Applications: Domain Name System Mitra Nasri ECE Department, University of Tehran Fall 2009

Page 1

Applications: Domain Name System

Mitra Nasri

ECE Department, University of Tehran

Fall 2009

Page 2

Table of Contents

Internet Applications (Application Mix)
DNS Measurement
    Properties
    Challenges
    Tools
    DNS in Other Applications
    State of the Art

Mitra Nasri, Internet Measurement, Applications (Chapter 7), DNS 2

Page 3

Internet Applications

Why do we study Internet applications? Applications are the visible part of the Internet. The infrastructure supports the flow of the traffic of different applications.

We want to examine the flow of application traffic over the infrastructure.

(Figure: user, application mix, infrastructure)

Page 4

Applications we will study

Web: 1 client <-> 1 server
P2P: N peers
DNS
Online games: clients and some central servers

(Figure: application mix)

Page 5

Application Mix

FTP (1980s): it transported files in an anonymous mode (unknown clients). Clients had to know the server address. In the 1980s, email and Telnet were based on FTP.

Network News Groups (1980s, a bit after FTP).

WWW over the HTTP protocol (1990): became the majority of traffic after 1998.

P2P (end of the 1990s): Napster had attractive content and young clients.

Page 7

DNS Measurement: Introduction

Definition: DNS is a database distributed across servers that handles name and address resolution on a hierarchical basis.

DNS uses the UDP protocol. Traffic in DNS is a query and a response, and both can fit in a single datagram. UDP scales much better for the DNS application. Note that zone transfers use TCP.

DNS | Introduction

Page 9

DNS Routing (by Iteration)

Page 11

DNS Properties of Interest to Measure

Measured property            | Why                        | Where
Fraction of Internet traffic | Guides other issues        | Across the Internet
Availability                 | Critical to infrastructure | Root and authoritative servers
Number of entities           | Performance                | Remote reverse engineering
Response latency             | Performance                | Targeted set of servers
TTL assigned                 | CDN server selection       | At sampled local DNS servers
Extent of caching            | Performance                | At multiple sites
Software configurations      | Correctness / variance     | Locally
Location of DNS servers      | Mapping                    | Globally
Characteristics of queries   | Correctness                | Local DNS servers
Validity of queries          | Access control             | Locally
Frequency of lookups         | Application popularity     | Locally

DNS | Properties

Page 12

Fraction of Internet Traffic

Traffic types for DNS: queries, responses, and forwarding of queries and responses.

The fraction of Internet traffic that belongs to an application.

DNS is below 5% of current Internet traffic.

Page 13

Availability

Availability is critical for DNS servers. DNS servers are in the front line of attacks on the Internet. They are the weakest link in the chain!

Page 14

Number of Entities

Entities:
Clients and local DNS servers: most of them are hidden due to DNS caching.
Authoritative DNS servers and root servers: root servers are usually static and well-known.

Page 15

Response Latency

Response latency is the time between the issuance of a DNS request and the receipt of the response. It is related to the availability of DNS servers and to DNS caching.

Studies have explored the distribution of delays for popular servers or for the authoritative servers of popular domains.

(Figure: timeline from request issuance to response receipt; the interval between them is the response latency.)

Page 16

TTL and Extent of Caching

A Time-To-Live value is the validity duration of the mapping returned by an authoritative DNS server and by a caching DNS server. Web browsers do their own caching of DNS mappings.

TTLs represent a trade-off between:
Speed (to avoid repeated issuance of the same query)
Overall number of DNS messages

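The iterative walk on the routing slide (root, then TLD, then authoritative server) and the TTL trade-off above, as an added Python example that is not part of the original lecture: a toy caching resolver that counts the messages each lookup costs under different TTLs. The zone data, server names, addresses and timings are constructed.

```python
from dataclasses import dataclass, field

# Constructed toy zone data (hypothetical servers and addresses): the two
# referral levels an iterative lookup walks through before the answer.
ROOT_REFERRALS = {"com.": "tld-server.example."}      # root -> TLD server
TLD_REFERRALS = {"example.com.": "ns1.example.com."}   # TLD -> authoritative server


def top_level(name):
    """'www.example.com.' -> 'com.'"""
    return name.rstrip(".").rsplit(".", 1)[-1] + "."


def parent_zone(name):
    """'www.example.com.' -> 'example.com.'"""
    return name.split(".", 1)[1]


@dataclass
class IterativeResolver:
    """Caching resolver that iterates root -> TLD -> authoritative on a miss."""
    auth_records: dict                          # name -> (address, ttl_seconds)
    cache: dict = field(default_factory=dict)   # name -> (address, expires_at)
    messages_sent: int = 0                      # queries that actually left the resolver

    def lookup(self, name, now):
        """Return (address, 'hit' | 'miss'); the address is None if the name is unknown."""
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:   # still inside its TTL
            return cached[0], "hit"
        # Step 1: ask a root server; it refers us to the TLD server.
        self.messages_sent += 1
        if top_level(name) not in ROOT_REFERRALS:
            return None, "miss"
        # Step 2: ask the TLD server; it refers us to the authoritative server.
        self.messages_sent += 1
        if parent_zone(name) not in TLD_REFERRALS:
            return None, "miss"
        # Step 3: ask the authoritative server for the record itself.
        self.messages_sent += 1
        record = self.auth_records.get(name)
        if record is None:
            return None, "miss"
        address, ttl = record
        self.cache[name] = (address, now + ttl)      # valid until the TTL runs out
        return address, "miss"


def messages_for_workload(ttl, interval, n_queries, name="www.example.com."):
    """Total DNS messages sent when the same name is looked up every `interval` seconds."""
    resolver = IterativeResolver({name: ("192.0.2.10", ttl)})
    for i in range(n_queries):
        resolver.lookup(name, now=i * interval)
    return resolver.messages_sent


if __name__ == "__main__":
    # The trade-off from the TTL slide: a short TTL repeats the three-message
    # iteration again and again; a long TTL answers almost everything from cache.
    for ttl in (30, 300, 3600):
        n = messages_for_workload(ttl, interval=60, n_queries=10)
        print(f"TTL {ttl:5d}s: {n:2d} messages on the wire for 10 lookups")
```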
Page 17

Software Configuration

Bad configuration results in:
Performance problems
Internal information leaks
Violating the privacy of clients
Providing information to competitors

Measuring this property requires awareness of the software implementation variants.

Page 18

Location of DNS Servers

The physical and topological locations of DNS servers on the Internet can provide a rough map of where the clients are, since clients tend to be close to their local DNS servers.

Page 19

Characteristics of Queries

The most common query type is the name-to-address translation. But how many queries of other types are there, e.g. address-to-name translation?

Page 20

Validity of Queries

Security: limited access for some users through Access Control Lists (ACLs).

An estimate of the number of failed queries (e.g. for sites in ACLs) is an interesting property.

Page 21

Frequency and Count of Lookups

From the site-popularity viewpoint: the number of lookups for an address may be an indication of its popularity.

From the traffic viewpoint: the amount of traffic that stays within a network, as opposed to the fraction that is visible outside, indicates the extent of caching.

Page 23

DNS Measurement Challenges

The degree of control exercised by local administrators is considerable, which makes measurement from outside hard.
Lots of hidden entities.
Lots of cached data.

DNS | Challenges

Page 24

Hidden Data (1)

There is no information about:
Clients behind a local DNS server
Local or authoritative DNS servers (there is no published directory of them)
Configuration parameters of local DNS servers, and their effect of producing more hidden data

Page 25

Hidden Data (2)

From the traffic viewpoint, local DNS servers hide information (e.g. traffic data) of their clients from the outside world.

Access Control Lists prevent lookups behind a network.

Firewalls typically don't allow UDP packets on the DNS port.

Some organizations handle their internal DNS requests on their own.

Page 26

More Challenges

Hidden layer: as anycast is not implemented in many DNS servers, one cannot measure all nodes from a single location or a few locations. Anycast allows delivery of a datagram to one server in a set of servers.

Hidden entities: although the iterative mode of DNS lookup allows a client to contact some servers directly, DNS caching may hide the outside world from it, and vice versa.

Page 28

DNS Measurement Tools

Category            | Source / name of the tool | Primary function
Passive measurement | Netflow logs              | Local characterization of DNS traffic
                    | DNS update logs           | Traffic characterization
                    | Graph representation      | Classifying DNS entities
                    | NeTraMet                  | DNS spectroscopy
Active monitoring   | dnsstat                   | Local DNS statistics
                    | dnstop                    | Local DNS statistics, highlighting unusual events
                    | dsc                       | Local DNS statistics filtered to aid troubleshooting
Active measurement  | fpdns                     | Identifying DNS implementation
                    | dnschecker                | Identifying nodes in the DNS resolution path

DNS | Tools

Page 29

Passive Measurement for Characterization (1)

Types of useful offline data here:

DNS logs: usually available at root servers, rare at clients or local servers; good for intrusion detection at servers.

Traffic data (in the form of Netflow): obtained just by examining UDP/TCP traffic on port 53; usually presented as a directed graph.

Packet traces: can be obtained by mirroring the DNS port and running tcpdump on another host (without interfering with the root servers!).

Page 30

Passive Measurement for Characterization (2)

NeTraMet (Network Traffic Flow Management Tool) has passive access to packets. It is good for examining traffic at a narrow set of machines (the 13 root servers). It is capable of logging the time of request/response, the source and destination IP address, the type of DNS query, and optional information.

TCPDrip can capture packet traces and/or anonymize traces.

A flow is an arbitrary collection of bi-directional packets with a large number of attributes (40+).

Page 31

Active Monitoring for Characterization (1)

dnsstat (CAIDA group) monitors port 53 and presents statistics about DNS queries. It has to be able to see all DNS-related traffic to the monitored entity (client or server), because it works in the same LAN.

Some dnsstat results on root servers: 75% of DNS queries are name-to-address translations; 8% are IP-to-name conversions. It helped to optimize the placement of DNS root servers.

Page 32

Active Monitoring for Characterization (2)

dnstop (Measurement Factory group) uses the libpcap library on top of tcpdump-generated traces to display DNS-related information similar to dnsstat (with some additional info).

It can reveal buggy DNS server implementations that allow bad queries such as IP-to-IP translation.

Page 33

Active Monitoring for Characterization (3)

dsc (an extension of dnstop) collects statistics at busy DNS servers into XML-format files and displays them graphically. It can gather data on an alternate machine to which the DNS server is connected over a switch, using port mirroring. It is good for busy servers.

It can generate a graphical representation of the rate of DNS replies and their length in bytes.

Page 34

Active Measurement for Characterization (1)

Active measurements impose additional load on DNS servers, so they should be used carefully.

fpdns (a Perl script) is capable of generating a rough fingerprint of DNS servers. It checks a variety of hypotheses, much like a reverse-engineering tool, by sending queries remotely. Results obtained using fpdns show that 70% of name servers use BIND.

Page 35

Active Measurement for Characterization (2)

fpdns results:

70% of name servers use BIND. BIND (Berkeley Internet Name Domain) is an implementation of the DNS protocols and provides an openly redistributable reference implementation of the major components.

98% of errors were query time-outs.

In the German DNS, more than 55,000 DNS servers exist, while 87% of them use BIND.

Page 36

Active Measurement for Characterization (3)

dnschecker lists all servers involved in a query resolution. It checks the correctness of responses, changes in DNS records, the paths taken by a DNS query, etc.

It gives an indication of the server load balancing done and of the fraction of queries that would be answered by the authoritative server.

Page 37

Performance Measurement Tools (1)

Goals:
How the queries are spread over the root and top-level DNS servers
How well the queries are handled
The actual impact of DNS on clients
The role played by caching and its effectiveness

Page 38

Performance Measurement Tools (2)

Methods:

Passive: the metrics are availability, latency, number and rate of queries handled at a busy server, and extent of caching. It involves examining DNS logs at the application level.

Active: the goal is to get the apparent latency felt by clients. It has been done via tools distributed to different client locations.

Page 40

Use of DNS in Other Applications

Technique                                   | Use in application
Content distribution                        | Locating the nearest replica
Load balancing                              | Server selection
Examining nearness to clients               | Estimating latency between nodes
Piggybacking small messages                 | Reducing latency in Web transactions
Examining lookup frequency                  | Inferring popularity of applications
Blackhole lists and spam                    | Spam avoidance
Tunneling non-DNS traffic through firewalls | Attacks

DNS | DNS in Other Applications

Page 41

How Akamai (a Content Distribution Network) Works

(Figure: the 12-step exchange between the end-user, cnn.com (the content provider), the DNS root server, the Akamai server, the Akamai high-level DNS server, the Akamai low-level DNS server and the nearby matching Akamai server; the labelled requests are "Get index.html", "Get /cnn.com/foo.jpg" and "Get foo.jpg".)

Page 43

State of the Art

Results in DNS Characterization
Results in DNS Performance
Using DNS for Other Applications

DNS | State of the Art

Page 44

Results in DNS Characterization

DNS was introduced in 1984, when there were barely 1000 hosts.
In 1992, DNS was 14% of Internet traffic.
In 2001, 23% of queries had no result.
In 2003, there were 100 million queries per day.

Two types of research in the area:
Techniques to solve the previous challenges
Demonstration of the problem of unreachability of some data

Page 45

Graph-based Characterization of DNS Entities

DNS | State of the Art | Results in DNS characterization

Page 46

A Closer Look at DNS Root Servers

In late 2002, 150 million queries were gathered in one day from a root server using port mirroring. Nearly 400,000 unique source IP addresses were seen during that day.

They found that one organization was responsible for more than 15% of the traffic because of its bad configuration.

70% of queries were identical name-to-address translations, which were generated by robots!

They also found that only 2% of the queries were really legitimate.

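An added Python example, not from the lecture or from any of the tools it names, of the passive characterization that the dnsstat slide and the root-server study above describe: it parses constructed tcpdump-style query lines and computes the query-type breakdown, the share of each source and the fraction of identical repeated queries. The capture, its hosts and the thresholds are constructed.

```python
import re
from collections import Counter

# Constructed tcpdump-style query lines standing in for a port-53 capture at a
# server (none of these hosts or names are real). One client, 203.0.113.7,
# repeats the same A query the way the misconfigured "robots" on the slides do.
CAPTURE = """\
10:00:00.001 IP 203.0.113.7.40001 > 198.51.100.1.53: 1001+ A? mail.example.net. (34)
10:00:00.002 IP 192.0.2.10.51001 > 198.51.100.1.53: 2001+ A? www.example.com. (33)
10:00:00.003 IP 203.0.113.7.40001 > 198.51.100.1.53: 1002+ A? mail.example.net. (34)
10:00:00.004 IP 192.0.2.11.51002 > 198.51.100.1.53: 2002+ PTR? 10.2.0.192.in-addr.arpa. (41)
10:00:00.005 IP 203.0.113.7.40001 > 198.51.100.1.53: 1003+ A? mail.example.net. (34)
10:00:00.006 IP 192.0.2.12.51003 > 198.51.100.1.53: 2003+ A? ftp.example.org. (33)
10:00:00.007 IP 203.0.113.7.40001 > 198.51.100.1.53: 1004+ A? mail.example.net. (34)
10:00:00.008 IP 192.0.2.13.51004 > 198.51.100.1.53: 2004+ MX? example.com. (29)
10:00:00.009 IP 203.0.113.7.40001 > 198.51.100.1.53: 1005+ A? mail.example.net. (34)
10:00:00.010 IP 192.0.2.14.51005 > 198.51.100.1.53: 2005+ A? www.example.net. (33)
"""

# One query line: timestamp, src.port > dst.53: id[+] TYPE? name. (len)
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.53: "
    r"\d+\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_queries(capture):
    """Return a list of (src, qtype, qname); lines that are not queries are skipped."""
    queries = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            queries.append((m["src"], m["qtype"], m["qname"]))
    return queries


def qtype_fractions(queries):
    """Share of each query type: the dnsstat-style name-to-address vs. reverse breakdown."""
    counts = Counter(qtype for _, qtype, _ in queries)
    return {qtype: n / len(queries) for qtype, n in counts.items()}


def heavy_sources(queries, share_threshold=0.15):
    """Sources sending more than `share_threshold` of all queries; the single
    misconfigured organization behind 15% of root traffic would surface here."""
    counts = Counter(src for src, _, _ in queries)
    return {src: n / len(queries) for src, n in counts.items()
            if n / len(queries) > share_threshold}


def repeated_identical_fraction(queries, min_repeats=3):
    """Fraction of queries that are exact repeats (same source, type and name)
    seen at least `min_repeats` times; a correctly caching client should not
    re-ask the same question inside the answer's TTL."""
    counts = Counter(queries)
    repeated = sum(n for n in counts.values() if n >= min_repeats)
    return repeated / len(queries)


if __name__ == "__main__":
    qs = parse_queries(CAPTURE)
    print("query types:", qtype_fractions(qs))
    print("heavy sources:", heavy_sources(qs))
    print("identical repeats:", repeated_identical_fraction(qs))
```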
Page 47

Results in DNS Performance

2002: a wide-area study modified BIND (for an auto-logging capability) and installed the new version on 75 machines.

Performance measures were the time to complete a lookup, RTT to the server, number of retries, average response time, etc.

Results: while the success of results was consistent, response time varied significantly. 20-30% of the time was spent in top-level domain name servers, while root servers had no delay. ¼ of the queries were aliases. Root servers will be able to handle the load of a denial of service, whereas top-level domain servers cannot.

Page 48

Results in DNS Performance

2003: NeTraMet was used for two days.

Performance measures were response time, the choice of server that was selected, repeated queries, and query rates.

Results: the distribution of response times had a long tail and was correlated with the geographical distance from the measurement point to the root server. They found a server that was sending a query for .net every two minutes!

Page 49

Using DNS for Other Applications (1): Using the Nearness of DNS Servers to Clients

"King" tool set assumptions:
A large number of IP hosts are topologically close to their authoritative name servers.
Latency between any two name servers can be accurately measured by using recursive DNS queries.
Latency between end hosts can be approximated as the latency between their name servers.

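The King measurement that these assumptions support, as an added Python example that is not part of the lecture or of the King tool set: the recursive-query subtraction that yields the latency between two name servers, run on constructed RTT samples. The names M, nsA, nsB, hostA and hostB and the minimum-of-samples rule are assumptions made here.

```python
# Constructed RTT samples in milliseconds (no real servers were measured).
# DIRECT:    the measurement host M asks nsA, the authoritative server of host A,
#            for a name nsA itself holds:            M -> nsA -> M
# RECURSIVE: M asks nsA, with recursion desired, for a name that only nsB holds,
#            so nsA has to ask nsB first:           M -> nsA -> nsB -> nsA -> M
DIRECT_SAMPLES = [43.1, 40.6, 47.9, 41.2, 40.4]
RECURSIVE_SAMPLES = [71.8, 66.3, 69.0, 82.5, 65.9]


def king_latency(direct_rtts, recursive_rtts, min_plausible_ms=1.0):
    """King's estimate of the nsA <-> nsB round trip: the recursive RTT minus the
    direct RTT. The minimum of each sample set is used so that queueing delay on
    one run does not inflate the estimate (an assumption made here, not on the
    slide). Returns None when the difference is too small to be a real extra hop,
    which is what happens if nsA already had the answer cached and never
    contacted nsB, or if recursion was refused."""
    if not direct_rtts or not recursive_rtts:
        return None
    estimate = min(recursive_rtts) - min(direct_rtts)
    return estimate if estimate >= min_plausible_ms else None


# Assumptions 1 and 3 of King as a constructed lookup table: each end host is
# mapped to the authoritative name server it is topologically close to.
AUTHORITATIVE_NS = {"hostA": "nsA", "hostB": "nsB"}


def estimate_host_latency(host_a, host_b, ns_measurements):
    """Approximate RTT(host_a, host_b) by RTT(nsA, nsB), taken from
    `ns_measurements`, a dict {(nsA, nsB): (direct_samples, recursive_samples)}.
    Returns None if that name-server pair was never measured."""
    pair = (AUTHORITATIVE_NS[host_a], AUTHORITATIVE_NS[host_b])
    if pair not in ns_measurements:
        return None
    direct, recursive = ns_measurements[pair]
    return king_latency(direct, recursive)


if __name__ == "__main__":
    measured = {("nsA", "nsB"): (DIRECT_SAMPLES, RECURSIVE_SAMPLES)}
    print("RTT(hostA, hostB) ~", estimate_host_latency("hostA", "hostB", measured), "ms")
```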
Page 50

Using DNS for Other Applications (2): Piggybacking on DNS (in DNS-Enhanced Web [2003])

Use of the available space in DNS queries and DNS responses: 40 bytes in a DNS query, 512 bytes in a UDP response. Embed an HTTP request into the available space in the UDP packet.

Good for Content Distribution Networks: delivering small images in DNS packets.

Page 51

Using DNS for Other Applications (3): Relative Popularity via DNS

If a particular application is popular, then it hits DNS caches periodically. This indicates which applications are popular in different sub-classes at the same time. It can be used in assigning TTLs at the local DNS servers.

dnscache (a different kind of snooping): an easy way to locate a list of misspellings is to query caches to see if they occur often enough. It is useful for domain typo-squatters, who suggest that domain owners buy new misspelled domains.

Page 52

Using DNS for Other Applications (4): Blackhole Lists and Spam

We can blackhole the domain of the spamming server by asking DNS resolvers not to reply to queries about those domains.

Reverse MX (RMX group):

Step 1: DNS asks for the domains that are authorized to send mail on behalf of popular mail servers. "DNS: Dear popular mail servers, please introduce your authorized domains to me."

Step 2: Each mail receiver queries DNS to check the validity of the "From domain" of the email sender. "SMTP server: Dear DNS, is this 'From domain' a valid one?"

Page 53

Using DNS for Other Applications (5): Tunneling non-DNS Traffic through Firewalls

As DNS is critical for most Internet applications and usually uses UDP, it became a good gateway for hackers and creators of Trojan horses to pass through firewalls.

Hackers can bypass firewalls using DNS-like packets, sending a split file in a sequence of these queries.

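A defender's view of the tunneling slide, as an added Python example that is not part of the lecture: a passive monitor over constructed (source, query name) records flags the query stream that a file split into queries produces, namely many long, never-repeated, high-entropy labels under one parent domain. The records, the parent-domain rule and the thresholds are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed (source, query name) records, standing in for what a passive
# monitor on the DNS port would log. No real hosts or domains. The last source
# shows the pattern of a file split into queries: many long, unique,
# high-entropy labels under a single parent domain.
QUERIES = [
    ("192.0.2.10", "www.example.com."),
    ("192.0.2.10", "mail.example.com."),
    ("192.0.2.11", "cdn.example.org."),
    ("192.0.2.11", "www.example.org."),
    ("198.51.100.5", "a9f3c7e1b2d4f6a8c0e2b4d6f8a1c3e5.t.example.net."),
    ("198.51.100.5", "7b1d9e3f5a7c9e1b3d5f7a9c1e3b5d7f.t.example.net."),
    ("198.51.100.5", "c4e6a8b0d2f4a6c8e0b2d4f6a8c0e2b4.t.example.net."),
    ("198.51.100.5", "e5f7b9d1a3c5e7f9b1d3a5c7e9f1b3d5.t.example.net."),
]


def shannon_entropy(text):
    """Bits per character; encoded payload looks random, ordinary hostnames do not."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """'www.example.com.' -> 'example.com.' (last two labels; a public-suffix
    list would group names more accurately in production)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."


def profile(queries):
    """Per (source, parent domain): how many distinct names were asked, and how
    long and how random their leftmost labels are on average."""
    groups = defaultdict(set)
    for src, qname in queries:
        groups[(src, parent_domain(qname))].add(qname)
    stats = {}
    for key, names in groups.items():
        labels = [name.split(".")[0] for name in names]
        stats[key] = {
            "unique_names": len(names),
            "mean_label_len": sum(len(lab) for lab in labels) / len(labels),
            "mean_label_entropy": sum(shannon_entropy(lab) for lab in labels) / len(labels),
        }
    return stats


def suspected_tunnels(queries, min_unique=3, min_len=20.0, min_entropy=3.0):
    """(source, parent domain) pairs whose query stream looks like a data channel
    rather than name resolution. The thresholds are constructed starting points
    and must be tuned against the local baseline (CDNs and some security
    products also emit long machine-generated labels)."""
    return sorted(
        key for key, s in profile(queries).items()
        if s["unique_names"] >= min_unique
        and s["mean_label_len"] >= min_len
        and s["mean_label_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for key in suspected_tunnels(QUERIES):
        print("suspect:", key, profile(QUERIES)[key])
```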