OARC Spring 2013 Workshop (Dublin)

Classifying Resolver Capabilities

12 May 2013, 14:00

20m

Burlington Hotel

OARC Public Workshop DNS Reflection Attacks

Speaker

Olafur Gudmundsson (Shinkuro)

Description

In our attempt to quantify/qualify whether a particular DNS resolver is DNSSEC-compliant, we realized that it is important to test for a resolver's major functional behaviors rather than looking for compliance with all possible corner cases. Based on this idea, we designed a series of tests and grades for resolvers based on each test's results. Based on the tests' outcomes we classify resolvers into categories.

Summary

However, while looking at a large population of resolvers we sometimes get inconsistent results. As best we can determine, these results are at least sometimes a function of differences in the configuration of individual DNS resolvers in an anycast cloud. We may also have probed test configurations that responded in a non-standard way, or perhaps probed misconfigured DNS resolvers.

The test suite is called DNSSEC_resolver_check and is implemented as an application and a browser applet. 
As our main interest was in determining the state of DNSSEC deployment, we saw an opportunity to attempt to classify the capabilities of open resolvers. We designed a test that both searched for open resolvers and gave us insight into how different organizations set up their DNS resolution, as most of the open "resolvers" are simple forwarders. During this test we attempted to gather more information about the systems that react or respond to DNS queries using both version queries and DNS fingerprinting. A side effect of this test was that we were able to determine whether the targets of forwarding validate or not.

Presentation materials

Slides

Classifying_resolvers.pdf