Investigating Anomalous DNS Queries: A Case Study from DNS-OARC 25, Dallas

The exploration uncovers a surge in AAAA queries, leading to a 20% spike in billing. Through meticulous analysis, patterns emerged showing excessive AAAA queries for specific nameservers lacking AAAA glue. Remedies included reaching out to providers and deploying temporary fixes. The resolution involved adding AAAA glue to the nameservers, showcasing the path to rectifying the issue and the efforts to enhance IPv6 connectivity.

• DNS queries
• Anomalies
• DNS-OARC
• AAAA
• Remediation

kingcha Follow

Uploaded on Oct 10, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. The hunger for AAAA Sebastian Castro NZRS DNS-OARC 25, Dallas, October 2016

2. It all started with Offshore provider s bill was 20% higher that the previous month When you get billed by the query, it hurts. Started checking for anomalies in the traffic Using their snapshots and our own data Common pattern Large amount of AAAA queries for ns3.dns.net.nz and ns4.dns.net.nz DNS-OARC 25 Oct 2016 2

3. .nz delegation 7 nameservers 4 managed by NZRS and with instances in New Zealand 2 managed by one provider 1 managed by another provider Only ns3 and ns4 didn t have AAAA glue in the root zone DNS-OARC 25 Oct 2016 3

4. How bad it was? DNS-OARC 25 Oct 2016 4

5. From one specific ASN DNS-OARC 25 Oct 2016 5

6. Combined DNS-OARC 25 Oct 2016 6

7. How to fix it Option 1 Please <provider>, can you check why you suddenly started sending us million of queries and fix it? Option 2 Add AAAA glue for the two nameservers Not an easy fix, getting proper IPv6 connectivity in New Zealand is not that easy DNS-OARC 25 Oct 2016 7

8. Deployment of fixes Option 1 Dear NZRS, we will take a look and see what we can do -- <provider> Option 2 Use the v6 address of an existing nameserver as glue for ns3 and ns4 temporarily Speed up undergoing work to have real IPv6 connectivity Kudos to Daniel Griggs and Dane Foster for making it possible DNS-OARC 25 Oct 2016 8

9. Combined solution July 7th: <provider> fix starts to get deployed July 29th: ns3 glue added to the root July 1st: ns4 glue added to the root DNS-OARC 25 Oct 2016 9

10. Others affected? Based on a copy of the root zone There are 532 authoritative nameservers for TLDs without AAAA glue Covering 330 different TLDs It should be possible to verify if they are seeing large amount of traffic from eager sources DNS-OARC 25 Oct 2016 10

11. Open Questions What the heck happened in Feb 2015? Happy eyeballs? OS update preferring AAAA over A And not handling the empty response properly? Negative TTL for .nz is 3600 seconds DNS-OARC 25 Oct 2016 11

12. Lessons learned Don t shoot yourself in the foot Pay attention to anomalies Keeping traffic counts helps a lot in forensics Our Big Data platform made possible to go back in time DNS-OARC 25 Oct 2016 12

13. sebastian@nzrs.net.nz Contact: www.nzrs.net.nz 13