High performance recursive DNS solution

Presentation transcript:

High performance recursive DNS solution
Peng Zuo, zuopeng@cnnic.cn

Agenda
- Introduction to recursive resolver
- Problems of the recursive resolver
- SDNS-R: High-performance recursive DNS solution

How DNS works
1. User opens browser, enters URL
2. Browser asks the recursive resolver for the IP address
3. Browser now has IP
4. Browser sends HTTP request to web server
5. Web server sends HTML data stream
6. Browser renders HTML data

DNS Server Types
DNS Server: a server that answers DNS queries.
Functional differences:
- Authoritative DNS server
- Caching DNS server / Recursive DNS server
- Forwarding DNS server
Relational differences:
- Primary and slave servers
- Public and private servers

DNS Server Types (resolution walk for www.example.cn)
1. Stub resolver -> Recursive resolver: www.example.cn A ?
2. Recursive resolver -> root-server: www.example.cn A ?  Reply: ask cn server (+ glue)
3. Recursive resolver -> gtld-server: www.example.cn A ?  Reply: ask example server @ ns.example.cn (+ glue)
4. Recursive resolver -> example-server: www.example.cn A ?  Reply: 192.168.5.10
5. Recursive resolver adds the answer to its cache and returns 192.168.5.10 to the stub resolver
Properties of the recursive DNS:
- Maintains a cache of recently requested data
- Access to the entire range of the DNS world
- Combination of forwarding DNS and recursive DNS (forwarding DNS server + recursive DNS server)
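The walk on the two slides above (browser asks the resolver, the resolver follows root -> TLD -> zone referrals with glue, then caches the answer) as an added worked example; this is illustration code, not SDNS-R or any real resolver, and every server name, address and zone in it is constructed (192.168.5.10 simply mirrors the slide's answer).

```python
# Added example (not from the slides): a toy recursive resolver that walks the
# hierarchy root -> TLD -> zone, following referrals with glue, and caches the
# final answer so a repeat query never leaves the resolver. Every server name,
# address and zone below is constructed; 192.168.5.10 mirrors the slide's answer.

# Each authoritative server maps a zone either to a referral (next server name
# plus its glue address) or to a final answer.
SERVERS = {
    "root-server": {"referrals": {"cn.": ("gtld-server", "10.0.0.2")}, "answers": {}},
    "gtld-server": {"referrals": {"example.cn.": ("ns.example.cn.", "10.0.0.3")}, "answers": {}},
    "ns.example.cn.": {"referrals": {}, "answers": {"www.example.cn.": "192.168.5.10"}},
}
ROOT = ("root-server", "10.0.0.1")  # the resolver's built-in root hint


def ask(server, qname):
    """Simulate one query to an authoritative server: answer, referral or NXDOMAIN."""
    data = SERVERS[server]
    if qname in data["answers"]:
        return "answer", data["answers"][qname]
    labels = qname.split(".")
    for i in range(len(labels)):          # most specific delegation first
        zone = ".".join(labels[i:])
        if zone in data["referrals"]:
            return "referral", data["referrals"][zone]
    return "nxdomain", None


class RecursiveResolver:
    def __init__(self):
        self.cache = {}   # qname -> address, filled by "Add to cache"
        self.path = []    # servers contacted (name@glue) for the last cache miss

    def resolve(self, qname):
        if qname in self.cache:
            return self.cache[qname], "cache"
        self.path = []
        server, glue = ROOT
        for _ in range(10):  # bounded: a referral loop must not hang the resolver
            self.path.append(f"{server}@{glue}")
            kind, payload = ask(server, qname)
            if kind == "answer":
                self.cache[qname] = payload
                return payload, "recursion"
            if kind != "referral":
                return None, kind
            server, glue = payload  # follow the referral; glue gives its address
        return None, "loop"
```

Note that a name that does not exist costs the same three upstream queries and leaves nothing useful in the cache, which is the cost the NXDOMAIN flood slide later exploits.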

Agenda
- Introduction to recursive resolver
- Problems of the recursive resolver
- SDNS-R: High-performance recursive DNS solution

Security Issue
- Various DDoS attacks
- Cache poisoning (Kaminsky attack)
- Amplification attack

Nxdomain flood
A botnet sends the recursive DNS a stream of queries for randomly generated subdomain strings, e.g. jgalk.dsjgdgasg.cn, 5jt.d5t53g.43t.net, 53sas.kdjgsjals.com, 325jkdngoug.cn. None of them is in the cache, so every query is passed on to the authoritative DNS, and the recursive server is running out of available resources!!
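Detection logic for the pattern this slide describes, as an added example that is not part of the presentation: it groups NXDOMAIN answers by parent zone and flags a parent that receives many distinct, random-looking leftmost labels from several clients. The log lines and the "client qname rcode" line format are constructed for the example, not the output of any particular DNS server.

```python
# Added example (not from the slides): spot a random-subdomain (NXDOMAIN flood)
# pattern in a resolver's query log. Log lines and their format are constructed.
from collections import defaultdict
import math

LOG = """\
10.1.1.5 jgalk.dsjgdgasg.cn NXDOMAIN
10.1.1.6 5jt.d5t53g.43t.net NXDOMAIN
10.1.1.7 53sas.kdjgsjals.com NXDOMAIN
10.1.1.5 325jkdngoug.cn NXDOMAIN
10.1.1.8 x9q2m.dsjgdgasg.cn NXDOMAIN
10.1.1.9 zq71k.dsjgdgasg.cn NXDOMAIN
10.1.1.10 p0wqr.dsjgdgasg.cn NXDOMAIN
10.1.1.11 www.dsjgdgasg.cn NOERROR
10.1.1.12 mail.example.cn NOERROR
10.1.1.13 wwww.example.cn NXDOMAIN
"""


def entropy(s):
    """Shannon entropy (bits per character) of a label; random strings score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parent_zone(qname):
    """Approximate the registered parent as the last two labels (an assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def flood_suspects(log, min_unique=3, min_entropy=1.5):
    """Return {parent: (distinct NXDOMAIN labels, distinct clients)} for parents
    whose NXDOMAIN traffic looks machine-generated: many different high-entropy
    leftmost labels arriving from several clients."""
    labels, clients = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue
        left = qname.split(".")[0]
        if entropy(left) < min_entropy:
            continue  # low-entropy labels like "wwww" are ordinary typos
        parent = parent_zone(qname)
        labels[parent].add(left)
        clients[parent].add(client)
    return {p: (len(labels[p]), len(clients[p]))
            for p in labels if len(labels[p]) >= min_unique}
```

On the sample log only dsjgdgasg.cn is flagged; the single-query parents and the typo under example.cn stay below the thresholds, which a production deployment would tune per zone and time window.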

DNS Server Types
- CDNs depend on the user's DNS to direct requests
- Remote DNS services break this assumption

Agenda
- Introduction to recursive resolver
- Problems of the recursive resolver
- SDNS-R: High-performance recursive DNS solution

SDNS-R: High performance Recursive DNS
- New design and architecture: a High Performance DNS Engine (Cache, Forward, Log, RCM modules) running on top of the operating system
- Support DNS view
- High performance: cache performance is about 100 times higher than a common DNS server; forward performance is about 10 times higher than a common DNS server

                              Common DNS server    SDNS-R
Cache performance (QPS)       30,000 ~ 150,000     10,000,000
Forward performance (QPS)     5,000 ~ 15,000       50,000

Benefits
DNSSEC traffic grows up sharply:
- The average traffic is up to about 4.5 times
- The size of a non-existent domain response message is up to about 12 times larger
- Larger bandwidth is needed
A DNS node with 10 Gb bandwidth (10GE) serving 10,000,000 QPS from the Internet:
- With 100 common DNS servers (100,000 QPS per server; 10,000,000 = 100 * 100,000): an anti-attack device, more servers & more cabinets in the IDC room, higher cost
- With 2 SDNS-R (10,000,000 QPS per server)
SDNS-R therefore:
- Reduces cost significantly
- Mitigates Nxdomain flood attack
- Is easy to maintain

Improvement of view function
View: a powerful and useful feature of BIND 9 that lets a name server answer a DNS query differently depending on who is asking. Configuring a large number of DNS views uses more device memory and more processor time.
SDNS-R improves the view function:
- Speed up DNS view lookup: reduce the time complexity of DNS view lookup
- Lower memory consumption: optimized data structure and algorithm
- Expand the use of the view function: from IP to IP + domain
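One way to build the "IP + domain" view lookup this slide describes, as an added example that is not SDNS-R or BIND code: client prefixes go into a binary trie (longest-prefix match in at most 32 steps for IPv4) and domain overrides into a suffix map walked from the most specific suffix outward. The view names, prefixes and zones are constructed for the example.

```python
# Added example (not SDNS-R code): an "IP + domain" view table. A bit trie gives
# longest-prefix match over client addresses in O(32) steps, and a suffix map
# gives per-domain overrides in O(labels). All names and prefixes are constructed.
import ipaddress


class ViewTable:
    def __init__(self):
        self.root = {}          # trie node: {"0": node, "1": node, "view": name}
        self.domain_views = {}  # domain suffix -> {ip_view: final_view}

    def add_ip_view(self, cidr, view):
        net = ipaddress.ip_network(cidr)
        bits = format(int(net.network_address), "032b")[: net.prefixlen]
        node = self.root
        for b in bits:
            node = node.setdefault(b, {})
        node["view"] = view

    def add_domain_override(self, suffix, ip_view, final_view):
        """Queries under `suffix` from clients in `ip_view` are answered from `final_view`."""
        self.domain_views.setdefault(suffix, {})[ip_view] = final_view

    def ip_view(self, client, default="default"):
        """Longest-prefix match: remember the most specific view seen on the way down."""
        bits = format(int(ipaddress.ip_address(client)), "032b")
        node, best = self.root, default
        for b in bits:
            best = node.get("view", best)
            node = node.get(b)
            if node is None:
                return best
        return node.get("view", best)   # a /32 entry matched every bit

    def lookup(self, client, qname):
        """IP + domain view: IP view first, then the most specific domain override."""
        view = self.ip_view(client)
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            override = self.domain_views.get(".".join(labels[i:]), {})
            if view in override:
                return override[view]
        return view
```

Because the trie depth is bounded by the address length, lookup time no longer grows with the number of configured views, which is the complexity reduction the slide claims for SDNS-R.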

Architecture of a public DNS
Example: a public DNS (address 10.10.10.10) consists of SDNS-R, a recursive DNS server and a forwarding DNS server, with nodes in Beijing, Shanghai, Hongkong and Guangzhou serving users in Beijing, Shanghai and Hongkong; the diagram marks one suboptimal route between a user and a node.

Thanks!