
DNSwitness: A Generic Platform For DNS-based Measurements

Journée « Mesures Internet », Paris, 24 April 2012

{Samia.Mtimet, Stephane.Bortzmeyer, Mohsen.Souissi} (at) afnic.fr

Overview

•  Motivation

•  Principles & Requirements

•  Architecture

•  Past & Current Uses

•  Some results

•  Conclusion & Prospective work


Motivation

•  A DNS registry sits on a “gold mine” of DNS data
•  What does the DNS tell us?
   -  There is precious information to extract and use
   -  Our marketing team, technical team and management ask various questions we may have the answer for:
      -  “How many of our domains are used for e-mail only?”
      -  “How has the penetration rate of IPv6, DNSSEC or phenomenon X evolved over the last N years?”
      -  “Could you assess the technical quality of a given portfolio of DNS zones?”
•  We focus on things that we can obtain by starting with the DNS
   -  Either from the DNS itself
   -  Or by further exploring

Principles & Requirements

•  Generic
   -  Can do many different surveys
   -  Most known tools deal only with one survey
•  Automatic
   -  Works unattended (from cron, for instance), for periodic runs
•  Store raw results
   -  Not just aggregates
   -  For long-term analysis
•  Free Software
•  Usable by small and medium actors
   -  Run it yourself, and keep your own data, share aggregated & anonymized results
   -  No data to be sent to a centralized analysis fabric

Global Architecture

•  DNSwitness Platform: 2 main (free) software components
   -  DNSdelve, for active measurement
      -  What we send out: active DNS queries sent to domains
      -  “Go on a fishing trip!”
      -  Typically: sampling in a TLD zone file vs comprehensive walk
   -  DNSmezzo, for passive measurement
      -  What comes in: DNS queries sent to name servers, passively monitored
      -  “Who’s knocking at our door?”
      -  Sampling by default (might take all the traffic for a given window of time)
•  A database to store results
   -  To allow long-term surveys and study the evolution
   -  To benchmark with other partners based on uniform indicators/metrics

Architecture: Active Measurements Component (DNSdelve)

•  A framework
   -  To gather information from the DNS zones delegated by a registry
   -  To get starting points to explore the Internet for further information
•  Composed of
   -  A generic basis:
      -  Handles zone file parsing and parallel querying of the zones
   -  Modules dedicated to targeted surveys:
      -  Perform the actual queries: ask explicit questions to the DNS
      -  Examples: IPv6, DNSSEC, SPF modules already available

Architecture: Passive Measurements Component (DNSmezzo)

•  Capture DNS traffic, analyze content and store in a database
   -  By sniffing the DNS traffic on a server (port mirroring, tcpdump…)
   -  Storing structured info (what we have learnt) in an RDBMS
•  Do measurements/statistics by querying the DB
   -  Periodically, unattended or on-demand runs
   -  Examples:
      -  Top N domains queried for (and more specifically those which yield an NXDOMAIN answer)
      -  Percentage of queries targeting AAAA (wrt A) records
      -  Percentage of traffic transported on IPv6 (wrt IPv4)
      -  How many queries use EDNS0 and for which sizes?
      -  Percentage of recursive name servers patched against Kaminsky attack (SPR)
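The statistics listed above can be computed directly from captured query packets. The following Python example is added here and is not DNSmezzo code: it parses wire-format DNS queries and derives the query-type mix, the EDNS0 sizes, the IPv6 transport share and the sources that never change source port (the SPR indicator, read here as source port randomisation). The function names, the `min_q` threshold and the sample capture are assumptions constructed for illustration.

```python
import struct  # added example, not DNSmezzo code; all names here are illustrative
from collections import Counter, defaultdict

QTYPES = {1: "A", 2: "NS", 15: "MX", 28: "AAAA"}

def build_query(name, qtype, edns_size=None):  # only used to build sample input
    hdr = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 1 if edns_size else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    opt = b"\0" + struct.pack("!HHIH", 41, edns_size, 0, 0) if edns_size else b""
    return hdr + qname + struct.pack("!HH", qtype, 1) + opt

def parse_query(msg):
    """Return (qtype, EDNS0 UDP payload size or None) for a one-question query."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if flags & 0x8000 or qd != 1 or an or ns:
        raise ValueError("not a plain query")
    pos = 12
    while msg[pos]:                       # walk the QNAME labels
        if msg[pos] > 63:
            raise ValueError("compression pointer in question name")
        pos += 1 + msg[pos]
    (qtype,) = struct.unpack("!H", msg[pos + 1:pos + 3])
    pos += 5                              # skip root label, QTYPE and QCLASS
    if ar and msg[pos:pos + 3] == b"\0\0\x29":  # OPT RR: root owner name, type 41
        return qtype, struct.unpack("!H", msg[pos + 3:pos + 5])[0]  # CLASS = UDP size
    return qtype, None

def summarize(packets, min_q=3):
    """Aggregate (src_ip, src_port, payload) tuples; fixed_port = no port change."""
    qtypes, edns, ports, v6 = Counter(), Counter(), defaultdict(list), 0
    for src, sport, payload in packets:
        try:
            qtype, size = parse_query(payload)
        except (ValueError, IndexError, struct.error):
            continue                      # malformed or not a query: skip it
        v6 += ":" in src
        qtypes[QTYPES.get(qtype, "Others")] += 1
        edns[size] += 1
        ports[src].append(sport)
    total, both = sum(qtypes.values()), qtypes["A"] + qtypes["AAAA"]
    fixed = sorted(s for s, p in ports.items() if len(p) >= min_q and len(set(p)) == 1)
    return {"qtypes": dict(qtypes), "edns0_sizes": dict(edns), "fixed_port": fixed,
            "ipv6_pct": 100 * v6 / total if total else 0.0,
            "aaaa_pct": 100 * qtypes["AAAA"] / both if both else 0.0}

# Constructed sample capture: documentation addresses, made-up traffic, one junk packet.
SAMPLE = [("192.0.2.10", 53, build_query("example.fr", t)) for t in (1, 28, 15)]
SAMPLE += [("2001:db8::53", p, build_query("example.fr", t, s))
           for p, t, s in ((40211, 1, 4096), (61573, 28, 4096), (18034, 1, 1232))]
SAMPLE.append(("192.0.2.77", 5353, b"\x00\x01junk"))
```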

Similar Work (DNS-based)

•  Active measurements
   -  “The Health of the Internet in Sweden” (annual reports): https://www.iis.se/en/internet-for-alla/halsolaget
•  Passive measurements:
   -  IIS.se dns2db http://opensource.iis.se/trac/dns2db
   -  ISC SIE https://sie.isc.org/
   -  DSC http://dns.measurement-factory.com/tools/dsc/

Past & Current DNSwitness Uses

•  Feeding the French Annual DNS Industry Report with IPv6 figures
   -  http://www.afnic.fr/fr/ressources/publications/observatoire-du-marche-des-noms-de-domaine-en-france-3.html
•  Contribution to the OECD Report on IPv6 Deployment Measurements in the world
   -  http://www.oecd.org/dataoecd/48/51/44953210.pdf
•  As a platform for Internet Resilience measurements in France
   -  “Observatoire de la Résilience de l’Internet en France”
   -  Jointly with ANSSI (the French Network and Information Security Agency)
   -  AFNIC’s contribution: from the DNS perspective
   -  Results unveiled at the DNS-OARC meeting (while waiting for the 1st edition of the report to be published): https://www.dns-oarc.net/files/workshop-201203/OARC-London-2012.pdf
•  Surveys on demand (AFNIC or third parties)

Active measurements results

[Figure: IPv6 penetration rate in domains under .fr. X-axis: Q1-09, Q2-09, Q3-09, Q4-10, Q1-11, Q2-11, Q3-11, Q4-11, Q1-12, Q2-12. Y-axis: 0% to 45%. Series: DNS, Web, Mail, IPv6-Enabled, IPv6-Full.]

Active measurements results (2)

[Figure: Name server distribution for zones under .fr. Legend: AS x, AS y, AS z, AS t, AS u, Others. Data labels: 36%, 16%, 11%, 4%, 3%, 30%.]

Active measurements results (3)

[Figure: Name server distribution per country for zones under .fr. Legend: France, Germany, USA, Great Britain, Switzerland, Others. Data labels: 71%, 13%, 11%, 1%, 1%, 4%.]

Passive measurements results

[Figure: % of DNS transport in IPv4 vs IPv6. X-axis: 2009, 2010, 2011, 2012. Y-axis: 90% to 100%. Series: IPv6 transport (%), IPv4 transport (%). Data labels: 0.60, 0.60, 2.20, 3.47.]

Passive measurements results (2)

[Figure: DNS query type distribution for domain names under .fr. X-axis: 2011-07, 2011-10, 2011-11, 2011-12, 2012-01, 2012-02, 2012-03, 2012-04. Y-axis: 0% to 100%. Series: Others (%), MX (%), NS (%), AAAA (%), A (%). Data labels: 8.06, 7.29, 6.85, 8.68, 9.17, 8.45, 7.65, 7.57.]

Passive measurements results (3)

[Figure: Number of DNSSEC-signed delegations (DS). X-axis: 2011-11, 2012-04. Y-axis: 0 to 300. Series: Nb DS.]

Conclusion & Prospective Work

•  DNSwitness is a generic measurements platform used in different contexts for different needs
   -  It has served multiple purposes so far
   -  The platform is running in production at AFNIC premises
•  Will evolve continuously in order to answer new needs
   -  Collaboration with researchers
      -  Define metrics and get periodic measurements
      -  Put together results and get a joint analysis activity for a complete and long-term view
   -  New developments for:
      -  Additional resilience indicators measurements
      -  Additional services penetration rate measurements
      -  Added-value services for AFNIC and third parties

www.afnic.fr

contact@afnic.fr

Twitter: @AFNIC

Facebook: afnic.fr

Thank you!
