DOI: 10.1145/3278532.3278544

LDplayer: DNS Experimentation at Scale

Published: 31 October 2018

ABSTRACT

DNS has evolved over the last 20 years, improving in security and privacy and broadening the kinds of applications it supports. However, this evolution has been slowed by the large installed base and the wide range of implementations. The impact of changes is difficult to model because of complex interactions between DNS optimizations, caching, and distributed operation. We suggest that experimentation at scale is needed to evaluate changes and facilitate DNS evolution. This paper presents LDplayer, a configurable, general-purpose DNS experimental framework that enables DNS experiments to scale in several dimensions: many zones, multiple levels of the DNS hierarchy, high query rates, and diverse query sources. LDplayer provides high-fidelity experiments while meeting these requirements through its distributed DNS query replay system, methods to rebuild the relevant DNS hierarchy from traces, and efficient emulation of this hierarchy on minimal hardware. We show that a single DNS server can correctly emulate multiple independent levels of the DNS hierarchy while providing correct responses, as if the levels were independent servers. We validate that our system can replay DNS root traffic with small error (± 8 ms quartiles in query timing and ± 0.1% difference in query rate). We show that our system can replay queries at 87k queries/s using only one CPU, more than twice the query rate a single DNS root server normally sees. LDplayer's trace replay has the unique ability to evaluate important design questions with confidence that we capture the interplay of caching, timeouts, and resource constraints. As an example, we demonstrate the memory requirements of a DNS root server with all traffic running over TCP and TLS, and identify performance discontinuities in latency as a function of client RTT.
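Two of the abstract's building blocks, replaying a trace at its original timing and deriving the set of zones an emulated hierarchy must serve from the queried names, are small enough to show in code. The block below is an added example written for this page, not LDplayer's own code; the sample trace, the one-zone-cut-per-label rule in `zones_from_trace`, the `SimClock` jitter model and all function names are constructed assumptions. It encodes each query in RFC 1035 wire format, schedules it at its trace offset against an injectable clock, and reports the timing-error quartiles the abstract uses as its fidelity metric.

```python
"""Timed DNS trace replay with timing-error measurement (added example,
not LDplayer code). Trace, zone-cut rule and jitter model are assumed."""
import struct
import time
from collections import namedtuple

# One trace record: seconds since trace start, query name, query type.
Query = namedtuple("Query", "offset qname qtype")
QTYPES = {"A": 1, "NS": 2, "AAAA": 28, "DS": 43}

# Constructed sample trace (not real root-server traffic).
SAMPLE_TRACE = [
    Query(0.000, "www.example.com.", "A"),
    Query(0.010, "example.com.", "NS"),
    Query(0.025, "ns1.example.net.", "AAAA"),
    Query(0.030, "com.", "DS"),
    Query(0.050, ".", "NS"),
]

def zones_from_trace(trace):
    """Zones an emulated hierarchy must serve to answer every query: the root
    plus every proper ancestor of each qname. Assumption: a zone cut at every
    label boundary (root, TLD, SLD, ...); real delegations may differ."""
    zones = {"."}
    for q in trace:
        labels = [l for l in q.qname.rstrip(".").split(".") if l]
        for i in range(1, len(labels)):
            zones.add(".".join(labels[i:]) + ".")
    return zones

def build_query(qid, qname, qtype, rd=False):
    """Encode a DNS query in wire format (RFC 1035 section 4.1): 12-byte
    header, length-prefixed labels, then QTYPE and QCLASS=IN."""
    flags = 0x0100 if rd else 0x0000            # only the RD bit may be set
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    name = b""
    for label in qname.rstrip(".").split("."):
        if not label:
            continue                            # the root name has no labels
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        name += bytes([len(raw)]) + raw
    name += b"\x00"                             # root label terminates the name
    return header + name + struct.pack("!HH", QTYPES[qtype], 1)

def parse_query(data):
    """Decode header and question of a wire-format query -> (id, qname, qtype).
    No name compression handling: queries do not use it."""
    qid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            break
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack("!HH", data[pos:pos + 4])
    return qid, (".".join(labels) + "." if labels else "."), qtype

def replay(trace, send, clock=time.monotonic, sleep=time.sleep, speedup=1.0):
    """Send each query at its trace offset (scaled by speedup) relative to the
    replay start; return per-query timing error in seconds (actual - scheduled).
    clock and sleep are injectable so the scheduler can be tested deterministically."""
    start = clock()
    errors = []
    for i, q in enumerate(trace):
        scheduled = start + q.offset / speedup
        delay = scheduled - clock()
        if delay > 0:
            sleep(delay)
        send(build_query(i & 0xFFFF, q.qname, q.qtype))
        errors.append(clock() - scheduled)
    return errors

def quartiles(values):
    """(Q1, median, Q3) by nearest rank, the summary statistic the abstract quotes."""
    s = sorted(values)
    last = len(s) - 1
    return tuple(s[int(round(p * last))] for p in (0.25, 0.5, 0.75))

class SimClock:
    """Deterministic clock: sleep() overshoots by a fixed jitter, modelling a
    replayer that always wakes slightly late (an assumption, not a measurement)."""
    def __init__(self, jitter=0.0005):
        self.now, self.jitter = 0.0, jitter
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds + self.jitter

if __name__ == "__main__":
    sent = []
    errs = replay(SAMPLE_TRACE, sent.append)   # real clock, packets kept in memory
    print("zones to emulate:", sorted(zones_from_trace(SAMPLE_TRACE)))
    print("timing-error quartiles (ms):", tuple(round(e * 1000, 3) for e in quartiles(errs)))
```

Run stand-alone it replays the constructed trace against the real monotonic clock without touching the network; to drive a real server, pass `sock.sendto` bound to the target as `send`. Replaying a full root trace at the 87k queries/s the abstract reports would need a tighter scheduler than `time.sleep` (the wake-up overshoot `SimClock` models is exactly what the ± 8 ms quartile measures in practice), and the zone set from `zones_from_trace` is the input an emulated hierarchy has to be populated with before the replay starts.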


Published in: IMC '18: Proceedings of the Internet Measurement Conference 2018, October 2018, 507 pages. ISBN 9781450356190, DOI 10.1145/3278532.

                Copyright © 2018 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
