OARtech DNS Recursion

OARtech DNS Recursion April 9th, 2008


Transcript of OARtech DNS Recursion

Page 1: OARtech DNS Recursion

OARtech DNS Recursion

April 9th, 2008

Page 2: OARtech DNS Recursion

Purpose

• What is Recursion

• Why and what are we changing

• What else

Page 3: OARtech DNS Recursion

What is Recursion

• A DNS server is recursive if it will resolve queries for domains it does not maintain (zones it is not authoritative for), chasing the answer down from other nameservers on the client's behalf.

• A DNS server is an open recursive server if it does this for anyone who asks, not just for its own clients.

• ns1.oar.net and ns2.oar.net are currently open recursive servers
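The distinction on this slide is visible in the 12-byte DNS header: the client sets RD (recursion desired), and a server that is willing to recurse answers with RA (recursion available) and a non-authoritative answer. The following is an added example, not code from the OARtech deck, that builds such a query and classifies a reply; the sample replies are constructed by hand (only their headers matter), and `probe()` is the single function that touches the network.

```python
"""Probe whether a nameserver will recurse for us (added example)."""
import socket
import struct

# Header flag bits (RFC 1035): QR=response, AA=authoritative answer,
# RD=recursion desired (set by client), RA=recursion available (set by server).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard query with RD set and one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def classify(query: bytes, resp: bytes) -> str:
    """Classify a reply from its header bits (enough for an open-resolver check)."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & QR:
        raise ValueError("not a response")
    rcode = RCODE_NAMES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if flags & AA and an:
        return "authoritative"            # its own zone; says nothing about recursion
    if flags & RA and an:
        return "recursive"                # it fetched (or cached) this for us
    if flags & RA:
        return "recursive (%s)" % rcode   # e.g. NXDOMAIN found by recursing
    if rcode == "REFUSED":
        return "recursion refused"
    if ns and not an:
        return "referral"                 # non-recursive: pointed us at other NS
    return "non-recursive (%s)" % rcode


def response(query: bytes, flags: int, an: int = 0, ns: int = 0) -> bytes:
    """Constructed sample reply: echoes the question section; RR bodies are
    omitted because classify() reads only the header counts and flags."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, flags | QR, 1, an, ns, 0) + query[12:]


def probe(server: str, qname: str = "www.example.com", timeout: float = 2.0) -> str:
    """Live check: ask `server` for a name it is not authoritative for."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(q, data)


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("open resolver :", classify(q, response(q, RD | RA, an=1)))
    print("recursion off :", classify(q, response(q, RD | 5)))
    print("old-style ref.:", classify(q, response(q, RD, ns=2)))
```

Against a live server, `probe("ns1.oar.net")` returning "recursive" for a name outside the oar.net zone is exactly the "open recursive" condition the slide describes; "recursion refused" or "referral" is what you want to see once recursion is turned off.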

Page 4: OARtech DNS Recursion

What are the problems with Recursion

• Cache poisoning – incorrect (forged) records are injected into the cache of the DNS server, which then hands that data out to every client that queries for those records until the entries expire

• Reflector attacks

– Mr Malicious creates a zone (usually with very large records)

– He then sends queries, crafted to look like they come from the attack target, to open recursive servers

– The open server caches the zone information, which lowers the cost on the attack side and allows repeated crafted queries whose much larger responses are delivered to the target, DoSing it

Page 5: OARtech DNS Recursion

What to do to Turn Off Recursion

• Ensure authoritative nameservers only answer for the zones they serve (their queries should come from other nameservers and resolvers, not from end clients)

• Turn off recursion, or restrict it to your own clients

Page 6: OARtech DNS Recursion

What we (OSCnet) are doing

• Restricting zone transfers

• Creating caching-only servers for OSCnet community use (with anycast addressing)

• Turning off recursion on ns1 and ns2 for queries from outside OSCnet

• Turning off recursion on ns1 and ns2 for everyone
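The two previous slides describe one procedure: lock down zone transfers, stop recursing on the authoritative servers, and stand up separate caching-only resolvers for the community. As an added example of what that looks like in BIND 9 configuration (the deck does not name its nameserver software, so BIND is an assumption, as are the ACL names, the RFC 5737 documentation prefixes standing in for OSCnet and secondary addresses, and the anycast address):

```conf
// ---- ns1 / ns2 (authoritative only): named.conf fragment ----
// Assumed values: "oscnet" = community address space, "secondaries" =
// the hosts allowed to pull zones.
acl "oscnet"      { 192.0.2.0/24; 198.51.100.0/24; };
acl "secondaries" { 203.0.113.2; 203.0.113.3; };

options {
    // Interim step (slide 6, third bullet): recursion yes; allow-recursion { "oscnet"; };
    // Final step (fourth bullet):
    recursion no;                          // never resolve on a client's behalf
    allow-query { any; };                  // zones we serve stay public
    allow-query-cache { none; };           // nothing served from cache to anyone
    allow-transfer { "secondaries"; };     // "Restricting zone transfers"
    minimal-responses yes;                 // smaller replies, less value to a reflector
};

zone "oar.net" {
    type master;
    file "master/oar.net";
};

// ---- ns3 (caching only, anycast service address): separate named.conf ----
acl "oscnet" { 192.0.2.0/24; 198.51.100.0/24; };

options {
    recursion yes;
    allow-recursion   { "oscnet"; localhost; };   // recurse for the community only
    allow-query-cache { "oscnet"; localhost; };   // cached data only to the community
    allow-transfer { none; };                     // no zones to give away
    listen-on { 203.0.113.53; };                  // assumed anycast address
};
```

After reloading ns1/ns2, a query from outside the ACL for a name they do not serve should come back `status: REFUSED` with no `ra` flag, while queries for oar.net itself are still answered with `aa`; the same query sent to ns3 from inside OSCnet should succeed with `ra` set.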

Page 7: OARtech DNS Recursion

What Effect This Will Have on the Community: Restricting Zone Transfers

• Little effect

• May need to change troubleshooting habits (pulling a whole zone with AXFR will no longer work from arbitrary hosts)

Page 8: OARtech DNS Recursion

What Effect This Will Have on the Community: Turning Off Recursion to Non-OSCnet

• No effect within the community

• OSCnet nameservers will only answer for their own authoritative domains

• From outside OSCnet space, these nameservers will be of no use for resolving other domains

• If you use OSCnet servers as the resolvers for your home cable connection, they will stop working

Page 9: OARtech DNS Recursion

What Effect This Will Have on the Community: Creating Caching-Only Servers

• Larger effect

• Resolvers should be configured to the new nameservers (likely ns3.oar.net)

– all clients that use ns1.oar.net should be reconfigured

– any NAT/DHCP devices that hand out nameservers should be reconfigured

• Caching servers will be configured from the beginning to serve only the OSCnet community

Page 10: OARtech DNS Recursion

What Effect This Will Have on the Community: Changing Caching Servers to Anycast Addresses

• Planned in connection with deployment, so no effect

Page 11: OARtech DNS Recursion

What Effect This Will Have on the Community: Turning Off Recursion Completely

• (Hopefully) No Effect!

• (Hopefully) All OSCnet clients that use OSCnet's nameservers will have been moved to the new anycast caching servers by this point

• We are investigating ways to determine who is still using ns1 and ns2 as a resolver so that all clients can be warned prior to making these final changes
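One way to find who still relies on ns1/ns2 as a resolver is to read the server's query log: a client that sends queries with RD set for names outside the zones you serve is using you to recurse. The same log parse also exposes the reflector pattern from slide 4 (one spoofed source repeatedly asking for a large record at a name you do not serve). The following is an added example, not OSCnet's own tooling, serving both slides. It assumes BIND 9 querylog lines of the form `client <ip>#<port>: query: <qname> <class> <type> <+|-><flags> (<server-ip>)`, where `+` means RD was set and `-` means it was not; the log lines are constructed, the only authoritative zone is taken to be oar.net, and all other names are RFC 2606 example names.

```python
"""Resolver-client audit and reflector detection from BIND 9 query logs
(added example)."""
import re
from collections import Counter

QUERY_LINE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<rd>[+-])(?P<flags>\S*)"
)

# Constructed sample log: 192.0.2.10 is a desktop still pointed at ns1,
# 198.51.100.7 is another nameserver doing iterative (RD=0) lookups,
# 203.0.113.200 is the forged source address of a reflection flood.
SAMPLE_LOG = """\
client 192.0.2.10#53211: query: www.oar.net IN A + (203.0.113.1)
client 192.0.2.10#53212: query: www.example.com IN A + (203.0.113.1)
client 192.0.2.10#53213: query: mail.example.org IN MX + (203.0.113.1)
client 198.51.100.7#1025: query: oar.net IN NS - (203.0.113.1)
client 198.51.100.7#1026: query: ns1.oar.net IN A - (203.0.113.1)
client 192.0.2.77#4096: query: www.example.net IN A + (203.0.113.1)
client 203.0.113.200#4444: query: big.example.org IN ANY +E (203.0.113.1)
client 203.0.113.200#4444: query: big.example.org IN ANY +E (203.0.113.1)
client 203.0.113.200#4444: query: big.example.org IN ANY +E (203.0.113.1)
client 203.0.113.200#4444: query: big.example.org IN ANY +E (203.0.113.1)
""".splitlines()


def parse_query(line):
    """One log line -> dict, or None for lines that are not query records."""
    m = QUERY_LINE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["rd"] = q["rd"] == "+"
    q["qname"] = q["qname"].rstrip(".").lower()
    return q


def in_zones(qname, zones):
    """True if qname is at or below one of the zones we are authoritative for."""
    return any(qname == z or qname.endswith("." + z) for z in zones)


def resolver_clients(lines, authoritative_zones):
    """Clients sending RD=1 queries for names outside our zones: they rely on
    this server to recurse and must be moved to the caching servers before
    recursion is switched off. Returns {client_ip: query_count}."""
    counts = Counter()
    for line in lines:
        q = parse_query(line)
        if q and q["rd"] and not in_zones(q["qname"], authoritative_zones):
            counts[q["ip"]] += 1
    return dict(counts)


def reflection_suspects(lines, authoritative_zones, min_repeats=3):
    """Reflector signature: the same source repeatedly asking for a large
    record type at a name we do not serve. Because the source is forged,
    the listed IP is the victim being flooded, not the attacker.
    Returns {(ip, qname, qtype): count} for tuples seen >= min_repeats times."""
    big_types = {"ANY", "TXT", "RRSIG", "DNSKEY"}
    seen = Counter()
    for line in lines:
        q = parse_query(line)
        if (q and q["rd"] and q["qtype"] in big_types
                and not in_zones(q["qname"], authoritative_zones)):
            seen[(q["ip"], q["qname"], q["qtype"])] += 1
    return {k: n for k, n in seen.items() if n >= min_repeats}


if __name__ == "__main__":
    zones = ["oar.net"]
    for ip, n in sorted(resolver_clients(SAMPLE_LOG, zones).items()):
        print("still using us as a resolver:", ip, n, "queries")
    for (ip, name, qtype), n in reflection_suspects(SAMPLE_LOG, zones).items():
        print("reflection target?", ip, name, qtype, n, "repeats")
```

Note that the spoofed reflection source also shows up in the resolver-client list; the log alone cannot tell a real client from a forged source, which is why the warning list needs a sanity check against address space you actually serve before anyone is contacted.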

Page 12: OARtech DNS Recursion

What Effect This Will Have on the Community: Timeline

• Undetermined at this point.

• We hope to deploy caching-only servers throughout the summer

Page 13: OARtech DNS Recursion

What Else?

• We are also bringing up IPv6

• We already hand out AAAA records and are designing our IPv6 reverse (ip6.arpa) space

• Have not yet enabled listening on pure v6 networks

• General cleanup

• You might be hearing from the NOC about log errors