OARtech DNS Recursion
April 9th, 2008
Purpose
• What is Recursion
• Why and what are we changing
• What else
What is Recursion
• A DNS server is recursive if it can process requests for domains it does not maintain.
• A DNS server is an open recursive server if it allows anyone to query it and gives responses.
• ns1.oar.net and ns2.oar.net are open recursive servers
What are the problems with Recursion
• Cache poisoning – incorrect information is somehow injected into the cache of the DNS server, which then serves that information out when it is queried for those records
• Reflector attacks – Mr Malicious creates a zone (usually of large size). He then sends queries, crafted to look like they come from the attack target, to open recursive servers. The open server caches the zone information, lowering the cost on the attack side and allowing repeated crafted queries that can DoS the target
What to do to Turn Off Recursion
• Ensure nameservers only answer queries from other nameservers
• Turn off or restrict recursion
What we (OSCnet) are doing
• Restricting zone transfers
• Creating Caching only servers for OSCnet community use (with anycast addressing)
• Turning off Recursion on ns1 and ns2 to outside OSCnet
• Turning off Recursion on ns1 and ns2 to everyone
What Effect This Will Have on the Community: Restricting Zone Transfers
• Little effect
• May need to change troubleshooting paradigms
What Effect This Will Have on the Community: Turning Off Recursion to Non-OSCnet
• No effect within community
• OSCnet nameservers will only answer for their own authoritative domains
• Outside OSCnet space, nameservers will be of little use in resolving
• If you use OSCnet servers for your home cable connection, they will stop working
What Effect This Will Have on the Community: Creating Caching-Only Servers
• Larger effect
• Resolvers should be configured to use the new nameservers (likely ns3.oar.net)
– all clients that use ns1.oar.net should be reconfigured
– any NAT/DHCP devices that hand out nameservers should be reconfigured
• Caching servers will be configured from the beginning only for the OSCnet community
What Effect This Will Have on the Community: Changing Caching Servers to Anycast Addresses
• Planned in connection with deployment, so no effect
What Effect This Will Have on the Community: Turning Off Recursion Completely
• (Hopefully) No Effect!
• (Hopefully) All OSCnet clients that use OSCnet's nameservers will have been moved to the new anycast caching servers by this point
• We are investigating ways to determine who is still using ns1 and ns2 as a resolver so that all clients can be warned prior to making these final changes
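One way to find out who is still using an authoritative server as a resolver, tying together the definition of recursion above (queries for domains the server does not maintain), the open-recursion risk, and the final bullet on this slide. This is an added example, not OARnet's code or tooling; it assumes a BIND-style query log layout, a constructed sample log, an assumed authoritative zone list and an assumed community prefix, all marked in the code.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a BIND-style query-log layout (assumed format, not from the slides).
# A leading "+" in the flags field means the client set the Recursion Desired (RD) bit.
SAMPLE_LOG = """\
09-Apr-2008 10:01:02.100 client 192.0.2.10#5353: query: www.oar.net IN A + (198.51.100.1)
09-Apr-2008 10:01:03.200 client 192.0.2.10#5354: query: www.example.com IN A + (198.51.100.1)
09-Apr-2008 10:01:04.300 client 203.0.113.7#40001: query: www.example.org IN A + (198.51.100.1)
09-Apr-2008 10:01:05.400 client 203.0.113.7#40002: query: isc.org IN ANY + (198.51.100.1)
09-Apr-2008 10:01:06.500 client 198.51.100.77#33333: query: ns2.oar.net IN A - (198.51.100.1)
"""

# Assumed values: zones this server is authoritative for, and the community's address space.
AUTHORITATIVE_ZONES = ("oar.net",)
COMMUNITY_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r"client (?P<ip>[^#]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def is_authoritative(qname):
    """True if qname falls inside a zone this server maintains."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def in_community(ip):
    """True if the client address is inside the community prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMMUNITY_PREFIXES)

def classify(log_text):
    """Return {client_ip: {"recursive": n, "outside": bool}} for clients that sent
    RD queries for names outside the authoritative zones, i.e. clients treating
    this server as a resolver.  "outside" marks clients beyond the community space."""
    resolver_clients = defaultdict(lambda: {"recursive": 0, "outside": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rd_set = m.group("flags").startswith("+")
        if rd_set and not is_authoritative(m.group("qname")):
            entry = resolver_clients[m.group("ip")]
            entry["recursive"] += 1
            entry["outside"] = not in_community(m.group("ip"))
    return dict(resolver_clients)

if __name__ == "__main__":
    for ip, info in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip}: {info['recursive']} recursive queries, outside community: {info['outside']}")
```

Clients listed as inside the community are the ones to warn before the final change; clients listed as outside are exactly the traffic the "turn off recursion to non-OSCnet" step removes.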
What Effect This Will Have on the Community: Timeline
• Undetermined at this point.
• We hope to deploy caching-only servers throughout the summer
What Else?
• We are also bringing up IPv6
• We already hand out AAAAs and are designing our in-addr.arpa space
• Have not yet enabled listening on pure v6 networks
• General cleanup
• You might be hearing from the NOC about log errors