Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented by: Keith Mayoral

Post on 21-Dec-2015



What this paper is about

• Analysis of different types of configuration errors in DNS.

• How they affect DNS performance, availability, robustness

Motivation

• Jan. 2001: All Authoritative servers for Microsoft DNS domain became inaccessible.

• Unforeseen effect: # of DNS queries for Microsoft domain seen at F root server went from 0.003% of all queries to greater than 25%.

[Figure: DNS resolution of www.bar.foo.com. The client asks its caching server, which queries the root zone (referral: com NS RRs, com A RRs), the com zone (referral: foo NS RRs, foo A RRs), the foo zone (referral: bar NS RRs, bar A RRs) and the bar zone (answer: www.bar.foo.com A 10.10.10.10).]

Slide taken from V. Pappas ppt on paper

Methodology

• Combination of passive and active measurements over a 6 month period
– Observe extent of misconfigurations in global DNS infrastructure
– See how they affect response times and availability

• Passive: collected DNS traces of over 3 million queries as seen from UCLA CS network

• Active: queried random sample set of DNS zones

Passive Measurements

• Count only the DNS traffic exchanges with external sites

• Measure the delay between first query packet and final response

• Possible bias incurred since all data taken in University setting

Active Measurements

• Purpose to overcome bias in passive measurements

• Implemented specialized DNS resolver

• Queried randomly selected subset of DNS namespace

• Also used BGP tables, geo-location info to estimate server locations.

What constitutes a misconfiguration?

• Reliable DNS operations depend on the following:
– Appropriate placement of redundant servers for high availability
– Manual input of each zone’s database for correct setting
– Coordination between parent and child zones for consistency

• A failure in any of the above is considered a configuration error

3 Measured Misconfigurations

• Lame Delegation
– 70% of lame delegation zones had the available NSs for the zone reduced by half

• Diminished Server Redundancy

• Cyclic Zone Dependency

• The first two were previously known; the third was discovered by this paper.
– No previous quantitative study gauged their performance impact or extent on the Internet

Lame Delegation

• Cause: operator of zone C makes changes to authoritative servers, but fails to coordinate with operator for parent zone P to update P accordingly

• Remember: zone P must store the list of NS RRs pertaining to its child zone C.

Lame Delegation (cont)

• Decreases zone availability
– Both previous examples only had 1 server to give response even though RRs showed a seemingly redundant set of servers

• Increases query response time
– Example 1: a useless referral is sent
– Example 2: need to timeout before trying another

• Best case: lame server gives non-auth. answer if name has been cached

Lame Delegation

• Types of L.D.
– Type I: non-responding server
– Type II: DNS error indication
– Type III: non-authoritative answer

Lame Delegation Results

• results

Diminished Server Redundancy

• If all replicated servers are connected to same local network, redundancy is lost when network fails.

• If all servers are assigned addresses from the same prefix, they will all be unavailable when the prefix is unreachable due to routing problems.

• If all servers are in same location, natural disasters can cause failure.
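The three conditions above can be checked mechanically once each server's address and site are known. The sketch below is an added example, not code from the slides or the paper; the zone names, addresses, site labels and the /24 prefix length are assumptions chosen for illustration.

```python
import ipaddress

# Constructed data: zone -> list of (server address, location label).
ZONE_SERVERS = {
    "zone-one.test": [("192.0.2.10", "site-a"), ("192.0.2.53", "site-a"),
                      ("192.0.2.200", "site-a")],
    "zone-two.test": [("192.0.2.10", "site-a"), ("198.51.100.7", "site-a")],
    "zone-three.test": [("192.0.2.10", "site-a"), ("198.51.100.7", "site-b"),
                        ("203.0.113.9", "site-c")],
}


def redundancy(servers, prefix_len=24):
    """Count distinct servers, covering prefixes and locations for a zone."""
    addrs = {ipaddress.ip_address(addr) for addr, _ in servers}
    # strict=False lets a host address stand in for its covering prefix.
    prefixes = {ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
                for addr, _ in servers}
    sites = {site for _, site in servers}
    return {"servers": len(addrs), "prefixes": len(prefixes),
            "locations": len(sites)}


def weak_points(servers, prefix_len=24):
    """List the levels at which a multi-server zone has no real redundancy."""
    levels = redundancy(servers, prefix_len)
    issues = []
    if levels["servers"] > 1 and levels["prefixes"] == 1:
        issues.append("same prefix")
    if levels["servers"] > 1 and levels["locations"] == 1:
        issues.append("same location")
    return issues


if __name__ == "__main__":
    for zone, servers in ZONE_SERVERS.items():
        print(zone, redundancy(servers), weak_points(servers) or "ok")
```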

Diminished Server Redundancy Example

Diminished Server Redundancy Results

Diminished Server Redundancy Impact

Cyclic Zone Dependency

• Happens when two or more zones’ DNS services depend on each other in a circular way

• Can happen due to configuration errors in either or both of the zones, but more usually all involved zones don’t have noticeable config. errors when viewed separately.
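A circular dependency is invisible when each zone is inspected alone, but shows up as a cycle once the zones are linked by where their name servers live. The following is an added example, not code from the slides or the paper; the zone data is constructed, and it assumes a server named inside its own zone is reachable through glue at the parent and so adds no dependency.

```python
# Constructed zone data: each zone and the names of its authoritative servers.
ZONES = {
    "a.test": ["ns.b.test"],
    "b.test": ["ns.a.test"],
    "c.test": ["ns1.c.test", "ns.a.test"],
    "d.test": ["ns1.d.test"],
}


def owning_zone(host, zones):
    """Return the most specific known zone that contains host, or None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def dependencies(zones):
    """Zone -> other zones that must resolve before its servers are reachable."""
    graph = {}
    for zone, servers in zones.items():
        owners = {owning_zone(server, zones) for server in servers}
        # Assumption: in-zone server names are covered by glue at the parent.
        graph[zone] = owners - {zone, None}
    return graph


def find_cycles(zones):
    """Depth-first search; returns each dependency cycle it meets once."""
    graph, cycles, done = dependencies(zones), [], set()

    def visit(zone, path):
        if zone in path:
            cycle = path[path.index(zone):]
            if sorted(cycle) not in [sorted(c) for c in cycles]:
                cycles.append(cycle)
            return
        if zone in done:
            return
        for nxt in sorted(graph[zone]):
            visit(nxt, path + [zone])
        done.add(zone)

    for zone in sorted(graph):
        visit(zone, [])
    return cycles


if __name__ == "__main__":
    print(find_cycles(ZONES))
```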

Cyclic Zone Dependency Examples

• Examples

Cyclic Zone Dependency Results

Detecting Misconfigs

• Lame Delegation: detect by simple protocol between parent and child zones to periodically check the consistency of NS records

• Cyclic Zone Dependency: detect via automatic checking by trying to resolve a name through each of the authoritative servers in the zone.

• Diminished Server Redundancy: different case

• Also wrote another paper on a tool to proactively detect DNS configuration errors.
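The parent/child NS consistency check described above, combined with the three lame delegation types listed earlier, can be sketched as follows. This is an added example, not code from the slides, the paper or the authors' tool; the server names and probe results are constructed, and the probe record layout is an assumption.

```python
# Constructed data for one delegation: the NS set stored at parent P for
# child zone C, the NS set C publishes itself, and what each parent-listed
# server returned when asked for C's SOA (rcode None = no reply before the
# timeout, aa = Authoritative Answer flag of the reply).
PARENT_NS = {"ns1.c.test", "ns2.c.test", "ns3.c.test", "ns4.c.test"}
CHILD_NS = {"ns1.c.test", "ns5.c.test"}
PROBES = {
    "ns1.c.test": {"rcode": "NOERROR", "aa": True},
    "ns2.c.test": {"rcode": None, "aa": False},
    "ns3.c.test": {"rcode": "SERVFAIL", "aa": False},
    "ns4.c.test": {"rcode": "NOERROR", "aa": False},
}


def classify(probe):
    """Map one probe result to the lame delegation types on the slides."""
    if probe["rcode"] is None:
        return "Type I"    # non-responding server
    if probe["rcode"] != "NOERROR":
        return "Type II"   # DNS error indication
    if not probe["aa"]:
        return "Type III"  # non-authoritative answer
    return "ok"


def check_delegation(parent_ns, child_ns, probes):
    """Compare parent and child NS sets and classify each listed server."""
    verdicts = {ns: classify(probes[ns]) for ns in sorted(parent_ns)}
    lame = [ns for ns, verdict in verdicts.items() if verdict != "ok"]
    return {
        "verdicts": verdicts,
        "lame": lame,
        "usable_fraction": (len(parent_ns) - len(lame)) / len(parent_ns),
        "only_at_parent": sorted(parent_ns - child_ns),
        "only_at_child": sorted(child_ns - parent_ns),
    }


if __name__ == "__main__":
    report = check_delegation(PARENT_NS, CHILD_NS, PROBES)
    for ns, verdict in report["verdicts"].items():
        print(f"{ns:12} {verdict}")
    print("usable fraction:", report["usable_fraction"])
    print("listed only at parent:", report["only_at_parent"])
    print("listed only at child:", report["only_at_child"])
```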

Secret Sauce

• First paper to quantitatively measure Lame Delegation and Diminished Server Redundancy

• First paper to discover Cyclic Zone Dependency

• ??? Anything else?

Conclusion

• We should realize how important a role human errors play in the systems that we build.
– DNS
– BGP

• Future protocol designs should take into account the impact of misconfigurations.

THANKS FOR YOUR TIME!