Impact of Configuration Errors on DNS Robustness CSCI 780, Fall 2005.


Motivation
- DNS: part of the Internet core infrastructure
- Applications: web, e164, CDNs, ...
- DNS: considered a very reliable system; works almost always
- Question: is DNS a robust system?
- User-perceived robustness vs. system robustness: are they the same?

Motivation: Short Answer
"Microsoft's websites were offline for up to 23 hours -- the most dramatic snafu to date on the Internet -- because of an equipment misconfiguration" -- Wired News, Jan 2001
- Thousands or even millions of users affected
- All due to a single DNS configuration error

Related Work
- Traffic & implementation error studies:
  - Danzig et al. [SIGCOMM92]: bugs
  - CAIDA: traffic & bugs
- Performance studies:
  - Jung et al. [IMW01]: caching
  - Cohen et al. [SAINT01]: proactive caching
  - Liston et al. [IMW02]: diversity
- Server availability: [OSDI04, IMC04]

Study DNS Robustness
- Classify DNS operational errors:
  - Study known errors
  - Identify new types of errors
- Measure their pervasiveness
- Quantify their impact on DNS availability and performance

Outline
- DNS Overview
- Measurement Methodology
- DNS Configuration Errors
- Example Cases
- Measurement Results
- Discussion & Summary

Background
(Figure: name-space tree with the TLDs net, com, uk, ca and jp; foo under com; buz and bar under foo; bar1, bar2 and bar3 under bar.)
Zone:
- Occupies a contiguous subspace of the tree
- Served by the same name servers
Resource records of the bar zone (its name servers):
  bar.foo.com. NS ns1.bar.foo.com.
  bar.foo.com. NS ns2.bar.foo.com.
  bar.foo.com. NS ns3.bar.foo.com.
  bar.foo.com. MX mail.bar.foo.com.
  (plus the A records of the name servers; addresses not captured in the transcript)

Background: name resolution
(Figure: a client asks its local DNS server for a name in the bar zone; the local server walks the tree root -> com -> foo -> bar.)
- root zone: referral: com NS RRs, com A RRs
- com zone: referral: foo NS RRs, foo A RRs
- foo zone: referral: bar NS RRs, bar A RRs
- bar zone: answer: A

Infrastructure RRs
(Figure: the same NS and glue A records appear twice, once in the parent zone com and once in the child zone foo.com.)
  foo.com. NS ns1.foo.com.
  foo.com. NS ns2.foo.com.
  foo.com. NS ns3.foo.com.
  ns1.foo.com. A ...
  ns2.foo.com. A ...
  ns3.foo.com. A ...
- NS Resource Record:
  - Provides the names of a zone's authoritative servers
  - Stored both at the parent and at the child zone
- A Resource Record:
  - Associated with an NS resource record
  - Stored at the parent zone (glue A record)

What Affects DNS Availability
- Name servers:
  - Software failures
  - Network failures
  - Scheduled maintenance tasks
- Infrastructure resource records:
  - Availability of these records
  - Configuration errors (focus of our work)

Classification of Measured Errors
- Inconsistency: Lame Delegation
  The configuration of infrastructure RRs does not correspond to the actual authoritative name servers.
- Dependency: Diminished Redundancy, Cyclic Dependency
  More than one name server shares a common point of failure.

What is Measured?
- Frequency of configuration errors:
  - System parameters: TLDs, DNS level, zone size (i.e. the number of delegations)
- Impact on availability:
  - Number of servers lost due to these errors
  - Zone's availability: probability of resolving a name
- Impact on performance:
  - Total time to resolve a query
  - Starting from the query issuing time
  - Finishing at the query final answer time

Measurement Methodology
- Error frequency and availability impact: 3 sets of active measurements
  - Random set of 50K zones
  - 20K zones that allow zone transfers
  - 500 popular zones
- Performance impact: 2 sets of passive measurements: 1-week DNS packet traces

Lame Delegation
(Figure: com delegates foo.com to A.foo.com and B.foo.com, with glue A records for both; a resolver queries each server.)
  foo.com. NS A.foo.com.
  foo.com. NS B.foo.com.
  A.foo.com. A ...
  B.foo.com. A ...
Ways a listed server can be lame:
1) Non-existing server -- 3 seconds perf. penalty
2) DNS error code -- 1 RTT perf. penalty
3) Useless referral -- 1 RTT perf. penalty
4) Non-authoritative answer (cached)

Lame Delegation Results
(Figure: distribution of query response times; markers at 0.06 sec, 0.4 sec and 3 sec, with the 50% point indicated.)

Lame Delegation Results
- Error frequency:
  - 15% of the zones
  - 8% for the 500 most popular zones
  - Independent of the zone's location (level), varies a lot per TLD
- Impact:
  - 70% of the zones with errors lose half or more of the authoritative servers
  - 8% of the queries experience increased response times (up to an order of magnitude) due to lame delegation

Diminished Server Redundancy
(Figure: com delegates foo.com to A.foo.com and B.foo.com, with glue A records for both.)
  foo.com. NS A.foo.com.
  foo.com. NS B.foo.com.
  A.foo.com. A ...
  B.foo.com. A ...
A) Network level: servers belong to the same subnet
B) Autonomous system level: servers belong to the same AS
C) Geographic location level: servers belong to the same city

Diminished Server Redundancy Results
- Error frequency:
  - 45% of all zones have all servers in the same /24 subnet
  - 75% of all zones have all servers in the same AS
  - Large & popular zones: better AS and geographic diversity
- Impact:
  - Less than 99.9% availability: all servers in the same /24 subnet
  - More than 99.99% availability: 3 servers at different ASs or different cities
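The two checks above (lame delegation on the earlier slide, and network-level diminished redundancy here) can be run over a zone's delegation data. The following is an added example, not code from the slides or the paper; the zone foo.com, its glue addresses and the probe outcomes are constructed, and the 1 RTT penalty is assumed to be 0.06 s (the smallest marker on the results graph).

```python
import ipaddress
from collections import defaultdict

# Constructed example data for a hypothetical zone foo.com (not the slides' measurements).
PARENT_NS = ["a.foo.com.", "b.foo.com.", "c.foo.com."]   # NS RRs the parent (com) holds
GLUE_A = {"a.foo.com.": "192.0.2.10",
          "b.foo.com.": "192.0.2.11",
          "c.foo.com.": "198.51.100.5"}                     # glue A RRs at the parent
# Constructed probe results: what each delegated server answered to an SOA query for
# foo.com. The non-authoritative outcomes are the lame-delegation cases from the slide.
PROBE = {"a.foo.com.": "authoritative",   # healthy
         "b.foo.com.": "no-response",     # case 1: non-existing server (timeout)
         "c.foo.com.": "referral"}        # case 3: useless referral back up the tree
# Extra resolver delay per case: 3 s is the slide's timeout; 1 RTT is assumed to be 0.06 s.
RTT_SEC = 0.06
PENALTY_SEC = {"authoritative": 0.0, "no-response": 3.0, "error": RTT_SEC,
               "referral": RTT_SEC, "non-authoritative": 0.0}

def lame_servers(parent_ns, probe):
    """Servers the parent delegates to that do not answer authoritatively (lame delegation)."""
    return [(ns, probe.get(ns, "no-response")) for ns in parent_ns
            if probe.get(ns, "no-response") != "authoritative"]

def fraction_lost(parent_ns, probe):
    """Share of the zone's advertised servers that are effectively unusable."""
    return len(lame_servers(parent_ns, probe)) / len(parent_ns)

def worst_case_penalty(parent_ns, probe):
    """Added latency if a resolver tries every lame server before reaching a good one."""
    return sum(PENALTY_SEC[outcome] for _, outcome in lame_servers(parent_ns, probe))

def redundancy_groups(glue, prefix_len=24):
    """Group servers by /prefix_len subnet: each group is one network-level failure point."""
    groups = defaultdict(list)
    for ns, addr in glue.items():
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[str(net)].append(ns)
    return dict(groups)

def diminished_redundancy(glue, prefix_len=24):
    """True when every server of the zone sits in one subnet (all share one failure point)."""
    return len(redundancy_groups(glue, prefix_len)) == 1

if __name__ == "__main__":
    print("lame servers:", lame_servers(PARENT_NS, PROBE))
    print("fraction of servers lost:", fraction_lost(PARENT_NS, PROBE))
    print("worst-case penalty (s):", worst_case_penalty(PARENT_NS, PROBE))
    print("subnet groups:", redundancy_groups(GLUE_A))
    print("diminished redundancy:", diminished_redundancy(GLUE_A))
```

AS- and city-level grouping work the same way once each address is mapped to its AS or location; the slide's 3-servers-in-different-ASs threshold is then just a check that the number of groups is at least 3.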

Cyclic Zone Dependency (1)
(Figure: com delegates foo.com to A.foo.com and B.foo.com; only A.foo.com has a glue A record.)
  foo.com. NS A.foo.com.
  foo.com. NS B.foo.com.
  A.foo.com. A ...
  B.foo.com. A (missing)
- The A glue RR for B.foo.com is missing
- B.foo.com depends on A.foo.com
- If A.foo.com is unavailable then B.foo.com is too

Cyclic Zone Dependency (2)
(Figure: com delegates foo.com to A.foo.com and B.bar.com, and bar.com to A.bar.com and B.foo.com; only A.foo.com and A.bar.com have glue A records.)
  foo.com. NS A.foo.com.
  foo.com. NS B.bar.com.
  A.foo.com. A ...
  bar.com. NS A.bar.com.
  bar.com. NS B.foo.com.
  A.bar.com. A ...
- The foo.com zone seems correctly configured
- The combination of the foo.com and bar.com zones is wrongly configured
- The B servers depend on the A servers
- If A.foo and A.bar are unavailable, the B addresses are unresolvable

Cyclic Zone Dependency Results
- Error frequency:
  - 2% of the zones
  - None of the 500 most popular zones
- Impact:
  - 90% of the zones with cyclic dependency errors lose 25% (or even more) of their servers
  - 2 or 4 zones are involved in most errors
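The single-zone and two-zone cycles on the two preceding slides can be found from the NS and glue data alone: a zone depends on whichever zone holds the name of an NS that lacks glue, and a cycle in that zone-level graph is exactly the error described. The following is an added example, not code from the slides or the paper; the zone data below is the constructed foo.com/bar.com configuration of slide (2), with names lower-cased.

```python
# Constructed example: the two-zone configuration from the "Cyclic Zone Dependency (2)" slide.
# ZONES maps each zone to its NS names; GLUE holds the NS names for which the parent (com)
# carries a glue A record. b.bar.com. and b.foo.com. have no glue.
ZONES = {"foo.com.": ["a.foo.com.", "b.bar.com."],
         "bar.com.": ["a.bar.com.", "b.foo.com."]}
GLUE = {"a.foo.com.", "a.bar.com."}

def owner_zone(name, zones):
    """Known zone whose subtree contains the name (longest suffix match), or None."""
    matches = [z for z in zones if name.endswith("." + z)]
    return max(matches, key=len) if matches else None

def zone_dependencies(zones, glue):
    """Edges Z -> Z' for every NS of Z that has no glue and whose name lives in zone Z'."""
    edges = {z: set() for z in zones}
    for z, servers in zones.items():
        for ns in servers:
            if ns not in glue:
                dep = owner_zone(ns, zones)
                if dep is not None:
                    edges[z].add(dep)
    return edges

def cyclic_zones(zones, glue):
    """Zones on a dependency cycle: resolving the zone requires the zone itself."""
    edges = zone_dependencies(zones, glue)
    def reaches(start, target, seen):
        for nxt in edges[start]:
            if nxt == target or (nxt not in seen and reaches(nxt, target, seen | {nxt})):
                return True
        return False
    return sorted(z for z in zones if reaches(z, z, {z}))

def resolvable_servers(zones, glue, failed=frozenset()):
    """Fixed point over the slides' rule: a live server is resolvable if it has glue, or if
    the zone holding its name has at least one resolvable server; everything else is lost."""
    ok = {ns for servers in zones.values() for ns in servers if ns in glue and ns not in failed}
    changed = True
    while changed:
        changed = False
        for z, servers in zones.items():
            for ns in servers:
                if ns in ok or ns in failed:
                    continue
                dep = owner_zone(ns, zones)
                if dep is None or ok & set(zones[dep]):   # glued outside our data, or dep zone resolvable
                    ok.add(ns)
                    changed = True
    return ok

if __name__ == "__main__":
    print("zone dependency edges:", zone_dependencies(ZONES, GLUE))
    print("zones in a cycle:", cyclic_zones(ZONES, GLUE))
    print("resolvable with a.foo/a.bar down:",
          resolvable_servers(ZONES, GLUE, failed={"a.foo.com.", "a.bar.com."}))
```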

Discussion: User-Perceived != System Robustness
- User-perceived robustness:
  - Data replication: only one server is needed
  - Data caching: temporarily masks infrastructure failures
  - Popular zones: fewer configuration errors
- System robustness:
  - Fewer available servers: due to inconsistency errors
  - Fewer redundant servers: due to dependency errors

Discussion: Why so many errors?
- Superficially, the errors are due to operators:
  - Unaware of these errors
  - Lack of coordination: parent-child zone, secondary server hosting
- Fundamentally, the errors are due to protocol design:
  - Lack of mechanisms to handle these errors proactively or reactively
  - Design choices that embrace some of them:
    - Name servers are identified by names
    - Glue NS & A records are necessary to set up the DNS tree

Summary
- DNS operational errors are widespread
- DNS operational errors affect availability:
  - 50% of the servers lost
  - Less than 99.9% availability
- DNS operational errors affect performance: 1 or even 2 orders of magnitude
- DNS system robustness is lower than user perception
- Due to protocol design, not just due to operator errors