DNS Demystified
2004/07/23 JANOG14
koji@iij.ad.jp, haru@iij.ad.jp
DNS ^^;
Authoritative: JPNIC, JPRS, DNSQCTF
This talk: (caching server), not the authoritative server
Copyright 2004, 2
(authoritative server) (LAN DNS, RFC1918)
BIND8, BIND9 (view), BIND8, BIND +
BIND (BIND8)
  BIND8.2.x (latest 8.2.7)
  BIND8.3.x (latest 8.3.7): EDNS0
  BIND8.4.x (latest 8.4.4): IPv6 transport

BIND (BIND9)
  BIND9: ISC, Nominum (BIND8)
  BIND9.2.x (latest 9.2.3); 9.2.4rc6 as of 7/6, then 9.2.4
  BIND9.3.0: 9.3.0rc2 as of 7/6; rrset-order, check-names (as in BIND8), rndc flushname
qps (query per second), latency

qps: DNS server query rate
  BIND: ndc/rndc stats (5 ...), SNMP (ndc stats), udp packets
  DNS udp packet count vs DNS query count (1 or 2 packets per query?)
  near realtime: SNMP

udp packets
udp packets (query)
udp packets (query): per source IP address; 5000qps from one src IP address (12 ...); blackhole; 10000qps (DoS); query -> SERVFAIL; udpinerrors

query drop / packet drop
  udpinerrors (socket buffer full): udp packets dropped by the kernel before named receives them
  query drop / packet drop: 1% drop of queries
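As an added example (not from the slides), the check a practitioner would script for the "query drop / packet drop" slide: take two `netstat -s -p udp` readings, diff the counters, and report the UDP packet rate and the share of datagrams dropped because the socket buffer was full, the kernel-side loss that named never sees and that the slide's udpinerrors figure refers to. The sample readings below are constructed; the counter names are FreeBSD's, the numbers are made up. Received datagrams include upstream responses as well as client queries, so the rate is udp packets per second, not exactly qps (the slide's "1 or 2?" point).

```python
import re

# Constructed sample: two `netstat -s -p udp` readings taken 10 s apart on a
# FreeBSD host. Counter names are FreeBSD's; the numbers are made up.
NETSTAT_T0 = """\
udp:
        1200000 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        0 with no checksum
        15 dropped due to no socket
        0 broadcast/multicast datagrams dropped due to no socket
        120 dropped due to full socket buffers
        1199865 delivered
        1199865 datagrams output
"""
NETSTAT_T1 = """\
udp:
        1260000 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        0 with no checksum
        15 dropped due to no socket
        0 broadcast/multicast datagrams dropped due to no socket
        1020 dropped due to full socket buffers
        1258965 delivered
        1258965 datagrams output
"""

COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

def parse_udp_stats(text):
    """Map each '<count> <description>' line of the udp section to an int."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats

def drop_rate(before, after, interval_s, threshold_pct=1.0):
    """UDP packet rate and socket-buffer drop rate between two readings.

    'datagrams received' counts every UDP datagram the kernel accepted;
    'dropped due to full socket buffers' is the subset discarded because the
    receiving socket's buffer was full, i.e. packets named never saw.
    The slide's 1% figure is used as the alarm threshold."""
    b, a = parse_udp_stats(before), parse_udp_stats(after)
    received = a["datagrams received"] - b["datagrams received"]
    dropped = (a["dropped due to full socket buffers"]
               - b["dropped due to full socket buffers"])
    pct = 100.0 * dropped / received if received else 0.0
    return {
        "udp_pps": received / interval_s,
        "dropped": dropped,
        "drop_pct": pct,
        "over_threshold": pct > threshold_pct,
    }

if __name__ == "__main__":
    r = drop_rate(NETSTAT_T0, NETSTAT_T1, 10)
    msg = f"{r['udp_pps']:.0f} udp packets/s, {r['dropped']} dropped ({r['drop_pct']:.2f}%)"
    if r["over_threshold"]:
        msg += " -> raise net.inet.udp.recvspace / kern.ipc.maxsockbuf"
    print(msg)
```

Run it periodically (for example from cron or an SNMP poller) and alert on `over_threshold`; the sysctl names in the message are the ones the test setup later on these slides raises.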
(qps ...) qps; query -> SERVFAIL; query ...
Tested: BIND8, BIND9 (BIND), Nominum CNS, djbdns (dnscache)

Setup: 2 servers; round-trip time between the two 0.2 msec; server vs query generator
2 servers (server / query):
                machine 1                          machine 2
  cpu           Pentium III 850MHz                 Pentium 4 2.20GHz
  memory        768Mbyte                           1024Mbyte
  HDD           SCSI 18Gbyte                       SCSI 18Gbyte
  OS            FreeBSD 4.9_RELENG                 BSD/OS 4.3.1
  sysconfig     net.inet.udp.recvspace=319000      net.inet.udp.recvspace=319000
                kern.ipc.maxsockbuf=2557000        net.socket.sbmax=2557000
Tested versions:
  BIND8.3.7 (BIND8.3)
  BIND8.4.4 (CHANGES: IPv6)
  BIND9.2.3 (BIND9.2)
  Nominum CNS 1.3 (DNS ... 1.4)
  dnscache 1.5 (djbdns)
Nominum queryperf
  ftp://ftp.nominum.com/pub/nominum/queryperf-nominum-2.0.tar.gz
  -q ( ... ): raised until the server CPU IDLE ...
  -q 500, timeout 5, -l 100:
    queryperf -s $SERVER -d $LIST -b 2497 -q 500 -t 5 -l 100
  http://www.nominum.org/content/documents/cns_wp.pdf

latency: measured with Nominum queryperf (Nominum: 1msec latency ...)
  -q 500, timeout 5, -l 100:
    queryperf -s $SERVER -d $FILE -b 2497 -q 500 -t 5 -l 100
  H 1000
dnscache
  cat dnscache/env/cachesize  -> 200000000
  cat dnscache/env/datalimit  -> 300000000
  cat dnscache/env/ip         -> (query ...)

BIND8.3.7, BIND8.4.4, BIND9.2.3
  options { directory "$named_rootdir"; };
  zone "." in { type hint; file "root.cache"; };
  (BIND9: rnd ...)

CNS
  listen-on 0.0.0.0;
  max-cache-size 200M;
  view "world" IN {
      preload 1.0.0.127.in-addr.arpa. PTR localhost;
      preload localhost. A 127.0.0.1;
  };
[Figure: (qps) vs query lost rate]

[Figure: latency distribution; y axis: (%) 0-25; x axis: latency (sec) 0-0.2; series: dnscache, cns, bind8.4.4, bind8.3.7, bind9.2.3]
Results
  BIND9 vs BIND8: (qps), latency
  BIND8.3.7, BIND8.4.4 ...
  BIND9: query loss
  Nominum CNS: (qps), latency
  dnscache: latency

dnscache logging: log (multilog) costs CPU, log 15% CPU; (3 ...) config; querylog ...

BIND9 / BIND8: DoS; BIND8 -> BIND9; Nominum CNS; BIND9 + ...
BIND9
BIND9 vs BIND8: BIND9 view ... BIND9
BIND9: web (2ch ...) 2 ... BIND9
log: syslog; EDNS0: tcpdump; BIND9 EDNS0
EDNS0
  DNS over udp: packets limited to 512bytes; 512bytes is too small for IPv6 (A + AAAA), DNSSEC, MARID
  EDNS0: RFC2671, OPT RR

EDNS0 and BIND9
  BIND9 sends EDNS0 queries; a server that does not understand EDNS0 answers FORMERR or NOTIMPL
  BIND9 then retries the query without EDNS0: 1 extra query per FORMERR / NOTIMPL

EDNS0 cost: 1 extra RTT, in msec (with RTT 150msec ...) x 2 ...
  BIND8.3 and later support EDNS0; BIND8.2.7 does not; BIND8.3 EDNS0 ...
  EDNS0 deployment: ISC
IPv6
  IPv6 query: BIND9 with IPv6 enabled; on BSD/OS and FreeBSD, configure --enable-ipv6=yes
  .JP NS have AAAA (NS A, AAAA); NS AAAA ...

IPv6 (AAAA) queries fail with doio_send: No Route to Host (IPv4 (A): doio_send ...) 1 ...
  configure --disable-ipv6, or enable IPv6 in the OS
  bind-users 2004-06-23: *.dns.jp AAAA
BIND8 BIND8.3?
BIND9 vs BIND8... 5 ...; BIND8 named restart; BIND9 NS lame delegation

BIND8.3.7: zone, authoritative name server, lame; zone TTL vs lame name server; A expire
  example.com       1000 NS ns0.example.com
  example.com       1000 NS ns1.hoge.net      <- lame
  ns1.hoge.net       100 A  192.168.1.1
  (ns0.example.com       A  192.168.0.1)      <- expired
  example.com NS ... expire ... example.com
!? BIND8.3
: NS selection by RTT; name server RTT; BIND8.3.7 ./bin/named/ns_forw.c qcomp(); lame; RTT; local network or topology, sortlist; RTT; BIND9.2.3: RTT, topology

BIND RTT (BIND8, BIND9 (9.2.2 ...)), updated after each response:
  name server that answered:   new_rtt = old_rtt * 0.7 + rtt * 0.3
  the other name servers:      new_rtt = old_rtt * 0.98
  RTT ... name server RTT ... name server ... server
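To see what the two update rules above do over time, here is an added example (a toy model written for this page, not BIND's code): servers are ranked by smoothed RTT, the one that answered is blended 0.7/0.3 with the measured RTT, and the others decay by 0.98. The `simulate` run asks how many queries to a zone it takes before a server that was once marked very slow gets tried again; the initial estimates 10 and 2620 are borrowed from the dumps later on these slides, but the "true" RTTs and the unit are assumptions of the example.

```python
# Added example, not BIND's code: a toy model of per-nameserver RTT
# bookkeeping. Values are in whatever unit the dump being read reports.

class NameServerSet:
    def __init__(self, initial_rtt):
        # name -> smoothed RTT estimate
        self.rtt = dict(initial_rtt)

    def pick(self):
        """The resolver sends to the server with the lowest estimate
        (ties broken by name, just to make the model deterministic)."""
        return min(self.rtt, key=lambda n: (self.rtt[n], n))

    def update(self, answered, measured_rtt):
        """Apply the slide's two rules after one response arrives."""
        for name in self.rtt:
            if name == answered:
                self.rtt[name] = self.rtt[name] * 0.7 + measured_rtt * 0.3
            else:
                self.rtt[name] = self.rtt[name] * 0.98
        return dict(self.rtt)

def simulate(initial_rtt, true_rtt, rounds):
    """Run `rounds` queries; each answer takes the chosen server's true RTT.
    Returns the server chosen in each round."""
    ns = NameServerSet(initial_rtt)
    chosen = []
    for _ in range(rounds):
        name = ns.pick()
        chosen.append(name)
        ns.update(name, true_rtt[name])
    return chosen

def first_retry_round(initial_rtt, true_rtt, slow, max_rounds=10000):
    """1-based round in which `slow` is tried again, or None if never."""
    for i, name in enumerate(simulate(initial_rtt, true_rtt, max_rounds), 1):
        if name == slow:
            return i
    return None

if __name__ == "__main__":
    # Assumed scenario: dns1 is actually the faster server (5 vs 10) but
    # starts with a bad estimate of 2620 after one slow exchange.
    n = first_retry_round({"dns0": 10.0, "dns1": 2620.0},
                          {"dns0": 10.0, "dns1": 5.0}, "dns1")
    print(f"dns1 is tried again on query #{n}")
```

The 0.98 decay is slow: a server whose estimate is 262x the competitor's needs about 276 queries to that zone before it is asked again, which is why a single timeout or a transient path problem keeps a server out of rotation for a long time on a busy cache and why the dump fields on the following slides are worth reading.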
- dumpdb: reading the RTT values
  BIND8 dumpdb: NT= is the RTT
    ; Note: Cr=(auth,answer,addtnl,cache) tag only shown for non-auth RR's
    ; Note: NT=milliseconds for any A RR which we've used as a nameserver
  src/bin/named/db_dump.c:346   dp->d_nstime  -> NT
  src/bin/named/db_defs.h       u_int16_t d_nstime; /* NS response time, milliseconds */

BIND8 dumpdb
  $ORIGIN ad.jp.
  iij     86382 IN NS dns0.iij.ad.jp. ;Cr=auth [210.138.175.5]
          86382 IN NS dns1.iij.ad.jp. ;Cr=auth [210.138.175.5]
  $ORIGIN iij.ad.jp.
  dns0    86382 IN A 210.138.174.16 ;NT=24 Cr=addtnl [165.76.0.98]
  www      1782 IN A 202.232.2.10 ;Cr=auth [210.138.175.5]
  dns1    86382 IN A 210.138.175.5 ;NT=3 Cr=addtnl [165.76.0.98]

BIND9 dumpdb
  ; authauthority
  iij.ad.jp.        86398 NS dns0.iij.ad.jp.
                    86398 NS dns1.iij.ad.jp.
  ; glue
  dns0.iij.ad.jp.   86398 A 210.138.174.16
  ; glue
  dns1.iij.ad.jp.   86398 A 210.138.175.5
  ; authanswer
  www.iij.ad.jp.     1798 A 202.232.2.10

BIND9 dumpdb shows no RTT: lib/dns/view.c 1167-1169
  #ifdef notyet /* clean up adb dump format first */
      dns_adb_dump(view->adb, fp);
  #endif
  dns_adb_dump is what would dump the RTT; lib/dns/adb.c 2935-2940:
  /*
   * Lock the adb itself, lock all the name buckets, then lock all
   * the entry buckets. This should put the adb into a state where
   * nothing can change, so we can iterate through everything and
   * print at our leisure.
   */

BIND9 dumpdb (2)
  ; dns0.iij.ad.jp [v4 TTL 4] [v4 success] [v6 unexpected]
  ;   210.138.174.16 [srtt 24]
  ; dns1.iij.ad.jp [v4 TTL 4] [v4 success] [v6 unexpected]
  ;   210.138.175.5 [srtt 2620]
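An added example (written for this page, not part of BIND or the slides) that pulls the per-nameserver RTT out of both dump formats shown above: the BIND8 `;NT=` tag on A records, with `$ORIGIN` tracked so relative owner names become FQDNs, and the `[srtt N]` lines of the BIND9 adb dump. The sample dumps are the ones on the slides. One caveat that is an assumption of mine, not stated on the page: BIND8's NT is documented in db_defs.h as milliseconds, while I believe BIND9's adb keeps srtt in microseconds, so the two columns are not directly comparable.

```python
import re

# Sample dumps copied from the slides above.
BIND8_DUMP = """\
$ORIGIN ad.jp.
iij     86382 IN NS dns0.iij.ad.jp. ;Cr=auth [210.138.175.5]
        86382 IN NS dns1.iij.ad.jp. ;Cr=auth [210.138.175.5]
$ORIGIN iij.ad.jp.
dns0    86382 IN A 210.138.174.16 ;NT=24 Cr=addtnl [165.76.0.98]
www      1782 IN A 202.232.2.10 ;Cr=auth [210.138.175.5]
dns1    86382 IN A 210.138.175.5 ;NT=3 Cr=addtnl [165.76.0.98]
"""
BIND9_ADB_DUMP = """\
; dns0.iij.ad.jp [v4 TTL 4] [v4 success] [v6 unexpected]
;   210.138.174.16 [srtt 24]
; dns1.iij.ad.jp [v4 TTL 4] [v4 success] [v6 unexpected]
;   210.138.175.5 [srtt 2620]
"""

# BIND8: '<owner> <ttl> IN A <addr> ;NT=<ms> ...'; only A RRs that were used
# as a nameserver carry the NT tag, so plain A records are skipped.
BIND8_A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)\s*;\s*NT=(\d+)")
# BIND9 adb dump: a name line followed by one line per address.
ADB_NAME_RE = re.compile(r"^;\s*(\S+)\s+\[v[46] TTL")
ADB_ADDR_RE = re.compile(r"^;\s*(\S+)\s+\[srtt (\d+)\]")

def parse_bind8_dump(dump):
    """Return [(fqdn, address, NT_ms)] for nameserver A RRs in a BIND8 dumpdb."""
    origin, out = ".", []
    for line in dump.splitlines():
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = BIND8_A_RE.match(line)
        if m:
            owner, addr, nt = m.groups()
            fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
            out.append((fqdn, addr, int(nt)))
    return out

def parse_bind9_adb_dump(dump):
    """Return [(name, address, srtt)] from a BIND9 adb dump (units as dumped)."""
    out, current = [], None
    for line in dump.splitlines():
        m = ADB_NAME_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADB_ADDR_RE.match(line)
        if m and current is not None:
            out.append((current, m.group(1), int(m.group(2))))
    return out

def rank(entries):
    """Fastest first: the order in which the cache will prefer the servers."""
    return sorted(entries, key=lambda e: (e[2], e[0]))

if __name__ == "__main__":
    for label, entries in (("BIND8 NT", parse_bind8_dump(BIND8_DUMP)),
                           ("BIND9 srtt", parse_bind9_adb_dump(BIND9_ADB_DUMP))):
        print(label)
        for name, addr, rtt in rank(entries):
            print(f"  {rtt:>6}  {addr:<16} {name}")
```

Note that the two dumps disagree about which of dns0/dns1 is preferred (NT 3 vs 24 in BIND8, srtt 24 vs 2620 in BIND9); that is exactly the kind of thing worth checking when a cache keeps sending to a server you consider slow.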
BIND8 query flow
  nlookup() -> DB; findns() or NS; ns_forw() name server; qnew(); find_zone() (forward, stub zone); nslookup() nameserver NS sort; qcomp(); query

nslookup() with expired glue: ns0.example.com IP expired; nslookup() for example.com -> IP 192.168.1.1 (lame)
  example.com       1000 NS ns0.example.com
  example.com       1000 NS ns1.hoge.net      <- lame
  ns1.hoge.net       100 A  192.168.1.1
  (ns0.example.com       A  192.168.0.1)      <- expired

BIND8 8.2, 8.3, 8.4
  BIND8.2.7: nslookup() lame NS
  BIND8.3.7 (changed BIND8.3.4 -> BIND8.3.5): nslookup() lame NS; qcomp() lame NS; nslookup() glue
  BIND8.4.4 (changed BIND8.4.3 -> BIND8.4.4): nslookup() glue
  CHANGES:
    1637. [bug] if the current lookup requires self glue allow nslookup
          to signal that the caller may call check the parent.
  src/bin/named/ns_forw.c 738-741:
    /*
     * Allow nslookup to tell the caller to go up one level
     * to look for glue.
     */
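The failure mode of the last three slides, as an added example (a simplified model written for this page, not BIND's nslookup()/qcomp() code): the zone's NS RRset lives 1000 seconds, but the good server's glue A lives only 100, so after it expires the only address still in the cache belongs to the lame server. A resolver that picks only from addresses already cached ends up with nothing but the lame server; one that goes and fetches the missing address first (the "go up one level to look for glue" behaviour of CHANGES 1637) recovers. Names, addresses and TTLs are the slide's; which address is lame, and the `fetch_address` stand-in for asking the parent, are constructed for the example.

```python
# Added example, not BIND code: a toy cache and two nameserver-selection
# strategies, to show why expired glue plus a lame NS breaks resolution.

class Cache:
    """(name, type) -> list of (rdata, expiry time)."""
    def __init__(self):
        self.rrs = {}

    def add(self, name, rtype, ttl, rdata, now):
        self.rrs.setdefault((name, rtype), []).append((rdata, now + ttl))

    def lookup(self, name, rtype, now):
        return [rd for rd, exp in self.rrs.get((name, rtype), []) if exp > now]

# Constructed "network": who answers authoritatively for example.com.
AUTHORITATIVE = {"192.168.0.1"}   # ns0.example.com
LAME = {"192.168.1.1"}            # ns1.hoge.net answers, but without AA

def query(addr):
    """True if the server at addr answers authoritatively, False if lame."""
    return addr in AUTHORITATIVE

def resolve_cache_only(cache, zone, now):
    """Candidates are only the NS names whose A is still in the cache."""
    tried = []
    for ns in cache.lookup(zone, "NS", now):
        for addr in cache.lookup(ns, "A", now):
            tried.append(addr)
            if query(addr):
                return ("ok", addr, tried)
    return ("fail", None, tried)

def resolve_with_glue_refetch(cache, zone, now, fetch_address):
    """Same, but an NS name with no usable A is looked up before giving up."""
    tried = []
    for ns in cache.lookup(zone, "NS", now):
        addrs = cache.lookup(ns, "A", now)
        if not addrs:
            addrs = fetch_address(ns)
            for a in addrs:
                cache.add(ns, "A", 100, a, now)
        for addr in addrs:
            tried.append(addr)
            if query(addr):
                return ("ok", addr, tried)
    return ("fail", None, tried)

def fetch_address(ns):
    """Stand-in for asking the parent zone for glue (constructed data)."""
    return {"ns0.example.com": ["192.168.0.1"],
            "ns1.hoge.net": ["192.168.1.1"]}.get(ns, [])

def build_cache(now):
    """Cache state from the slide: NS and ns0 glue learned at t=0,
    ns1's A re-learned 50 s ago (so it is still fresh at `now`)."""
    c = Cache()
    c.add("example.com", "NS", 1000, "ns1.hoge.net", 0)      # lame
    c.add("example.com", "NS", 1000, "ns0.example.com", 0)
    c.add("ns0.example.com", "A", 100, "192.168.0.1", 0)     # expires at t=100
    c.add("ns1.hoge.net", "A", 100, "192.168.1.1", now - 50)
    return c

def scenario(now):
    """Outcome (cache-only, with glue refetch) at time `now`."""
    cache_only = resolve_cache_only(build_cache(now), "example.com", now)
    refetch = resolve_with_glue_refetch(build_cache(now), "example.com",
                                        now, fetch_address)
    return cache_only[0], refetch[0]

if __name__ == "__main__":
    for t in (50, 500):
        print(f"t={t}: cache-only={scenario(t)[0]}, with glue refetch={scenario(t)[1]}")
```

At t=50 both strategies succeed (the lame server is tried and skipped, then ns0 answers); at t=500 the cache-only strategy has only 192.168.1.1 left and fails, while the refetching one fetches ns0's address and succeeds. Note that the slide's numbers make the trap generic: any zone whose NS TTL exceeds its glue TTL reaches this state on every cache, every time the glue expires first.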
BIND8.4.4 IPv6; ISC bind-users ( ... ); S/N
BIND9 again
BIND8 8.4.4; BIND9 9.2.3, 9.3.0 beta: rndc flushname

[Figures: udp packets, queries (1 ...)]
1 ... man named.conf, cache cleaning: cleaning-interval, default 60 (minutes); cleaning-interval 0 disables it; cleaning-interval on PentiumIII 850MHz / Pentium4 2.4GHz ...

BIND9 cache cleaning: 1000 nodes per increment
  1000 / 1000 / 300 / 128 ...
  lib/dns/cache.c:
    45   #define DNS_CACHE_CLEANERINCREMENT 1000 /* Number of nodes. */
    483  cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
  compiled in, not a named.conf option; ISC ...

OS: udp packet burst -> packet drop; ndc stats; BIND 8/9 CHANGES; BIND9
TODO: BIND8.3.7, BIND8.4.4 vs BIND9 CPU usage; CPU during cleaning; BIND9 CPU ...

Special Thanks To...
  IIJ ...; Nominum CNS ...; IIJ BIND9 IPv6 ...; BIND9 cleaning-interval query ...; rndc flushname, BIND9.2.3 ...; IIJ ...; JANOG14 PC _o_