DNSwitness: A Generic Platform For DNS-based Measurements
Journée « Mesures Internet », Paris, 24 April 2012
{Samia.Mtimet, Stephane.Bortzmeyer, Mohsen.Souissi} (at) afnic.fr
Overview
• Motivation
• Principles & Requirements
• Architecture
• Past & Current Uses
• Some results
• Conclusion & Prospective work
Motivation
A DNS registry sits on a "gold mine" of DNS data.
What does the DNS tell us? There is precious information to extract and use. Our marketing team, technical team and management ask various questions we may have the answer to:
• "How many of our domains are used for e-mail only?"
• "How has the penetration rate of IPv6, DNSSEC or phenomenon X evolved over the last N years?"
• "Could you assess the technical quality of a given portfolio of DNS zones?"
We focus on things that we can obtain by starting with the DNS:
• either from the DNS itself,
• or by further exploring from there.
Principles & Requirements
• Generic: can do many different surveys (most known tools deal with only one survey)
• Automatic: works unattended (from cron, for instance), for periodic runs
• Store raw results, not just aggregates, for long-term analysis
• Free Software
• Usable by small and medium actors: run it yourself and keep your own data; share aggregated and anonymized results; no data is sent to a centralized analysis fabric
Global Architecture
DNSwitness Platform: 2 main (free) software components
• DNSdelve, for active measurement. What we send out: active DNS queries sent to domains ("Go on a fishing trip!"). Typically sampling in a TLD zone file, versus a comprehensive walk
• DNSmezzo, for passive measurement. What comes in: DNS queries sent to name servers, passively monitored ("Who's knocking at our door?"). Sampling by default (it may take all the traffic for a given window of time)
• A database to store results: to allow long-term surveys and study the evolution; to benchmark against other partners based on uniform indicators/metrics
Architecture: Active Measurements Component (DNSdelve)
A framework to gather information from the DNS zones delegated by a registry, and to get start points to explore the Internet for further information
Composed of:
• A generic basis: handles zone file parsing and parallel querying of the zones
• Modules dedicated to targeted surveys: perform the actual queries (ask explicit questions to the DNS). Examples: IPv6, DNSSEC and SPF modules are already available
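What such a generic basis plus one module looks like in practice, as an added example in Python (not DNSdelve's own code): a zone-file parser that extracts the delegated domains, a fixed-seed sampler, an IPv6 survey module run through a thread pool, and an aggregation step over the raw per-domain records. The zone excerpt and the stub resolver are constructed for the example; the resolver is injected as a callable so the block runs offline, and a real run would pass a function backed by an actual resolver with the same (name, rrtype) -> list-of-rdata contract. The DNS / Web / IPv6-Enabled / IPv6-Full categories follow the labels on the results slides; the exact criteria AFNIC uses are an assumption here.

```python
"""DNSdelve-style active survey (added illustration, not DNSdelve's code):
parse a zone file, sample delegated domains, query them in parallel through a
pluggable resolver, keep the raw per-domain results, then aggregate."""
import random
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

Resolver = Callable[[str, str], List[str]]  # (name, rrtype) -> list of rdata strings

# Constructed TLD zone excerpt (not real .fr data).  Only NS records one label
# below the origin define the set of delegated domains to survey.
ZONE_TEXT = """\
; constructed TLD zone excerpt
fr.              IN SOA  ns.example.fr. hostmaster.example.fr. 1 1 1 1 1
fr.              IN NS   ns.example.fr.
alpha.fr.        IN NS   ns1.alpha.fr.
alpha.fr.        IN NS   ns2.alpha.fr.
ns1.alpha.fr.    IN A    192.0.2.1
bravo.fr.        IN NS   ns.host.example.
charlie.fr.      IN NS   ns.host.example.
delta.fr.        IN NS   ns1.delta.fr.
"""

def delegated_domains(zone_text: str, origin: str) -> List[str]:
    """Unique domains delegated with NS records directly under origin, in file order."""
    found: List[str] = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments
        if not line:
            continue
        fields = line.split()                        # owner [class] type rdata...
        if "NS" not in fields[1:3]:
            continue
        owner = fields[0].rstrip(".").lower()
        if owner == origin or not owner.endswith("." + origin):
            continue
        if owner.count(".") != origin.count(".") + 1:
            continue                                 # deeper than one label below origin
        if owner not in found:
            found.append(owner)
    return found

def sample_domains(domains: List[str], n: int, seed: int) -> List[str]:
    """Fixed-seed sample so a periodic (cron) run is reproducible and auditable."""
    return sorted(random.Random(seed).sample(domains, min(n, len(domains))))

def ipv6_survey(domain: str, resolve: Resolver) -> Dict[str, object]:
    """IPv6 module: store the raw answers, then classify.
    dns: at least one name server has an AAAA record; web: www.<domain> has one;
    ipv6_enabled: dns or web; ipv6_full: both (criteria assumed for this example)."""
    nameservers = resolve(domain, "NS")
    ns_aaaa = {ns: resolve(ns, "AAAA") for ns in nameservers}
    www_aaaa = resolve("www." + domain, "AAAA")
    dns_ok, web_ok = any(ns_aaaa.values()), bool(www_aaaa)
    return {"domain": domain, "ns_aaaa": ns_aaaa, "www_aaaa": www_aaaa,
            "dns": dns_ok, "web": web_ok,
            "ipv6_enabled": dns_ok or web_ok, "ipv6_full": dns_ok and web_ok}

def run_survey(domains: List[str], resolve: Resolver, workers: int = 8) -> List[Dict[str, object]]:
    """Parallel querying; results keep the input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda d: ipv6_survey(d, resolve), domains))

def penetration(results: List[Dict[str, object]]) -> Dict[str, float]:
    """Aggregate (percentages) computed from the raw records, never stored instead of them."""
    n = len(results)
    return {k: 100.0 * sum(bool(r[k]) for r in results) / n
            for k in ("dns", "web", "ipv6_enabled", "ipv6_full")}

# Constructed answers standing in for the live DNS (alpha: full, bravo: nothing,
# charlie: web only, delta: DNS only).
STUB_ANSWERS = {
    ("alpha.fr", "NS"): ["ns1.alpha.fr", "ns2.alpha.fr"],
    ("ns1.alpha.fr", "AAAA"): ["2001:db8::1"], ("www.alpha.fr", "AAAA"): ["2001:db8::80"],
    ("bravo.fr", "NS"): ["ns.host.example"],
    ("charlie.fr", "NS"): ["ns.host.example"], ("www.charlie.fr", "AAAA"): ["2001:db8::2"],
    ("delta.fr", "NS"): ["ns1.delta.fr"], ("ns1.delta.fr", "AAAA"): ["2001:db8::3"],
}

def stub_resolve(name: str, rrtype: str) -> List[str]:
    return list(STUB_ANSWERS.get((name, rrtype), []))

if __name__ == "__main__":
    sample = sample_domains(delegated_domains(ZONE_TEXT, "fr"), 1000, seed=42)
    print(penetration(run_survey(sample, stub_resolve)))
```

The thread pool is where a real module must rate-limit: a registry-wide run against third-party name servers is itself a burst of traffic, so `workers` and the sample size are the knobs that keep the survey from looking like a scan.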
Architecture: Passive Measurements Component (DNSmezzo)
• Capture DNS traffic, analyze its content and store it in a database: sniff the DNS traffic on a server (port mirroring, tcpdump...) and store structured information (what we have learnt) in an RDBMS
• Do measurements/statistics by querying the DB, in periodic unattended runs or on demand. Examples:
  • Top N domains queried for (and more specifically those which yield an NXDOMAIN answer)
  • Percentage of queries targeting AAAA (vs. A) records
  • Percentage of traffic transported over IPv6 (vs. IPv4)
  • How many queries use EDNS0, and with which buffer sizes?
  • Percentage of recursive name servers patched against the Kaminsky attack (source port randomization, SPR)
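The same pipeline end to end, as an added example in Python (not DNSmezzo's code): a parser for DNS query packets in wire format that pulls out the question and the EDNS0 payload size, one row per query in an in-memory SQLite table standing in for the RDBMS, and SQL for the statistics listed above, including a source-port randomization check for the Kaminsky question. The packets, client addresses, ports, address families and answer codes are constructed inline (not captured traffic), and the fixed-port heuristic is an assumption for illustration, with its NAT caveat noted in the code.

```python
"""DNSmezzo-style passive pipeline (added illustration, not DNSmezzo's code):
parse captured DNS queries from wire format, store one row per query in an
RDBMS (SQLite in memory here), then answer survey questions with SQL.
The capture below is constructed inline; no pcap is needed."""
import sqlite3
import struct
from typing import Dict, List, Optional, Tuple

QTYPES = {1: "A", 2: "NS", 15: "MX", 28: "AAAA"}

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(qname: str, qtype: int, edns_size: Optional[int] = None) -> bytes:
    """Query packet: 12-byte header, one question, optional OPT pseudo-RR in Additional."""
    pkt = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)  # RD set
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_size:  # OPT: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext. flags, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return pkt

def parse_query(pkt: bytes) -> Dict[str, object]:
    """Return qname, qtype and EDNS0 payload size (None without OPT) of a query packet."""
    _txid, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while pkt[pos]:
        length = pkt[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    pos += 1                                             # skip the root label
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    edns_size = None
    for _ in range(ar):  # a query's Additional section normally holds only OPT (owner = root)
        if pos >= len(pkt) or pkt[pos] != 0:
            break
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos + 1:pos + 11])
        pos += 11 + rdlen
        if rtype == 41:
            edns_size = rclass
    return {"qname": ".".join(labels), "qtype": QTYPES.get(qtype, str(qtype)), "edns_size": edns_size}

SCHEMA = """CREATE TABLE queries (ts REAL, src_ip TEXT, src_port INTEGER, family INTEGER,
                                  qname TEXT, qtype TEXT, edns_size INTEGER, rcode TEXT)"""

def load(conn: sqlite3.Connection, capture) -> int:
    """capture rows: (ts, src_ip, src_port, ip_family, query_bytes, rcode_of_matching_answer)."""
    conn.execute(SCHEMA)
    rows = []
    for ts, ip, port, fam, pkt, rcode in capture:
        q = parse_query(pkt)
        rows.append((ts, ip, port, fam, q["qname"], q["qtype"], q["edns_size"], rcode))
    conn.executemany("INSERT INTO queries VALUES (?,?,?,?,?,?,?,?)", rows)
    return len(rows)

def pct(conn, where: str) -> float:  # `where` is a constant from this module, never user input
    total, part = conn.execute(f"SELECT COUNT(*), SUM(CASE WHEN {where} THEN 1 ELSE 0 END) FROM queries").fetchone()
    return round(100.0 * part / total, 2)

def qtype_distribution(conn) -> Dict[str, float]:
    total = conn.execute("SELECT COUNT(*) FROM queries").fetchone()[0]
    return {t: round(100.0 * c / total, 2) for t, c in conn.execute("SELECT qtype, COUNT(*) FROM queries GROUP BY qtype")}

def edns0(conn) -> Tuple[float, Dict[int, int]]:
    sizes = dict(conn.execute("SELECT edns_size, COUNT(*) FROM queries WHERE edns_size IS NOT NULL GROUP BY edns_size"))
    return pct(conn, "edns_size IS NOT NULL"), sizes

def top_nxdomain(conn, n: int) -> List[Tuple[str, int]]:
    return conn.execute("SELECT qname, COUNT(*) c FROM queries WHERE rcode = 'NXDOMAIN' "
                        "GROUP BY qname ORDER BY c DESC, qname LIMIT ?", (n,)).fetchall()

def fixed_port_resolvers(conn, min_queries: int = 5) -> List[str]:
    """SPR check (assumed heuristic): a client that sent >= min_queries queries all from one UDP
    source port looks unpatched against the Kaminsky attack.  Caveat: a NAT or a forwarder in
    front of the real resolver produces the same signature, so treat hits as leads, not verdicts."""
    return [ip for (ip,) in conn.execute("SELECT src_ip FROM queries GROUP BY src_ip "
                                         "HAVING COUNT(*) >= ? AND COUNT(DISTINCT src_port) = 1", (min_queries,))]

def constructed_capture():
    """Constructed traffic: an IPv4 resolver with random ports and EDNS0 4096, an IPv6-transport
    resolver with random ports and EDNS0 512, and a client pinned to port 53 with no EDNS0."""
    ports = [51023, 7741, 62090, 33012, 19877, 44410]
    cap = [(1.0 + i, "192.0.2.10", p, 4, build_query("www.alpha.fr", 1, 4096), "NOERROR") for i, p in enumerate(ports)]
    cap += [(10.0 + i, "2001:db8::53", p, 6, build_query("alpha.fr", 28 if i % 2 else 15, 512), "NOERROR")
            for i, p in enumerate(ports)]
    cap += [(20.0 + i, "198.51.100.7", 53, 4, build_query("typo.fr" if i < 4 else "tyop.fr", 1), "NXDOMAIN")
            for i in range(6)]
    return cap

def survey(capture=None) -> Dict[str, object]:
    conn = sqlite3.connect(":memory:")
    load(conn, capture if capture is not None else constructed_capture())
    return {"qtypes": qtype_distribution(conn), "ipv6_transport_pct": pct(conn, "family = 6"),
            "edns0": edns0(conn), "top_nxdomain": top_nxdomain(conn, 1),
            "fixed_port_resolvers": fixed_port_resolvers(conn)}

if __name__ == "__main__":
    for key, value in survey().items():
        print(key, value)
```

Storing the parsed fields rather than the pcap is the "store raw results" principle at query granularity: every statistic above is one SQL statement over the same table, so a new question months later (a different EDNS size cut-off, a different NXDOMAIN top N) needs no re-capture.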
Similar Work (DNS-based)
• Active measurements: "The Health of the Internet in Sweden" (annual reports): https://www.iis.se/en/internet-for-alla/halsolaget
• Passive measurements: IIS.se dns2db http://opensource.iis.se/trac/dns2db ; ISC SIE https://sie.isc.org/ ; DSC http://dns.measurement-factory.com/tools/dsc/
Past & Current DNSwitness Uses
• Feeding the French Annual DNS Industry Report with IPv6 figures: http://www.afnic.fr/fr/ressources/publications/observatoire-du-marche-des-noms-de-domaine-en-france-3.html
• Contribution to the OECD Report on IPv6 Deployment Measurements in the world: http://www.oecd.org/dataoecd/48/51/44953210.pdf
• As a platform for Internet Resilience measurements in France ("Observatoire de la Résilience de l'Internet en France"), jointly with ANSSI (the French Network and Information Security Agency). AFNIC's contribution: from the DNS perspective. Results unveiled at the DNS-OARC meeting (while waiting for the 1st edition of the report to be published): https://www.dns-oarc.net/files/workshop-201203/OARC-London-2012.pdf
• Surveys on demand (AFNIC or third parties)
Active measurements results
[Figure: IPv6 penetration rate in domains under .fr, by quarter (Q1-09, Q2-09, Q3-09, Q4-10, Q1-11, Q2-11, Q3-11, Q4-11, Q1-12, Q2-12); y-axis 0% to 45%; series: DNS, Web, IPv6-Enabled, IPv6-Full]
Active measurements results (2)
[Figure (pie chart): Name server distribution per AS for zones under .fr: AS x 36%, AS y 16%, AS z 11%, AS t 4%, AS u 3%, others 30%]
Active measurements results (3)
[Figure (pie chart): Name server distribution per country for zones under .fr: France 71%, Germany 13%, USA 11%, United Kingdom 1%, Switzerland 1%, others 4%]
Passive measurements results
[Figure: share of DNS transport over IPv4 vs IPv6, 2009 to 2012; y-axis 90% to 100%. IPv6 transport: 0.60% (2009), 0.60% (2010), 2.20% (2011), 3.47% (2012); the remainder is IPv4 transport]
Passive measurements results (2)
[Figure (stacked bars, 0% to 100%): DNS query type distribution for domain names under .fr, by month (2011-07, 2011-10, 2011-11, 2011-12, 2012-01, 2012-02, 2012-03, 2012-04); series: A, AAAA, NS, MX, Others (%). Visible data labels for one series, in month order: 8.06, 7.29, 6.85, 8.68, 9.17, 8.45, 7.65, 7.57]
Passive measurements results (3)
[Figure: Number of DNSSEC-signed delegations (DS records), 2011-11 vs 2012-04; y-axis 0 to 300]
Conclusion & Prospective Work
• DNSwitness is a generic measurements platform used in different contexts for different needs; it has served multiple purposes so far, and the platform is running in production at AFNIC premises
• It will evolve continuously in order to answer new needs
• Collaboration with researchers: define metrics and get periodic measurements; put together results and set up a joint analysis activity for a complete and long-term view
• New developments for: additional resilience indicator measurements; additional service penetration rate measurements; added-value services for AFNIC and third parties