
OARtech DNS Recursion

April 9th, 2008



Purpose

What is Recursion

Why and what are we changing

What else



What is Recursion

A DNS server is recursive if it will resolve queries for domains it is not authoritative for, by chasing the answer through other nameservers on the client's behalf.

A DNS server is an open recursive server if it accepts recursive queries from any source address and returns the answers.

ns1.oar.net and ns2.oar.net are currently open recursive servers.
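The practical test for "open recursive" is to send the server a query with the RD (recursion desired) bit set for a name it does not host and look at the reply header: an open resolver sets RA (recursion available) and returns an answer, while a restricted or authoritative-only server clears RA and typically answers REFUSED. The following is an added example, not part of the presentation; it builds the query and classifies the reply with the standard library only, and the two replies at the bottom are constructed headers (no network needed).

```python
# Added example (not from the OARtech presentation): build a recursive DNS query
# and classify a server's reply as "open recursive" or not from the header flags.
# Standard library only; the sample replies below are constructed 12-byte headers.
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Return the wire-format query for `name` with the RD (recursion desired) bit set."""
    flags = 0x0100                      # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields relevant to the recursion check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "aa": (flags >> 10) & 1,     # answer came from the server's own zone data
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,      # server is willing to recurse for this client
        "rcode": flags & 0xF,        # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }


def classify(reply, txid=0x1234):
    """Classify a reply to a recursive query for a name the server is NOT authoritative for.

    'open-recursive': RA set and the server answered (or authoritatively denied) the name
    'closed'        : RA clear, or the query was refused
    'unknown'       : transaction id mismatch or truncated reply
    """
    if len(reply) < 12:
        return "unknown"
    h = parse_header(reply)
    if h["id"] != txid or h["qr"] != 1:
        return "unknown"
    if h["rcode"] == 5 or h["ra"] == 0:
        return "closed"
    if h["aa"] == 0 and (h["ancount"] > 0 or h["rcode"] == 3):
        return "open-recursive"
    return "closed"


def probe(server, name="www.example.com", timeout=3.0):
    """Send the query over UDP to `server` and classify the reply (needs network access)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    except socket.timeout:
        return "unknown"
    finally:
        s.close()
    return classify(data)


# Constructed replies (headers only): an open resolver answering with one A record,
# and a restricted server answering REFUSED with RA clear.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR=1 RD=1 RA=1 NOERROR
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR=1 RD=1 RA=0 REFUSED
```

Pick a probe name outside every zone the server hosts; a query for one of its own zones would come back with AA set and tell you nothing about recursion. `probe()` is the only function that touches the network; everything else is pure and can be run against captured packets.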



What are the problems with Recursion

Cache poisoning: forged records get injected into the cache of a recursive server (for example by spoofed responses that arrive before the real one), and the server then hands that bad data to every client that asks for those names until it expires from the cache

Reflector attacks

Mr Malicious sets up a zone containing very large records (a big TXT record, say)

He then sends queries for those records to many open recursive servers, with the source address forged to be the attack target's

Each open server fetches the large answer once and caches it, so every later forged query costs the attacker one small packet while the server sends a large response to the target; repeated queries through many such servers can DoS the target



What to do to Turn Off Recursion

Keep authoritative servers authoritative: answer only non-recursive queries for the zones you host, which is all that other nameservers and resolvers need from you

Turn recursion off entirely, or restrict it to your own clients by source address



What we (OSCnet) are doing

Restricting zone transfers to our own secondaries

Creating caching-only servers for OSCnet community use (with anycast addressing)

Turning off recursion on ns1 and ns2 for queries from outside OSCnet

Turning off recursion on ns1 and ns2 for everyone
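The presentation does not name the DNS software. As an added example (not the OSCnet configuration), here is how the steps above look in BIND 9 (9.4 or later) named.conf, one fragment per server role; the address ranges, secondary addresses and zone name are placeholders.

```conf
// Added example, not from the presentation. Assumes BIND 9.4+; all addresses
// and the zone name are placeholders. Each "options" block belongs to a
// different server's named.conf.

acl "oscnet-clients"     { 192.0.2.0/24; 198.51.100.0/24; }; // placeholder OSCnet ranges
acl "oscnet-secondaries" { 203.0.113.5; 203.0.113.6; };      // placeholder secondaries

// --- ns1/ns2, step 1: recursion only for OSCnet, transfers only to secondaries ---
options {
    recursion yes;
    allow-recursion   { oscnet-clients; };     // RD queries from anyone else get REFUSED
    allow-query-cache { oscnet-clients; };     // outsiders cannot read cached answers either
    allow-query       { any; };                // everyone may still ask about our own zones
    allow-transfer    { oscnet-secondaries; }; // AXFR/IXFR only to our own secondaries
};

// --- ns1/ns2, final step: authoritative only ---
options {
    recursion no;                              // never resolve names we do not host
    allow-query-cache { none; };
    allow-query       { any; };
    allow-transfer    { oscnet-secondaries; };
};

// --- new caching-only resolver (ns3 / anycast address), restricted from day one ---
options {
    recursion yes;
    allow-query       { oscnet-clients; };     // not reachable as an open resolver at all
    allow-recursion   { oscnet-clients; };
    allow-transfer    { none; };               // hosts no zones, so nothing to transfer
};

// A zone-level allow-transfer overrides the global one for that zone only.
zone "oar.net" {                               // placeholder zone hosted on ns1/ns2
    type master;
    file "oar.net.zone";
    allow-transfer { oscnet-secondaries; };
};
```

BIND 9 releases before 9.4 default to recursing for any client, which is exactly the open-resolver state ns1/ns2 are in today; from 9.4 on the default allow-recursion is localhost and localnets, but an explicit ACL as above is still the right thing to set. After the change, a recursive query from outside for a name you do not host should come back REFUSED with RA clear, which is a quick way to verify the change took effect.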



What Effect This Will Have on the Community: Restricting Zone Transfers

Little effect

Troubleshooting habits that depend on pulling a whole zone from our servers (e.g., dig axfr) will need to change



What Effect This Will Have on the Community: Turning Off Recursion to Non-OSCnet

No effect within the community

For queries from outside, OSCnet nameservers will answer only for the zones they are authoritative for

From outside OSCnet address space they will be of no use as a general resolver

If you use OSCnet servers as the resolver for your home cable connection, they will stop working for you



What Effect This Will Have on the Community: Creating Caching-Only Servers

Larger effect

Client resolvers should be pointed at the new nameservers (likely ns3.oar.net)

All clients that use ns1.oar.net as a resolver should be reconfigured

Any NAT/DHCP devices that hand out nameserver addresses should be reconfigured

The caching servers will be restricted to the OSCnet community from day one (no period of open recursion)



What Effect This Will Have on the Community: Changing Caching Servers to Anycast Addresses

Planned as part of the deployment, so no additional effect



What Effect This Will Have on the Community: Turning Off Recursion Completely

  • (Hopefully) No Effect!

  • (Hopefully) All OSCnet clients that use OSCnet's nameservers will have been moved to the new anycast caching server by this point

  • We are investigating ways to determine who is still using ns1 and ns2 as a resolver so that all clients can be warned prior to making these final changes
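One way to find those clients is the server's own query log: any client that sends ns1/ns2 a query with the RD flag set for a name outside the zones they host is using them as a resolver and will break when recursion goes away. The following is an added example, not the OSCnet tooling, written against the BIND 9 query-log line format (`client <ip>#<port>: query: <name> IN <type> <flags>`, where `+` means RD was set); the zone list, address ranges and log lines are constructed placeholders.

```python
# Added example (not from the OARtech presentation): find which clients still send
# recursive queries to an authoritative server, from BIND 9 style query-log lines.
# The log lines, zone list and address ranges below are constructed placeholders.
import ipaddress
import re
from collections import Counter

# Zones ns1/ns2 are authoritative for (placeholder list).
AUTHORITATIVE_ZONES = ("oar.net", "osc.edu")

# Address space whose clients should move to the new caching servers (placeholder).
OSCNET_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]

# Tolerates the optional "@0x..." handle and "(server-ip)" that newer BIND versions add.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def in_authoritative_zone(name):
    """True if `name` is inside a zone this server hosts (exact match or subdomain)."""
    n = name.rstrip(".").lower()
    return any(n == z or n.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def parse_line(line):
    """Return (client_ip, qname, recursion_desired) or None for non-query lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("name"), m.group("flags").startswith("+")


def resolver_users(lines):
    """Count, per client IP, queries asking this server to recurse for names it does not host.

    These are the clients still using ns1/ns2 as a resolver. RD queries for our own
    zones are ignored: stub resolvers always set RD, and those still work after the change.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, name, rd = parsed
        if rd and not in_authoritative_zone(name):
            counts[ip] += 1
    return counts


def split_by_network(counts):
    """Split offenders into OSCnet clients (to be warned) and outsiders (who simply lose service)."""
    inside, outside = {}, {}
    for ip, n in counts.items():
        addr = ipaddress.ip_address(ip)
        (inside if any(addr in p for p in OSCNET_PREFIXES) else outside)[ip] = n
    return inside, outside


# Constructed sample log: two OSCnet hosts, one outside host, and a non-query line.
SAMPLE_LOG = """\
09-Apr-2008 10:15:02.123 client 192.0.2.10#3421: query: www.example.com IN A +
09-Apr-2008 10:15:02.456 client 192.0.2.10#3422: query: mail.example.org IN MX +
09-Apr-2008 10:15:03.001 client 203.0.113.77#1025: query: www.example.com IN A +
09-Apr-2008 10:15:03.500 client 198.51.100.9#5353: query: www.oar.net IN A +
09-Apr-2008 10:15:04.000 client 203.0.113.77#1026: query: ns1.oar.net IN A -
09-Apr-2008 10:15:04.250 general: info: zone oar.net/IN: loaded serial 2008040901
""".splitlines()

if __name__ == "__main__":
    inside, outside = split_by_network(resolver_users(SAMPLE_LOG))
    print("OSCnet clients to warn:", inside)
    print("outside clients that will lose service:", outside)
```

Query logging has to be on for this to work (in BIND 9 `rndc querylog` toggles it at run time), and on a busy authoritative server it is worth running only for a sampling window, since it adds a line per query. The same classification can be done on a packet capture instead, looking at the RD bit and QNAME of incoming queries.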



What Effect This Will Have on the Community: Timeline

  • Undetermined at this point.

  • We hope to deploy the caching-only servers throughout the summer



What Else?

  • We are also bringing up IPv6

    • We already serve AAAA records and are designing our reverse (ip6.arpa, the IPv6 counterpart of in-addr.arpa) space

    • Not yet listening on IPv6 transport, so v6-only networks cannot reach the servers yet

  • General cleanup

    • You may hear from the NOC about errors showing up in our logs

