Monitoring .uk DNS
Ian Meikle
UKNOF4, Manchester
19 May 2006

Agenda
1. Nameserver Infrastructure
2. DNS Service Metrics
3. DNS Statistics
Questions.

Nameserver Infrastructure
Nominet runs 12 authoritative nameservers for .uk/SLD.uk
• 7 Nominet-managed: ns[1-7].nic.uk
• 4 UltraDNS-managed: ns[a-d].nic.uk
• 20 Anycast Instances
• 1 Hidden primary: ns0.nic.uk
3 nameservers reachable over IPv6

Nameserver Infrastructure
Dynamic DNS characteristics
• Potentially, 500 changes per minute
• Serial number is UNIX time of update, e.g. 1146832341
• Propagation varies between nameservers
  • BIND, <300s lag
  • UltraDNS 3000 ~ 5000s lag
• Frequency of updates varies between SLDs, e.g.
  • co.uk: 58 changes per hour
  • plc.uk: less than one change per day

Nameserver Infrastructure
Physical configuration
[diagram on the original slide, not reproduced in the transcript]

DNS Service Metrics
How DNS service is monitored.
What is measured.
How nameserver availability is determined.

DNS Service Metrics
PINC - Nominet’s Nagios-based monitoring system
Regular polling to ascertain that:
• Nameserver is reachable (ping)
• DNS service is available (UDP/TCP)
• Zone file age is within acceptable range

DNS Service Metrics
Zone file age monitored every five minutes by Nagios plug-in:
check_ddns_age!-p ns0.nic.uk!-z co.uk!-w 1500!-c 1800
Slow-changing zones, e.g. sch.uk, have a ‘grace period’ of 30 seconds.
• Required as previous serial number may lag by many hours
UltraDNS have much longer thresholds:
• Warn at 8000s
• Critical at 15000s
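The zone-age decision described on this slide, as an added Python illustration that is not Nominet's check_ddns_age plug-in: it parses a Nagios `!`-separated check_command string for its -w/-c thresholds and classifies a secondary's copy of a zone whose serial is the UNIX time of the last update, including a grace-period rule for slow-changing zones. The exact semantics (age = now minus the secondary's serial, grace measured from the primary's newest update, serials passed in rather than fetched by SOA query) are assumptions made for this example.

```python
# Nagios plug-in exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def parse_check_command(cmd):
    """Split a Nagios check_command string ('plugin!arg!arg...') into the plug-in
    name and a dict of '-flag': 'value' pairs, tolerating spaces around the '!'."""
    name, *args = cmd.split("!")
    opts = {}
    for arg in args:
        flag, _, value = arg.strip().partition(" ")
        opts[flag] = value.strip()
    return name.strip(), opts


def zone_age_state(primary_serial, secondary_serial, now, warn, crit, grace=0):
    """Classify one secondary's copy of a dynamically updated zone.

    Assumed semantics (an illustration, not Nominet's plug-in):
    - serials are the UNIX time of the last update, as the slides describe;
    - a secondary whose serial equals the hidden primary's is current, however
      old that update is (so a slow zone like plc.uk does not alarm forever);
    - otherwise the zone file age is now - secondary_serial, in seconds,
      compared with the warning and critical thresholds;
    - 'grace' (used for slow-changing zones) suppresses the alarm while the
      primary's newest update is younger than grace seconds, because the
      secondary's previous serial may legitimately be many hours old.
    Returns (exit_code, message).
    """
    if secondary_serial > primary_serial:
        return UNKNOWN, "secondary serial %d ahead of primary %d" % (secondary_serial, primary_serial)
    if secondary_serial == primary_serial:
        return OK, "in sync at serial %d" % primary_serial
    since_update = now - primary_serial
    if since_update < grace:
        return OK, "behind, but primary updated only %ds ago (grace %ds)" % (since_update, grace)
    age = now - secondary_serial
    if age >= crit:
        return CRITICAL, "zone age %ds >= critical %ds" % (age, crit)
    if age >= warn:
        return WARNING, "zone age %ds >= warning %ds" % (age, warn)
    return OK, "zone age %ds" % age


def check_from_command(cmd, primary_serial, secondary_serial, now, grace=0):
    """Apply the -w/-c thresholds from a check_command string to a pair of serials
    (a real plug-in would obtain them with SOA queries to -p and to the monitored host)."""
    _, opts = parse_check_command(cmd)
    return zone_age_state(primary_serial, secondary_serial, now,
                          int(opts["-w"]), int(opts["-c"]), grace)
```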

DNS Service Metrics
Nameserver availability KPIs
Each month, an individual nameserver must have no more than:
• 60 minutes unplanned downtime
• 120 minutes total downtime
Nameserver constellation must have zero minutes downtime per month
Creative statistical recording means that an availability index of < 100% is bad

DNS Service Metrics
Nameserver availability KPIs
Recording of downtime is presently a manual process
• Planned maintenance is logged in advance
• Outages recorded as they happen
• Once a month, nameserver availability verified using DNSMON

DNS Service Metrics
DNSMON (http://dnsmon.ripe.net)
RIPE NCC subscription service
• Uses TTM (Test Traffic Measurement) boxes to monitor nameserver response
• Provides visual indicator of nameserver health
• Access to raw data is possible

DNS Statistics
New system for gathering statistics.
What queries arrive at the .uk nameservers?
Uses of this statistical data.

DNS Statistics
DSC - A DNS Statistics Collector (http://dns.measurement-factory.com/tools/dsc/)
Two components to DSC:
• Collector: uses libpcap to capture DNS traffic and stores it as XML
• Presenter: extracts data from the XML and displays it graphically
Collectors located at each Nominet-managed nameserver site.
Presenters at Nominet, and at OARC.

DNS Statistics
Modified Configuration
[diagram on the original slide, not reproduced in the transcript]

DNS Statistics
OARC: DSC
OARC - Operations, Analysis, and Research Center (https://oarc.isc.org/faq.html)
Public service run by ISC:
“The OARC provides a neutral forum for bilateral sharing of sensitive information during DNS attacks by organizations that are dependent on the proper operation of the DNS. The OARC also provides a continued stream of analysis on the operation of the global DNS.”
OARC’s DSC presenter gives statistics for:
• C, E, and F-Root
• RFC1918
• ISC
• Nominet

DNS Statistics
DSC uses
• Abuse detection, particularly data mining.
• Detecting anomalous traffic.
• DDoS agent identification, to help mitigate against attack.

Questions?