How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your...

14
How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman [email protected] (518) 357-8823 x2577 The Intelligent Broadband DNS Company

Transcript of How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your...

Page 1: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

How to Prevent IPv6 fromRunning Over Your DNS

Robert M. [email protected]

(518) 357-8823 x2577

The Intelligent Broadband DNS Company

Page 2: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

I am the Guy that Knows That

Page 3: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

NOT Talking About

● What is IPv6? What is DNS?● IPv4 Address Depletion● IPv6 is a "good thing"

Page 4: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

What is IPv6 DNS?

● Transport. Clients and Servers over IPv6

● AAAA records

● PTR records ("ip6.arpa.")

ClientsRecursiveServers

AuthoritativeServers

Page 5: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

Transport

● Transport is independent.● Clients and Servers 1. Txns for v4 data over IPv4 transport2. Txns for v6 data over IPv6 transport3. Txns for v4 data over IPv6 transport4. Txns for v6 data over IPv4 transport 

Page 6: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

AAAA Records

DNS Record Type is "AAAA" (28) brig AAAA 2001:dead:beef:0:21e:68ff:fe49:c783caravel AAAA 2001:dead:beef::72ff:fe5d:c42f ipv6.google.com. -> 2001:4860:800e::67www.v6.facebook.com. -> 2620:0:1cfe:face:b00c:3 

Page 7: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

PTR Records

Instead of "in-addr.arpa", we have "ip6.arpa" f.2.4.c.d.5.e.f.f.f.2.7.0.0.0.0.0.0.0.0.f.e.e.b.d.a.e.d.1.0.0.2.ip6.arpa. PTR caravel.xerocole.net. 

It looks ugly, but, precise delegation is now possible. 

Page 8: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

Things to Worry About

● Antispam DNSBL's use DNS (Spamhaus, etc)

● Simply more Traffic

● Reverse DNS

Page 9: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

AntiSpam DNSBL's

Incoming IP is checked against a remote DNS zone via a DNS query:

"1.0.0.127.dnsbl.com. A"

Page 10: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

Ouch

● IPv6 Spammer attacks your mail server● A /64 allows "billion/sec" for 1000 yrs● Cache Destruction ● No v6?● Separate DNS server (or customizable policy)?● Whitelist?

Page 11: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

Lots More Traffic from IPv6

● Apps don't say "A" or "AAAA"

● AAAA first

● Windows 7+Vista Devolution (.com, .net)

● Microsoft Search, Google Prefetch

One URL can be 12-40 DNS queries

Page 12: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

Reverse DNS

Why? ● Building Trust● Validating other data● Security, Geo● RFC1912 : "PTR records must point back

to a valid address record"

Page 13: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

Reverse DNS with IPv6

● Address Space per customer (/64 to /80)● SLAAC, and DHCPv6 make it impossible to

know "ahead of time" ● DYNAMIC is needed!● Delegation to CPE● Populate from DHCP server● On-the-Fly generation

Page 14: How to Prevent IPv6 from Running Over Your DNS … · How to Prevent IPv6 from Running Over Your DNS Robert M. Fleischman rmf@xerocole.com (518) 357-8823 x2577 The Intelligent Broadband

Thank You

Let me know if I can help. 

Rob [email protected]


[Itpub.net]DNS and BIND on IPv6

[Itpub.net]DNS and BIND on IPv6

IPv6 and the DNS, RIPE 73

IPv6 and the DNS, RIPE 73

IPV6 TECHNOLOGY AND DNS SETUP - Auburn University

IPV6 TECHNOLOGY AND DNS SETUP - Auburn University

IPv6 & DNS: DNSv6 · 2017. 5. 18. · RFC 3901: “DNS IPv6 Transport Operational Guidelines ” To guarantee DNS service continuity across a mixture of IPv4/v6 networks: •Every

IPv6 & DNS: DNSv6 · 2017. 5. 18. · RFC 3901: “DNS IPv6 Transport Operational Guidelines ” To guarantee DNS service continuity across a mixture of IPv4/v6 networks: •Every

World IPv6 Day MeasuredJun 08, 2011  · DNS During the Week 9 • Blue: no IPv6 Address Published • Green: IPv6 Address Published (AAAA RR) Presenter Name, Date DNS During the Week

World IPv6 Day MeasuredJun 08, 2011  · DNS During the Week 9 • Blue: no IPv6 Address Published • Green: IPv6 Address Published (AAAA RR) Presenter Name, Date DNS During the Week

IPv6 Basics - SHARE...TCP/UDP aware of IPv6 Sockets/Winsock library updates for IPv6 Domain Name Server updates for IPv6 Domain Name Server (DNS) Many products already support 128

IPv6 Basics - SHARE...TCP/UDP aware of IPv6 Sockets/Winsock library updates for IPv6 Domain Name Server updates for IPv6 Domain Name Server (DNS) Many products already support 128

Enterprise IPv6 Deployment Summary - Shannon McFarland.pdf · Enterprise IPv6 Deployment Summary Shannon McFarland CCIE# 5245 ... Upgrade DNS server to support IPv6 Establish network

Enterprise IPv6 Deployment Summary - Shannon McFarland.pdf · Enterprise IPv6 Deployment Summary Shannon McFarland CCIE# 5245 ... Upgrade DNS server to support IPv6 Establish network

Copyright © 2001 Nominum, Inc. IPv6 DNS Ashley Kitto Nominum, Inc. .

Copyright © 2001 Nominum, Inc. IPv6 DNS Ashley Kitto Nominum, Inc. .

IPv6 Enablement for Enterprises · 2012-12-14 · Migration Complexities Identify Dependencies on IPv4 • DNS – Inserting AAAA records in DNS for resources without IPv6 connectivity

IPv6 Enablement for Enterprises · 2012-12-14 · Migration Complexities Identify Dependencies on IPv4 • DNS – Inserting AAAA records in DNS for resources without IPv6 connectivity

DNS and IPv6 - 6DEPLOY6deploy.eu/workshops/brazil_20080526/DNS_and_IPv6.pdf · Configure a BIND9 based DNS server Run the server in a chroot() jail Support IPv6 transport Manage

DNS and IPv6 - 6DEPLOY6deploy.eu/workshops/brazil_20080526/DNS_and_IPv6.pdf · Configure a BIND9 based DNS server Run the server in a chroot() jail Support IPv6 transport Manage

IPv6, Large UDP Packets and the DNS - potaroo.netIPv6, Large UDP Packets and the DNS The IPv6 protocol introduced very few changes to its IPv4 predecessor. The major change was of

IPv6, Large UDP Packets and the DNS - potaroo.netIPv6, Large UDP Packets and the DNS The IPv6 protocol introduced very few changes to its IPv4 predecessor. The major change was of

IPv6!AAAA!DNS!Whitelisting! - bitag.org

IPv6!AAAA!DNS!Whitelisting! - bitag.org

Analysing!Dual!Stack!Behaviour! and!IPv6!Quality!ftp.ines.ro/doc/isp-workshops/IPv6 Presentations... · 2012. 4. 26. · IPv6 SYN+ACK DNS IPv6 IPv6 IPv6 Windows(XP 8.0.1 8.0.115.0.874.121

Analysing!Dual!Stack!Behaviour! and!IPv6!Quality!ftp.ines.ro/doc/isp-workshops/IPv6 Presentations... · 2012. 4. 26. · IPv6 SYN+ACK DNS IPv6 IPv6 IPv6 Windows(XP 8.0.1 8.0.115.0.874.121

IPv6 Tutorial · 2/1/2001  · • Node has both IPv4 and IPv6 stacks and addresses • IPv6-aware application asks for both IPv4 and IPv6 addresses of destination • DNS resolver

IPv6 Tutorial · 2/1/2001  · • Node has both IPv4 and IPv6 stacks and addresses • IPv6-aware application asks for both IPv4 and IPv6 addresses of destination • DNS resolver

IPv6 Services: AAAA DNS Lookups over an IPv4 Transport · IPv6 Services: AAAA DNS Lookups over an IPv4 Transport IPv6basicconnectivitycanbeenhancedbyconfiguringsupportforAAAArecordtypesintheDNS

IPv6 Services: AAAA DNS Lookups over an IPv4 Transport · IPv6 Services: AAAA DNS Lookups over an IPv4 Transport IPv6basicconnectivitycanbeenhancedbyconfiguringsupportforAAAArecordtypesintheDNS

DNS and IPv6 · Topics Importance of DNS in IPv6 Server configuration Client Configuration Resource Records

DNS and IPv6 · Topics Importance of DNS in IPv6 Server configuration Client Configuration Resource Records

DNS Abuse Handling - APNIC Conferences · DNS Abuse Handling Champika Wijayatunga ... Tools for Identifying Badness and ... ask for IPv6 addresses

DNS Abuse Handling - APNIC Conferences · DNS Abuse Handling Champika Wijayatunga ... Tools for Identifying Badness and ... ask for IPv6 addresses

DNS, DHCP & IPAM with IPv6

DNS, DHCP & IPAM with IPv6

IPv6 support in the DNS - IPv6 Dissemination and · PDF fileIPv6 support in the DNS 2nd South East Europe 6DISS Workshop Plovdiv, Bulgaria 27-29 June 2007 Athanassios Liakopoulos (aliako@grnet.gr)

IPv6 support in the DNS - IPv6 Dissemination and · PDF fileIPv6 support in the DNS 2nd South East Europe 6DISS Workshop Plovdiv, Bulgaria 27-29 June 2007 Athanassios Liakopoulos ([email protected])

Anycast by DNS over pure IPv6 network

Anycast by DNS over pure IPv6 network