Applications: Domain Name System
Mitra Nasri
ECE Department, University of Tehran
Fall 2009
Table of Contents
Internet Applications (Application Mix)
DNS Measurement
  Properties
  Challenges
  Tools
  DNS in Other Applications
  State of the Art
Mitra Nasri, Internet Measurement, Applications (Chapter 7), DNS 2
Internet Applications
Why do we study Internet applications? Applications are the visible part of the Internet; the infrastructure supports the flow of traffic of the different applications.
We want to examine the flow of application traffic, from the user, over the infrastructure.
Application Mix
Applications we will study:
Web: 1 client <-> 1 server
P2P: N peers
DNS
Online games: clients and some central servers
FTP (1980s): transported files in anonymous mode (unknown clients). Clients had to know the server address. In the 1980s, Email and Telnet were based on FTP.
Network News Groups (1980s, a bit after FTP).
WWW over the HTTP protocol (1990): became the majority of traffic after 1998.
P2P (end of the 1990s): Napster had attractive content and young clients.
DNS Measurement | Introduction: Definition
DNS is a database distributed across servers that handles name and address resolution on a hierarchical basis.
DNS uses the UDP protocol: DNS traffic consists of a query and a response, and each can fit in a single datagram. UDP scales much better for the DNS application.
Note that zone transfers use TCP.
DNS | Introduction
DNS Routing (by Iteration)
DNS Properties of Interest to Measure
Measured property | Why | Where
Fraction of Internet traffic | Guides other issues | Across the Internet
Availability | Critical to infrastructure | Root and authoritative servers
Number of entities | Performance | Remote reverse engineering
Response latency | Performance | Targeted set of servers
TTL assigned | CDN server selection | At sampled local DNS servers
Extent of caching | Performance | At multiple sites
Software configurations | Correctness / variance | Locally
Location of DNS servers | Mapping | Globally
Characteristics of queries | Correctness | Local DNS servers
Validity of queries | Access control | Locally
Frequency of lookups | Application popularity | Locally
Fraction of Internet Traffic
DNS traffic types: queries, responses, and forwarding of queries and responses.
Measured as the fraction of Internet traffic that belongs to an application. DNS is below 5% of current Internet traffic.
Availability
Availability is critical for DNS servers: DNS servers are in the front line of attacks on the Internet. They are the weakest link in the chain!
Number of Entities
Entities: clients and local DNS servers (most of them are hidden due to DNS caching); authoritative DNS servers and root servers (root servers are usually static and well-known).
Response Latency
Response Latency is the time between the issuance of a DNS request and the receipt of the response.
It is related to availability of DNS servers and DNS caching.
Studies have explored the distribution of delays for popular servers or authoritative servers of popular domains.
Figure: timeline from request issuance to response receipt; the interval between them is the response latency.
TTL and Extent of Caching
A Time-To-Live (TTL) value is the validity duration of the mapping returned by an authoritative DNS server and held by a caching DNS server.
Web browsers do their own caching of DNS mappings.
TTLs represent a trade-off between:
speed (avoiding repeated issuance of the same query), and
the overall number of DNS messages.
Software Configuration
Bad configuration results in performance problems and internal information leaks (violating the privacy of clients, providing information to competitors).
Measuring this property requires awareness of the software implementation variants.
Location of DNS Server
The physical and topological locations of DNS servers on the Internet can provide a rough map of where the clients are, since clients tend to be close to their local DNS servers.
Characteristics of Queries
The most common query type is name-to-address translation.
But how common are the other types of queries, such as address-to-name translation?
Validity of Queries
Security: access is limited for some users through Access Control Lists (ACLs).
An estimate of the number of failed queries (e.g. for sites in ACLs) is an interesting property.
Frequency and Count of Lookups
From the site-popularity viewpoint: the number of lookups for an address may be an indication of its popularity.
From the traffic viewpoint: the amount of traffic that stays within a network, as opposed to the fraction that is visible outside, indicates the extent of caching.
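An added simulation (not from the slides) of the TTL trade-off and of the inside/outside traffic split just described: it replays a constructed client workload through one caching local resolver and counts how many query/response pairs must leave the network for a given TTL. The workload, the names and the candidate TTLs are constructed for illustration.

```python
from collections import namedtuple

Lookup = namedtuple("Lookup", "t qname")   # t = seconds since the start of the replay

def simulate_cache(lookups, ttl):
    """Replay client lookups (in time order) through one caching local resolver.
    A cached mapping is reused until `ttl` seconds after it was fetched upstream.
    Returns (upstream_queries, fraction_visible_outside, local_hit_rate)."""
    cache = {}              # qname -> expiry time of the cached mapping
    upstream = 0
    for lk in sorted(lookups, key=lambda x: x.t):
        expiry = cache.get(lk.qname)
        if expiry is not None and lk.t < expiry:
            continue        # answered from the cache: traffic stays inside the network
        upstream += 1       # one query/response pair leaves the network
        cache[lk.qname] = lk.t + ttl
    total = len(lookups)
    return upstream, round(upstream / total, 3), round(1 - upstream / total, 3)

def compare_ttls(lookups, ttls):
    """Map each candidate TTL to its (upstream queries, visible fraction, hit rate)."""
    return {ttl: simulate_cache(lookups, ttl) for ttl in ttls}

# Constructed workload: three clients resolving one popular name every 10 s
# for five minutes, plus a rarely used name looked up three times.
WORKLOAD = ([Lookup(t + c, "www.example.com") for t in range(0, 300, 10) for c in range(3)]
            + [Lookup(t, "rare.example.net") for t in (5, 125, 245)])

if __name__ == "__main__":
    for ttl, (up, visible, hits) in compare_ttls(WORKLOAD, (0, 60, 3600)).items():
        print(f"TTL={ttl:>4}s upstream={up:>3} visible_outside={visible:.3f} hit_rate={hits:.3f}")
```

With TTL 0 all 93 lookups are visible outside; with TTL 60 only 8 are, and with TTL 3600 only the 2 first-time fetches.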
DNS Measurement Challenges
The degree of control exercised by local administrators is considerable, which makes measurement from outside hard.
Lots of hidden entities; lots of cached data.
Hidden Data (1)
There is no information about clients behind a local DNS server.
There is no published directory of local or authoritative DNS servers.
Configuration parameters of local DNS servers, and their effect of producing more hidden data.
Hidden Data (2)
From the traffic viewpoint: local DNS servers hide information (e.g. traffic data) about their clients from the outside world.
Access Control Lists prevent lookups behind a network.
Firewalls typically don't allow UDP packets on the DNS port.
Some organizations handle their internal DNS requests on their own.
More Challenges
Hidden layer: as anycast is not implemented in many DNS servers, one cannot measure all nodes from a single or a few locations. Anycast allows delivery of a datagram to one server in a set of servers.
Hidden entities: although the "iterative mode" of DNS lookup allows a client to contact some servers directly, DNS caching may hide the outside world from it and vice versa.
DNS Measurement Tools
Source / name of the tool | Primary function
Passive measurement:
  Netflow logs | Local characterization of DNS traffic
  DNS update logs | Traffic characterization
  Graph representation | Classifying DNS entities
  NeTraMet | DNS spectroscopy
Active monitoring:
  dnsstat | Local DNS statistics
  dnstop | Local DNS statistics, highlighting unusual events
  dsc | Local DNS statistics filtered to aid troubleshooting
Active measurement:
  fpdns | Identifying DNS implementation
  dnschecker | Identifying nodes in the DNS resolution path
Passive Measurement for Characterization (1)
Types of useful offline data here:
DNS logs: usually available at root servers; rare at clients or local servers; good for intrusion detection at servers.
Traffic data (in the form of Netflow): obtained just by examining UDP/TCP traffic on port 53; usually presented as a directed graph.
Packet traces: can be collected by mirroring the DNS port and running tcpdump on another host (not interfering with the root servers!).
Passive Measurement for Characterization (2)
NeTraMet (Network Traffic Flow Management Tool)
NeTraMet has passive access to packets. It is good for examining traffic at a narrow set of machines (the 13 root servers). It is capable of logging the time of request/response, the source and destination IP addresses, the type of DNS query, and optional information.
tcpdpriv can capture packet traces and/or anonymize traces.
A flow is an arbitrary collection of bi-directional packets with a large number of attributes (40+).
Active Monitoring for Characterization (1)
dnsstat (CAIDA group) monitors port 53 and presents statistics about DNS queries.
It has to be able to see all DNS-related traffic to the monitored entity (client or server), because it works in the same LAN.
Some of dnsstat's results on root servers: 75% of DNS queries are name-to-address translations; 8% are IP-to-name conversions. It helped to optimize the placement of DNS root servers.
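An added example of the passive classification that dnsstat performs, written here from scratch (it is not dnsstat's code): it parses the question section of raw port-53 query payloads and computes the share of name-to-address (A) versus address-to-name (PTR) queries. The sample payloads are constructed inline with the included encoder, not taken from a real trace.

```python
import struct
from collections import Counter

# QTYPE codes from RFC 1035 / RFC 3596; anything else is reported as "other"
QTYPE_NAMES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 28: "AAAA"}

def parse_name(msg: bytes, offset: int):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                   # 2-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                             # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                               # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_question(msg: bytes):
    """Return (qname, qtype code) of the first question in a DNS message."""
    _txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = parse_name(msg, 12)                  # question follows the 12-byte header
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return qname, qtype

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a minimal standard query; used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)        # class IN

def characterize(packets):
    """dnsstat-style split: fraction of queries per QTYPE (A = name->address, PTR = address->name)."""
    counts = Counter(QTYPE_NAMES.get(parse_question(p)[1], "other") for p in packets)
    total = sum(counts.values())
    return {k: round(v / total, 3) for k, v in counts.items()}

# Constructed sample of port-53 query payloads (not a real trace)
SAMPLE = ([build_query("www.example.com", 1)] * 6
          + [build_query("4.3.2.1.in-addr.arpa", 12)] * 2
          + [build_query("example.com", 15), build_query("www.example.com", 28)])

if __name__ == "__main__":
    print(characterize(SAMPLE))   # {'A': 0.6, 'PTR': 0.2, 'MX': 0.1, 'AAAA': 0.1}
```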
Active Monitoring for Characterization (2)
dnstop (Measurement Factory group) uses the libpcap library on top of tcpdump-generated traces to display DNS-related information similar to dnsstat (with some additional info).
It can reveal buggy DNS server implementations that allow bad queries, such as IP-to-IP translation.
Active Monitoring for Characterization (3)
dsc (an extension of dnstop) collects statistics at busy DNS servers into XML-format files and displays them graphically. It can gather data on an alternate machine to which the DNS server is connected over a switch, using port mirroring. It is good for busy servers.
It can generate a graphical representation of the rate of DNS replies and their length in bytes.
Active Measurement for Characterization (1)
Active tools impose additional load on DNS servers, so they should be used carefully.
fpdns (a Perl script) is capable of generating a rough fingerprint of DNS servers. It checks a variety of hypotheses, much like a reverse-engineering tool, by sending queries remotely. Results obtained using fpdns show that 70% of name servers use BIND.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS protocols and provides an openly redistributable reference implementation of the major components.
Active Measurement for Characterization (2)
Further fpdns results: 98% of errors were query timeouts. In the German DNS, more than 55,000 DNS servers exist, and 87% of them use BIND.
Active Measurement for Characterization (3)
dnschecker lists all servers involved in a query resolution.
It checks the correctness of responses, changes in DNS records, the paths taken by a DNS query, etc.
It gives an indication of the server load balancing performed and of the fraction of queries that would be answered by the authoritative server.
Performance Measurement Tools (1)
Goals:
How the queries are spread over the root and top-level DNS servers
How well the queries are handled
The actual impact of DNS on clients
The role played by caching and its effectiveness
Performance Measurement Tools (2)
Methods:
Passive: the metrics are availability, latency, number and rate of queries handled at a busy server, and extent of caching. It involves examining DNS logs at the application level.
Active: the goal is to get the apparent latency felt by clients. It has been done via tools distributed to different client locations.
Use of DNS in Other Applications
Technique | Use in application
Content distribution | Locating nearest replica
Load balancing | Server selection
Examining nearness to clients | Estimating latency between nodes
Piggybacking small messages | Reducing latency in Web transactions
Examining lookup frequency | Inferring popularity of applications
Blackhole lists and spam | Spam avoidance
Tunneling non-DNS traffic through firewalls | Attacks
How Akamai (A Content Distribution Network) Works
Figure: how Akamai works, shown as 12 numbered steps. Entities: end user, cnn.com (content provider), DNS root server, Akamai high-level DNS server, Akamai low-level DNS server, nearby matching Akamai server. Messages shown: "Get index.html", "Get foo.jpg", "Get /cnn.com/foo.jpg".
State of the Art
Results in DNS Characterization
Results in DNS Performance
Using DNS for Other Applications
Results in DNS Characterization
DNS was introduced in 1984, when there were barely 1000 hosts. In 1992, DNS was 14% of Internet traffic; in 2001, 23% of queries had no result; in 2003, there were 100 million queries per day.
Two types of research in the area: techniques to solve the previous challenges, and demonstrations of the problem of unreachability of some data.
Figure: graph-based characterization of DNS entities.
Closer Look at DNS Root Servers
In late 2002, 150 million queries were gathered in one day from a root server using port mirroring.
Nearly 400,000 unique source IP addresses were seen during that day.
They found that one organization was responsible for more than 15% of the traffic because of its bad configuration.
70% of the queries were identical name-to-address translations, which were generated by robots!
They also found that only 2% of the queries were really legitimate.
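An added example (not the study's own code) of the two checks behind the findings above: the share of queries per source address, which exposes a misconfigured organization, and the fraction of exact repeats of an earlier query, which exposes robot traffic. The log format, the 15% threshold and the log lines are constructed for this illustration.

```python
from collections import Counter

def parse_log(text):
    """Parse 'unix_ts src_ip qtype qname' lines (a constructed format for this example)."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, qtype, qname = line.split()
        rows.append((int(ts), src, qtype.upper(), qname.lower().rstrip(".")))
    return rows

def summarize(rows, share_threshold=0.15):
    """Per-source share and identical-repeat fraction over one day of root-server queries.
    share_threshold (assumed here) marks sources that dominate the load."""
    total = len(rows)
    by_src = Counter(src for _, src, _, _ in rows)
    by_query = Counter((src, qtype, qname) for _, src, qtype, qname in rows)
    repeats = sum(n - 1 for n in by_query.values())       # exact re-sends of an earlier query
    top_src, top_n = by_src.most_common(1)[0]
    return {
        "queries": total,
        "unique_sources": len(by_src),
        "top_source": top_src,
        "top_source_share": round(top_n / total, 3),
        "identical_repeat_fraction": round(repeats / total, 3),
        "suspect_sources": sorted(s for s, n in by_src.items() if n / total >= share_threshold),
    }

# Constructed log: one misconfigured host re-sending the same A query 40 times,
# one robot re-sending a PTR query 10 times, and ten ordinary clients with 3 distinct
# queries each (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = "\n".join(
    [f"{1038700000 + i} 198.51.100.7 A www.example.com" for i in range(40)]
    + [f"{1038700000 + i} 203.0.113.5 PTR 1.2.0.192.in-addr.arpa" for i in range(10)]
    + [f"{1038700000 + 3 * s + k} 192.0.2.{s} A host{k}.client{s}.example.net"
       for s in range(1, 11) for k in range(3)])

if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```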
Results in DNS Performance
2002: a wide-area research effort modified BIND (adding an auto-logging capability) and installed the new version on 75 machines.
Performance measures were time to complete a lookup, RTT to the server, number of retries, average response time, etc.
Results: while the success of lookups was consistent, response time varied significantly. 20-30% of the time was spent in top-level domain name servers, while root servers had no delay. 1/4 of the queries were aliases. Root servers will be able to handle the load of a denial of service, whereas top-level domain servers cannot.
Results in DNS Performance
2003: NeTraMet was used for two days.
Performance measures were response time, the choice of server selected, repeated queries, and query rates.
Results: the distribution of response times had a long tail and was correlated with the geographical distance from the measurement point to the root server.
They found a server that was sending a query for .net every two minutes!
Using DNS for Other Applications (1): Using the nearness of DNS servers to clients
"King" tool set assumptions: a large number of IP hosts are topologically close to their authoritative name servers. Latency between any two name servers can be accurately measured using recursive DNS queries. Latency between end hosts can be approximated as the latency between their name servers.
Using DNS for Other Applications (2): Piggybacking on DNS (in DNS-Enhanced Web [2003])
Use of the available space in DNS queries and DNS responses: 40 bytes in a DNS query, 512 bytes in a UDP response. Embed an HTTP request into the available space in the UDP packet.
Good for content distribution networks: delivering small images in DNS packets.
Using DNS for Other Applications (3): Relative popularity via DNS
If a particular application is popular, then it hits periodically on DNS caches. This indicates what applications are popular in different sub-classes at the same time. It can be used in assigning TTLs at local DNS servers.
dnscache (a different kind of snooping): an easy way to locate a list of misspellings is to query caches to see if they occur often enough. It is useful for domain typo-squatters to suggest to domain owners that they buy new misspelled domains.
Using DNS for Other Applications (4): Blackhole lists and spam
We can blackhole the domain of the spamming server by asking DNS resolvers not to reply to queries about those domains.
Reverse MX (RMX group):
Step 1: DNS asks for the domains that are authorized to send mail on behalf of popular mail servers. "DNS: Dear popular mail servers, please introduce your authorized domains to me."
Step 2: Each mail receiver queries DNS to check the validity of the "From domain" of the email sender. "SMTP server: Dear DNS, is this From domain a valid one?"
Using DNS for Other Applications (5): Tunneling non-DNS traffic through firewalls
As DNS is critical for most Internet applications and usually uses UDP, it became a good gateway for hackers and creators of Trojan horses to pass through firewalls.
Hackers can bypass firewalls using DNS-like packets, sending a split file in a sequence of these queries.
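An added detection example (not from the slides) for the traffic pattern just described, as a defender would run it over local DNS logs: group queries by registered domain and flag domains whose query names look like encoded data rather than host names (never-repeating subdomains, long names, high-entropy labels, data-carrying record types). The thresholds, the two-label registered-domain rule and the sample queries are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def base_domain(qname: str) -> str:
    """Registered domain approximated as the last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def score_domains(queries, min_queries=5):
    """Group (qtype, qname) pairs by registered domain and compute tunnelling indicators.
    The thresholds in 'suspicious' are illustrative assumptions, not measured values."""
    groups = defaultdict(list)
    for qtype, qname in queries:
        qname = qname.rstrip(".").lower()
        groups[base_domain(qname)].append((qtype.upper(), qname))
    report = {}
    for dom, qs in groups.items():
        if len(qs) < min_queries:
            continue                                   # too little traffic to judge
        subs = [q[:-len(dom) - 1] for _, q in qs if q != dom]
        unique_ratio = len(set(subs)) / len(qs)        # host names repeat; encoded data does not
        avg_len = sum(len(q) for _, q in qs) / len(qs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / max(len(subs), 1)
        rare = sum(t in {"TXT", "NULL", "CNAME"} for t, _ in qs) / len(qs)
        report[dom] = {
            "queries": len(qs),
            "unique_subdomain_ratio": round(unique_ratio, 3),
            "avg_qname_len": round(avg_len, 1),
            "avg_subdomain_entropy": round(avg_ent, 2),
            "rare_qtype_fraction": round(rare, 3),
            "suspicious": unique_ratio > 0.9 and avg_len > 50 and avg_ent > 3.5,
        }
    return report

def _synthetic_label(i: int, width: int = 40) -> str:
    """Constructed high-entropy label for the test fixture (not real tunnel traffic)."""
    return "".join(chr(ord("a") + (i * 7 + j * 3) % 26) for j in range(width))

# Constructed sample: ordinary host lookups under example.com next to a burst of
# long, never-repeating TXT queries under t.example.net
SAMPLE_QUERIES = ([("A", f"{h}.example.com") for h in ("www", "mail", "cdn")] * 4
                  + [("TXT", f"{_synthetic_label(i)}.t.example.net") for i in range(12)])

if __name__ == "__main__":
    for dom, stats in score_domains(SAMPLE_QUERIES).items():
        print(dom, stats)
```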