30.9.2017
Short Refresher
;; QUESTION SECTION:
;.                     IN  NS
;; ANSWER SECTION:
.    518400  IN  NS  a.root-servers.net.
.    518400  IN  NS  b.root-servers.net.
.    518400  IN  NS  c.root-servers.net.
.    518400  IN  NS  d.root-servers.net.
.    518400  IN  NS  e.root-servers.net.
.    518400  IN  NS  f.root-servers.net.
.    518400  IN  NS  g.root-servers.net.
.    518400  IN  NS  h.root-servers.net.
.    518400  IN  NS  i.root-servers.net.
.    518400  IN  NS  j.root-servers.net.
.    518400  IN  NS  k.root-servers.net.
.    518400  IN  NS  l.root-servers.net.
.    518400  IN  NS  m.root-servers.net.
;; ANSWER SECTION:
.    518400  IN  NS     a.root-servers.net.
.    518400  IN  NS     b.root-servers.net.
.    518400  IN  NS     c.root-servers.net.
.    518400  IN  NS     d.root-servers.net.
.    518400  IN  NS     e.root-servers.net.
.    518400  IN  NS     f.root-servers.net.
.    518400  IN  NS     g.root-servers.net.
.    518400  IN  NS     h.root-servers.net.
.    518400  IN  NS     i.root-servers.net.
.    518400  IN  NS     j.root-servers.net.
.    518400  IN  NS     k.root-servers.net.
.    518400  IN  NS     l.root-servers.net.
.    518400  IN  NS     m.root-servers.net.
.    518400  IN  RRSIG  NS 8 0 518400 20171011170000 20170928160000 15768 . I3gouajLijb8zG6Nfjn3cPBETomC0RpHzEW ...
;; MSG SIZE rcvd: 525
* Answer unchanged since 1995
TTL: 6 days
* It is all about the Additional Section!
;; ADDITIONAL SECTION:
a.root-servers.net.  518400  IN  A     198.41.0.4
a.root-servers.net.  518400  IN  AAAA  2001:503:ba3e::2:30
b.root-servers.net.  518400  IN  A     192.228.79.201
b.root-servers.net.  518400  IN  AAAA  2001:500:200::b
c.root-servers.net.  518400  IN  A     192.33.4.12
c.root-servers.net.  518400  IN  AAAA  2001:500:2::c
d.root-servers.net.  518400  IN  A     199.7.91.13
d.root-servers.net.  518400  IN  AAAA  2001:500:2d::d
e.root-servers.net.  518400  IN  A     192.203.230.10
e.root-servers.net.  518400  IN  AAAA  2001:500:a8::e
f.root-servers.net.  518400  IN  A     192.5.5.241
f.root-servers.net.  518400  IN  AAAA  2001:500:2f::f
g.root-servers.net.  518400  IN  A     192.112.36.4
g.root-servers.net.  518400  IN  AAAA  2001:500:12::d0d
h.root-servers.net.  518400  IN  A     198.97.190.53
h.root-servers.net.  518400  IN  AAAA  2001:500:1::53
i.root-servers.net.  518400  IN  A     192.36.148.17
i.root-servers.net.  518400  IN  AAAA  2001:7fe::53
j.root-servers.net.  518400  IN  A     192.58.128.30
j.root-servers.net.  518400  IN  AAAA  2001:503:c27::2:30
k.root-servers.net.  518400  IN  A     193.0.14.129
k.root-servers.net.  518400  IN  AAAA  2001:7fd::1
l.root-servers.net.  518400  IN  A     199.7.83.42
l.root-servers.net.  518400  IN  AAAA  2001:500:9f::42
m.root-servers.net.  518400  IN  A     202.12.27.33
m.root-servers.net.  518400  IN  AAAA  2001:dc3::35

;; Query time: 5 msec
;; SERVER: 2001:7fd::1
;; EDNS: version 0; flags: ; udp: 4096
;; MSG SIZE rcvd: 811
;; ADDITIONAL SECTION:
a.root-servers.net.  518400  IN  A     198.41.0.4
a.root-servers.net.  518400  IN  AAAA  2001:503:ba3e::2:30
b.root-servers.net.  518400  IN  A     192.228.79.201
b.root-servers.net.  518400  IN  AAAA  2001:500:200::b
c.root-servers.net.  518400  IN  A     192.33.4.12
c.root-servers.net.  518400  IN  AAAA  2001:500:2::c
...
k.root-servers.net.  518400  IN  A     193.0.14.129
k.root-servers.net.  518400  IN  AAAA  2001:7fd::1
l.root-servers.net.  518400  IN  A     199.7.83.42
l.root-servers.net.  518400  IN  AAAA  2001:500:9f::42
m.root-servers.net.  518400  IN  A     202.12.27.33
m.root-servers.net.  518400  IN  AAAA  2001:dc3::35

;; EDNS: version 0; flags: ; udp: 4096
;; MSG SIZE rcvd: 1097
;; ADDITIONAL SECTION:
a.root-servers.net.  518400  IN  A     198.41.0.4
b.root-servers.net.  518400  IN  A     192.228.79.201
c.root-servers.net.  518400  IN  A     192.33.4.12
d.root-servers.net.  518400  IN  A     199.7.91.13
e.root-servers.net.  518400  IN  A     192.203.230.10
f.root-servers.net.  518400  IN  A     192.5.5.241
g.root-servers.net.  518400  IN  A     192.112.36.4
h.root-servers.net.  518400  IN  A     198.97.190.53
i.root-servers.net.  518400  IN  A     192.36.148.17
j.root-servers.net.  518400  IN  A     192.58.128.30
k.root-servers.net.  518400  IN  A     193.0.14.129
l.root-servers.net.  518400  IN  A     199.7.83.42
m.root-servers.net.  518400  IN  A     202.12.27.33
a.root-servers.net.  518400  IN  AAAA  2001:503:ba3e::2:30
b.root-servers.net.  518400  IN  AAAA  2001:500:200::b

;; SERVER: 193.0.14.129
;; MSG SIZE rcvd: 492
;; ADDITIONAL SECTION:
a.root-servers.net.  518400  IN  AAAA  2001:503:ba3e::2:30
b.root-servers.net.  518400  IN  AAAA  2001:500:200::b
c.root-servers.net.  518400  IN  AAAA  2001:500:2::c
d.root-servers.net.  518400  IN  AAAA  2001:500:2d::d
e.root-servers.net.  518400  IN  AAAA  2001:500:a8::e
f.root-servers.net.  518400  IN  AAAA  2001:500:2f::f
g.root-servers.net.  518400  IN  AAAA  2001:500:12::d0d
h.root-servers.net.  518400  IN  AAAA  2001:500:1::53
i.root-servers.net.  518400  IN  AAAA  2001:7fe::53
j.root-servers.net.  518400  IN  AAAA  2001:503:c27::2:30

;; SERVER: 2001:7fd::1
;; MSG SIZE rcvd: 508
;; ADDITIONAL SECTION:
a.root-servers.net.  518400  IN  A     198.41.0.4
a.root-servers.net.  518400  IN  AAAA  2001:503:ba3e::2:30
b.root-servers.net.  518400  IN  A     192.228.79.201
b.root-servers.net.  518400  IN  AAAA  2001:500:200::b
c.root-servers.net.  518400  IN  A     192.33.4.12
c.root-servers.net.  518400  IN  AAAA  2001:500:2::c
d.root-servers.net.  518400  IN  A     199.7.91.13
d.root-servers.net.  518400  IN  AAAA  2001:500:2d::d
e.root-servers.net.  518400  IN  A     192.203.230.10
e.root-servers.net.  518400  IN  AAAA  2001:500:a8::e
f.root-servers.net.  518400  IN  A     192.5.5.241
f.root-servers.net.  518400  IN  AAAA  2001:500:2f::f
g.root-servers.net.  518400  IN  A     192.112.36.4

;; SERVER: 2001:7fd::1
;; MSG SIZE rcvd: 508
…
Via UDP:
Non-EDNS queries get partial ADDITIONAL sections.
DNSSEC queries with buffer sizes < 1097 bytes do too.
DNSSEC queries with buffer sizes < 525 bytes get truncated answers.
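The sizes in the dig output above follow directly from the wire format. The script below is an added example (not part of the talk) that assembles the priming response in DNS wire format with RFC 1035 name compression and then fills the additional section under a given UDP payload limit, the way an authoritative server does. It assumes a 256-byte RRSIG signature (RSA-2048, algorithm 8), no EDNS options, placeholder RRSIG timestamps, and glue owner names compressed against the NS RRset; the glue addresses are the ones on the slides. With those assumptions it reproduces 525 (answer + RRSIG, no glue), 811 (full glue), 1097 (full glue + RRSIG) and the 492/508-byte non-EDNS responses, which differ only in the order the server tried to add glue.

```python
"""Wire-size model of the root priming response (". IN NS").
Added example (not from the talk). Assumes a 256-byte RRSIG signature,
no EDNS options, placeholder RRSIG timestamps, and glue owner names
compressed against the NS RRset; glue addresses are those on the slides."""
import ipaddress
import struct

TTL = 518400                       # 6 days, as in the root zone
LETTERS = "abcdefghijklm"
A, NS, AAAA, OPT, RRSIG = 1, 2, 28, 41, 46
GLUE_A = dict(zip(LETTERS, [
    "198.41.0.4", "192.228.79.201", "192.33.4.12", "199.7.91.13",
    "192.203.230.10", "192.5.5.241", "192.112.36.4", "198.97.190.53",
    "192.36.148.17", "192.58.128.30", "193.0.14.129", "199.7.83.42",
    "202.12.27.33"]))
GLUE_AAAA = dict(zip(LETTERS, [
    "2001:503:ba3e::2:30", "2001:500:200::b", "2001:500:2::c",
    "2001:500:2d::d", "2001:500:a8::e", "2001:500:2f::f",
    "2001:500:12::d0d", "2001:500:1::53", "2001:7fe::53",
    "2001:503:c27::2:30", "2001:7fd::1", "2001:500:9f::42", "2001:dc3::35"]))


class Msg:
    """Minimal DNS message builder with RFC 1035 name compression."""

    def __init__(self):
        self.buf = bytearray()
        self.comp = {}             # name suffix -> offset of first occurrence

    def name(self, name):
        labels = [] if name == "." else name.rstrip(".").split(".")
        while labels:
            suffix = ".".join(labels)
            if suffix in self.comp:    # a 2-byte pointer replaces the rest
                self.buf += struct.pack("!H", 0xC000 | self.comp[suffix])
                return
            if len(self.buf) < 0x4000:
                self.comp[suffix] = len(self.buf)
            label = labels.pop(0).encode()
            self.buf += bytes([len(label)]) + label
        self.buf += b"\x00"            # root label terminator

    def rr(self, owner, rtype, write_rdata):
        """Append one RR; write_rdata is a callable that emits the RDATA."""
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, 1, TTL)
        pos = len(self.buf)
        self.buf += b"\x00\x00"        # RDLENGTH, patched once RDATA is known
        write_rdata()
        struct.pack_into("!H", self.buf, pos, len(self.buf) - pos - 2)


def priming_response(dnssec=False, edns=True, glue=(), sig_len=256):
    """Build the response; glue is a sequence of (letter, A|AAAA)."""
    m = Msg()
    m.buf += struct.pack("!HHHHHH", 0x1234, 0x8400, 1,   # QR+AA, one question
                         13 + dnssec, 0, len(glue) + edns)
    m.name(".")
    m.buf += struct.pack("!HH", NS, 1)
    for s in LETTERS:
        m.rr(".", NS, lambda s=s: m.name(f"{s}.root-servers.net."))
    if dnssec:
        def rrsig():
            # type covered, alg, labels, orig TTL, expiry, inception, key tag
            m.buf += struct.pack("!HBBIIIH", NS, 8, 0, TTL, 0, 0, 15768)
            m.name(".")                # signer name
            m.buf += bytes(sig_len)    # signature: only its length matters
        m.rr(".", RRSIG, rrsig)
    for s, rtype in glue:
        addr = GLUE_A[s] if rtype == A else GLUE_AAAA[s]
        m.rr(f"{s}.root-servers.net.", rtype,
             lambda a=addr: m.buf.extend(ipaddress.ip_address(a).packed))
    if edns:                           # OPT pseudo-RR: ".", udp 4096, DO bit
        m.name(".")
        m.buf += struct.pack("!HHIH", OPT, 4096, 0x8000 if dnssec else 0, 0)
    return bytes(m.buf)


PAIRED = [(s, t) for s in LETTERS for t in (A, AAAA)]
A_FIRST = [(s, A) for s in LETTERS] + [(s, AAAA) for s in LETTERS]
AAAA_FIRST = [(s, AAAA) for s in LETTERS] + [(s, A) for s in LETTERS]


def fit_under_limit(limit, dnssec=False, edns=True, order=PAIRED):
    """Add glue in the given order until the next RR would exceed the UDP
    payload limit (512 without EDNS). Returns (message, glue, truncated)."""
    if len(priming_response(dnssec, edns, ())) > limit:
        # Even the answer section does not fit: only a TC=1 reply is possible
        # and the client must retry over TCP or with a larger buffer.
        return None, [], True
    kept = []
    for rec in order:
        if len(priming_response(dnssec, edns, kept + [rec])) > limit:
            break
        kept.append(rec)
    return priming_response(dnssec, edns, kept), kept, False


if __name__ == "__main__":
    print("EDNS, RRSIG, no glue:", len(priming_response(True, True)))           # 525
    print("EDNS, full glue:     ", len(priming_response(False, True, PAIRED)))  # 811
    print("EDNS, glue + RRSIG:  ", len(priming_response(True, True, PAIRED)))   # 1097
    for label, order in (("A first", A_FIRST), ("AAAA first", AAAA_FIRST), ("paired", PAIRED)):
        msg, glue, _ = fit_under_limit(512, edns=False, order=order)
        n_a = sum(t == A for _, t in glue)
        print(f"no EDNS, {label}: {len(msg)} bytes, {n_a} A + {len(glue) - n_a} AAAA")
```

Each NS record after the first costs 15 bytes because "root-servers.net" compresses to a pointer, each A glue record 16 bytes and each AAAA 28 bytes because the owner name is a bare pointer into the NS RRset, and the RRSIG adds 286 bytes. That arithmetic is why a 512-byte non-EDNS reply can carry at most 284 bytes of glue, and why the three 492/508-byte responses on the slides contain different subsets.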
A Work in Progress
Suggestions Welcome
Ask for PCAPs from all K instances and use packetq thus:
select * from dns where qname='.' and qtype=2 and dst_port=53;
Anonymised Data Available
First Observation | 2017-07-14 00:00:10 | |
Last Observation | 2017-07-21 00:04:50 | |
Days Observed | 7 | |
Number of Queries | 1,193,621,459 | |
Average Queries/s | 1,972 | ~ DSC |
IPv6 | 211,415,981 | 17.71% |
DNSSEC OK | 1,139,619,012 | 95.48% |
UDP | 1,138,980,406 | 95.42% |
EDNS | 1,142,886,210 | 95.75% > UDP |
Unique Source Addresses | 4,081,183 | << 10^9 |
Only just over 60% of Clients 'Well Behaved'
10 % of Clients 'Hyperactive'
Me: What is happening? Are you under attack?
Them: Oops! No that was us. Fixed.
Me: How did you manage?
Them: We configured unbound thus:
cache-min-ttl: 0       (default: 0)
cache-max-ttl: 0       (default: 86400)
rrset-cache-size: 0    (default: 4m)
msg-cache-size: 0      (default: 4m)
Me: Why?
Them: We needed uncached answers.
Me: <speechless>
In DNS there is always another surprise
DNS software should have safeties
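One form such a safety can take is a configuration check that runs before the resolver goes into production. The script below is an added example, not from the talk or the Unbound project: it parses unbound.conf-style "option: value" lines and reports the settings from the anecdote that turn a resolver into a cache-less relay of every query to the root. The "cache-max-ttl below 60 seconds" threshold is this example's own choice; the defaults it compares against are the ones quoted on the slide.

```python
"""Safety check for Unbound cache settings (added example, not from the
talk or the Unbound project). Reads unbound.conf-style "option: value"
lines and flags values that disable caching. The 60-second threshold for
cache-max-ttl is this example's own choice; the defaults are the ones
quoted on the slide."""

SIZE_SUFFIX = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
DEFAULTS = {"cache-max-ttl": "86400", "rrset-cache-size": "4m",
            "msg-cache-size": "4m"}


def parse_size(text):
    """Parse an Unbound memory size such as '4m' or '512k' into bytes."""
    text = text.strip().lower()
    if text and text[-1] in SIZE_SUFFIX:
        return int(text[:-1]) * SIZE_SUFFIX[text[-1]]
    return int(text)


def parse_unbound_options(config_text):
    """Collect 'key: value' pairs, ignoring comments and 'server:' headers."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        value = value.strip().strip('"')
        if sep and value:
            opts[key.strip()] = value
    return opts


# option -> (parser, predicate that marks the value unsafe, explanation)
CHECKS = {
    "cache-max-ttl": (int, lambda v: v < 60,
                      "answers expire almost at once, every lookup goes upstream"),
    "rrset-cache-size": (parse_size, lambda v: v == 0, "RRset cache disabled"),
    "msg-cache-size": (parse_size, lambda v: v == 0, "message cache disabled"),
}


def audit_cache_settings(config_text):
    """Return one finding per option whose value makes the resolver forward
    every query to the authoritative servers instead of answering from cache."""
    opts = parse_unbound_options(config_text)
    findings = []
    for key, (parse, unsafe, why) in CHECKS.items():
        value = opts.get(key, DEFAULTS[key])
        if unsafe(parse(value)):
            findings.append(f"{key}: {value} (default {DEFAULTS[key]}) -> {why}")
    return findings


# Constructed samples: the settings from the anecdote, and the defaults.
UNCACHED_CONFIG = """
server:
    cache-min-ttl: 0
    cache-max-ttl: 0        # "we needed uncached answers"
    rrset-cache-size: 0
    msg-cache-size: 0
"""
SANE_CONFIG = """
server:
    cache-max-ttl: 86400
    rrset-cache-size: 4m
    msg-cache-size: 4m
"""

if __name__ == "__main__":
    for finding in audit_cache_settings(UNCACHED_CONFIG):
        print("UNSAFE", finding)
    print("sane config findings:", audit_cache_settings(SANE_CONFIG))
```

Run against the anecdote's settings it reports all three cache-disabling options; against the defaults it reports nothing. The same shape of check belongs in the resolver itself: refusing or at least loudly warning about a zero cache is cheaper than the extra 2,000 queries per second the root operator saw.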
"Almost all queries to the root name servers are not useful for DNS resolution."
Even for Priming Queries …
'Well Behaved': ~1% of the load
Probably not useful: 95% of the load
Is this good engineering?
Bigger responses are more acceptable now than back in 1995.
More service addresses could probably be added.
Write the paper
Classify client behavior
Do bigger responses actually reach the client?
Include root-servers.net queries
Add more addresses / root name server operators?
Probably possible, but why?
Distribute/cache the root zone more aggressively!
Move away from roots having to take all possible abuse. Yes definitely!
There are better ways to distribute a 2 MB file!
Questions & Answers