OARtech DNS Recursion - PowerPoint PPT Presentation

Provided by: OAR8

1
OARtech DNS Recursion
  • April 9th, 2008

2
Purpose
  • What is Recursion
  • Why and what are we changing
  • What else

3
What is Recursion
  • A DNS server is recursive if it can process
    requests for domains it does not maintain.
  • A DNS server is an open recursive server if it
    allows anyone to query it and gives responses.
  • ns1.oar.net and ns2.oar.net are open recursive
    servers

4
What are the problems with Recursion
  • Cache poisoning: incorrect information is
    somehow injected into the cache of the DNS server,
    which then feeds this information out when
    queried for those records
  • Reflector attacks
  • Mr Malicious creates a zone (usually of large
    size)
  • He then creates a query crafted to look like it
    is from the attack target and sends it to open
    recursive servers
  • The open server will cache the zone information,
    lowering the cost on the attack side and
    allowing repeated crafted queries that can DoS
    the target

5
What to do to Turn Off Recursion
  • Ensure nameservers only answer queries from other
    nameservers
  • Turn off or restrict recursion

6
What we (OSCnet) are doing
  • Restricting zone transfers
  • Creating caching-only servers for OSCnet
    community use (with anycast addressing)
  • Turning off Recursion on ns1 and ns2 to outside
    OSCnet
  • Turning off Recursion on ns1 and ns2 to everyone

7
What Effect This Will Have on the Community: Restricting Zone Transfers
  • Little effect
  • May need to change troubleshooting paradigms

8
What Effect This Will Have on the Community: Turning Off Recursion to Non-OSCnet
  • No effect within community
  • OSCnet nameservers will only answer for their own
    authoritative domains
  • Outside OSCnet space, nameservers will be of
    little use in resolving
  • If you use OSCnet servers for your home cable
    connection, they will stop working

9
What Effect This Will Have on the Community: Creating Caching Only Servers
  • Larger effect
  • Resolvers should be configured to use the new
    nameservers (likely ns3.oar.net)
  • All clients that use ns1.oar.net should be
    reconfigured
  • Any NAT/DHCP devices that give out nameservers
    should be reconfigured
  • Caching servers will be configured from the
    beginning only for the OSCnet community

10
What Effect This Will Have on the Community: Changing Caching Servers to Anycast Addresses
  • Planned in connection with deployment, so no
    effect

11
What Effect This Will Have on the Community: Turning Off Recursion Completely
  • (Hopefully) No Effect!
  • (Hopefully) All OSCnet clients that use OSCnet's
    nameservers will have been moved to the new
    anycast caching server by this point
  • We are investigating ways to determine who is
    still using ns1 and ns2 as a resolver so that all
    clients can be warned prior to making these final
    changes
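
One way to find the remaining resolver users from query logs, as an added example (not OSCnet's tooling). It assumes BIND 9 style query-log lines, where a "+" after the record type means the client asked for recursion; `AUTH_ZONES`, `COMMUNITY_NETS` and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Assumption: zones ns1/ns2 are authoritative for (placeholder list).
AUTH_ZONES = ("oar.net.",)
# Assumption: community address space; documentation prefixes as placeholders.
COMMUNITY_NETS = [ipaddress.ip_network(n)
                  for n in ("192.0.2.0/24", "2001:db8::/32")]

# Client address, query name and flag field of a BIND 9 style query-log line.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"query: (?P<qname>\S+) IN \S+ (?P<flags>[+-]\S*)")

def is_authoritative(qname):
    """True if qname falls inside a zone the server answers for itself."""
    name = qname.lower().rstrip(".") + "."
    return any(name == z or name.endswith("." + z) for z in AUTH_ZONES)

def resolver_clients(lines):
    """Count recursion-dependent queries per client IP, split by address space."""
    result = {"community": Counter(), "outside": Counter()}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not m["flags"].startswith("+"):
            continue  # unparsable line, or recursion not requested
        if is_authoritative(m["qname"]):
            continue  # still answered once recursion is off
        ip = ipaddress.ip_address(m["ip"])
        inside = any(ip in net for net in COMMUNITY_NETS)
        result["community" if inside else "outside"][str(ip)] += 1
    return result

# Constructed sample log lines (not real traffic).
PFX = "09-Apr-2008 10:15:01.100 queries: info: client "
SAMPLE_LOG = [
    PFX + "192.0.2.10#53211: query: www.example.org IN A +",
    PFX + "192.0.2.10#53212: query: mail.example.com IN MX +",
    PFX + "198.51.100.7#4021: query: www.example.org IN A +",
    PFX + "203.0.113.5#3310: query: www.oar.net IN A +",
    PFX + "203.0.113.9#53: query: example.org IN NS -",
    PFX + "2001:db8::25#40112: query: www.example.net IN AAAA +",
]

if __name__ == "__main__":
    for side, counts in resolver_clients(SAMPLE_LOG).items():
        print(side, counts.most_common())
```

The "community" counter is the list of clients to warn and move to the caching servers; the "outside" counter shows who loses resolution when recursion is restricted to OSCnet.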

12
What Effect This Will Have on the Community: Timeline
  • Undetermined at this point.
  • We hope to deploy caching-only servers
    throughout the summer

13
What Else?
  • We are also bringing up IPv6
  • We already hand out AAAAs and are designing our
    in-addr.arpa space
  • Have not yet enabled listening on pure v6
    networks
  • General cleanup
  • You might be hearing from the NOC about log errors