This document discusses strategies for improving the resilience of the Domain Name System (DNS) against distributed denial-of-service (DDoS) attacks. It outlines how caching of DNSSEC-signed responses for non-existent domain names can help prevent unnecessary queries from reaching the DNS root servers. The document details an initiative by APNIC to sponsor the inclusion of this NSEC caching in the upcoming BIND 9.12 release, which would help distribute DNS query load more efficiently and mitigate DDoS attacks targeting the root servers.
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
APNIC Director General, Paul Wilson, talks about APNIC's support of updates to BIND to implement caching of NSEC responses to reduce root server query load.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F18.shtml
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
The document discusses using an experimental system that can perform thousands of DNS and HTTP measurements per day on random internet users to test DNSSEC implementation. It proposes configuring five domains - one validly signed, one invalidly signed, one with IPv6-only NS, one with large IPv6 responses, and one without DNSSEC - to test clients' DNSSEC support, validation, IPv6 capability, and response handling. Initial results from testing 1.8 million clients worldwide found 4.4% of resolvers and 14.15% of clients appear to support DNSSEC. Further analysis of 7,500 New Zealand experiments identified variability between internet providers in estimated DNSSEC support rates. Future work to improve DNSSEC activity detection is proposed
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Used in this "DNS Security" course:
https://samsclass.info/40/40_F17.shtml
Based on "DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE
This document discusses strategies for improving the resilience of the Domain Name System (DNS) against distributed denial-of-service (DDoS) attacks. It outlines how caching of DNSSEC-signed responses for non-existent domain names can help prevent unnecessary queries from reaching the DNS root servers. The document details an initiative by APNIC to sponsor the inclusion of this NSEC caching in the upcoming BIND 9.12 release, which would help distribute DNS query load more efficiently and mitigate DDoS attacks targeting the root servers.
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
APNIC Director General, Paul Wilson, talks about APNIC's support of updates to BIND to implement caching of NSEC responses to reduce root server query load.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F18.shtml
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
The document discusses using an experimental system that can perform thousands of DNS and HTTP measurements per day on random internet users to test DNSSEC implementation. It proposes configuring five domains - one validly signed, one invalidly signed, one with IPv6-only NS, one with large IPv6 responses, and one without DNSSEC - to test clients' DNSSEC support, validation, IPv6 capability, and response handling. Initial results from testing 1.8 million clients worldwide found 4.4% of resolvers and 14.15% of clients appear to support DNSSEC. Further analysis of 7,500 New Zealand experiments identified variability between internet providers in estimated DNSSEC support rates. Future work to improve DNSSEC activity detection is proposed
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Used in this "DNS Security" course:
https://samsclass.info/40/40_F17.shtml
Based on "DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The document discusses various methods for securing DNS, including restricting zone transfers to prevent enumeration of internal hosts, restricting dynamic updates to authorized sources, protecting against spoofing by disabling recursion and restricting queries, and implementing a split DNS configuration to control external visibility of internal domains. It provides configuration examples for BIND and Microsoft DNS servers to implement these security remedies.
This document provides an overview and introduction to DNS and DNSSEC. It begins with introducing the presenter, Nurul Islam Roman, and his background and areas of expertise. The overview section lists the topics to be covered, including DNS overview, forward and reverse DNS, DNS security overview, TSIG, and DNSSEC. The document then delves into explanations of DNS overview, how it works, its features and components. It also covers IP addresses vs domain names, the DNS tree hierarchy, domains, root servers, resolvers, authoritative and recursive nameservers. Finally, it discusses resource records, common RR types, reverse DNS, delegation, glue records and responsibilities around APNIC and ISPs for reverse delegations.
A presentation on DNS concepts. It covers the topics DNS Introduction, DNS Hierarchy, DNS Resolution Process,
DNS Components, DNS Types, DNSSEC, DNS over TLS (DoT) & HTTPS (DoH), Oblivious DNS (ODoH).
Dns protocol design attacks and securityMichael Earls
The document discusses DNS security and attacks such as cache poisoning, denial of service attacks through query flooding, and man-in-the-middle attacks through DNS hijacking. It provides examples using tools like dnsFlood.pl and dnshijacker to demonstrate these attacks, and recommends mitigations like restricting queries, preventing unauthorized zone transfers, using DNSSEC, and configuring TSIG to secure DNS messages.
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Understanding Data Consistency in Apache CassandraDataStax
This document provides an overview of data consistency in Apache Cassandra. It discusses how Cassandra writes data to commit logs and memtables before flushing to SSTables. It also reviews the CAP theorem and how Cassandra offers tunable consistency levels for both reads and writes. Strategies for choosing consistency levels for writes, such as ANY, ONE, QUORUM, and ALL are presented. The document also covers read repair and hinted handoffs in Cassandra. Examples of CQL queries with different consistency levels are given and information on where to download Cassandra is provided at the end.
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Website: https://samsclass.info/40/40_F16.shtml
Updated 8-21-17
The document discusses DNS attacks and how to prevent them. It begins by explaining what DNS is and how it works to translate domain names to IP addresses. It then outlines several common attacks against DNS like cache poisoning, amplification attacks, and DDoS attacks. The document recommends approaches to secure DNS like DNSSEC, which adds digital signatures to authenticate DNS data and prevent spoofing. It provides details on how DNSSEC works through cryptographic signing of DNS records and validation of signatures up the DNS hierarchy.
This document summarizes the key aspects of a public cloud archive storage solution. It offers affordable and unlimited storage using standard transfer protocols. Data is stored using erasure coding for redundancy and fault tolerance. Accessing archived data takes 10 minutes to 12 hours depending on previous access patterns, with faster access for inactive archives. The solution uses middleware to handle sealing and unsealing archives along with tracking access patterns to regulate retrieval times.
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
Domain Name System (DNS) provides one of the most basic but critical functions on the Internet. If DNS isn't working, then your business likely isn't either. Secure your business and web presence with Domain Name System Security Extensions (DNSSEC).
Google File System (GFS) is a distributed file system designed for large streaming reads and appends on inexpensive commodity hardware. It uses a master-chunk server architecture to manage the placement of large files across multiple machines, provides fault tolerance through replication and versioning, and aims to balance high throughput and availability even in the presence of frequent failures. The consistency model allows for defined and undefined regions to support the needs of batch-oriented, data-intensive applications like MapReduce.
The document discusses DNS security and various DNS attacks. It begins with an overview of the DNS protocol and infrastructure, then describes common DNS attacks like spoofing, cache poisoning, and reflection attacks. It also covers mitigation techniques like DNSSEC and discusses fast flux networks used by malware to evade detection. The document provides technical details on securing DNS servers and domains through configurations, software updates, and cryptographic protocols.
The document is a slide deck for a DNSSEC tutorial presented at the USENIX LISA conference in 2013. It provides an overview of DNSSEC, including how it uses public key cryptography and digital signatures to authenticate DNS data and establish a chain of trust. It also covers topics like configuring DNSSEC in BIND, using the dig tool to perform queries, and prospects for new applications of DNSSEC. The presentation was given by Shumon Huque, an IT director at the University of Pennsylvania.
The Google File System is a distributed file system designed by Google to provide scalability, fault tolerance, and high performance on commodity hardware. It uses a master-slave architecture with one master and multiple chunkservers. Files are divided into 64MB chunks which are replicated across servers. The master maintains metadata and controls operations like replication and load balancing. Writes are replicated to replicas in order by the primary chunkserver holding the lease. The system provides high availability and reliability through replication and fast recovery from failures. It has been shown to achieve high throughput for Google's large-scale data processing workloads.
SignalFx engineer Rajiv Kurian's presentation on why we wrote our own Kafka consumer, the performance goals, and the performance gains achieved.
Download the slides to see animations showing hardware details. These slides were converged from Keynote to Powerpoint, so there may be some oddness with slide transitions!
The document summarizes Google File System (GFS), which was designed to provide reliable, scalable storage for Google's large data processing needs. GFS uses a master server to manage metadata and chunk servers to store file data in large chunks (64MB). It replicates chunks across multiple servers for reliability. The architecture supports high throughput by minimizing interaction between clients and the master, and allowing clients to read from the closest replica of a chunk.
APNIC Director General Paul Wilson discusses APNIC’s support of updates to BIND to implement caching of NSEC responses, to reduce root server query loads.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
The document discusses various methods for securing DNS, including restricting zone transfers to prevent enumeration of internal hosts, restricting dynamic updates to authorized sources, protecting against spoofing by disabling recursion and restricting queries, and implementing a split DNS configuration to control external visibility of internal domains. It provides configuration examples for BIND and Microsoft DNS servers to implement these security remedies.
This document provides an overview and introduction to DNS and DNSSEC. It begins with introducing the presenter, Nurul Islam Roman, and his background and areas of expertise. The overview section lists the topics to be covered, including DNS overview, forward and reverse DNS, DNS security overview, TSIG, and DNSSEC. The document then delves into explanations of DNS overview, how it works, its features and components. It also covers IP addresses vs domain names, the DNS tree hierarchy, domains, root servers, resolvers, authoritative and recursive nameservers. Finally, it discusses resource records, common RR types, reverse DNS, delegation, glue records and responsibilities around APNIC and ISPs for reverse delegations.
A presentation on DNS concepts. It covers the topics DNS Introduction, DNS Hierarchy, DNS Resolution Process,
DNS Components, DNS Types, DNSSEC, DNS over TLS (DoT) & HTTPS (DoH), Oblivious DNS (ODoH).
Dns protocol design attacks and securityMichael Earls
The document discusses DNS security and attacks such as cache poisoning, denial of service attacks through query flooding, and man-in-the-middle attacks through DNS hijacking. It provides examples using tools like dnsFlood.pl and dnshijacker to demonstrate these attacks, and recommends mitigations like restricting queries, preventing unauthorized zone transfers, using DNSSEC, and configuring TSIG to secure DNS messages.
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Understanding Data Consistency in Apache CassandraDataStax
This document provides an overview of data consistency in Apache Cassandra. It discusses how Cassandra writes data to commit logs and memtables before flushing to SSTables. It also reviews the CAP theorem and how Cassandra offers tunable consistency levels for both reads and writes. Strategies for choosing consistency levels for writes, such as ANY, ONE, QUORUM, and ALL are presented. The document also covers read repair and hinted handoffs in Cassandra. Examples of CQL queries with different consistency levels are given and information on where to download Cassandra is provided at the end.
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Website: https://samsclass.info/40/40_F16.shtml
Updated 8-21-17
The document discusses DNS attacks and how to prevent them. It begins by explaining what DNS is and how it works to translate domain names to IP addresses. It then outlines several common attacks against DNS like cache poisoning, amplification attacks, and DDoS attacks. The document recommends approaches to secure DNS like DNSSEC, which adds digital signatures to authenticate DNS data and prevent spoofing. It provides details on how DNSSEC works through cryptographic signing of DNS records and validation of signatures up the DNS hierarchy.
This document summarizes the key aspects of a public cloud archive storage solution. It offers affordable and unlimited storage using standard transfer protocols. Data is stored using erasure coding for redundancy and fault tolerance. Accessing archived data takes 10 minutes to 12 hours depending on previous access patterns, with faster access for inactive archives. The solution uses middleware to handle sealing and unsealing archives along with tracking access patterns to regulate retrieval times.
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksFindWhitePapers
Domain Name System (DNS) provides one of the most basic but critical functions on the Internet. If DNS isn't working, then your business likely isn't either. Secure your business and web presence with Domain Name System Security Extensions (DNSSEC).
Google File System (GFS) is a distributed file system designed for large streaming reads and appends on inexpensive commodity hardware. It uses a master-chunk server architecture to manage the placement of large files across multiple machines, provides fault tolerance through replication and versioning, and aims to balance high throughput and availability even in the presence of frequent failures. The consistency model allows for defined and undefined regions to support the needs of batch-oriented, data-intensive applications like MapReduce.
The document discusses DNS security and various DNS attacks. It begins with an overview of the DNS protocol and infrastructure, then describes common DNS attacks like spoofing, cache poisoning, and reflection attacks. It also covers mitigation techniques like DNSSEC and discusses fast flux networks used by malware to evade detection. The document provides technical details on securing DNS servers and domains through configurations, software updates, and cryptographic protocols.
The document is a slide deck for a DNSSEC tutorial presented at the USENIX LISA conference in 2013. It provides an overview of DNSSEC, including how it uses public key cryptography and digital signatures to authenticate DNS data and establish a chain of trust. It also covers topics like configuring DNSSEC in BIND, using the dig tool to perform queries, and prospects for new applications of DNSSEC. The presentation was given by Shumon Huque, an IT director at the University of Pennsylvania.
The Google File System is a distributed file system designed by Google to provide scalability, fault tolerance, and high performance on commodity hardware. It uses a master-slave architecture with one master and multiple chunkservers. Files are divided into 64MB chunks which are replicated across servers. The master maintains metadata and controls operations like replication and load balancing. Writes are replicated to replicas in order by the primary chunkserver holding the lease. The system provides high availability and reliability through replication and fast recovery from failures. It has been shown to achieve high throughput for Google's large-scale data processing workloads.
SignalFx engineer Rajiv Kurian's presentation on why we wrote our own Kafka consumer, the performance goals, and the performance gains achieved.
Download the slides to see animations showing hardware details. These slides were converged from Keynote to Powerpoint, so there may be some oddness with slide transitions!
The document summarizes Google File System (GFS), which was designed to provide reliable, scalable storage for Google's large data processing needs. GFS uses a master server to manage metadata and chunk servers to store file data in large chunks (64MB). It replicates chunks across multiple servers for reliability. The architecture supports high throughput by minimizing interaction between clients and the master, and allowing clients to read from the closest replica of a chunk.
APNIC Director General Paul Wilson discusses APNIC’s support of updates to BIND to implement caching of NSEC responses, to reduce root server query loads.
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
This document provides an introduction to DNSSEC (Domain Name System Security Extensions) in 3 parts:
1. It explains the purpose of DNSSEC is to address vulnerabilities in the DNS like cache poisoning and lack of data integrity by cryptographically signing DNS records.
2. It discusses some of the operational implications of DNSSEC like increased response sizes requiring EDNS0, using multiple keys (KSK and ZSK), and developing a DNSSEC Policy and Practice Statement.
3. It provides resources for further learning including open source DNSSEC software, mailing lists, and examples of deployed DNSSEC at the root zone and in some top-level domains.
Module 3: Configuring and Troubleshooting DNS
This module introduces you to Domain Name System (DNS), which is the foundation name service in Windows Server 2008 R2. It is vital that you understand how to deploy, configure, manage, and troubleshoot this critical service.
Lessons
Installing the DNS Server Role
Configuring the DNS Server Role
Configuring DNS Zones
Configuring DNS Zone Transfers
Managing and Troubleshooting DNS
Lab : Configuring and Troubleshooting DNS
Selecting a DNS Configuration
Deploying and Configuring DNS
Troubleshooting DNS
After completing this module, students will be able to:
Install the DNS server role.
Configure the DNS server role.
Create and configure DNS zones.
Configure zone transfers.
Manage and troubleshoot DNS.
DNS is a distributed system that maps domain names to IP addresses. It uses a hierarchy of servers, with root servers at the top level responsible for top-level domains like .com and .org. DNS servers answer queries recursively or iteratively to lookup IP addresses. The Time-To-Live (TTL) field of DNS records determines how long caches store the records before refreshing from authoritative servers.
This document describes research into developing a discovery method to ensure DNSSEC information can be delivered to end hosts. Measurements using RIPE ATLAS probes found that 64% of recursive resolvers could perform basic DNSSEC queries, while only 40% could process authenticated wildcard information. The proposed discovery method has stub resolvers first try the default recursive resolver, then the ISP resolver, a public resolver, or full recursion if needed, to balance functionality and efficiency.
The document discusses re-engineering the root of the DNS to improve its resilience against attacks. It describes how the DNS and root servers currently work, and issues like anycast root servers and caching. Recent initiatives by APNIC aim to leverage DNSSEC to have recursive resolvers cache NXDOMAIN responses for non-existent domain ranges from the root zone. This would allow resolvers to directly answer 70% of queries, reducing root server load. Features like local root secondaries and NSEC caching are presented as ways to distribute the root load to edge resolvers through caching, rather than amplifying queries to the root.
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
Signing DNSSEC answers on the fly at the edge: challenges and solutions, by Jono Bergquist.
A presentation given at the APNIC 40 APOPS 2 session on Tue, 8 Sep 2015.
APNIC Chief Scientist Geoff Huston briefly explains DNSSEC and the role of the KSK, and the way in which we can measure the possible impact of this planned roll.
1. The DNS is widely used but lacks security measures like encryption, making it easy to monitor users' activities and inject false responses.
2. Efforts to add authenticity through DNSSEC have had limited success due to technical challenges and lack of adoption.
3. The DNS is increasingly being used for application-level functions through extensions, but this increases the privacy risks as DNS queries reveal more user intentions.
4. Solutions exist like DNS over TLS and DNS over HTTPS to provide encryption, but full deployment faces economic and technical barriers, risking further fragmentation of the DNS.
This document discusses using Internet measurements and the RIPE Atlas platform to monitor DNS performance. RIPE Atlas allows monitoring DNS infrastructure like root name servers from thousands of global vantage points. It can troubleshoot problems, validate peering strategies, and help with content distribution planning. Both active and passive DNS measurements are covered, including analyzing zone files to assess IPv6 and DNSSEC deployment. Use cases demonstrated include monitoring root server performance and which instances clients use.
This document provides an overview of configuring and managing a DNS server, including:
1. Installing the DNS server role and configuring zones, records, and name resolution.
2. Describing DNS namespaces, zones, primary/secondary servers, and record types like SOA, NS, A, MX and SRV.
3. Explaining how DNS servers resolve queries using root hints, recursion, caching, and forwarders.
This document discusses using DNS delegation to load balance traffic across application servers without a single point of failure. It describes configuring multiple nameservers each with their own zone file that resolves the domain's A record to the nameserver's own IP address. When a user resolves the domain, they will be routed to one of the nameservers randomly, load balancing traffic. It provides steps for implementing this using Puppet including opening ports, configuring the bind9 module and zone file, deploying, and testing.
OARD 30: What part of 'NO' is so hard for the DNS to understand?APNIC
APNIC Chief Scientist Geoff Huston presents on 'What part of 'NO" is so hard for the DNS to understand' at OARC 30 in Bangkok, Thailand from 12 to 13 May 2019.
The document discusses estimating the impact of rolling the root zone key signing key (KSK) in the Domain Name System Security Extensions (DNSSEC). It finds that approximately 12% of users use DNSSEC-validating resolvers and would be impacted if they fail to pick up the new KSK. There are also concerns that some resolvers may be unable to handle the larger DNS responses during the dual signature period of the rollover. However, the impact is estimated to be small, as many users of failing resolvers would just switch to a non-validating resolver temporarily. The key risks are resolvers that do not follow the RFC for rolling keys or cannot receive responses over 1400 bytes.
This document provides an overview of the Domain Name System (DNS) including how DNS works, the record types stored in DNS, caching and authoritative servers, and delegation. It discusses how DNS queries work by recursively searching through the DNS hierarchy from the root servers down. Key record types like A, AAAA, NS, MX and SOA are described. The roles of caching servers, which forward queries on behalf of clients, and authoritative servers, which serve data from their own zone files, are compared. Delegation allows separate administration of different domains through the hierarchical structure of DNS.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presents 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presents 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
Geoff Huston, Chief Scientist at APNIC deliver keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
Paul Wilson, Director General of APNIC delivers a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
Tom Harrison, Product and Delivery Manager at APNIC presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16-22 March 2024
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC presents on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19-22 February 2024.
Decentralized Justice in Gaming and EsportsFederico Ast
Discover how Kleros is transforming the landscape of dispute resolution in the gaming and eSports industry through the power of decentralized justice.
This presentation, delivered by Federico Ast, CEO of Kleros, explores the innovative application of blockchain technology, crowdsourcing, and incentivized mechanisms to create fair and efficient arbitration processes.
Key Highlights:
- Introduction to Decentralized Justice: Learn about the foundational principles of Kleros and how it combines blockchain with crowdsourcing to develop a novel justice system.
- Challenges in Traditional Arbitration: Understand the limitations of conventional arbitration methods, such as high costs and long resolution times, particularly for small claims in the gaming sector.
- How Kleros Works: A step-by-step guide on the functioning of Kleros, from the initiation of a smart contract to the final decision by a jury of peers.
- Case Studies in eSports: Explore real-world scenarios where Kleros has been applied to resolve disputes in eSports, including issues like cheating, governance, player behavior, and contractual disagreements.
- Practical Implementation: Detailed walkthroughs of how disputes are handled in eSports tournaments, emphasizing speed, cost-efficiency, and fairness.
- Enhanced Transparency: The role of blockchain in providing an immutable and transparent record of proceedings, ensuring trust in the resolution process.
- Future Prospects: The potential expansion of decentralized justice mechanisms across various sectors within the gaming industry.
For more information, visit kleros.io or follow Federico Ast and Kleros on social media:
• Twitter: @federicoast
• Twitter: @kleros_io
2. What is NSEC Caching?
RFC 8198, July 2017:
• If a DNS zone is pre-signed then each zone entry is
“connected” to the next with a NSEC (or NSEC3) record
• Proof of non-existence of a name is provided by a signed NSEC
record that “spans” the query name
• If a DNSSEC-validating recursive resolver receives an NSEC
record it can cache this record and use it to answer all
subsequent queries for names in the NSEC span for the TTL of
the record
3. NSEC Caching Benefits
(according to RFC8198)
• Reduced Latency
• Decreased Recursive Resolver Load
• Decreased Authoritative Server Load
• Random name attack mitigation
4. Does it Deliver?
Random Subdomain Attack Traffic
• Petr Špaček’s report to DNS OARC 28 (2018)
https://indico.dns-oarc.net/event/28/contributions/509/attachments/479/786/DNS-OARC-28-presentation-RFC8198.pdf
5. Does it Deliver?
• Petr Špaček’s report to DNS OARC 28 (2018)
https://indico.dns-oarc.net/event/28/contributions/509/attachments/479/786/DNS-OARC-28-presentation-RFC8198.pdf
6. Benchtop vs Live Measurement
• Petr’s results were obtained by feeding a log of query data into
a resolver and measuring the query traffic from the resolver to
the authoritative server(s)
• We thought it would be useful to see if these results are
reproducible in the Internet:
• To what extent is NSEC caching visible in the DNS today?
• How well does NSEC caching work?
7. Measurement Setup
• We use APNIC Lab’s Ad-based measurement platform in conjunction
with a set of servers
• The Ad campaign delivers some 8M – 12M ads per day to eyeball
networks across the entire Internet
• Each ad contains an HTML5 script that runs the NSEC experiment:
– Generate unique label name within a DNSSEC-signed domain name and
query
– The DNSSEC response is an NXDOMAIN code with an NSEC record that
includes a span across the label name space in the domain
– Wait 2 seconds
– Generate a new unique label name sits within the span of the NSEC record
8. Measurement Setup
Controls:
• We use a pair of unique labels that generate a CNAME
response to a unique non-existent name
– That way the authoritative server will see the query that generates
the CNAME response and depending on whether the recursive
resolver is performing NSEC caching the authoritative server may (or
may not) see the second CNAME target name query
• We use a second pair of labels that are generated within an
unsigned zone where the server always returns NXDOMAIN
11. Measurement Details
3
We should not see this query
if the recursive resolver is
performing NSEC caching
We might not see this query
either if a previous NSEC
record has been cached
12. Predictions
• How many users sit behind DNSSEC validating resolvers?
• In this case the NSEC record is validly signed, so we are
interested only in the user’s “first choice” resolver
13. DNSSEC Validation Rates
30% of users send
queries to DNS
resolvers that
perform DNSSEC
validation
https://stats.labs.apnic.net/dnssec/XA
14. Predictions
• In up to 30% of these measurements we expect to see a query
pattern consistent with DNSSEC validation being performed by
the recursive resolver
• The maximum NSEC caching rate would therefore be visible for
some 30% of users
– While some resolver code has NSEC caching enabled by default other
code sets have it as a configurable option
– Somewhere between 0% and 30% of all measurements is the range
of possible outcomes from this experiment
16. This is lower than we had
anticipated
• And some open resolvers that we had thought were NSEC
caching were showing variable behaviour
– Sometimes they queried as if they were NSEC caching and other
times not
What’s going on?
17. DNS Load Balancing
The scenario of a stub resolver sending queries to a single
instance of a DNS recursive resolver is being overshadowed by
DNS load balancing scenarios
Stub Resolver
Recursive Resolvers
DNS
Load Balancer
Resolver selection
Auth Server
18. Measuring Load Balancing by IP
addresses
• Over the 98 day period we observed 559,357 distinct IP addresses that
queried the experiment’s authoritative name servers with query names
generated by the experiment
• If we group these addresses using a /24 (IPv4) and /48 (IPv6) subnet we
observed 295,546 distinct subnets
• More than one half of the visible recursive resolver set share a
common subnet with other recursive resolvers
19. Query Distribution in Resolver
Farms
• How do you distribute DNS queries in a resolver farm and
maximise cache performance?
– Run some form of cache memory bus across the resolvers to
share cached data across all members of the resolver farm
or
– Hash the query name so that the same resolver handles all
queries for a given name
21. Does NSEC Caching Deliver?
• The results are not all that promising for conventional query
traffic
• Despite a large number of recursive resolvers performing
DNSSEC validation (and possibly even performing NSEC
caching) the apparent widespread use of qname-hashing DNS
load balancers works against NSEC caching
22. What about NSEC caching as a response
to Random Subdomain Attack?
• It depends…
• If the attack query pattern is widely distributed then each recursive
resolver may not experience sufficient query intensity to load all
resolver farm members with the cached NSEC records
But
– We didn’t test this scenario using the ad platform using a very high query
intensity as we don’t have the capacity in this platform to operate at very
high query loads over sustained periods
23. NSEC Caching?
☹The recursive resolver needs to perform range checks against its
help cache state - this may make lookups into the cache database
slightly slower
😊The cache does not contain individual NXDOMAIN entries for signed
zones, so the cache efficiency increases with NSEC caching
☹Commonly used DNS load balancers appear to spread query names
across individual resolver engines and this appears to reduce the
effectiveness of NSEC caching for the resolver farm as a whole
24. NSEC Caching?
Mostly Harmless!
• NSEC caching does not appear to be harmful to the DNS
• But in today’s resolver environment the interplay between
commonly used load balancers and queries for non-existent
names tends to negate much of the potential benefit of NSEC
caching
25. One more thing…
• The observed model of DNS operational deployment at scale is
diverging from the classical stub-resolver-authoritative model
that many still use as a reference
• Caching has long been a fundamental property of DNS but the
current deployment model with extensive use of DNS load
balancers alters aggregate cache behaviour
• Is it time to consider how DNS load balancers fit within the
larger DNS architecture?
26. Standards?
• This is similar to the situation with NATs for many years
• The absence of standard specifications that describe how such
units should behave mean that individual implementors are
able to make their own choices
• And this can result in unexpected variance in behaviours for
aspects of DNS resolution