
OARtech DNS Recursion

OARtech DNS Recursion, April 9th, 2008. Purpose: what recursion is, why and what we are changing, and what else is going on. A DNS server is recursive if it can process requests for domains it does not maintain.


Presentation Transcript


  1. OARtech DNS Recursion, April 9th, 2008

  2. Purpose • What is recursion • Why and what we are changing • What else

  3. What is Recursion • A DNS server is recursive if it can process requests for domains it does not maintain: it chases the answer through other nameservers on the client's behalf and caches what it learns. • A DNS server is an open recursive server if it allows anyone on the Internet to send it such queries and gives them responses. • ns1.oar.net and ns2.oar.net are currently open recursive servers.

  4. What are the Problems with Recursion • Cache poisoning: incorrect information is somehow injected into the cache of the DNS server, which then hands that information out whenever those records are queried. • Reflector (amplification) attacks: Mr Malicious creates a zone, usually with very large records. He then sends queries for it, crafted to look as if they come from the attack target, to open recursive servers. Each open server fetches and caches the zone data and sends the large response to the target; because later spoofed queries are answered straight from cache, the cost on the attack side stays low, and repeated crafted queries can DoS the target.

  5. What to Do to Turn Off Recursion • Ensure nameservers only answer queries from other nameservers, i.e. serve only the zones they are authoritative for • Turn off or restrict recursion

  6. What We (OSCnet) Are Doing • Restricting zone transfers • Creating caching-only servers for OSCnet community use (with anycast addressing) • Turning off recursion on ns1 and ns2 for everyone outside OSCnet • Turning off recursion on ns1 and ns2 for everyone
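As an added illustration, not taken from the OARtech deck or from OSCnet's real configuration, the BIND 9 named.conf statements that implement slides 5 and 6: an authoritative-only ns1/ns2 with transfers restricted, and a caching-only ns3 on an anycast address that recurses only for the community. Every ACL name, prefix, address and zone name below is a placeholder from documentation address space.

```bind
// ---- named.conf on ns1/ns2: authoritative only (slide 6, final state) ----
// Placeholder ACLs; substitute the real community prefixes and secondaries.
acl "oscnet" {                 // the community that may use OSCnet resolvers
    192.0.2.0/24;              // placeholder customer IPv4 prefix
    2001:db8::/32;             // placeholder customer IPv6 prefix
    localhost;
};

acl "secondaries" {            // the only hosts allowed to pull zones (AXFR)
    198.51.100.2;
    198.51.100.3;
};

options {
    directory "/var/named";
    recursion no;                     // answer only our own zones; clears RA
    allow-query { any; };             // authoritative data is public
    allow-transfer { secondaries; };  // default would be "any" (slide 6, first bullet)
};

// Interim step (slide 6, third bullet) would instead use:
//   recursion yes;
//   allow-recursion { oscnet; };     // RD queries from elsewhere are refused
//   allow-query-cache { oscnet; };   // BIND 9.4+: outsiders get no cached data either

zone "example.net" {                  // placeholder for an OSCnet-hosted zone
    type master;
    file "db.example.net";
};

// ---- named.conf on ns3: caching only, anycast (slides 6 and 9) ----
options {
    directory "/var/named";
    listen-on { 203.0.113.53; };      // placeholder anycast service address
    recursion yes;
    allow-recursion { oscnet; };      // recurse only for the community
    allow-query { oscnet; };          // and answer nobody else at all
    allow-transfer { none; };         // no zones to give away
};
```

Check each file with `named-checkconf` before reloading, then test from both sides of the ACL with `dig`: from outside OSCnet, `dig @ns1.oar.net www.google.com A` should come back `status: REFUSED` with no `ra` flag once recursion is off, while the same query at ns3 from inside the community should return an answer. Note that `recursion no` on its own does nothing about zone transfers; `allow-transfer` has to be set separately, which is why the slides list it as its own step.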

  7. What Effect This Will Have on the Community: Restricting Zone Transfers • Little effect • May need to change troubleshooting paradigms, since pulling a zone with AXFR from an unauthorized host will no longer work

  8. What Effect This Will Have on the Community: Turning Off Recursion to Non-OSCnet • No effect within the community • OSCnet nameservers will only answer for their own authoritative domains • Outside OSCnet space, the nameservers will be of little use for resolving anything else • If you use OSCnet servers as the resolvers for your home cable connection, they will stop working

  9. What Effect This Will Have on the Community: Creating Caching-Only Servers • Larger effect • Resolvers should be pointed at the new nameservers (likely ns3.oar.net) • All clients that use ns1.oar.net should be reconfigured • Any NAT/DHCP devices that hand out nameservers should be reconfigured • The caching servers will be configured from the beginning to answer only the OSCnet community

  10. What Effect This Will Have on the Community: Changing Caching Servers to Anycast Addresses • Planned in connection with deployment, so no effect

  11. What Effect This Will Have on the Community: Turning Off Recursion Completely • (Hopefully) no effect! • (Hopefully) all OSCnet clients that use OSCnet's nameservers will have been moved to the new anycast caching server by this point • We are investigating ways to determine who is still using ns1 and ns2 as a resolver so that all clients can be warned prior to making these final changes
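One way to answer the question on slide 11, added here as an example rather than anything the deck or OSCnet's NOC published: read the BIND 9 query log on ns1/ns2 and list the clients that still send recursive queries (the `+` in the flags field means RD was set) for names outside the zones the server is authoritative for. Those are the resolver users that must be migrated before recursion is switched off. The zone list and the log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the OARtech deck: find who still uses an
# authoritative server as a resolver, from BIND 9 query-log lines.
# A client that sends queries with the RD bit set ("+" in the flags field)
# for names outside our own zones is relying on recursion and must be
# moved to the caching servers before recursion is switched off.
# The zone list and the log lines are constructed placeholders.

AUTH_ZONES="oar.net example.net"   # assumption: zones ns1/ns2 are authoritative for

# Constructed sample of BIND 9 "query:" log lines (RFC 5737 addresses).
sample_log() {
    cat <<'EOF'
09-Apr-2008 10:15:22.123 client 192.0.2.10#53012: query: www.oar.net IN A +E
09-Apr-2008 10:15:23.456 client 192.0.2.10#53013: query: www.google.com IN A +E
09-Apr-2008 10:15:24.789 client 198.51.100.7#1053: query: mail.example.net IN MX -
09-Apr-2008 10:15:25.012 client 203.0.113.9#4501: query: update.microsoft.com IN A +
09-Apr-2008 10:15:26.345 client 192.0.2.10#53014: query: images.google.com IN A +E
09-Apr-2008 10:15:27.678 client 198.51.100.7#1054: query: oar.net IN NS -E
EOF
}

# resolver_clients: read query-log lines on stdin, print "<client-ip> <count>"
# for every source address that asked, with RD set, for a name we do not serve.
resolver_clients() {
    awk -v zones="$AUTH_ZONES" '
    BEGIN { n = split(zones, z, " ") }
    # in_zone(name): 1 if name is one of our zones or a subdomain of one
    function in_zone(name,    i, zn) {
        name = tolower(name)
        for (i = 1; i <= n; i++) {
            zn = tolower(z[i])
            if (name == zn) return 1
            if (length(name) > length(zn) &&
                substr(name, length(name) - length(zn)) == "." zn) return 1
        }
        return 0
    }
    /query:/ {
        # ... client <ip>#<port>: query: <name> <class> <type> <flags>
        for (i = 1; i <= NF; i++) {
            if ($i == "client") { split($(i + 1), c, "#"); ip = c[1] }
            if ($i == "query:") { name = $(i + 1); flags = $(i + 4) }
        }
        if (substr(flags, 1, 1) == "+" && !in_zone(name)) count[ip]++
    }
    END { for (ip in count) print ip, count[ip] }
    ' | sort
}

# Stand-alone run over the constructed sample; on a real server feed it the
# file your "queries" logging channel writes to instead.
sample_log | resolver_clients
```

On the sample, 198.51.100.7 never shows up: it only asked non-recursive questions about zones the server hosts, which is exactly what another nameserver does and what slide 5 says should keep working. Query logging has to be on for this to see anything (`querylog yes`, or `rndc querylog`), and it is worth running for at least a full week so that clients with long-lived caches and nightly jobs appear.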

  12. What Effect This Will Have on the Community: Timeline • Undetermined at this point • We hope to deploy the caching-only servers throughout the summer

  13. What Else? • We are also bringing up IPv6 • We already hand out AAAA records and are designing our reverse-DNS space for it (which for IPv6 lives under ip6.arpa rather than in-addr.arpa) • We have not yet enabled listening on pure v6 networks • General cleanup • You might be hearing from the NOC about log errors
