SlideShare a Scribd company logo

Re-Engineering the Root of the DNS

APNIC
APNIC

Presentation by Geoff Huston at APNIC 44 on Tuesday, 12 September 2017

Internet
1 of 40
Re-Engineering the Root of the DNS Geoff Huston, Chief Scientist APNIC
In this presentation • I’ll talk about the DNS, and the root server infrastructure in particular • And some recent initiative by APNIC to try and improve the situation 2
The Structure of the Domain Name System The Domain Name System (DNS) is a distributed data collection using a delegation hierarchy that reflects the internal hierarchical structure of domain names. At each level in the name hierarchy each label represents a potential point of administrative delegation www.example.com. . (“root”) zone com. zone example.com. zone www.example.com.
The Structure of the Domain Name System The Domain Name System (DNS) is a distributed data collection using a delegation hierarchy that reflects the internal hierarchical structure of domain names. At each level in the name hierarchy each label represents a potential point of administrative delegation www.example.com. . (“root”) zone com. zone example.com. zone www.example.com. Delegation of the label “com” Delegation of the label “example” terminal label “www”
DNS Name Servers • Every DNS zone has a set of authoritative servers that can answer queries for names defined by that zone • The Root Zone is just another zone in that respect, and the authoritative servers for that zone are called “Root Servers” – There are 13 Root Server names – And these names are used to label Anycast Name Server constellations – Which means that there are probably some thousands of discrete Root Server instances if you could peek inside all of these these anycast clouds 5
Resolving a DNS Name Your resolver needs need to ask a DNS server for the zone that contains the terminal label for the associated information (resource record) associated with the DNS name But… Where exactly is the zone cut? Who are the servers? So resolvers discover this information by performing a top-down iterative search…
Resolving a DNS Name Qname: www.example.com.? . (“root”) zone server Response: servers for the com. zone
Resolving a DNS Name Qname: www.example.com.? . (“root”) zone server Response: servers for the com. zone com. zone serverQname: www.example.com.? Response: servers for the example.com. zone
Resolving a DNS Name Qname: www.example.com.? . (“root”) zone server Response: servers for the com. zone com. zone serverQname: www.example.com.? Response: servers for the example.com. zone example.com. zone server www.example.com. terminal label Qname: www.example.com.? Response: Resource records for terminal label
Resolving a DNS Name Qname: www.example.com.? . (“root”) zone server Response: servers for the com. zone com. zone serverQname: www.example.com.? Response: servers for the example.com. zone example.com. zone server www.example.com. terminal label Qname: www.example.com.? Response: Resource records for terminal label Every DNS resolution procedure starts with a query to the root!
How to be bad If an attacker could prevent the root servers from answering DNS queries then the entire Internet will suffer! 11 Every DNS resolution procedure starts with a query to the root!
Caching in the DNS The main role of the root server system is to answer queries that are not cached in local name caches The vast majority of the queries that are passed to the root zone servers (some 2/3 of root queries) generate a “no-such- name” (NXDOMAIN) response from the root system
How to be bad 13 To attack the root servers you need to get past DNS resolver caches. This means you need to have every query in the DNS attack flow ask for a different non-existent name
14 Root Servers are a highly visible attack target
15 Root Servers are a highly visible attack target
16 Root Servers are a highly visible attack target If you can prevent resolvers from getting answers from the root then the resolvers will stop answering queries as their local cache expires
17 Root Servers are a highly visible attack target If you can prevent resolvers from asking the root then the resolvers will stop answering queries as their cached responses expire
18 Root Servers are a highly visible attack target If you can prevent resolvers from asking the root then the resolvers will stop answering queries as their cached responses expire
How should we defend the Root? • Larger Root Server platforms? • More Root Server Letters? • More Anycast Instances? • Change Root Server response behaviours? • Or… 19
How should we defend the Root? • Larger Root Server platforms? • More Root Server Letters? • More Anycast Instances? • Change Root Server response behaviours? • Or… 20 * Distributed parallel attacks can scale up in intensity more effectively than a single point of service can scale its defence mechanisms
How should we defend the Root? • Larger Root Server platforms? • More Root Server Letters? • More Anycast Instances? • Change Root Server response behaviours? • Or… 21 * The limit of 13 distinct root server names is an inherited limit that these days has a political dimension that has largely supersedes the original technical reasons for the limit. In any case more letters is not a very good DDOS defence!
How should we defend the Root? • Larger Root Server platforms? • More Root Server Letters? • More Anycast Instances? • Change Root Server response behaviours? • Or… 22
Anycast Root Servers 12 of the 13 root server “letters” operate some form of “anycast” server constellation. All the servers in a constellation respond to the same public IP addresses. The routing system will direct resolvers to pass their query to a particular root letter to the “closest” member of the letter’s anycast constellation. Anycast provides: – faster responses to queries to the root for many DNS resolvers – Greater resilience to hostile traffic by load sharing widely distributed attacks across the entire anycast constellation, and absorbing a single point attack on a single server instance
Anycast Root Servers 12 of the 13 root server “letters” operate some form of “anycast” server constellation. All the servers in a constellation respond to the same public IP addresses. The routing system will direct resolvers to pass their query to a particular root letter to the “closest” member of the letter’s anycast constellation. Anycast provides: – faster responses to queries to the root for many DNS resolvers – Greater resilience to hostile traffic by load sharing widely distributed attacks across the entire anycast constellation, and absorbing a single point attack on a single server instance
How do we defend the Root today? As the traffic levels to the root servers increases both as steady state query levels and instances of attacks, we keep on adding more instances to the existing anycast clouds
The attacks get bigger 26
Our defence is bigger walls 27
We are scaling the DNS root server infrastructure in order to be resilient against floods of queries about non- existent names coming from the existing DNS resolvers, who are scaling their own capabilities to survive the very same query attacks that are being directed against them! 28 The attackers are our own recursive resolvers!
How do we defend the Root today? As the traffic levels to the root servers increases both as steady state query levels and instances of attacks, we keep on adding more instances to the existing anycast clouds What we are in effect doing is building ever bigger and larger trash processors to handle ever larger amounts of garbage queries to cope with these ever larger attacks
Can we jump out of this vicious cycle? Can we change the behaviour of the DNS system to improve both its service and its resilience?
DNSSEC changes Everything Before DNSSEC we relied on the assumption that if we asked an IP address of a root server, then the response was genuine With DNSSEC we can ask anyone, and then use DNSSEC validation to assure ourselves that the answer is genuine How can we use this?
DNSSEC-Enabled Directions for the Root Service If we could answer NXDOMAIN queries from recursive resolvers we could reduce the load on the root servers by close to 70% This would be a very significant win: – reducing root query traffic – providing faster response to these queries – reduces the local cache load on recursive resolvers
Local Root Secondaries – RFC 7706 Enlist DNS resolvers to offer a root zone secondary service If resolvers use this approach then they only need to query a root server infrequently and perform a zone transfer of the current state of the root zone (IXFR from a root server), and use this validated copy of the root zone to directly answer all queries that refer to the root zone
NSEC caching – RFC 8198 Most of the queries seen at the root are for non-existent domains, and resolvers cache the non-existence of a given name But a DNSSEC-signed NXDOMAIN response from the root zone actually describes a range of labels that do not exist, and it’s the range that is signed, not the actual query name If resolvers cached this range and the signed response, then they could use the same signed response to locally answer a query for any name that falls within the same label range This has a similar effect to RFC7706, but without any configuration overhead, nor is there any requirement for supporting root zone transfers.
NSEC caching 35 For example, if you were to query the root server for the non-existant name www.example. the returned response from the root says that there are NO TLDS between everbank. and exchange. The same response can be used to respond to queries for every TLD between these labels. So we can cache this range response and use it to respond to subsequent queries that fall into the same range
Architecturally speaking… • Rather than have recursive resolvers act as “amplifiers” for DNS queries for non-existent names, NSEC caching enlists these recursive resolvers to act on behalf of the root servers, and provide the answers for them. • This approach uses existing DNS functionality and existing queries – there is nothing new in this. • The change here is to take advantage of the use of the NSEC response to define a range of names, allowing what is in effect semi-wildcard cache entries that can be used to respond to a range of query labels 36
Impacts… • Rather than trying to expand the capabilities of the root zone servers, we can leverage the massive number of already deployed recursive resolvers to extend their cache to cover both defined and non-existant root labels • We anticipate that this will have a major effect on the DNS by absorbing most of the current root query load at the edge, rather than passing these queries into the root system 37
Impacts… NSEC caching can also help recursive resolvers • Instead of caching non-existent individual names they can cache the NSEC-described range, and refresh the cached NSEC record instead of any individual name • This will shrink the demands placed on the local cache, which can improve local cache performance in the recursive resolver 38
Coming to a Bind Resolver near you APNIC has sponsored the inclusion of this NSEC caching code for the root zone in the forthcoming Bind 9.12 release This function will be enabled by default in this release We hope that other DNS resolver vendors also implement this feature, as widespread use of NSEC caching will have a dramatic positive impact on the root server ecosystem!
40

Recommended

HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingAPNIC
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
A study of our DNS full-resolvers
A study of our DNS full-resolversA study of our DNS full-resolvers
A study of our DNS full-resolversBangladesh Network Operators Group
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache PoisoningChristiaan Ottow
 
Domain name system
Domain name systemDomain name system
Domain name systemmahakant sharma
 
DNS
DNSDNS
DNSbhavanatmithun
 
DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White PaperRyan Ellingson
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoSAPNIC
 

Recommended

HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingAPNIC
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
 
A study of our DNS full-resolvers
A study of our DNS full-resolversA study of our DNS full-resolvers
A study of our DNS full-resolversBangladesh Network Operators Group
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache PoisoningChristiaan Ottow
 
Domain name system
Domain name systemDomain name system
Domain name systemmahakant sharma
 
DNS
DNSDNS
DNSbhavanatmithun
 
DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White PaperRyan Ellingson
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoSAPNIC
 
Ad fundamentals
Ad fundamentalsAd fundamentals
Ad fundamentalsRajesh Pushparaj
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
understanding-dns-essential
understanding-dns-essentialunderstanding-dns-essential
understanding-dns-essentialwael eshag eshag
 
How does DNS works?
How does DNS works?How does DNS works?
How does DNS works?Jorich Ponio
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningChristopher Grayson
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
DNS : The internet’s directory service
DNS : The internet’s directory serviceDNS : The internet’s directory service
DNS : The internet’s directory serviceBalaSuresh AsaiThambi
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
 
Dns server setup on ubuntu vps (master+slave)
Dns server setup on ubuntu vps (master+slave)Dns server setup on ubuntu vps (master+slave)
Dns server setup on ubuntu vps (master+slave)Vijay Sharma
 
Aws route 53
Aws route 53Aws route 53
Aws route 53Rafael Salerno de Oliveira
 
DDNS
DDNSDDNS
DDNSpraneetha523
 
IETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSIETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSAPNIC
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
6425 b 10
6425 b 106425 b 10
6425 b 10FMAB2010
 
Improving HDFS Availability with Hadoop RPC Quality of Service
Improving HDFS Availability with Hadoop RPC Quality of ServiceImproving HDFS Availability with Hadoop RPC Quality of Service
Improving HDFS Availability with Hadoop RPC Quality of ServiceMing Ma
 
Network and System Administration chapter 2
Network and System Administration chapter 2Network and System Administration chapter 2
Network and System Administration chapter 2IgguuMuude
 
HBase: How to get MTTR below 1 minute
HBase: How to get MTTR below 1 minuteHBase: How to get MTTR below 1 minute
HBase: How to get MTTR below 1 minuteHortonworks
 
Ubuntu For Intranet Services
Ubuntu For Intranet ServicesUbuntu For Intranet Services
Ubuntu For Intranet ServicesDominique Cimafranca
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoningvngundi
 
Dns interview
Dns interviewDns interview
Dns interviewsiddu balaganur
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Bangladesh Network Operators Group
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 

More Related Content

What's hot

DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
understanding-dns-essential
understanding-dns-essentialunderstanding-dns-essential
understanding-dns-essentialwael eshag eshag
 
How does DNS works?
How does DNS works?How does DNS works?
How does DNS works?Jorich Ponio
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
DNS : The internet’s directory service
DNS : The internet’s directory serviceDNS : The internet’s directory service
DNS : The internet’s directory serviceBalaSuresh AsaiThambi
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
 
Dns server setup on ubuntu vps (master+slave)
Dns server setup on ubuntu vps (master+slave)Dns server setup on ubuntu vps (master+slave)
Dns server setup on ubuntu vps (master+slave)Vijay Sharma
 
IETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSIETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSAPNIC
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Dan York
 
Improving HDFS Availability with Hadoop RPC Quality of Service
Improving HDFS Availability with Hadoop RPC Quality of ServiceImproving HDFS Availability with Hadoop RPC Quality of Service
Improving HDFS Availability with Hadoop RPC Quality of ServiceMing Ma
 
Network and System Administration chapter 2
Network and System Administration chapter 2Network and System Administration chapter 2
Network and System Administration chapter 2IgguuMuude
 
HBase: How to get MTTR below 1 minute
HBase: How to get MTTR below 1 minuteHBase: How to get MTTR below 1 minute
HBase: How to get MTTR below 1 minuteHortonworks
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoningvngundi
 

What's hot (20)

Ad fundamentals
Ad fundamentalsAd fundamentals
Ad fundamentals
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
 
understanding-dns-essential
understanding-dns-essentialunderstanding-dns-essential
understanding-dns-essential
 
How does DNS works?
How does DNS works?How does DNS works?
How does DNS works?
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
 
DNS : The internet’s directory service
DNS : The internet’s directory serviceDNS : The internet’s directory service
DNS : The internet’s directory service
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
 
Dns server setup on ubuntu vps (master+slave)
Dns server setup on ubuntu vps (master+slave)Dns server setup on ubuntu vps (master+slave)
Dns server setup on ubuntu vps (master+slave)
 
Aws route 53
Aws route 53Aws route 53
Aws route 53
 
DDNS
DDNSDDNS
DDNS
 
IETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSIETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNS
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
 
6425 b 10
6425 b 106425 b 10
6425 b 10
 
Improving HDFS Availability with Hadoop RPC Quality of Service
Improving HDFS Availability with Hadoop RPC Quality of ServiceImproving HDFS Availability with Hadoop RPC Quality of Service
Improving HDFS Availability with Hadoop RPC Quality of Service
 
Network and System Administration chapter 2
Network and System Administration chapter 2Network and System Administration chapter 2
Network and System Administration chapter 2
 
HBase: How to get MTTR below 1 minute
HBase: How to get MTTR below 1 minuteHBase: How to get MTTR below 1 minute
HBase: How to get MTTR below 1 minute
 
Ubuntu For Intranet Services
Ubuntu For Intranet ServicesUbuntu For Intranet Services
Ubuntu For Intranet Services
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoning
 
Dns interview
Dns interviewDns interview
Dns interview
 

Similar to Re-Engineering the Root of the DNS

bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Servervipulvaid
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
CSE dns ppt.pptx
CSE dns ppt.pptxCSE dns ppt.pptx
CSE dns ppt.pptxPandajangal
 
DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016Maarten Balliauw
 
DNS for Developers - ConFoo Montreal
DNS for Developers - ConFoo MontrealDNS for Developers - ConFoo Montreal
DNS for Developers - ConFoo MontrealMaarten Balliauw
 
Internet Host Name
Internet Host NameInternet Host Name
Internet Host Nameadil raja
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]APNIC
 

Similar to Re-Engineering the Root of the DNS (20)

Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
Domain Name System(ppt)
Domain Name System(ppt)Domain Name System(ppt)
Domain Name System(ppt)
 
Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Server
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
 
CSE dns ppt.pptx
CSE dns ppt.pptxCSE dns ppt.pptx
CSE dns ppt.pptx
 
DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016
 
DNS Presentation
DNS PresentationDNS Presentation
DNS Presentation
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
Domain Name System ppt
Domain Name System pptDomain Name System ppt
Domain Name System ppt
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
DNS(In_Linux).pptx
DNS(In_Linux).pptxDNS(In_Linux).pptx
DNS(In_Linux).pptx
 
DNS for Developers - ConFoo Montreal
DNS for Developers - ConFoo MontrealDNS for Developers - ConFoo Montreal
DNS for Developers - ConFoo Montreal
 
Dns
DnsDns
Dns
 
Ch20 system administration
Ch20 system administration Ch20 system administration
Ch20 system administration
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNS
 
Dns
DnsDns
Dns
 
Internet Host Name
Internet Host NameInternet Host Name
Internet Host Name
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
 
Domainnamesystem
DomainnamesystemDomainnamesystem
Domainnamesystem
 

More from APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 

More from APNIC (20)

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 

Recently uploaded

VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...akbard9823
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 

Recently uploaded (20)

VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICECall Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 

Re-Engineering the Root of the DNS

  • 1. Re-Engineering the Root of the DNS Geoff Huston, Chief Scientist APNIC
  • 2. In this presentation • I’ll talk about the DNS, and the root server infrastructure in particular • And some recent initiative by APNIC to try and improve the situation 2
  • 3. The Structure of the Domain Name System The Domain Name System (DNS) is a distributed data collection using a delegation hierarchy that reflects the internal hierarchical structure of domain names. At each level in the name hierarchy each label represents a potential point of administrative delegation www.example.com. . (“root”) zone com. zone example.com. zone www.example.com.
  • 4. The Structure of the Domain Name System The Domain Name System (DNS) is a distributed data collection using a delegation hierarchy that reflects the internal hierarchical structure of domain names. At each level in the name hierarchy each label represents a potential point of administrative delegation www.example.com. . (“root”) zone com. zone example.com. zone www.example.com. Delegation of the label “com” Delegation of the label “example” terminal label “www”
  • 5. DNS Name Servers • Every DNS zone has a set of authoritative servers that can answer queries for names defined by that zone • The Root Zone is just another zone in that respect, and the authoritative servers for that zone are called “Root Servers” – There are 13 Root Server names – And these names are used to label Anycast Name Server constellations – Which means that there are probably some thousands of discrete Root Server instances if you could peek inside all of these these anycast clouds 5
  • 6. Resolving a DNS Name Your resolver needs need to ask a DNS server for the zone that contains the terminal label for the associated information (resource record) associated with the DNS name But… Where exactly is the zone cut? Who are the servers? So resolvers discover this information by performing a top-down iterative search…
  • 7. Resolving a DNS Name Qname: www.example.com.? . (“root”) zone server Response: servers for the com. zone
  • 8. Resolving a DNS Name Qname: www.example.com.? . (“root”) zone server Response: servers for the com. zone com. zone serverQname: www.example.com.? Response: servers for the example.com. zone
  • 9. Resolving a DNS Name Qname: www.example.com.? . (“root”) zone server Response: servers for the com. zone com. zone serverQname: www.example.com.? Response: servers for the example.com. zone example.com. zone server www.example.com. terminal label Qname: www.example.com.? Response: Resource records for terminal label
  • 10. Resolving a DNS Name Qname: www.example.com.? . (“root”) zone server Response: servers for the com. zone com. zone serverQname: www.example.com.? Response: servers for the example.com. zone example.com. zone server www.example.com. terminal label Qname: www.example.com.? Response: Resource records for terminal label Every DNS resolution procedure starts with a query to the root!
  • 11. How to be bad If an attacker could prevent the root servers from answering DNS queries then the entire Internet will suffer! 11 Every DNS resolution procedure starts with a query to the root!
  • 12. Caching in the DNS The main role of the root server system is to answer queries that are not cached in local name caches The vast majority of the queries that are passed to the root zone servers (some 2/3 of root queries) generate a “no-such- name” (NXDOMAIN) response from the root system
  • 13. How to be bad 13 To attack the root servers you need to get past DNS resolver caches. This means you need to have every query in the DNS attack flow ask for a different non-existent name
  • 14. 14 Root Servers are a highly visible attack target
  • 15. 15 Root Servers are a highly visible attack target
  • 16. 16 Root Servers are a highly visible attack target If you can prevent resolvers from getting answers from the root then the resolvers will stop answering queries as their local cache expires
  • 17. 17 Root Servers are a highly visible attack target If you can prevent resolvers from asking the root then the resolvers will stop answering queries as their cached responses expire
  • 18. 18 Root Servers are a highly visible attack target If you can prevent resolvers from asking the root then the resolvers will stop answering queries as their cached responses expire
  • 19. How should we defend the Root? • Larger Root Server platforms? • More Root Server Letters? • More Anycast Instances? • Change Root Server response behaviours? • Or… 19
  • 20. How should we defend the Root? • Larger Root Server platforms? • More Root Server Letters? • More Anycast Instances? • Change Root Server response behaviours? • Or… 20 * Distributed parallel attacks can scale up in intensity more effectively than a single point of service can scale its defence mechanisms
  • 21. How should we defend the Root? • Larger Root Server platforms? • More Root Server Letters? • More Anycast Instances? • Change Root Server response behaviours? • Or… 21 * The limit of 13 distinct root server names is an inherited limit that these days has a political dimension that has largely supersedes the original technical reasons for the limit. In any case more letters is not a very good DDOS defence!
  • 22. How should we defend the Root? • Larger Root Server platforms? • More Root Server Letters? • More Anycast Instances? • Change Root Server response behaviours? • Or… 22
  • 23. Anycast Root Servers 12 of the 13 root server “letters” operate some form of “anycast” server constellation. All the servers in a constellation respond to the same public IP addresses. The routing system will direct resolvers to pass their query to a particular root letter to the “closest” member of the letter’s anycast constellation. Anycast provides: – faster responses to queries to the root for many DNS resolvers – Greater resilience to hostile traffic by load sharing widely distributed attacks across the entire anycast constellation, and absorbing a single point attack on a single server instance
  • 24. Anycast Root Servers 12 of the 13 root server “letters” operate some form of “anycast” server constellation. All the servers in a constellation respond to the same public IP addresses. The routing system will direct resolvers to pass their query to a particular root letter to the “closest” member of the letter’s anycast constellation. Anycast provides: – faster responses to queries to the root for many DNS resolvers – Greater resilience to hostile traffic by load sharing widely distributed attacks across the entire anycast constellation, and absorbing a single point attack on a single server instance
  • 25. How do we defend the Root today? As the traffic levels to the root servers increases both as steady state query levels and instances of attacks, we keep on adding more instances to the existing anycast clouds
  • 26. The attacks get bigger 26
  • 27. Our defence is bigger walls 27
  • 28. We are scaling the DNS root server infrastructure in order to be resilient against floods of queries about non- existent names coming from the existing DNS resolvers, who are scaling their own capabilities to survive the very same query attacks that are being directed against them! 28 The attackers are our own recursive resolvers!
  • 29. How do we defend the Root today? As the traffic levels to the root servers increases both as steady state query levels and instances of attacks, we keep on adding more instances to the existing anycast clouds What we are in effect doing is building ever bigger and larger trash processors to handle ever larger amounts of garbage queries to cope with these ever larger attacks
  • 30. Can we jump out of this vicious cycle? Can we change the behaviour of the DNS system to improve both its service and its resilience?
  • 31. DNSSEC changes Everything Before DNSSEC we relied on the assumption that if we asked an IP address of a root server, then the response was genuine With DNSSEC we can ask anyone, and then use DNSSEC validation to assure ourselves that the answer is genuine How can we use this?
  • 32. DNSSEC-Enabled Directions for the Root Service If we could answer NXDOMAIN queries from recursive resolvers we could reduce the load on the root servers by close to 70% This would be a very significant win: – reducing root query traffic – providing faster response to these queries – reduces the local cache load on recursive resolvers
  • 33. Local Root Secondaries – RFC 7706 Enlist DNS resolvers to offer a root zone secondary service If resolvers use this approach then they only need to query a root server infrequently and perform a zone transfer of the current state of the root zone (IXFR from a root server), and use this validated copy of the root zone to directly answer all queries that refer to the root zone
  • 34. NSEC caching – RFC 8198 Most of the queries seen at the root are for non-existent domains, and resolvers cache the non-existence of a given name But a DNSSEC-signed NXDOMAIN response from the root zone actually describes a range of labels that do not exist, and it’s the range that is signed, not the actual query name If resolvers cached this range and the signed response, then they could use the same signed response to locally answer a query for any name that falls within the same label range This has a similar effect to RFC7706, but without any configuration overhead, nor is there any requirement for supporting root zone transfers.
  • 35. NSEC caching 35 For example, if you were to query the root server for the non-existant name www.example. the returned response from the root says that there are NO TLDS between everbank. and exchange. The same response can be used to respond to queries for every TLD between these labels. So we can cache this range response and use it to respond to subsequent queries that fall into the same range
  • 36. Architecturally speaking… • Rather than have recursive resolvers act as “amplifiers” for DNS queries for non-existent names, NSEC caching enlists these recursive resolvers to act on behalf of the root servers, and provide the answers for them. • This approach uses existing DNS functionality and existing queries – there is nothing new in this. • The change here is to take advantage of the use of the NSEC response to define a range of names, allowing what is in effect semi-wildcard cache entries that can be used to respond to a range of query labels 36
  • 37. Impacts… • Rather than trying to expand the capabilities of the root zone servers, we can leverage the massive number of already deployed recursive resolvers to extend their cache to cover both defined and non-existant root labels • We anticipate that this will have a major effect on the DNS by absorbing most of the current root query load at the edge, rather than passing these queries into the root system 37
  • 38. Impacts… NSEC caching can also help recursive resolvers • Instead of caching non-existent individual names they can cache the NSEC-described range, and refresh the cached NSEC record instead of any individual name • This will shrink the demands placed on the local cache, which can improve local cache performance in the recursive resolver 38
  • 39. Coming to a Bind Resolver near you APNIC has sponsored the inclusion of this NSEC caching code for the root zone in the forthcoming Bind 9.12 release This function will be enabled by default in this release We hope that other DNS resolver vendors also implement this feature, as widespread use of NSEC caching will have a dramatic positive impact on the root server ecosystem!
  • 40. 40