Embed Size (px)
Citation preview
Monitoring .uk DNS
19 May 2006
Ian MeikleUKNOF4, Manchester
AgendaMonitoring .uk DNs
1. Nameserver Infrastructure
2. DNS Service Metrics
3. DNS Statistics
Questions.
Nameserver InfrastructureMonitoring .uk DNS
Nominet runs 12 authoritative nameservers for .uk/SLD.uk
• 7 Nominet-managed: ns[1-7].nic.uk
• 4 UltraDNS-managed: ns[a-d].nic.uk• 20 Anycast Instances
• 1 Hidden primary: ns0.nic.uk
3 nameservers reachable over IPv6
Nameserver InfrastructureMonitoring .uk DNS
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Nameserver InfrastructureMonitoring .uk DNS
Dynamic DNS characteristics
• Potentially, 500 changes per minute
• Serial number is UNIX time of update, e.g. 1146832341
• Propagation varies between nameservers• BIND, <300s lag• UltraDNS 3000 ~ 5000s lag
• Frequency of updates varies between SLDs, e.g. • co.uk
• 58 changes per hour• plc.uk
• less than one change per day
Nameserver InfrastructureMonitoring .uk DNS
Physical configuration
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
DNS service MetricsMonitoring .uk DNS
How DNS service is monitored.
What it is measured.
How nameserver availability is determined.
DNS service MetricsMonitoring .uk DNS
PINC - Nominet’s nagios-based monitoring system
Regular polling to ascertain that:
• Nameserver is reachable (ping)
• DNS service is available (udp/tcp)
• Zone file age is within acceptable range
DNS service MetricsMonitoring .uk DNS
Zone file age monitored every five minutes by nagios plug-in:
check_ddns_age!-p ns0.nic.uk ! -z co.uk ! -w 1500 ! -c 1800
Slow changing zones, e.g. sch.uk, have a ‘grace period’ of 30 seconds.
• Required as previous serial number may lag by many hours
UltraDNS have much longer thresholds:• Warn at 8000s• Critical at 15000s
DNS service MetricsMonitoring .uk DNS
DNS service MetricsMonitoring .uk DNS
DNS service MetricsMonitoring .uk DNS
Nameserver availability KPIs
Each month, an individual nameserver must have no more than:• 60 minutes unplanned downtime• 120 minutes total downtime
Nameserver constellation must have zero minutes downtime per month
Creative statistical recording means that an availability indexof < 100% is bad
DNS service MetricsMonitoring .uk DNS
Nameserver availability KPIs
Recording of downtime is presently a manual process
• Planned maintenance is logged in advance
• Outages recorded as they happened
• Once a month, nameserver availability verified using DNSMON
DNS service MetricsMonitoring .uk DNS
DNSMON (http://dnsmon.ripe.net)
RIPE NCC subscription service
• Uses TTM boxes to monitor nameserver response
• Provides visual indicator of nameserver health
• Access to raw data is possible
DNS service MetricsMonitoring .uk DNS
DNS Statistics
Monitoring .uk DNS
New system for gathering statistics.
What queries arrive at the .uk nameservers?
Uses of this statistical data.
DNS Statistics
Monitoring .uk DNS
DSC
DSC - A DNS Statistics Collector(http://dns.measurement-factory.com/tools/dsc/)
Two components to DSC:• Collector, using libpcap to capture DNS traffic, storing it as XML• Presenter, extracts data from XML and displays graphically.
Collectors located at each Nominet-managed nameserver site.
Presenters at Nominet, and at OARC.
DNS Statistics
Monitoring .uk DNS
QuickTime™ and aTIFF (LZW) decompressor
are needed to see this picture.
Modified Configuration
DNS Statistics
Monitoring .uk DNS
OARC: DSC
OARC - Operations, Analysis, and Research Center.(https://oarc.isc.org/faq.html)
Public service run by ISC:
“The OARC provides a neutral forum for bilateral sharing of sensitive information during DNS attacks by organizations that are dependent on the proper operation of the DNS. The OARC also provides a continued stream of analysis on the operation of the global DNS.”
OARC’s DSC presenter gives statistics for:• C, E, and F-Root• RFC1918• ISC• Nominet
DNS Statistics
Monitoring .uk DNS
DSC uses
Abuse detection, particularly data mining.
Detecting anomalous traffic.
DDoS agent identification, to help mitigate against attack.
Questions?Monitoring .uk DNS
