Re-engineering the DNS
– One Resolver at a Time
Paul Wilson
Director General
APNIC
…channeling Geoff Huston
APNIC Chief Scientist
In this presentation…
• the DNS, and root servers in particular
• vulnerabilities of the DNS to DDoS attack, and current
mitigations
• new mitigation techniques relying on DNSSEC
• a recent initiative by APNIC to try and improve the situation.
The DNS…
DNS naming
• The Domain Name System (DNS) is a distributed database representing the hierarchical structure of domain names
• DNS names read left-to-right:
  1. The “www” service
  2. In the “bdnog” domain
  3. In the “org” TLD
www.bdnog.org.
DNS delegation
• The DNS involves delegation of authority from the “root” registry, to a top-level domain, to a domain owner.
• DNS delegations read right-to-left:
  1. The “root” or “.” zone…
  2. Delegates to authority for “org”…
  3. Delegates to authority for “bdnog”…
  4. Defines terminal label “www”
www.bdnog.org. resolves to 104.28.22.118
DNS resolution
[Figure: the client (10.128.1.15) asks the local server (10.128.128.128) “www.bdnog.org?”; the local server queries the root server (198.41.0.4), then the .org server (22.123.1.1), then the .bdnog.org server (63.128.0.1), and returns A 104.28.22.118.]
DNS caching
• Full resolution of DNS names is expensive!
• Recursive name servers use caches to remember recent query results
  – This decentralises the DNS “database” across millions of servers
  – The root server is only queried when a domain name, and its parent zone, are not cached in local name caches
• NOTE: name servers don’t cache names that don’t exist
  – The vast majority (66%) of queries to the root zone servers generate a “no-such-name” (NXDOMAIN) response
[Figure: the resolution diagram again, now with the local server (10.128.128.128) answering the client (10.128.1.15) with A 104.28.22.118 from its cache; the root (198.41.0.4), .org (22.123.1.1) and .bdnog.org (63.128.0.1) servers are shown but not queried.]
Attacking the DNS…
How to be Bad
If an attacker can prevent the root servers from answering queries then the entire DNS will suffer! Every DNS resolution starts with a query to the root!
How to be Bad
But caching ensures that the DNS is distributed and the root servers are shielded. To reach the root servers you need to get past DNS resolver caches. This can be done by querying for non-existent names, which creates the opportunity for a DDoS attack.
Root Servers are a highly visible attack target
If root servers can be effectively attacked, resolvers will stop getting answers from the root, and will stop answering queries as their local cache expires. This will cause a DNS outage and major disruption.
Defenses…
How can we defend the Root?
• Larger Root Server platforms?
• More Root Server Letters?
• More Anycast Instances?
1. DDoS attacks are growing faster than upgrades can handle
2. Limit of 13 distinct servers within UDP packet constraint. In any case more letters will not help!
Anycast Root Servers
• 12 of the 13 root server operators use “anycast”
  – All the servers in a constellation share the same public IP addresses
  – The routing system will direct queries to the “closest” server
• Anycast provides…
  – Faster responses to queries to the root for many DNS resolvers
  – Greater resilience by load sharing widely distributed attacks across the entire anycast constellation
• As root server load increases, we keep on adding more instances to the existing anycast clouds
  – Is it scalable?
www.root-servers.org
How can we defend the Root?
• Larger Root Server platforms?
• More Root Server Letters?
• More Anycast Instances?
• Change DNS behaviour?
DNSSEC…
DNSSEC changes Everything
• Before DNSSEC we assumed that if we queried a root server, then the response was genuine
• With DNSSEC, a signed response assures us that the answer is genuine
• Because it is signed, that response can come from anywhere
• How can we use this?
RFC 7706 – Local root server
• RFC 7706 proposes the use of a local root server, carrying a local copy of the root zone
• DNSSEC signing ensures the root zone is valid
• However:
  – Significant operational overhead in maintenance of this server
  – Fragility in case of failure of the server, or failure to update the root zone
RFC 8198 – NSEC caching
• 66% of queries seen at the root are for non-existent domains, due to non-caching of “non-existent” domain names.
• DNS does provide the NXT record type to allow non-existent ranges to be identified.
• With DNSSEC, the NSEC record type (Nxt-SECure) is a signed version of the NXT record, allowing these non-existent ranges to be reliably identified.
• If resolvers cached this range and the signed response, they can then answer a query (negatively) for any name that falls within the same label range.
• This will prevent queries for non-existent domains from being passed to the root and other nameservers
Example
If we query the root server for the non-existent name www.example. the returned response says that there are no TLDs between everbank. and exchange.
The identical response can be used to respond (negatively) to queries for any TLD between these labels. So we can cache this signed response and use it to respond to subsequent queries that fall into the same range.
A name server software upgrade is required, but no operational impact is involved.
Impacts…
• Instead of relying on endless scaling of the root server system, existing deployed resolvers can help mitigate DNS DDoS attacks
• This will also improve overall DNS efficiency by absorbing most of the current root query load in the resolvers
• Also, individual resolvers will operate more efficiently in both response time (for failed queries) and cache performance.
• Win, Win, Win!
The good news
Coming to a Bind Resolver near you
• APNIC has sponsored the inclusion of NSEC caching in the forthcoming Bind 9.12 release
  – Enabled by default
  – Available early 2018
• Then…
  – To be included in Linux distros
  – Replicated in other DNS resolvers?
  – Operators must upgrade: OS or Bind, or both
In the meantime
• Anycast root server deployment continues
  – At request of root server operators, since recent attacks
• APNIC working with F, I, K, M
  – Especially at neutral IXPs
  – Especially in developing countries
• Let APNIC know if we can help
• Stay tuned!
Thanks
dg@apnic.net
