Comments on DNS Robustness (Mark Allman, Reformed IETF Native)



SLIDE 1

“Been away so long I hardly knew the place, Gee, it's good to be back home”

Mark Allman
Reformed IETF Native
Applied Networking Research Workshop
July 2018

Comments on DNS Robustness

SLIDE 2

Allman

Observation #1

SLIDE 3

Observation #2

[Figure: x-axis years 2009 to 2019; y-axis "Growth Rate" from 1 to 1.6; series: SLDs]

SLIDE 4

Observation #2

[Figure: x-axis years 2009 to 2019; y-axis "Growth Rate" from 1 to 1.6; series: A RRs, SLDs]

SLIDE 5

How Robust Is DNS?

  • “Good Enough”
  • But, … um … ahem …

[Figure: x-axis years 2009 to 2019; y-axis "Growth Rate" from 1 to 1.6; series: A RRs, SLDs]

SLIDE 6

How Robust Is DNS?

  • What do we mean by “robust”?
    • many dimensions
    • our focus:
      • always able to communicate with an auth server holding the DNS record we seek

SLIDE 7

DNS Robustness

[Diagram: DNS hierarchy. Nodes: root; .edu, .com, .org; .eff.org, .icir.org, .cnn.com, .ebay.com, .case.edu, .berkeley.edu, .icsi.berkeley.edu, imaphost.icsi.berkeley.edu, git.icir.org]

SLIDE 8

DNS Robustness

[Diagram: the DNS hierarchy shown on slide 7]

  • Community infrastructure
  • Many named replicas
    • e.g., a-root, b-root, etc.
  • Many unnamed replicas
    • i.e., via anycast routing

SLIDE 9

DNS Robustness

[Diagram: the DNS hierarchy shown on slide 7]

  • Few named replicas
    • ~80% of SLDs have <= 2 named auth servers
  • Unknown / variable use of anycast replicas
  • Myriad operators / policies

SLIDE 10

How Robust Is DNS?

  • Let’s measure some facets of the system at the SLD level that bear on robustness

SLIDE 11

Datasets

[Diagram labels: .com zone file, .net zone file, .org zone file, Alexa Top 1M, Winnowed Zone File]

Once / Month, Apr 09 - Apr 18

Data courtesy of Verisign, Alexa, Emile Aben (RIPE) and Quirin Scheitle (TUM)

SLIDE 12

Robustness Specifications

  • RFC 1034: must have multiple authoritative nameservers for robustness
  • RFC 2182: authoritative nameservers must be geographically and topologically diverse

SLIDE 13

What Is Network Diversity?

  • We start cheap & conservative:
    • use /24 address blocks to define diversity
    • two addresses in one /24: no diversity
    • two addresses in two /24s: diversity
    (but, really, who knows?!)
  • Future work includes using historical routing data

SLIDE 14

  • Spec. vs. Reality

[Figure: x-axis years 2009 to 2019; y-axis "Percentage of SLDs" from 10 to 55; series: "= Min"]

SLIDE 15

  • Spec. vs. Reality

[Figure: x-axis years 2009 to 2019; y-axis "Percentage of SLDs" from 10 to 55; series: "= Min", "> Min"]

SLIDE 16

  • Spec. vs. Reality

[Figure: x-axis years 2009 to 2019; y-axis "Percentage of SLDs" from 10 to 55; series: "= Min", "< Min", "> Min"; annotations: "Upper Bound", "Lower Bound"]

SLIDE 17

Shared Infrastructure

[Diagram: the DNS hierarchy shown on slide 7]

SLIDE 18

Shared Infrastructure

[Diagram: the DNS hierarchy shown on slide 7]

  • Different parts of the tree, but rely on same auth servers

SLIDE 19

Shared Infrastructure

  • Hierarchy belies much concentration
  • Concentration compounds issues
  • Perhaps concentration invites trouble

SLIDE 20

Nameserver-Level Analysis

  • For each SLD, determine the number of other SLDs that use the same set of nameservers (by IP address)
  • Repeat for each month in dataset

SLIDE 21

Nameserver-Level Analysis

[Figure: x-axis years 2009 to 2019; y-axis "Number of Overlapping SLDs" with ticks from 10 to 100000; series: Maximum, Median]

Distributions are fairly stable across time.
Half the SLDs share the same nameservers as > 100 other SLDs.
9-10K SLDs share the same set of nameservers.

SLIDE 22

Network-Level Analysis

  • For each SLD determine the number of other SLDs whose nameservers fall within the same /24 address blocks
  • Repeat for each month in dataset
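The /24 diversity rule from slide 13 and the nameserver-level and network-level overlap counts from slides 20 and 22, as an added example that is not code from the talk or the draft paper. The zone data is constructed from documentation address ranges, only IPv4 is handled, and treating "the same /24 address blocks" as an exact match on the set of /24s is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (documentation address ranges, not data from the talk):
# SLD -> IPv4 addresses of its authoritative nameservers.
ZONE = {
    "alpha.example":   ["192.0.2.10", "192.0.2.20"],     # two servers, one /24
    "bravo.example":   ["192.0.2.20", "192.0.2.10"],     # same servers as alpha
    "charlie.example": ["192.0.2.53", "198.51.100.53"],  # two /24s
    "delta.example":   ["198.51.100.7", "192.0.2.99"],   # charlie's /24s, other hosts
    "echo.example":    ["203.0.113.1"],                  # single server
}

def ns_set(addrs):
    """Nameserver identity as on slide 20: the set of IP addresses."""
    return frozenset(ipaddress.IPv4Address(a) for a in addrs)

def block_set(addrs):
    """Network identity as on slides 13 and 22: the set of covering /24s."""
    return frozenset(ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs)

def is_diverse(addrs):
    """Slide 13 rule: diverse only if the addresses span at least two /24s."""
    return len(block_set(addrs)) >= 2

def overlap(zone, key):
    """For each SLD, count the other SLDs whose key(addrs) is identical."""
    groups = defaultdict(list)
    for sld, addrs in zone.items():
        groups[key(addrs)].append(sld)
    return {sld: len(groups[key(addrs)]) - 1 for sld, addrs in zone.items()}

def report(zone):
    """Per-SLD tuple: (diverse?, nameserver-level overlap, network-level overlap)."""
    by_ns, by_net = overlap(zone, ns_set), overlap(zone, block_set)
    return {s: (is_diverse(a), by_ns[s], by_net[s]) for s, a in zone.items()}

if __name__ == "__main__":
    for sld, row in report(ZONE).items():
        print(f"{sld:16} diverse={row[0]!s:5} same_ns={row[1]} same_/24s={row[2]}")
```

In the sample, charlie.example and delta.example share no nameserver address yet land in the same network-level group, which is why the network-level counts can only be equal to or larger than the nameserver-level ones.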

SLIDE 23

Network-Level Analysis

[Figure: x-axis years 2009 to 2019; y-axis "Number of Overlapping SLDs" with ticks from 10 to 100000; series: Maximum, Median; annotations: "2x", "25x"]

Nameserver concentration is increasing over time.
Half the SLDs are in groups with > 3K other SLDs

SLIDE 24

Top 10 SLD Groups

| Rank | Num. SLDs | Num. /24s | Same Last Hop |
|---|---|---|---|
| 1 | 71,472 | 2 | ✓ |
| 2 | 69,637 | 2 | |
| 3 | 15,421 | 2 | ✓ |
| 4 | 13,044 | 2 | ✓ |
| 5 | 8,347 | 2 | |
| 6 | 6,111 | 2 | ✓ |
| 7 | 5,568 | 3 | ✗ |
| 8 | 5,076 | 2 | |
| 9 | 4,788 | 2 | |
| 10 | 4,611 | 4 | |
| Total | 204,075 | 23 | |

> 20% of the popular SLDs rely on 19 edge networks!
> 20% of the popular SLDs fall within 23 /24 blocks!

SLIDE 25

Conclusions

  • DNS sky is not falling
  • But, we have some unhealthy habits …
    • too little auth server replication
    • too much auth server concentration
  • Note: concentration is not wholly bad

SLIDE 26

Questions? Comments?

Mark Allman, mallman@icir.org
https://www.icir.org/mallman/
@mallman_icsi

Draft paper: https://www.icir.org/mallman/pubs/All18