OARtech DNS Recursion
Description: OARtech DNS Recursion. April 9th, 2008. Purpose. What is Recursion. Why and what are we changing. What else. What is Recursion. A DNS server is recursive if it can process requests for domains it does not maintain. (PowerPoint presentation transcript)
OARtech DNS Recursion
April 9th, 2008
Purpose
• What is Recursion
• Why and what are we changing
• What else
What is Recursion
• A DNS server is recursive if it can process requests for domains it does not maintain.
• A DNS server is an open recursive server if it allows anyone to query it and gives responses.
• ns1.oar.net and ns2.oar.net are open recursive servers
What are the problems with Recursion
• Cache poisoning – somehow incorrect information is injected into the cache of the DNS server, which then feeds this information out when queried for those records
• Reflector attacks – Mr Malicious creates a zone (usually of large size). He then sends queries crafted to look like they come from the attack target to open recursive servers. The open server caches the zone information, which lowers the cost on the attack side and allows repeated crafted queries that can DoS the target
What to do to Turn Off Recursion
• Ensure nameservers only answer queries from other nameservers
• Turn off or restrict recursion
What we (OSCnet) are doing
• Restricting zone transfers
• Creating caching only servers for OSCnet community use (with anycast addressing)
• Turning off recursion on ns1 and ns2 to outside OSCnet
• Turning off recursion on ns1 and ns2 to everyone
What Effect This Will Have on the Community: Restricting Zone Transfers
• Little effect
• May need to change troubleshooting paradigms
What Effect This Will Have on the Community: Turning Off Recursion to Non-OSCnet
• No effect within community
• OSCnet nameservers will only answer for their own authoritative domains
• Outside OSCnet space, nameservers will be of little use in resolving
• If you use OSCnet servers for your home cable connection, they will stop working
What Effect This Will Have on the Community: Creating Caching Only Servers
• Larger effect
• Resolvers should be configured to use the new nameservers (likely ns3.oar.net)
– all clients that use ns1.oar.net should be reconfigured
– any NAT/DHCP devices that give out nameservers should be reconfigured
• Caching servers will be configured from the beginning only for the OSCnet community
What Effect This Will Have on the Community: Changing Caching Servers to Anycast Addresses
• Planned in connection with deployment, so no effect
What Effect This Will Have on the Community: Turning Off Recursion Completely
• (Hopefully) No effect!
• (Hopefully) All OSCnet clients that use OSCnet's nameservers will have been moved to the new anycast caching servers by this point
• We are investigating ways to determine who is still using ns1 and ns2 as a resolver so that all clients can be warned prior to making these final changes
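One way to do the check the last bullet describes, as an added example that is not part of the presentation: parse BIND 9 style query-log lines and list the clients that are using the server as a resolver (recursion-desired queries for names outside the zones it is authoritative for), split into community clients to warn and migrate and outside clients that will simply lose service. The prefixes, zones and log lines are constructed assumptions, not OSCnet data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of a BIND 9 query log (not real OARnet logs).
# The trailing "+" means the client set the RD (recursion desired) bit, "-" means it did not.
SAMPLE_LOG = """\
09-Apr-2008 10:15:32.123 client 192.0.2.10#53211: query: www.example.com IN A +
09-Apr-2008 10:15:33.001 client 198.51.100.7#1025: query: host.oar.net IN A +
09-Apr-2008 10:15:33.456 client 203.0.113.5#4444: query: www.example.org IN A +
09-Apr-2008 10:15:34.000 client 203.0.113.5#4445: query: ns1.oar.net IN AAAA -
09-Apr-2008 10:15:35.200 client 192.0.2.11#3333: query: mail.example.net IN MX +
"""

# Assumed placeholders: the community's address space and the zones the server is authoritative for.
COMMUNITY_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
AUTHORITATIVE_ZONES = ["oar.net"]

LINE_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<rd>[+-])"
)


def in_authoritative_zone(name, zones=AUTHORITATIVE_ZONES):
    """True if the queried name is in a zone we serve, i.e. answering it needs no recursion."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def is_community_client(ip, prefixes=COMMUNITY_PREFIXES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def find_resolver_clients(log_text):
    """Count, per client, recursion-desired queries for names outside our zones.

    Returns {"community": Counter, "external": Counter}: community clients are the
    ones to warn and move to the caching-only servers; external clients will lose
    service once recursion is turned off.
    """
    result = {"community": Counter(), "external": Counter()}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("rd") != "+" or in_authoritative_zone(m.group("name")):
            continue
        bucket = "community" if is_community_client(m.group("ip")) else "external"
        result[bucket][m.group("ip")] += 1
    return result


if __name__ == "__main__":
    for bucket, counts in find_resolver_clients(SAMPLE_LOG).items():
        for ip, n in counts.most_common():
            print(f"{bucket}: {ip} sent {n} recursive query/queries")
```

On a real server the same logic would be fed the query log that BIND writes when query logging is enabled; sample only a window long enough to catch infrequent clients such as NAT/DHCP boxes.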
What Effect This Will Have on the Community: Timeline
• Undetermined at this point.
• We hope to deploy caching only servers throughout the summer
What Else?
• We are also bringing up IPv6
• We already hand out AAAAs and are designing our in-addr.arpa space
• Have not yet enabled listening on pure v6 networks
• General cleanup
• You might be hearing from the NOC about log errors