SlideShare a Scribd company logo

Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / APOPS 2]

APNIC
APNIC

Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie. A presentation given at APNIC 38 during the APOPS 2 session.

Internet
1 of 17
Passive DNS Collection and AnalysisThe 'dnstap' Approach Dr. Paul Vixie, CEOFarsight Security, Inc.
Importance of Measuring DNS •High volume low latency datagram protocol –sie-xyzzy1 547,128,709,757 bytes, 80 sources ( 82%) –sie-xyzzy2 40,787,371,148 bytes, 141 sources ( 6%) –sie-xyzzy3 21,650,049,219 bytes, 12 sources ( 3%) •Enables almost all other network flows –A, AAAA, MX, NS, SRV records •Traffic analysis: NetFlow vs. DNS –NetFlow tells you “what” –DNS tells you “why” (and “how”)
Challenges of Measuring DNS •Historically, turning on logging in a DNS server slows it down to the speed of the file system –Operationally, measurement loss is always better •So, success in DNS measurement has come from an asynchronous approach –BPF/pcap –NCAP (2006) –look for authoritative responses, reassembling UDP datagrams as necessary (EDNS) –NMSG (2009) –like NCAP but wants to also see requests, and log complete DNS transactions
Passive DNS Data Flow AuthorityServers RecursiveServers StubResolvers FarsightSIE PII Farsight DNSDB DNSCache
Problems with NMSG Approach •Blind to off-the-wire events like cache expiry due to DNS TTL, cache purge due to LRU. •Meaning is not tagged –NMSG receiver has to impute stub vs. cache miss transaction type. •Currently blind to TCP/53 –noting that there can be many transactions per TCP/53 session.
Enter ‘dnstap’ (DNS Tap) •Server-embedded •TCP output streams •Reliable front-loss •Transactions, events: all tagged •Apache licensed
‘dnstap’ Architecture
‘dnstap’ –Server-Embedded •‘dnstap’ messages are generated from within DNS implementations, via instrumentation •So, no UDP fragment reassembly, no matching of on-wire queries with on-wire responses, and no worries about TCP/53 •We have this working in ‘unbound’ and ‘knot’ •‘nsd’, ‘powerdns’ and BIND: coming
‘dnstap’ –TCP Output Streams •A ‘dnstap’ stream is a reliable byte stream •So it can be a file, or a TCP session –(Files? Some people really do like ‘rsync’) •TCP means we won’t use >80% of channel •TCP is easier on (inevitably) stateful firewalls •Yet, TCP is unfortunately very(too) reliable
‘dnstap’ –Reliable Front-Loss •TCP protocol vs. “Sockets API” –NonblockingUDP socket rejects full datagrams –NonblockingTCP socket rejects overflow octets •Which breaks “framing” unless sender keeps state •But we want total message loss in this case! •And we want such messages dropped early •Solution: ‘dnstap’ writer thread –Lockless SP/SC ring buffer –‘dnstap’ socket is blocking, so, thread can block –Reliable front-loss occurs when ring buffer is full
Congestion (Thanks:Van Jacobson)
‘dnstap’ –Message Types •Present: –Stub {Query, Response} –Authoritative {Q, R} –Resolver {Q, R} –Client {Q, R} –Forwarder {Q, R} •Prospective: –RRL bucket {Start, End} –Zone transfer in {S, E} –Zone transfer out {S, E} –Cache purge (LRU) –Cache expiry (TTL)
‘dnstap’ –Licensing/Packaging •Using Apache Open Source License V2.0 –We loved BSD/ISC license, but AOSL2 is “better” •Protocol, reference API, reference toolset •Our commercial interest is: wide adoption –So, it’s all on GitHub(see http://dnstap.info/) •We intend to patch all F/L/OSS DNS servers –‘dnstap’ is structured as a copy-in, not a dependency, noting that it depends on protobuf-c
Context of DNS Measurements •Farsight (was ISC) SIE –Security Info. Exchange –Commoditize security-relevant Internet telemetry –Channels for Passive DNS (raw, dedup’d, validated, filtered, chaff) •Filtered output goes into DNSDB –Hierarchical MTBL (Google Sorted String Table) –RESTfulAPI, JSON output –Stored everything from SIE since June 2010 •SIE and DNSDB are cash-free for nonprofit research/academia (pay us in data of like kind)
Passive DNS, SIE, DNSDB –Context
Demonstration •SIE –nmsgtool, tcpdump •DNSDB API –online “dnsdb_query” tool •SRA –SIE Remote Access •DNSDB UI –web user interface for LEA
Summary •Passive DNS monitoring (NCAP, NMSG) •‘dnstap’ (coming during 2014) •Worked example: SIE and DNSDB •More Information: –http://dnstap.info/ –https://dnsdb.info/ –https://api.dnsdb.info/ –http://github.com/farsightsec

Recommended

DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
Jisc
 
Introduction to DNS
Introduction to DNSIntroduction to DNS
Introduction to DNS
Jonathan Oxer
 
HTTP Analytics for 6M requests per second using ClickHouse, by Alexander Boc...
HTTP Analytics for 6M requests per second using ClickHouse, by Alexander Boc...HTTP Analytics for 6M requests per second using ClickHouse, by Alexander Boc...
HTTP Analytics for 6M requests per second using ClickHouse, by Alexander Boc...
Altinity Ltd
 
[211] HBase 기반 검색 데이터 저장소 (공개용)
[211] HBase 기반 검색 데이터 저장소 (공개용)[211] HBase 기반 검색 데이터 저장소 (공개용)
[211] HBase 기반 검색 데이터 저장소 (공개용)
NAVER D2
 
Domain name system
Domain name systemDomain name system
Domain name system
mahakant sharma
 
Load Balancing and Scaling with NGINX
Load Balancing and Scaling with NGINXLoad Balancing and Scaling with NGINX
Load Balancing and Scaling with NGINX
NGINX, Inc.
 
DHCP basics
DHCP basicsDHCP basics
DHCP basics
Mansi Kansara
 
Dns ppt
Dns pptDns ppt
Dns ppt
Bizuworkk Jemaneh
 

Recommended

DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
Jisc
 
Introduction to DNS
Introduction to DNSIntroduction to DNS
Introduction to DNS
Jonathan Oxer
 
HTTP Analytics for 6M requests per second using ClickHouse, by Alexander Boc...
HTTP Analytics for 6M requests per second using ClickHouse, by Alexander Boc...HTTP Analytics for 6M requests per second using ClickHouse, by Alexander Boc...
HTTP Analytics for 6M requests per second using ClickHouse, by Alexander Boc...
Altinity Ltd
 
[211] HBase 기반 검색 데이터 저장소 (공개용)
[211] HBase 기반 검색 데이터 저장소 (공개용)[211] HBase 기반 검색 데이터 저장소 (공개용)
[211] HBase 기반 검색 데이터 저장소 (공개용)
NAVER D2
 
Domain name system
Domain name systemDomain name system
Domain name system
mahakant sharma
 
Load Balancing and Scaling with NGINX
Load Balancing and Scaling with NGINXLoad Balancing and Scaling with NGINX
Load Balancing and Scaling with NGINX
NGINX, Inc.
 
DHCP basics
DHCP basicsDHCP basics
DHCP basics
Mansi Kansara
 
Dns ppt
Dns pptDns ppt
Dns ppt
Bizuworkk Jemaneh
 
DNS Fundamentals Presentation_PANDI-2022.pdf
DNS Fundamentals Presentation_PANDI-2022.pdfDNS Fundamentals Presentation_PANDI-2022.pdf
DNS Fundamentals Presentation_PANDI-2022.pdf
roemahtoedjoeh
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
Men and Mice
 
톰캣 운영 노하우
톰캣 운영 노하우톰캣 운영 노하우
톰캣 운영 노하우
jieunsys
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Netgate
 
Nike tech-talk-intro-to-apache-ignite
Nike tech-talk-intro-to-apache-igniteNike tech-talk-intro-to-apache-ignite
Nike tech-talk-intro-to-apache-ignite
Dani Traphagen
 
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFiEvent-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
DataWorks Summit
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache Kafka
AIMDek Technologies
 
Squid
SquidSquid
Squid
Chirag Gupta
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name System
Peter R. Egli
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
Using Redis at Facebook
Using Redis at FacebookUsing Redis at Facebook
Using Redis at Facebook
Redis Labs
 
PostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulPostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consul
Sean Chittenden
 
Aerospike Hybrid Memory Architecture
Aerospike Hybrid Memory ArchitectureAerospike Hybrid Memory Architecture
Aerospike Hybrid Memory Architecture
Aerospike, Inc.
 
Hadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayHadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox Gateway
DataWorks Summit
 
Performance Acceleration: Summaries, Recommendation, MPP and more
Performance Acceleration: Summaries, Recommendation, MPP and morePerformance Acceleration: Summaries, Recommendation, MPP and more
Performance Acceleration: Summaries, Recommendation, MPP and more
Denodo
 
Clickhouse at Cloudflare. By Marek Vavrusa
Clickhouse at Cloudflare. By Marek VavrusaClickhouse at Cloudflare. By Marek Vavrusa
Clickhouse at Cloudflare. By Marek Vavrusa
Valery Tkachenko
 
Scaling server side web rtc applications the janus challenge by lorenzo miniero
Scaling server side web rtc applications the janus challenge by lorenzo minieroScaling server side web rtc applications the janus challenge by lorenzo miniero
Scaling server side web rtc applications the janus challenge by lorenzo miniero
Greg Kawere
 
Apples and Oranges - Comparing Kafka Streams and Flink with Bill Bejeck
Apples and Oranges - Comparing Kafka Streams and Flink with Bill BejeckApples and Oranges - Comparing Kafka Streams and Flink with Bill Bejeck
Apples and Oranges - Comparing Kafka Streams and Flink with Bill Bejeck
HostedbyConfluent
 
ETL Design for Impala Zero Touch Metadata.pptx
ETL Design for Impala Zero Touch Metadata.pptxETL Design for Impala Zero Touch Metadata.pptx
ETL Design for Impala Zero Touch Metadata.pptx
Manish Maheshwari
 
Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014
Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014
Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014
Shalin Shekhar Mangar
 
Day 20.i pv6 lab
Day 20.i pv6 labDay 20.i pv6 lab
Day 20.i pv6 lab
CYBERINTELLIGENTS
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
NYversity
 

More Related Content

What's hot

Nike tech-talk-intro-to-apache-ignite
Nike tech-talk-intro-to-apache-igniteNike tech-talk-intro-to-apache-ignite
Nike tech-talk-intro-to-apache-ignite
Dani Traphagen
 
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFiEvent-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
DataWorks Summit
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name System
Peter R. Egli
 
PostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulPostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consul
Sean Chittenden
 
Hadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayHadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox Gateway
DataWorks Summit
 
Apples and Oranges - Comparing Kafka Streams and Flink with Bill Bejeck
Apples and Oranges - Comparing Kafka Streams and Flink with Bill BejeckApples and Oranges - Comparing Kafka Streams and Flink with Bill Bejeck
Apples and Oranges - Comparing Kafka Streams and Flink with Bill Bejeck
HostedbyConfluent
 
Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014
Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014
Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014
Shalin Shekhar Mangar
 

What's hot (20)

DNS Fundamentals Presentation_PANDI-2022.pdf
DNS Fundamentals Presentation_PANDI-2022.pdfDNS Fundamentals Presentation_PANDI-2022.pdf
DNS Fundamentals Presentation_PANDI-2022.pdf
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
톰캣 운영 노하우
톰캣 운영 노하우톰캣 운영 노하우
톰캣 운영 노하우
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
 
Nike tech-talk-intro-to-apache-ignite
Nike tech-talk-intro-to-apache-igniteNike tech-talk-intro-to-apache-ignite
Nike tech-talk-intro-to-apache-ignite
 
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFiEvent-Driven Messaging and Actions using Apache Flink and Apache NiFi
Event-Driven Messaging and Actions using Apache Flink and Apache NiFi
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache Kafka
 
Squid
SquidSquid
Squid
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name System
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
Using Redis at Facebook
Using Redis at FacebookUsing Redis at Facebook
Using Redis at Facebook
 
PostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consulPostgreSQL High-Availability and Geographic Locality using consul
PostgreSQL High-Availability and Geographic Locality using consul
 
Aerospike Hybrid Memory Architecture
Aerospike Hybrid Memory ArchitectureAerospike Hybrid Memory Architecture
Aerospike Hybrid Memory Architecture
 
Hadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayHadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox Gateway
 
Performance Acceleration: Summaries, Recommendation, MPP and more
Performance Acceleration: Summaries, Recommendation, MPP and morePerformance Acceleration: Summaries, Recommendation, MPP and more
Performance Acceleration: Summaries, Recommendation, MPP and more
 
Clickhouse at Cloudflare. By Marek Vavrusa
Clickhouse at Cloudflare. By Marek VavrusaClickhouse at Cloudflare. By Marek Vavrusa
Clickhouse at Cloudflare. By Marek Vavrusa
 
Scaling server side web rtc applications the janus challenge by lorenzo miniero
Scaling server side web rtc applications the janus challenge by lorenzo minieroScaling server side web rtc applications the janus challenge by lorenzo miniero
Scaling server side web rtc applications the janus challenge by lorenzo miniero
 
Apples and Oranges - Comparing Kafka Streams and Flink with Bill Bejeck
Apples and Oranges - Comparing Kafka Streams and Flink with Bill BejeckApples and Oranges - Comparing Kafka Streams and Flink with Bill Bejeck
Apples and Oranges - Comparing Kafka Streams and Flink with Bill Bejeck
 
ETL Design for Impala Zero Touch Metadata.pptx
ETL Design for Impala Zero Touch Metadata.pptxETL Design for Impala Zero Touch Metadata.pptx
ETL Design for Impala Zero Touch Metadata.pptx
 
Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014
Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014
Scaling SolrCloud to a Large Number of Collections - Fifth Elephant 2014
 

Similar to Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / APOPS 2]

Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
NYversity
 
Audio video ethernet (avb cobra net dante)
Audio video ethernet (avb cobra net dante)Audio video ethernet (avb cobra net dante)
Audio video ethernet (avb cobra net dante)
Jeff Green
 
All Day DevOps - FLiP Stack for Cloud Data Lakes
All Day DevOps - FLiP Stack for Cloud Data LakesAll Day DevOps - FLiP Stack for Cloud Data Lakes
All Day DevOps - FLiP Stack for Cloud Data Lakes
Timothy Spann
 

Similar to Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / APOPS 2] (20)

Day 20.i pv6 lab
Day 20.i pv6 labDay 20.i pv6 lab
Day 20.i pv6 lab
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
 
IP Signal Distribution
IP Signal DistributionIP Signal Distribution
IP Signal Distribution
 
Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014Applied Detection and Analysis with Flow Data - SO Con 2014
Applied Detection and Analysis with Flow Data - SO Con 2014
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
Presentation oracle net services
Presentation oracle net servicesPresentation oracle net services
Presentation oracle net services
 
rpsec-4 (1).ppt
rpsec-4 (1).pptrpsec-4 (1).ppt
rpsec-4 (1).ppt
 
Network latency - measurement and improvement
Network latency - measurement and improvementNetwork latency - measurement and improvement
Network latency - measurement and improvement
 
Hadoop 3.0 - Revolution or evolution?
Hadoop 3.0 - Revolution or evolution?Hadoop 3.0 - Revolution or evolution?
Hadoop 3.0 - Revolution or evolution?
 
Audio video ethernet (avb cobra net dante)
Audio video ethernet (avb cobra net dante)Audio video ethernet (avb cobra net dante)
Audio video ethernet (avb cobra net dante)
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
 
Apache Spark Components
Apache Spark ComponentsApache Spark Components
Apache Spark Components
 
Apache Samza Past, Present and Future
Apache Samza Past, Present and FutureApache Samza Past, Present and Future
Apache Samza Past, Present and Future
 
Domain Name System (DNS) Fundamentals
Domain Name System (DNS) FundamentalsDomain Name System (DNS) Fundamentals
Domain Name System (DNS) Fundamentals
 
«Scrapy internals» Александр Сибиряков, Scrapinghub
«Scrapy internals» Александр Сибиряков, Scrapinghub«Scrapy internals» Александр Сибиряков, Scrapinghub
«Scrapy internals» Александр Сибиряков, Scrapinghub
 
All Day DevOps - FLiP Stack for Cloud Data Lakes
All Day DevOps - FLiP Stack for Cloud Data LakesAll Day DevOps - FLiP Stack for Cloud Data Lakes
All Day DevOps - FLiP Stack for Cloud Data Lakes
 

More from APNIC

More from APNIC (20)

Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 

Recently uploaded

Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
abhinandnam9997
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
aagad
 

Recently uploaded (12)

The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
Stay Ahead with 2024's Top Web Design Trends
Stay Ahead with 2024's Top Web Design TrendsStay Ahead with 2024's Top Web Design Trends
Stay Ahead with 2024's Top Web Design Trends
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
The Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI StudioThe Best AI Powered Software - Intellivid AI Studio
The Best AI Powered Software - Intellivid AI Studio
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 

Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / APOPS 2]

  • 1. Passive DNS Collection and AnalysisThe 'dnstap' Approach Dr. Paul Vixie, CEOFarsight Security, Inc.
  • 2. Importance of Measuring DNS •High volume low latency datagram protocol –sie-xyzzy1 547,128,709,757 bytes, 80 sources ( 82%) –sie-xyzzy2 40,787,371,148 bytes, 141 sources ( 6%) –sie-xyzzy3 21,650,049,219 bytes, 12 sources ( 3%) •Enables almost all other network flows –A, AAAA, MX, NS, SRV records •Traffic analysis: NetFlow vs. DNS –NetFlow tells you “what” –DNS tells you “why” (and “how”)
  • 3. Challenges of Measuring DNS •Historically, turning on logging in a DNS server slows it down to the speed of the file system –Operationally, measurement loss is always better •So, success in DNS measurement has come from an asynchronous approach –BPF/pcap –NCAP (2006) –look for authoritative responses, reassembling UDP datagrams as necessary (EDNS) –NMSG (2009) –like NCAP but wants to also see requests, and log complete DNS transactions
  • 4. Passive DNS Data Flow AuthorityServers RecursiveServers StubResolvers FarsightSIE PII Farsight DNSDB DNSCache
  • 5. Problems with NMSG Approach •Blind to off-the-wire events like cache expiry due to DNS TTL, cache purge due to LRU. •Meaning is not tagged –NMSG receiver has to impute stub vs. cache miss transaction type. •Currently blind to TCP/53 –noting that there can be many transactions per TCP/53 session.
  • 6. Enter ‘dnstap’ (DNS Tap) •Server-embedded •TCP output streams •Reliable front-loss •Transactions, events: all tagged •Apache licensed
  • 8. ‘dnstap’ –Server-Embedded •‘dnstap’ messages are generated from within DNS implementations, via instrumentation •So, no UDP fragment reassembly, no matching of on-wire queries with on-wire responses, and no worries about TCP/53 •We have this working in ‘unbound’ and ‘knot’ •‘nsd’, ‘powerdns’ and BIND: coming
  • 9. ‘dnstap’ –TCP Output Streams •A ‘dnstap’ stream is a reliable byte stream •So it can be a file, or a TCP session –(Files? Some people really do like ‘rsync’) •TCP means we won’t use >80% of channel •TCP is easier on (inevitably) stateful firewalls •Yet, TCP is unfortunately very(too) reliable
  • 10. ‘dnstap’ –Reliable Front-Loss •TCP protocol vs. “Sockets API” –NonblockingUDP socket rejects full datagrams –NonblockingTCP socket rejects overflow octets •Which breaks “framing” unless sender keeps state •But we want total message loss in this case! •And we want such messages dropped early •Solution: ‘dnstap’ writer thread –Lockless SP/SC ring buffer –‘dnstap’ socket is blocking, so, thread can block –Reliable front-loss occurs when ring buffer is full
  • 12. ‘dnstap’ –Message Types •Present: –Stub {Query, Response} –Authoritative {Q, R} –Resolver {Q, R} –Client {Q, R} –Forwarder {Q, R} •Prospective: –RRL bucket {Start, End} –Zone transfer in {S, E} –Zone transfer out {S, E} –Cache purge (LRU) –Cache expiry (TTL)
  • 13. ‘dnstap’ –Licensing/Packaging •Using Apache Open Source License V2.0 –We loved BSD/ISC license, but AOSL2 is “better” •Protocol, reference API, reference toolset •Our commercial interest is: wide adoption –So, it’s all on GitHub(see http://dnstap.info/) •We intend to patch all F/L/OSS DNS servers –‘dnstap’ is structured as a copy-in, not a dependency, noting that it depends on protobuf-c
  • 14. Context of DNS Measurements •Farsight (was ISC) SIE –Security Info. Exchange –Commoditize security-relevant Internet telemetry –Channels for Passive DNS (raw, dedup’d, validated, filtered, chaff) •Filtered output goes into DNSDB –Hierarchical MTBL (Google Sorted String Table) –RESTfulAPI, JSON output –Stored everything from SIE since June 2010 •SIE and DNSDB are cash-free for nonprofit research/academia (pay us in data of like kind)
  • 15. Passive DNS, SIE, DNSDB –Context
  • 16. Demonstration •SIE –nmsgtool, tcpdump •DNSDB API –online “dnsdb_query” tool •SRA –SIE Remote Access •DNSDB UI –web user interface for LEA
  • 17. Summary •Passive DNS monitoring (NCAP, NMSG) •‘dnstap’ (coming during 2014) •Worked example: SIE and DNSDB •More Information: –http://dnstap.info/ –https://dnsdb.info/ –https://api.dnsdb.info/ –http://github.com/farsightsec