Documente Academic
Documente Profesional
Documente Cultură
assisted by
Applic. browser
Cache
Server OS
[13],[14]
Tx device
[4] [2] [5] [6] [16]
Focus of DNS analysis has been on resolver and authoritative bulk data analysis
Key question: How will DNSSEC change the behavior of DNS client querying? More specific How do DNS stub resolvers react to response types such as ServFail, responses > 512 Bytes, ?
Experiments
Impact
11-3-2011
Experimental set-up
OS: Windows XP, Windows 7, Ubuntu Linux, Mac OSX Browsers: IE, Firefox, Chrome, Safari not all combis, but quite some
DNS Resolver
Client
Test execution
query via ping (=> OS only) and via browser (=> browser & OS) repeat query once to check impact of caching
and IPv4?
Safari x1 x1 x1 x1
Total x1 x2 x4 1+TCP
IE x1 x1 x1 x1
Chrome x1 x1 x1 x1
Windows XP x1 x1 x5 1+TCP
Windows XP x1 x1 x5 1+TCP
Total x1 x1 x5 1+TCP
Total x1 x1 x5 1+TCP
In fact, same behaviour for IE, Chrome, Firefox, Safari on Windows XP or Windows 7
Browser pre-fetching
Firefox by default queries anticipated next URLs for a page Chrome pre-fetches stored, successfully retrieved URLs, when started
Valid, NXdomain and truncated responses are cached TCP session for truncated responses is handled by resolver
DNS Resolver
Experiments
Impact
13
11-3-2011
Repeat query
User
1,0E-01
Firefox
9,0E-02
Linux
9,0E-02
Resid.GW
BIND9
900 1,98 0,00 22,32 67,0 0,00 0,0 0,09 1,3 0,00 0,0 0,00 0,0 0,00 0,0 900.000 682.200
2,2E-03
2,2E-03 4,5E-03 0,0E+00 0,0E+00 9,0E-06 1,8E-05 0,0E+00 0,0E+00 0,0E+00 0,0E+00
2,2E-03 8,9E-03 0,0E+00 0,0E+00 9,0E-06 7,2E-05 0,0E+00 0,0E+00 0,0E+00 0,0E+00
Repeat-NXdomain Partial Repeat-Partial Servfail Repeat-Servfail Timeout Repeat-Timeout Refused Repeat-Refused Truncated Repeat-Truncated Query to TLD Valid Valid (>512B) Nxdomain Repeat-NXdomain Partial Repeat-Partial Servfail Repeat-Servfail Timeout Repeat-Timeout Refused Repeat-Refused Truncated Repeat-Truncated Query to SLD Valid Valid (>512B) Nxdomain Repeat-NXdomain Partial Repeat-Partial Servfail Repeat-Servfail Timeout Repeat-Timeout Refused Repeat-Refused Truncated Repeat-Truncated
6,4E-04 3,2E-04 1,7E-04 3,2E-04 0,0E+00 2,9E-02 1,5E-04 1,6E-03 1,8E-04 0,0E+00 1,8E-04 0,0E+00 0,0E+00 0,0E+00 9,0E-06 0,0E+00
181.980 127,39 1,82 9,10 27,3 0,00 0,0 1,82 25,5 0,00 0,0 1,82 12,7 3,64 3,6 69.152
9,1E-04
9,1E-04 1,8E-03 0,0E+00 0,0E+00 1,8E-04 3,6E-04 0,0E+00 0,0E+00 1,8E-04 3,6E-04
9,1E-04 3,6E-03 0,0E+00 0,0E+00 1,8E-04 1,5E-03 0,0E+00 0,0E+00 1,8E-04 1,5E-03
31.285
2,2E-02 1,5E-04 1,6E-03 3,2E-03 0,0E+00 0,0E+00 3,2E-04 6,4E-04 1,7E-04 3,4E-04 3,2E-04 6,4E-04 6,4E-04 2,2E-02 1,5E-04 1,6E-03 6,4E-03 0,0E+00 0,0E+00 3,2E-04 2,6E-03 1,7E-04 1,3E-03 3,2E-04 2,6E-03 6,4E-04 0,0E+00 3,2E-04
SLD
224,03 3,20 16,00 48,0 0,00 0,0 3,20 44,8 0,00 0,0 3,20 22,4 6,40 6,4
12.162
Applic. browser
Cache
-3%
Authoritative TLD
Cache
Predicted query load reduction as result of modifying aggressive Linux/Mac behavior is small
penetration of Linux / Mac OSX relatively low behavior occurs in case of exceptions (ServFail, NXdomain, )
Impact outlook
- scenario: 10% DNSSEC validation error for SLD
CLIENT Resolver (DNS proxy)
-1% DNS resolver SW Operating system DNS stub Server OS -10% Tx device -3% Authoritative SLD
Cache
Applic. browser
Cache
-3%
Authoritative TLD
Cache
DNSSEC configuration errors at a domain will attract more traffic, due to observed behavior
Impact outlook
- scenario: NXdomain caching disabled at resolver
CLIENT Resolver (DNS proxy)
-15% DNS resolver SW Operating system DNS stub Server OS -3% Tx device -2% Authoritative SLD
Cache
Applic. browser
Cache
-3%
Authoritative TLD
Cache
Experiments
Impact
18
11-3-2011
Summary
Linux and Mac clients display aggressive DNS behavior, in case of non-valid responses
Resolvers partly damp aggressive behavior, but also amplify it
Although, for some particular cases the behavior amplifies traffic volume and rate
Next steps
Share experiences with other experts Contribute to improving DNS function in the glibc(?)
alternative for pinpointed code part causing the amplification