION FOR PARENTS AND CHILDREN 23 rd and 24 th November 2016 Where is Barton

BARTON CAMP INFORMATION FOR PARENTS AND CHILDREN 23 rd and 24 th November 2016 Where is Barton

BARTON CAMP INFORMATION FOR PARENTS AND CHILDREN 23 rd and 24 th November 2016 Where is Barton Camp? Winscombe, Avon 45 minutes drive from BHJS On the day! Children to come straight in to hall with bags and wait to be registered.

454 views • 9 slides
Role of Parents FM3 3 8/12/2014 Role of Parents Facilitator to select suitable books

Role of Parents FM3 3 8/12/2014 Role of Parents Facilitator to select suitable books

8/12/2014 Making Reading the Power to Learn Mandarin Dr Aw Guat Poh Asst Prof, National Institute of Education guatpoh.aw@nie.edu.sg Reading and Children Children read for meaning Reading Generates curiosity and imagination

490 views • 10 slides
Health of Children and Parents: Understanding and Addressing the Crisis Families Face in the

Health of Children and Parents: Understanding and Addressing the Crisis Families Face in the

Health of Children and Parents: Understanding and Addressing the Crisis Families Face in the Global Economy Dr. Jody Heymann M.D., Ph.D. March 2, 2006 Findings from: Forgotten Families Ending the Growing Crisis Confronting Children and

639 views • 44 slides
How to Support Parents of Children and Adolescents with Mental Health Issues Martha Molly

How to Support Parents of Children and Adolescents with Mental Health Issues Martha Molly

How to Support Parents of Children and Adolescents with Mental Health Issues Martha Molly J Faulkner , P hDc, CNP , LIS W UNMHS C Children's Psychiatric Center Outpatient Cimarron Clinic, Albuquerque, NM Why this Topic? My

318 views • 28 slides
I am proud of you! Practical solution focused communication tools for parents, teachers and

I am proud of you! Practical solution focused communication tools for parents, teachers and

I am proud of you! Practical solution focused communication tools for parents, teachers and others who raise children The Five Sessions: 1. Praising children 2. Influencing children 3. Pulling in the same direction with the other adults involved

766 views • 73 slides
7, 11 and 12 Multiplication Tables Diving into Mastery Guidance for Educators Diving Deeper

7, 11 and 12 Multiplication Tables Diving into Mastery Guidance for Educators Diving Deeper

7, 11 and 12 Multiplication Tables Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim This week we are really focusing on securing the 7, 11 and 12 multiplication tables . It is really important to be able to recall these

665 views • 18 slides
AUDIENCE Who is the audience? The pie iece(s) may be targeted at a specific ic group of

AUDIENCE Who is the audience? The pie iece(s) may be targeted at a specific ic group of

Targeting an AUDIENCE Who is the audience? The pie iece(s) may be targeted at a specific ic group of people: Volunteers Music enthusiasts Parents Parents of young children Parents of young children who play musical

520 views • 18 slides
Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim Read Roman numerals to

Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim Read Roman numerals to

Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim Read Roman numerals to 1000 (M) and recognise years written in Roman numerals. Roman Numerals to 1000 Diving Correctly match the Roman numerals to the words and digits.

520 views • 13 slides
Treatment and Incarceration Issues for Parents of Young Children Tana M. Fye Fye Law Office

Treatment and Incarceration Issues for Parents of Young Children Tana M. Fye Fye Law Office

6/13/2016 Treatment and Incarceration Issues for Parents of Young Children Tana M. Fye Fye Law Office Summary When parents are incarcerated, facing potential incarceration, or have substance abuse issues requiring treatment, arranging

86 views • 8 slides
KINGSHURST PRIMARY SCHOOL A GUIDE FOR PARENTS/CARERS WITH CHILDREN IN NURSERY, RECEPTION, YEAR 1,

KINGSHURST PRIMARY SCHOOL A GUIDE FOR PARENTS/CARERS WITH CHILDREN IN NURSERY, RECEPTION, YEAR 1,

KINGSHURST PRIMARY SCHOOL A GUIDE FOR PARENTS/CARERS WITH CHILDREN IN NURSERY, RECEPTION, YEAR 1, YEAR 6 AND KEY WORKER PARENTS RETURNING TO SCHOOL FROM 8 TH JUNE WIDER SCHOOL OPENING FROM JUNE 8TH 2020 Dear Parents/Carers, We hope you are well

415 views • 26 slides

More recommend