• No results found

Gijs van den Broek Graduate Intern at SURFnet

N/A
N/A
Info
Downloaden
Protected

Academic year: 2021

Share "Gijs van den Broek Graduate Intern at SURFnet"

Copied!
14
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Download het nu ( 14 pagina )

Hele tekst

(1)

Improving Response Deliverability in DNS(SEC)

Gijs van den Broek

Gijs van den Broek

, Roland van Rijswijk

ǂ

, Aiko Pras*, Anna Sperotto*

*University of Twente, Enschede, The Netherlands

(2)

Contents

Problem Overview

Extent of the Problem

Proposal for Two Solutions

Comparison

(3)

Problem Overview

Description

1 DNS query sent to authoritative name server

2 DNS response returned

3 DNS response fragmented into IP fragments due to lower MTU

4 First IP fragment of DNS response arrives at resolver

5 Second IP fragment of DNS response is blocked at firewall

(4)

Extent of the Problem (1/3)

28%

57%

0%

25%

50%

75%

Fragmented Responses

Fragment Receiving Resolvers

Percentage of all UDP DNS responses being fragmented and percentage of all

resolvers receiving fragments (measured at ns3.surfnet.nl)

(5)

Extent of the Problem (2/3)

25%

2%

2%

69%

2%

Advertised Max Response Size in Queries (bytes)

No EDNS0

512

1400-1500

4096

Other

EDNS0 Headers in DNS queries contain a field ‘Maximum UDP Payload’ [1], indicating

the maximum response size for the querying resolver (measured at ns3.surfnet.nl)

(6)

Extent of the Problem (3/3)

Resolver Behavioural Characteristics

Unique Resolvers

Case 1: Sending ICMP Fragment Reassembly Time Exceeded (FRTE) 1.1%

Case 2: Removal of EDNS0 header in retries

2.4%

Case 3: Retries for large (>512 bytes) responses exceed 4%

9.7%

Case 4: Reduced advertised buffer size in retries

3.5%

Case 5: TCP fallback w/o truncated UDP response preceding it

<0.1%

Note 1: these cases are not mutually exclusive

Note 2: an estimated 9% of all hosts cannot receive fragmented UDP [2]. We will likely

see a lower value, since we consider the perspective of an authoritative name server,

which predominantly handles queries from (caching) resolvers from ISPs

(7)
(8)

Solution 2 – Name Server

• Between BIND and Internet is

DNSRM as host proxy

• DNSRM forwards DNS traffic

feed to sensor; alters queries

from problem resolvers only

(9)

Solution 2 - Sensor

• Receives live DNS traffic feed

from name servers

• Detects problem resolvers

• Returns IP addresses of

(10)
(11)

Comparison of Experiments

Solution 1

– Very simple (i.e. usually limited to one server variable)

– Affects every querying resolver

– Rewards bad behaviour, ‘punishes’ good behaviour

Solution 2

– More complex setup required

– Affects only problem resolvers

– To some extent problem resolvers keep feeling the

pain by not helping them intermittently

(12)

Final Remarks

Problems with fragmented DNS responses are

not limited to DNSSEC

At least 1%* of all resolvers will be marked as a

problem resolver, likely much more

Issues with EDNS0 headers and UDP packets

> 512 bytes in some firewalls/routers may

remain [3]

(13)

W

j.g.vandenbroek@student.utwente.nl

jgvandenbroek

dnssec.surfnet.nl

Creative Commons “Attribution” license:

http://creativecommons.org/licenses/by/3.0/

(14)

References

[1] Vixie, RFC 2671: “Extension Mechanisms for DNS (EDNS0)”, chapter 4.5, August 1999 [2] Weaver, et al.: “Implications of Netalyzr’s DNS Measurements”, April 2011

Referenties

Download het nu ( PDF - 14 pagina - 712.35 KB )

GERELATEERDE DOCUMENTEN

1 niet 2 niet 3 wel 4 wel

[r]

1 2 3 1 2 3 1 2 3

KVB= Kortdurende Verblijf LG= Lichamelijke Handicap LZA= Langdurig zorg afhankelijk Nah= niet aangeboren hersenafwijking. PG= Psychogeriatrische aandoening/beperking

= 1 = 4 = 2 = 2 = 7 = 3 = 4 = 2 = 1 = 1 = 3 = 1 = 1 1 3 5 1 3 6 1 3 7 17 31 1 2 blok 7

[r]

4 1-2

Anders dan basisgroep - begeleid deze kinderen tijdens het zelfstandig werken aan de instructietafel. zie basisgroep

4 1-2

- kunnen de categorieën met regels benoemen tijdens de instructie en het oefendictee.. - maken tijdens het zelfstandig werken minimaal

4 blok 1, 2 en 3

² Doelen uit les 11 zijn noodzakelijke ervaringen en geen toetsdoelen, die een basis vormen voor doelen die wel schriftelijk worden

1 OPDRACHT 4 OPDRACHT 3 OPDRACHT 2 OPDRACHT 1

Ik knoei niet op mijn oudste, maar op mijn n broek.. De pieten zijn niet stil, maar ze

5. 4. 3. 2. 1.

Begin mei vroegen de Bomenridders per mail aandacht voor het verdwijnen van groen op de bouwkavels Nijverheidsweg.. Diezelfde dag nog reageerde een projectleider en beloofde hier op