30.9.2017

Primings Ranking Third Most Popular ????

Priming Queries

Short Refresher

Priming Query & Answer

;; QUESTION SECTION:
;; .    IN      NS
;; ANSWER SECTION:
.       518400  IN      NS      a.root-servers.net.
.       518400  IN      NS      b.root-servers.net.
.       518400  IN      NS      c.root-servers.net.
.       518400  IN      NS      d.root-servers.net.
.       518400  IN      NS      e.root-servers.net.
.       518400  IN      NS      f.root-servers.net.
.       518400  IN      NS      g.root-servers.net.
.       518400  IN      NS      h.root-servers.net.
.       518400  IN      NS      i.root-servers.net.
.       518400  IN      NS      j.root-servers.net.
.       518400  IN      NS      k.root-servers.net.
.       518400  IN      NS      l.root-servers.net.
.       518400  IN      NS      m.root-servers.net.

Priming Query Answer with DNSSEC

;; ANSWER SECTION:
.       518400  IN      NS      a.root-servers.net.
.       518400  IN      NS      b.root-servers.net.
.       518400  IN      NS      c.root-servers.net.
.       518400  IN      NS      d.root-servers.net.
.       518400  IN      NS      e.root-servers.net.
.       518400  IN      NS      f.root-servers.net.
.       518400  IN      NS      g.root-servers.net.
.       518400  IN      NS      h.root-servers.net.
.       518400  IN      NS      i.root-servers.net.
.       518400  IN      NS      j.root-servers.net.
.       518400  IN      NS      k.root-servers.net.
.       518400  IN      NS      l.root-servers.net.
.       518400  IN      NS      m.root-servers.net.
.       518400  IN      RRSIG   NS 8 0 518400 20171011170000 20170928160000 15768 .
                                I3gouajLijb8zG6Nfjn3cPBETomC0RpHzEW ...
;; MSG SIZE  rcvd: 525

Take Aways

* Answer unchanged since 1995

  • TTL: 6 days

  • Answer Sizes
    • < 512 bytes Unsigned
    • 525 bytes Signed

* It is all about the Additional Section !

Priming Query Additional Section

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       198.41.0.4
a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     518400  IN      A       192.228.79.201
b.root-servers.net.     518400  IN      AAAA    2001:500:200::b
c.root-servers.net.     518400  IN      A       192.33.4.12
c.root-servers.net.     518400  IN      AAAA    2001:500:2::c
d.root-servers.net.     518400  IN      A       199.7.91.13
d.root-servers.net.     518400  IN      AAAA    2001:500:2d::d
e.root-servers.net.     518400  IN      A       192.203.230.10
e.root-servers.net.     518400  IN      AAAA    2001:500:a8::e
f.root-servers.net.     518400  IN      A       192.5.5.241
f.root-servers.net.     518400  IN      AAAA    2001:500:2f::f
g.root-servers.net.     518400  IN      A       192.112.36.4
g.root-servers.net.     518400  IN      AAAA    2001:500:12::d0d
...

Priming Query Additional Section

h.root-servers.net.     518400  IN      A       198.97.190.53
h.root-servers.net.     518400  IN      AAAA    2001:500:1::53
i.root-servers.net.     518400  IN      A       192.36.148.17
i.root-servers.net.     518400  IN      AAAA    2001:7fe::53
j.root-servers.net.     518400  IN      A       192.58.128.30
j.root-servers.net.     518400  IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     518400  IN      A       193.0.14.129
k.root-servers.net.     518400  IN      AAAA    2001:7fd::1
l.root-servers.net.     518400  IN      A       199.7.83.42
l.root-servers.net.     518400  IN      AAAA    2001:500:9f::42
m.root-servers.net.     518400  IN      A       202.12.27.33
m.root-servers.net.     518400  IN      AAAA    2001:dc3::35

;; Query time: 5 msec
;; SERVER: 2001:7fd::1
;; EDNS: version 0; flags: ; udp: 4096
;; MSG SIZE  rcvd: 811

DNSSEC Variant

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       198.41.0.4
a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     518400  IN      A       192.228.79.201
b.root-servers.net.     518400  IN      AAAA    2001:500:200::b
c.root-servers.net.     518400  IN      A       192.33.4.12
c.root-servers.net.     518400  IN      AAAA    2001:500:2::c
...
k.root-servers.net.     518400  IN      A       193.0.14.129
k.root-servers.net.     518400  IN      AAAA    2001:7fd::1
l.root-servers.net.     518400  IN      A       199.7.83.42
l.root-servers.net.     518400  IN      AAAA    2001:500:9f::42
m.root-servers.net.     518400  IN      A       202.12.27.33
m.root-servers.net.     518400  IN      AAAA    2001:dc3::35
;; EDNS: version 0; flags: ; udp: 4096
;; MSG SIZE  rcvd: 1097

No EDNS: Variant 1

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       198.41.0.4
b.root-servers.net.     518400  IN      A       192.228.79.201
c.root-servers.net.     518400  IN      A       192.33.4.12
d.root-servers.net.     518400  IN      A       199.7.91.13
e.root-servers.net.     518400  IN      A       192.203.230.10
f.root-servers.net.     518400  IN      A       192.5.5.241
g.root-servers.net.     518400  IN      A       192.112.36.4
h.root-servers.net.     518400  IN      A       198.97.190.53
i.root-servers.net.     518400  IN      A       192.36.148.17
j.root-servers.net.     518400  IN      A       192.58.128.30
k.root-servers.net.     518400  IN      A       193.0.14.129
l.root-servers.net.     518400  IN      A       199.7.83.42
m.root-servers.net.     518400  IN      A       202.12.27.33
a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     518400  IN      AAAA    2001:500:200::b

;; SERVER: 193.0.14.129
;; MSG SIZE  rcvd: 492

No EDNS: Variant 2 (IPv6 Client)

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     518400  IN      AAAA    2001:500:200::b
c.root-servers.net.     518400  IN      AAAA    2001:500:2::c
d.root-servers.net.     518400  IN      AAAA    2001:500:2d::d
e.root-servers.net.     518400  IN      AAAA    2001:500:a8::e
f.root-servers.net.     518400  IN      AAAA    2001:500:2f::f
g.root-servers.net.     518400  IN      AAAA    2001:500:12::d0d
h.root-servers.net.     518400  IN      AAAA    2001:500:1::53
i.root-servers.net.     518400  IN      AAAA    2001:7fe::53
j.root-servers.net.     518400  IN      AAAA    2001:503:c27::2:30

;; SERVER: 2001:7fd::1
;; MSG SIZE  rcvd: 508

No EDNS: Variant 3 (IPv6 Client)

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       198.41.0.4
a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     518400  IN      A       192.228.79.201
b.root-servers.net.     518400  IN      AAAA    2001:500:200::b
c.root-servers.net.     518400  IN      A       192.33.4.12
c.root-servers.net.     518400  IN      AAAA    2001:500:2::c
d.root-servers.net.     518400  IN      A       199.7.91.13
d.root-servers.net.     518400  IN      AAAA    2001:500:2d::d
e.root-servers.net.     518400  IN      A       192.203.230.10
e.root-servers.net.     518400  IN      AAAA    2001:500:a8::e
f.root-servers.net.     518400  IN      A       192.5.5.241
f.root-servers.net.     518400  IN      AAAA    2001:500:2f::f
g.root-servers.net.     518400  IN      A       192.112.36.4

;; SERVER: 2001:7fd::1
;; MSG SIZE  rcvd: 508

More Variants

Take Aways

Via UDP:

Non-EDNS queries get partial ADDITIONAL sections.

So do DNSSEC queries with buffer sizes < 1097 bytes.

DNSSEC queries with buffer sizes < 525 bytes get truncated answers.
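The size arithmetic behind these take-aways, worked as an added example (not code from the talk): a stdlib-only Python builder that encodes a priming reply in DNS wire format with name compression and fills the ADDITIONAL section greedily until the UDP limit is reached, reproducing the MSG SIZE values shown above (811, 1097, 492, 508, 525). The greedy fill rule, the `order` names and the zeroed addresses and signature are assumptions of this example, not K-root's server logic.

```python
import struct

ROOTS = "abcdefghijklm"          # the 13 root-server labels from the dig output
TTL = 518400                     # 6 days, as on the slides
A, NS, AAAA, OPT, RRSIG = 1, 2, 28, 41, 46

def rr(owner, rtype, rdata, rclass=1, ttl=TTL):
    """Wire-format RR: owner-name bytes, fixed fields, rdata."""
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def priming_response(edns=True, dnssec=False, order="A-first", udp_limit=4096):
    """Build a root priming reply and fill its ADDITIONAL section with glue in
    `order` until the next RR would exceed the UDP limit (512 without EDNS).
    Returns (wire_bytes, glue_records_included, truncated)."""
    msg = bytearray(12) + b"\x00" + struct.pack("!HH", NS, 1)   # header + ". IN NS"
    name_off = {}                                   # label -> offset of x.root-servers.net.
    for i, lab in enumerate(ROOTS):
        name_off[lab] = len(msg) + 11               # rdata begins 11 bytes into the RR
        if i == 0:                                  # first name spelled out in full,
            suffix_off = name_off[lab] + 2          # later ones point at "root-servers.net."
            rdata = b"\x01" + lab.encode() + b"\x0croot-servers\x03net\x00"
        else:
            rdata = b"\x01" + lab.encode() + struct.pack("!H", 0xC000 | suffix_off)
        msg += rr(b"\x00", NS, rdata)
    ancount = len(ROOTS)
    if dnssec:  # RRSIG NS 8 0 518400 exp inc 15768 . + 256-byte RSA-2048 signature (zeroed here)
        sig = struct.pack("!HBBIIIH", NS, 8, 0, TTL, 0, 0, 15768) + b"\x00" + bytes(256)
        msg += rr(b"\x00", RRSIG, sig)
        ancount += 1
    opt = rr(b"\x00", OPT, b"", rclass=4096, ttl=0) if edns else b""  # OPT class = buffer size
    budget = (udp_limit if edns else 512) - len(opt)
    if len(msg) > budget:                           # answer itself does not fit: set TC, client retries over TCP
        struct.pack_into("!HHHHHH", msg, 0, 0x1234, 0x8600, 1, 0, 0, int(edns))
        return bytes(msg[:17] + opt), 0, True
    glue_order = {"A-first": [(l, A) for l in ROOTS] + [(l, AAAA) for l in ROOTS],
                  "AAAA-first": [(l, AAAA) for l in ROOTS] + [(l, A) for l in ROOTS],
                  "interleaved": [(l, t) for l in ROOTS for t in (A, AAAA)]}[order]
    glue = 0
    for lab, rtype in glue_order:                   # addresses are zero placeholders; only size matters
        record = rr(struct.pack("!H", 0xC000 | name_off[lab]), rtype, bytes(4 if rtype == A else 16))
        if len(msg) + len(record) > budget:
            break                                   # this is where the partial ADDITIONAL section comes from
        msg += record
        glue += 1
    msg += opt
    struct.pack_into("!HHHHHH", msg, 0, 0x1234, 0x8400, 1, ancount, 0, glue + int(edns))
    return bytes(msg), glue, False
```

With the defaults the reply is 811 bytes with all 26 glue records; without EDNS the three no-EDNS variants above come out at 492 (13 A + 2 AAAA), 508 (10 AAAA) and 508 (7 A + 6 AAAA).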

Curiosity

Primings Ranking Third Most Popular ????

How Many Well Behaved Clients ?

Why Use the Front of the Envelope ?

> 1 Billion Clients ?

Not Really ! — Not even with MAX-TTL=1d !

Research

A Work in Progress

Suggestions Welcome

Get Data

  • Ask for PCAPs from all K instances and use packetq thus:

    select * from dns where qname='.' and qtype=2 and dst_port=53;
  • Anonymised Data Available

First Observation 2017-07-14 00:00:10
Last Observation 2017-07-21 00:04:50
Days Observed 7
Number of Queries 1,193,621,459
Average Queries/s 1,972 ~ DSC

Some Descriptive Statistics

IPv6                      211,415,981    17.71%
DNSSEC OK               1,139,619,012    95.48%
UDP                     1,138,980,406    95.42%
EDNS                    1,142,886,210    95.75%   (more than the UDP count)
Unique Source Addresses     4,081,183             (<< 10^9)

Hyperactive Clients

Take Aways

  • Only just over 60% of Clients 'Well Behaved'

    • <= 1/day on average
  • 10% of Clients 'Hyperactive'

    • > 1/hour on average
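A small detection routine, added here as an example rather than taken from the talk, that applies the two thresholds above to constructed packetq-style rows (epoch second, source address) for a 7-day window and reports both the class of each client and each class's share of the query load. The addresses and query rates are made up for illustration.

```python
from collections import Counter

WINDOW_SECONDS = 7 * 86400   # the talk's observation window: 7 days

# Constructed rows (epoch second, source) for queries with qname='.' and qtype=2.
# Illustrative only, not K-root data.
SAMPLE_ROWS = [
    *[(t, "192.0.2.10") for t in range(0, WINDOW_SECONDS, 86400)],       # once a day
    *[(t, "198.51.100.5") for t in range(0, WINDOW_SECONDS, 600)],       # every 10 minutes
    *[(t, "203.0.113.7") for t in range(0, WINDOW_SECONDS, 6 * 3600)],   # every 6 hours
    (0, "2001:db8::1"),                                                    # seen once
]

def classify_clients(rows, window_seconds=WINDOW_SECONDS):
    """Bucket each source by its average priming rate over the window:
    <= 1/day is 'well behaved', > 1/hour is 'hyperactive', else 'in between'.
    Returns (class per source, query count per source)."""
    counts = Counter(src for _, src in rows)
    days, hours = window_seconds / 86400, window_seconds / 3600
    classes = {}
    for src, n in counts.items():
        if n <= days:
            classes[src] = "well behaved"
        elif n > hours:
            classes[src] = "hyperactive"
        else:
            classes[src] = "in between"
    return classes, counts

def load_share(rows, window_seconds=WINDOW_SECONDS):
    """Fraction of all queries sent by each class: the talk's 'load' view, where a
    few hyperactive clients account for most of the priming traffic."""
    classes, counts = classify_clients(rows, window_seconds)
    total = sum(counts.values())
    share = Counter()
    for src, n in counts.items():
        share[classes[src]] += n / total
    return dict(share)
```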

Really Hyperactive !

Had to Ask

Me: What is happening? Are you under attack?

Them: Oops! No that was us. Fixed.

Me: How did you manage?

Them: We configured unbound thus:

cache-min-ttl: 0        # default: 0
cache-max-ttl: 0        # default: 86400
rrset-cache-size: 0     # default: 4m
msg-cache-size: 0       # default: 4m

Me: Why ?

Them: We needed uncached answers.

Me: <speechless>

Take Aways

  • In DNS there is always another surprise

  • DNS software should have safeties

Loads of Queries (95:10)

Hyperactives Keep At It

Well Behaved

Take Aways

"Almost all queries to the root name servers are not useful for DNS resolution."

Even for Priming Queries …

  • 'Well Behaved': ~1% of the load

  • Probably not useful: 95% of the load

Is this good engineering ?

EDNS Sizes

Take Away

Bigger responses are acceptable now than they were back in 1995.

More service addresses could probably be added.

Further Work

  • Write the paper

  • Classify client behavior

    • Identify individual clients
    • Identify individual implementations
    • Attack patterns
  • Do bigger responses actually reach the client?

  • Include root-servers.net queries

Soapbox

Add more addresses / root name server operators ?

Probably possible, but why?

Distribute/cache the root zone more aggressively!

Move away from roots having to take all possible abuse.
Yes definitely!

There are better ways to distribute a 2MB file !

Applause

Questions & Answers