Microsoft Confidential - PDF Document

Presentation Transcript


  3. “An Open Resolver view of the New York Times Very Bad Day”


  5. • Most recent DNS data
     • Reduced query load


  8. RFC 2308: “Values of one to three hours have been found to work well and would make a sensible default.”

     Default maximum negative TTL by resolver brand:

       Brand               Default max Negative TTL
       Windows             15 minutes
       Bind                3 hours
       Unbound             1 day
       PowerDNS recursor   1 hour

     SOA record returned in the negative response by each resolver:

     Microsoft Windows DNS:
       dig asdsadas.google.com +noadd +nocomments +noquestion
       google.com. 300 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300

     Bind:
       dig asdsadas.google.com +noadd +nocomments +noquestion
       google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300

     Unbound:
       dig asdsadas.google.com +noadd +nocomments +noquestion
       google.com. 600 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300


  11. Sample authoritative compliance checks:

      Domain                    NameServer                      SOA TTL   SOA MinTTL   Negative TTL   Compliance Status
      vanderbilt.edu            ip-srv1.vanderbilt.edu          86400     3600         3600           Compliant
      melissaaustralia.com.au   ns2.bdm.microsoftonline.com     3600      3600         1              NotCompliantLow
      clevermarket.gr           ns2.lighthouse.gr               86400     7200         86400          NotCompliantHigh
      nashville.gov             ns1.nashville.gov               3600      3600         3600           Matching
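The compliance check behind slides 8 and 11 can be reproduced from dig-style SOA lines. The following is an added example, not the presenters' tooling: it parses the SOA record from a negative response, derives the RFC 2308 expected negative TTL as min(SOA TTL, SOA MINIMUM), and labels the result with the four statuses the slide uses. It assumes the observed negative TTL is the SOA TTL in the authority section of the NXDOMAIN answer, as RFC 2308 specifies.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Soa:
    ttl: int      # TTL of the SOA record as seen in the authority section
    minimum: int  # SOA MINIMUM field, the RFC 2308 negative-caching input


# Matches one dig presentation-format SOA line, e.g.
# "google.com. 300 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300"
SOA_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+\S+\s+\S+\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+"
    r"(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)


def parse_soa(line: str) -> Soa:
    """Parse a dig-style SOA line into its TTL and MINIMUM fields."""
    m = SOA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SOA record: {line!r}")
    return Soa(ttl=int(m["ttl"]), minimum=int(m["minimum"]))


def expected_negative_ttl(auth_soa: Soa) -> int:
    """RFC 2308 section 3: the negative TTL is min(SOA TTL, SOA MINIMUM)."""
    return min(auth_soa.ttl, auth_soa.minimum)


def observed_negative_ttl(negative_response_soa_line: str) -> int:
    """The SOA TTL carried in an NXDOMAIN/NODATA authority section is the negative TTL."""
    return parse_soa(negative_response_soa_line).ttl


def classify(auth_soa: Soa, observed: int) -> str:
    """Label a zone the way the slide does, from its authoritative SOA and observed negative TTL."""
    expected = expected_negative_ttl(auth_soa)
    if observed > expected:
        return "NotCompliantHigh"   # records vanish from caches for longer than the zone intends
    if observed < expected:
        return "NotCompliantLow"    # negative answers barely cached; extra query load
    if auth_soa.ttl == auth_soa.minimum:
        return "Matching"           # both inputs equal, so the check cannot tell which was used
    return "Compliant"
```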

  12. Negative TTL length (s)   % of responsive top domains
      TTL <= 900s               27%
      900 < TTL <= 3600         28%
      3600 < TTL <= 86400       44%
      TTL > 1 day               1%

      For 45% of the top domains, one accidental record deletion will have some impact on the Internet for more than an hour, sometimes more than a day.

  13. Authoritative Check Results (two charts; legend: Compliant, Matching, NonCompliantHigh, NonCompliantLow)

      First chart:
        High Negative TTL           4.6%
        Low Negative TTL            0.1%
        SUM not RFC compliant       4.70%
        Confirmed RFC compliant     37.80%
        Matching                    57.50%

      Second chart:
        High Negative TTL           0.7%
        Low Negative TTL            0%
        SUM not RFC compliant       0.7%
        Confirmed RFC compliant     49.6%
        Matching                    49.7%


  15. • Response rate investigation on an active authoritative zone.
      • Compare results of different Negative TTL settings on a zone where all records have a 3600s TTL to find extra error volume, if any.

      Negative TTL   Total number of queries over 2 hours   Queries resulting in an error response over 2 hours   % of queries resulting in an error response
      900s           102,631                                66,038                                                64%
      3600s          69,915                                 29,056                                                42%
      28800s         49,978                                 7,148                                                 14%

  16. Disable negative caching on   Increase in queries
      Validating resolver           20%
      Non-validating resolver       8.5%

      • Clear benefits for enabling negative caching from a load perspective on a recursive resolver.


  18. Negative TTL          Time to 90% ORNS recovery   % taking full TTL to recover   Time elapsed from record restoration to full ORNS recovery
      900s (15 minutes)     15 minutes                  0.4%                           20 - 35 minutes
      3600s (1 hour)        50 minutes                  0.9%                           65 - 80 minutes
      28800s (8 hours)      2 hours 45 minutes          0.3%                           9 hours 30 minutes
      86400s (1 day)        2 hours 45 minutes          0.1%                           1 day 30 minutes

  19. Phase   Time after simulated outage   % of resolvers that recovered   Comment
      1       15 min                        50%                             Resolvers cache records for a maximum of around 15 minutes.
      2       3 hours                       98%                             We suspect that resolvers that recover after 3 hours are default-configured Bind servers. Bind has a default setting for max-ncache-ttl of 3 hours.
      3       1 day                         100%                            The remaining 2% of resolvers recovered after 1 day.
