DNS Measurement at a Root Server
Nevil Brownlee, kc Claffy and Evi Nemeth
Presented by Zhengxiang Pan, Mar. 27th, 2003
Introduction
• DNS: Domain Name System
• BIND: Berkeley Internet Name Domain System
[Figure: client → Local Name Server → Root Server; several local name servers query the root server over UDP]
Methodology
• Passive capture of DNS packets at F.root-server.net
• Use tcpdump and error logs
Results
• A. Query rate
– The server responds to 93% of the input packets.
• B1. Repeated queries
– Possibly the result of a broken nameserver or a broken client.
• B2. Private Address Space
– About 7% of the queries ask for a hostname associated with an RFC 1918 address.
– 2%-3% of the queries have a source IP address in RFC 1918 space.
Error taxonomy
• B3. Top Level Domains
– In a 1-hour trace of Jan. 7, 2001:
– 16.5% of the servers asked only for INVALID TLDs
– 37.1% of the servers asked for at least one INVALID TLD
• B4. Bogus A Queries
– An A query maps a hostname → IP address
– 12-18% of A queries target an IP address (the query name is itself an IP literal)
• B5. Source Port Zero
– Port 0 is reserved and not valid in UDP / TCP.
– Root servers never answer queries from port 0
• B6. Dynamic Updates
– DHCP can dynamically update the local nameserver; it should not try to update root servers.
Results
• Attacks
– Spoofing the source IP and using the root server as a reflector, flooding the attack target with answers it did not ask for.
– Scanning IP space.
• Microsoft's DNS woes
– Jan. 24, 2001: Microsoft nameservers down; the query load for Microsoft names rose to over 25% of the total query load.
Summary
• Percentages of servers with bad behaviors:
– 13% bogus A queries
– 35% invalid TLDs
– 35% leaking internal information
• Strategy
– Diagnose and repair bugs in implementations
– Deploy negative answers
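The error taxonomy (B1-B6) and the summary's per-server percentages both reduce to one task: labelling each query seen at the root and then counting how many distinct source addresses exhibit each behavior. The following Python is an added example written for this page, not code from the paper or from the F root server operators; the query records are constructed, the `VALID_TLDS` set is a small stand-in for the IANA root zone, and the label names (`B2-rfc1918-source`, `B4-bogus-a`, ...) are this example's own.

```python
"""Classify DNS queries seen at a root server into the error taxonomy
(repeated queries, RFC 1918 leakage, invalid TLDs, bogus A queries,
source port zero, dynamic updates) and summarise per-source behaviour."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample records: (source_ip, source_port, opcode, qtype, qname).
# Invented for illustration, not trace data from the root server.
SAMPLE_QUERIES = [
    ("192.0.2.10", 53, "QUERY", "A", "www.example.com."),
    ("192.0.2.10", 53, "QUERY", "A", "www.example.com."),   # repeated (B1)
    ("192.0.2.10", 53, "QUERY", "A", "www.example.com."),   # repeated (B1)
    ("192.0.2.10", 53, "QUERY", "PTR", "1.2.168.192.in-addr.arpa."),  # RFC 1918 target (B2)
    ("10.0.0.5", 1234, "QUERY", "A", "host.example.org."),  # RFC 1918 source (B2)
    ("192.0.2.11", 40000, "QUERY", "A", "myhost.localdomain."),       # invalid TLD (B3)
    ("192.0.2.12", 40001, "QUERY", "A", "192.0.2.55."),     # A query for an IP literal (B4)
    ("192.0.2.13", 0, "QUERY", "A", "www.example.net."),    # source port zero (B5)
    ("192.0.2.14", 5353, "UPDATE", "A", "printer.example.com."),      # dynamic update (B6)
]

# RFC 1918 blocks spelled out explicitly: ipaddress.is_private would also
# match documentation ranges such as 192.0.2.0/24, which we use as public sources.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed subset of valid TLDs; a real classifier loads the IANA root zone.
VALID_TLDS = {"com", "net", "org", "edu", "arpa"}


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def reverse_target(qname):
    """Return the IPv4 address an in-addr.arpa PTR name asks about, else None."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2][::-1]  # in-addr.arpa stores the octets in reverse order
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    octets += ["0"] * (4 - len(octets))  # pad a zone-level (partial) name to a full address
    return ".".join(octets)


def classify(record):
    """Return the set of taxonomy labels that apply to one query record."""
    src, sport, opcode, qtype, qname = record
    name = qname.rstrip(".").lower()
    labels = set()
    if opcode == "UPDATE":               # B6: dynamic update sent to a root server
        labels.add("B6-dynamic-update")
        return labels
    if is_rfc1918(src):                  # B2: query leaked from private address space
        labels.add("B2-rfc1918-source")
    target = reverse_target(qname)
    if target and is_rfc1918(target):    # B2: reverse lookup of a private address
        labels.add("B2-rfc1918-target")
    if sport == 0:                       # B5: reserved source port
        labels.add("B5-source-port-zero")
    try:
        ipaddress.IPv4Address(name)
        if qtype == "A":                 # B4: A query whose name is already an address
            labels.add("B4-bogus-a")
        return labels                    # an IP literal is not a TLD attempt; skip the TLD check
    except ValueError:
        pass
    if name and name.rsplit(".", 1)[-1] not in VALID_TLDS:  # B3: invalid TLD
        labels.add("B3-invalid-tld")
    return labels


def repeated_queries(records, threshold=3):
    """B1: (source, qtype, qname) tuples repeated at least `threshold` times."""
    counts = Counter((r[0], r[3], r[4]) for r in records)
    return {key: n for key, n in counts.items() if n >= threshold}


def per_source_rates(records):
    """Fraction of distinct source addresses that showed each behaviour at least once,
    the per-server view used in the summary percentages."""
    seen = defaultdict(set)
    sources = set()
    for rec in records:
        sources.add(rec[0])
        for label in classify(rec):
            seen[label].add(rec[0])
    return {label: len(srcs) / len(sources) for label, srcs in seen.items()}


if __name__ == "__main__":
    for rec in SAMPLE_QUERIES:
        print(rec, sorted(classify(rec)))
    print("repeated:", repeated_queries(SAMPLE_QUERIES))
    for label, rate in sorted(per_source_rates(SAMPLE_QUERIES).items()):
        print(f"{label}: {rate:.0%} of sources")
```

Run on a real tcpdump-derived record stream, `per_source_rates` gives the "percentage of servers with bad behaviour" numbers directly, which is more actionable than raw query counts because one chatty broken resolver can dominate the query-level statistics.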