Abstract image of a woman sitting on books and studying on a laptop

Measuring ATR: IETF 101

APNIC, profile picture
APNIC

The document discusses the challenges faced by the Internet due to large packet handling and fragmentation, particularly in the context of DNS and UDP responses. It introduces 'Additional Truncated Response' (ATR) as a proposed solution to help improve DNS query reliability when handling large responses. The effectiveness of ATR is evaluated through extensive experiments, revealing significant failure rates in DNS resolution for both IPv4 and IPv6 resolvers, highlighting the need for better handling of large packets.

Internet
1 of 32
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Measuring ATR Joao Damas Geoff Huston @apnic.net March 2018
September 2017:
The Internet has a problem … • Instead of evolving to be more flexible and more capable, it appears that the Internet’s transport is becoming more ossified and more inflexible in certain aspects • One of the major issues here is the handling of large IP packets and IP level packet fragmentation • We are seeing a number of end-to-end paths on the network that no longer support the carriage of fragmented IP datagrams • We are concerned that this number might be getting larger, not smaller
The Internet has a problem … • What about the DNS? • One application that is making increasing use of large UDP packets is the DNS • This is generally associated with DNSSEC-signed responses (such as “dig +dnssec DNSKEY org”) but large DNS responses can be generated in other ways as well (such as “dig . ANY”) • In the DNS we appear to be relying on the successful transmission of fragmented UDP packets, but at the same time we see an increasing problem with the coherence in network and host handling of fragmented IP packets, particularly in IPv6
Changing the DNS? • But don’t large DNS transactions use TCP anyway? • In the original DNS specification only small (smaller than 512 octets) responses are passed across UDP. • Larger DNS responses are truncated and the truncation is intended to trigger the client to re-query using TCP • EDNS(0) allowed a client to signal a larger truncation size threshold, and assumes that fragmented DNS is mostly reliable • But what if it’s not that reliable?
What is “ATR”? • It stands for “Additional Truncated Response” Internet draft: draft-song-atr-large-resp-00 September 2017 Linjian (Davey) Song, Beijing Internet Institute • It’s a hybrid response to noted problems in IPv4 and IPv6 over handling of large UDP packets and IP fragmentation • ATR adds an additional response packet to ‘trail’ a fragmented UDP response • The additional response is just the original query with the Truncated bit set, and the sender delays this additional response packet by 10ms
The Intention of ATR Today: • If the client cannot receive large truncated responses then it will need to timeout from the original query, • Then re-query using more resolvers, • Timeout on these queries • Then re-query using a 512 octet EDNS(0) UDP buffersize • Then get a truncated response • Then re-query using TCP
The Intention of ATR Today: • If the client cannot receive large truncated responses then it will need to timeout from the original query, • Then re-query using more resolvers, • Timeout on these queries • Then requery using a 512 octet EDNS(0) UDP buffersize • Then get a truncated response • Then requery using TCP within a few ms ATR
The Intention of ATR • When a UDP DNS response is fragmented by the server, then the server will also send a delayed truncated UDP DNS response The delay is proposed to be 10ms • If the DNS client receives and reassembles the fragmented UDP response the ensuing truncated response will be ignored • If the fragmented response is lost due to fragmentation loss, then the client will receive the short truncated response • The truncation setting is intended to trigger the client to re-query using TCP
ATR Operation UDP DNS Query Client Server
ATR Operation UDP DNS Query UDP DNS Response (Fragmented) Client Server
ATR Operation UDP DNS Query UDP DNS Response (Fragmented) UDP DNS Response (Truncated) 10ms Client Server
ATR Operation UDP DNS Query UDP DNS Response (Fragmented) UDP DNS Response (Truncated) 10ms Client Server TCP Query and Response
What could possibly go wrong? • Network level packet re-ordering may cause the shorter truncated response packet to overtake the fragmented response, causing an inflated TCP load, and the potential for TCP loss to be triggered • Not every client DNS system supports using TCP to emit queries
ATR and Resolver Behaviour Can’t Receive Fragmented UDP Can’t Use TCP How big are each of these pools? What proportion of users are impacted? ATR will help ATR won’t be of use, but it shouldn’t matter ATR won’t help
Measuring within the DNS Query 1: a.b.example.com? to ns.example.com Answer 1: NS nsb.z.example.com <discover name servers for z.example.com> Query 2: nsb.z.example.com to z.example.com Answer 2: 192.0.2.1 Query 3: a.b.example.com to 192.0.2.1 Answer 3: 10.0.0.1 Query 3 depends on the resolver successfully receiving answer 2
Experiment Details • Use 6 tests: • 2 tests use ATR responses – one is DNS over IPv4, the other is DNS over IPv6 • 2 tests use only truncated responses – IPv4 and IPv6 • 2 tests use large fragmented UDP responses - IPv4 and IPv6 • Use a technique of delegation without glue records (glueless) to perform the measurement entirely within the DNS • Performed 55M experiments
Looking at Resolvers We are looking at resolvers who were passed “Answer 2” to see if they queried “Query 3” Protocol Resolvers ATR Large UDP TCP IPv4 113,087 71.2% 60.1% 79.4% IPv6 20,878 55.4% 50.0% 55.1%
Looking at Resolvers We are looking at resolvers who were passed “Answer 2” to see if they queried “Query 3” Protocol Resolvers Fail ATR Fail Large UDP Fail TCP IPv4 113,087 28.8% 39.9% 20.6% IPv6 20,878 44.6% 50.0% 44.9% Inversely, lets report on the FAILURE rate of resolvers
Seriously? • More than one third of the ”visible” IPv4 resolvers are incapable of receiving a large fragmented packet • And one half of the ”visible” IPv6 resolvers are incapable of receiving a large fragmented packet
ASNs of IPv4 Resolvers that do not followup when given a large UDP Response – Top 10 ASN Use Exp AS Name CC AS9644 0.78% 447,019 SK Telecom KR AS701 0.70% 400,798 UUNET - MCI Communications Services US AS17853 0.62% 357,335 LGTELECOM KR AS4766 0.59% 340,334 Korea Telecom KR AS4134 0.47% 267,995 CHINANET-BACKBONE CN AS31034 0.47% 267,478 ARUBA-ASN IT AS3786 0.39% 225,296 DACOM Corporation KR AS36692 0.38% 217,306 OPENDNS - OpenDNS US AS3215 0.33% 189,810 Orange FR AS812 0.30% 169,699 ROGERS COMMUNICATIONS CA
ASNs of IPv6 Resolvers that do not followup when given a large UDP Response – Top 10 ASN Use Exp AS Name CC AS15169 40.60% 10,006,596 Google US AS5650 0.90% 221,493 Frontier Communications US AS36692 0.84% 206,143 OpenDNS US AS812 0.78% 193,073 Rogers Communications Canada CA AS20057 0.46% 114,440 AT&T Mobility LLC US AS3352 0.38% 92,925 TELEFONICA_DE_ESPANA ES AS852 0.35% 85,043 TELUS Communications Inc. CA AS55644 0.32% 80,032 Idea Cellular Limited IN AS3320 0.25% 61,938 DTAG Internet service provider operations DE AS4761 0.24% 60,019 INDOSAT-INP-AP INDOSAT Internet Network Provider ID
ASNs of IPv4 Resolvers that do not followup in TCP when given a truncated UDP Response – Top 10 ASN Use Exp AS Name CC AS9299 0.55% 252,653 Philippine Long Distance Telephone PH AS24560 0.34% 155,908 Bharti Airtel IN AS3352 0.29% 132,924 TELEFONICA_DE_ESPANA ES AS9498 0.19% 84,754 BHARTI Airtel IN AS9121 0.14% 61,879 TTNET TR AS23944 0.13% 58,102 SKYBroadband PH AS9644 0.11% 51,750 SK Telecom KR AS24499 0.11% 51,108 Telenor Pakistan PK AS3215 0.10% 43,614 Orange FR AS23700 0.09% 39,697 Fastnet ID
ASNs of IPv6 Resolvers that do not followup in TCP when given a truncated UDP Response – Top 10 ASN Use Exp AS Name CC AS15169 4.15% 961,287 Google US AS21928 1.72% 399,129 T-Mobile USA US AS7922 1.57% 364,596 Comcast Cable US AS3352 0.54% 126,146 TELEFONICA_DE_ESPANA ES AS22773 0.38% 87,723 Cox Communications Inc. US AS55644 0.35% 80,844 Idea Cellular Limited IN AS20115 0.31% 71,831 Charter Communications US AS20057 0.30% 70,518 AT&T Mobility US AS6713 0.20% 46,196 IAM-AS MA AS8151 0.20% 45,754 Uninet S.A. de C.V. MX
What’s the impact? • Failure in the DNS is often masked by having multiple resolvers in the clients local configuration • And the distribution of users to visible recursive resolvers is heavily skewed (10,000 resolvers by IP address handle the DNSqueries of more than 90% of end users) • So to assess the impact lets look at the results by counting user level success / failure to resolve these glueless names
Looking at Users • Rather than looking at individual resolvers being able to pose Question 3, lets count: • A “success” if any resolver can query Question 3 on behalf of the user • A “failure” is recorded when no resolver generates a query to Question 3
Looking at Users - Failure Rates IPv4 UDP Frag: 12.5% TCP: 4.0% ATR 3.9% IPv6 UDP Frag: 20.8% TCP: 8.4% ATR 6.5% These loss rates are expressed as an estimated percentage of users,
ATR and Resolver Behaviour – IPv4 Can’t Receive Fragmented UDP Can’t Use TCP ATR will help ATR won’t be of use, but it shouldn’t matter ATR won’t help 12.5% 4.0% 8.6% 3.9% 0.1%
ATR and Resolver Behaviour – IPv4 IPv6 Can’t Receive Fragmented UDP Can’t Use TCP ATR will help ATR won’t be of use, but it shouldn’t matter ATR won’t help 12.5% 4.0% 20.8% 14.3% 6.5% 1.9% 8.4% 8.6% 3.9% 0.1%
Net Change in User Failure Rates IPv4 Fragged UDP Loss: 12.5% ATR Loss Rate: 3.9% IPv6 Fragged UDP Loss: 20.5% ATR Loss Rate: 6.5%
ATR Assessment • Is this level of benefit worth the additional server and traffic load when sending large responses? • Is this load smaller than resolver hunting in response to packet drop? • It the faster fallback to TCP for large responses a significant benefit? • Is 10ms ATR delay too short? Would a longer gap reduce response reordering? Do we care? • Do we have any better ideas about how to cope with large responses in the DNS?
Thanks!

More Related Content

PDF
DNS-OARC 34: Measuring DNS Flag Day 2020
APNIC
 
PDF
RIPE 76: Measuring ATR
APNIC
 
PDF
RIPE 76: TCP and BBR
APNIC
 
PDF
Optimizing Uptime in SOA
Matthew Barlocker
 
PDF
OARC 26: Who's asking
APNIC
 
PPTX
What You Need to Know About Email Authentication
Kurt Andersen
 
PPTX
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...
Seung-gyu Byeon
 
PDF
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
DNS-OARC 34: Measuring DNS Flag Day 2020
APNIC
 
RIPE 76: Measuring ATR
APNIC
 
RIPE 76: TCP and BBR
APNIC
 
Optimizing Uptime in SOA
Matthew Barlocker
 
OARC 26: Who's asking
APNIC
 
What You Need to Know About Email Authentication
Kurt Andersen
 
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...
Seung-gyu Byeon
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 

Similar to Measuring ATR: IETF 101 (20)

PDF
OARC 26: Scoring the Root Server System
APNIC
 
PDF
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
APNIC
 
PDF
ICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality
APNIC
 
PDF
RIPE 82: Measuring Recursive Resolver Centrality
APNIC
 
PDF
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
PDF
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
PDF
DNS-OARC 38: The resolvers we use
APNIC
 
PDF
The Resolvers We Use
APNIC
 
PDF
IETF 100: Surviving IPv6 fragmentation
APNIC
 
PPTX
IPv6 and the DNS, RIPE 73
APNIC
 
PDF
Authoritative Nameserver Selection and Recursive Resolvers
APNIC
 
PDF
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
PDF
DNS resolver 1.1.1.1 from Cloudflare
APNIC
 
PDF
Update on IPv6 activity in CERNET2
APNIC
 
PDF
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
PDF
Authoritative Nameserver Selection and Recursive Resolvers
APNIC
 
DOCX
Literature Servey of DNS
International Islamic University
 
PDF
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
APNIC
 
PDF
Build Dynamic DNS server from scratch in C (Part1)
Yen-Kuan Wu
 
PDF
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
APNIC
 
OARC 26: Scoring the Root Server System
APNIC
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
APNIC
 
ICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality
APNIC
 
RIPE 82: Measuring Recursive Resolver Centrality
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
DNS-OARC 38: The resolvers we use
APNIC
 
The Resolvers We Use
APNIC
 
IETF 100: Surviving IPv6 fragmentation
APNIC
 
IPv6 and the DNS, RIPE 73
APNIC
 
Authoritative Nameserver Selection and Recursive Resolvers
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
DNS resolver 1.1.1.1 from Cloudflare
APNIC
 
Update on IPv6 activity in CERNET2
APNIC
 
DNS Resolvers and Nameservers (in New Zealand)
APNIC
 
Authoritative Nameserver Selection and Recursive Resolvers
APNIC
 
Literature Servey of DNS
International Islamic University
 
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
APNIC
 
Build Dynamic DNS server from scratch in C (Part1)
Yen-Kuan Wu
 
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
APNIC
 
Ad

More from APNIC (20)

PPTX
APNIC Report, presented at APAN 60 by Thy Boskovic
APNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
PDF
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
PDF
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
APNIC
 
PDF
IPv6 Deployment and Best Practices, presented by Makito Lay
APNIC
 
PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
PDF
The Internet - By the numbers, presented at npNOG 11
APNIC
 
PDF
Transmission Control Protocol (TCP) and Starlink
APNIC
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
APNIC
 
PDF
Global Networking Trends, presented at the India ISP Conclave 2025
APNIC
 
PDF
Make DDoS expensive for the threat actors
APNIC
 
PDF
Fast Reroute in SR-MPLS, presented at bdNOG 19
APNIC
 
PDF
DDos Mitigation Strategie, presented at bdNOG 19
APNIC
 
PDF
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
PDF
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
APNIC
 
PDF
Measuring Starlink Protocol Performance, presented at LACNIC 43
APNIC
 
APNIC Report, presented at APAN 60 by Thy Boskovic
APNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
APNIC
 
IPv6 Deployment and Best Practices, presented by Makito Lay
APNIC
 
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
The Internet - By the numbers, presented at npNOG 11
APNIC
 
Transmission Control Protocol (TCP) and Starlink
APNIC
 
DDoS in India, presented at INNOG 8 by Dave Phelan
APNIC
 
Global Networking Trends, presented at the India ISP Conclave 2025
APNIC
 
Make DDoS expensive for the threat actors
APNIC
 
Fast Reroute in SR-MPLS, presented at bdNOG 19
APNIC
 
DDos Mitigation Strategie, presented at bdNOG 19
APNIC
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
APNIC
 
Measuring Starlink Protocol Performance, presented at LACNIC 43
APNIC
 
Ad

Recently uploaded (20)

PDF
SlidesGDGoCxRAIS about Google Dialogflow and NotebookLM.pdf
minhtrietgect
 
PPTX
Introduction to cybersecurity and digital nettiquette
shanefrancisjavier21
 
PDF
Session 1 (Week 1)fghjmgfdsfgthyjkhfdsadfghjkhgfdsa
ssuser25df8b
 
PPT
415456121-Jiwratrwecdtwfdsfwgdwedvwe dbwsdjsadca-EVN.ppt
woldemariamworku2
 
PPTX
AI_Cyberattack_Solutions AI AI AI AI .pptx
zayadeen2003
 
PDF
Buy Cash App Verified Accounts Instantly – Secure Crypto Deal.pdf
pvaonit
 
PDF
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
PPTX
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
PPTX
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
PPTX
TITLE DEFENSE entitle the impact of social media on education
AgustoJerizMarfil
 
PDF
Course Overview and Agenda cloud security
ElsayedKowaydeh
 
PPT
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
PPTX
1402_iCSC_-_RESTful_Web_APIs_--_Josef_Hammer.pptx
mwnorman1
 
PDF
The Evolution of Traditional to New Media .pdf
NIKKODENSMIRO
 
PPTX
Cyber Hygine IN organizations in MSME or
paramkiet
 
PDF
si manuel quezon at mga nagawa sa bansang pilipinas
LizaDeVeraFloresLaya
 
PPTX
Database Information System - Management Information System
faizhossain3
 
PDF
simpleintnettestmetiaerl for the simple testint
sherlockholmes10009
 
PDF
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
PDF
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 
SlidesGDGoCxRAIS about Google Dialogflow and NotebookLM.pdf
minhtrietgect
 
Introduction to cybersecurity and digital nettiquette
shanefrancisjavier21
 
Session 1 (Week 1)fghjmgfdsfgthyjkhfdsadfghjkhgfdsa
ssuser25df8b
 
415456121-Jiwratrwecdtwfdsfwgdwedvwe dbwsdjsadca-EVN.ppt
woldemariamworku2
 
AI_Cyberattack_Solutions AI AI AI AI .pptx
zayadeen2003
 
Buy Cash App Verified Accounts Instantly – Secure Crypto Deal.pdf
pvaonit
 
Alethe Consulting Corporate Profile and Solution Aproach
debashisrakshit2025
 
Mathew Digital SEO Checklist Guidlines 2025
Mathew Digital
 
newyork.pptxirantrafgshenepalchinachinane
PrashantKoirala12
 
TITLE DEFENSE entitle the impact of social media on education
AgustoJerizMarfil
 
Course Overview and Agenda cloud security
ElsayedKowaydeh
 
FIRE PREVENTION AND CONTROL PLAN- LUS.FM.MQ.OM.UTM.PLN.00014.ppt
MelwinPaul6
 
1402_iCSC_-_RESTful_Web_APIs_--_Josef_Hammer.pptx
mwnorman1
 
The Evolution of Traditional to New Media .pdf
NIKKODENSMIRO
 
Cyber Hygine IN organizations in MSME or
paramkiet
 
si manuel quezon at mga nagawa sa bansang pilipinas
LizaDeVeraFloresLaya
 
Database Information System - Management Information System
faizhossain3
 
simpleintnettestmetiaerl for the simple testint
sherlockholmes10009
 
Exploring VPS Hosting Trends for SMBs in 2025
Liquid Web
 
mera desh ae watn.(a source of motivation and patriotism to the youth of the ...
DtMalhonSharma
 

Measuring ATR: IETF 101

  • 1. Measuring ATR Joao Damas Geoff Huston @apnic.net March 2018
  • 3. The Internet has a problem … • Instead of evolving to be more flexible and more capable, it appears that the Internet’s transport is becoming more ossified and more inflexible in certain aspects • One of the major issues here is the handling of large IP packets and IP level packet fragmentation • We are seeing a number of end-to-end paths on the network that no longer support the carriage of fragmented IP datagrams • We are concerned that this number might be getting larger, not smaller
  • 4. The Internet has a problem … • What about the DNS? • One application that is making increasing use of large UDP packets is the DNS • This is generally associated with DNSSEC-signed responses (such as “dig +dnssec DNSKEY org”) but large DNS responses can be generated in other ways as well (such as “dig . ANY”) • In the DNS we appear to be relying on the successful transmission of fragmented UDP packets, but at the same time we see an increasing problem with the coherence in network and host handling of fragmented IP packets, particularly in IPv6
  • 5. Changing the DNS? • But don’t large DNS transactions use TCP anyway? • In the original DNS specification only small (smaller than 512 octets) responses are passed across UDP. • Larger DNS responses are truncated and the truncation is intended to trigger the client to re-query using TCP • EDNS(0) allowed a client to signal a larger truncation size threshold, and assumes that fragmented DNS is mostly reliable • But what if it’s not that reliable?
  • 6. What is “ATR”? • It stands for “Additional Truncated Response” Internet draft: draft-song-atr-large-resp-00 September 2017 Linjian (Davey) Song, Beijing Internet Institute • It’s a hybrid response to noted problems in IPv4 and IPv6 over handling of large UDP packets and IP fragmentation • ATR adds an additional response packet to ‘trail’ a fragmented UDP response • The additional response is just the original query with the Truncated bit set, and the sender delays this additional response packet by 10ms
  • 7. The Intention of ATR Today: • If the client cannot receive large truncated responses then it will need to timeout from the original query, • Then re-query using more resolvers, • Timeout on these queries • Then re-query using a 512 octet EDNS(0) UDP buffersize • Then get a truncated response • Then re-query using TCP
  • 8. The Intention of ATR Today: • If the client cannot receive large truncated responses then it will need to timeout from the original query, • Then re-query using more resolvers, • Timeout on these queries • Then requery using a 512 octet EDNS(0) UDP buffersize • Then get a truncated response • Then requery using TCP within a few ms ATR
  • 9. The Intention of ATR • When a UDP DNS response is fragmented by the server, then the server will also send a delayed truncated UDP DNS response The delay is proposed to be 10ms • If the DNS client receives and reassembles the fragmented UDP response the ensuing truncated response will be ignored • If the fragmented response is lost due to fragmentation loss, then the client will receive the short truncated response • The truncation setting is intended to trigger the client to re-query using TCP
  • 10. ATR Operation UDP DNS Query Client Server
  • 11. ATR Operation UDP DNS Query UDP DNS Response (Fragmented) Client Server
  • 12. ATR Operation UDP DNS Query UDP DNS Response (Fragmented) UDP DNS Response (Truncated) 10ms Client Server
  • 13. ATR Operation UDP DNS Query UDP DNS Response (Fragmented) UDP DNS Response (Truncated) 10ms Client Server TCP Query and Response
  • 14. What could possibly go wrong? • Network level packet re-ordering may cause the shorter truncated response packet to overtake the fragmented response, causing an inflated TCP load, and the potential for TCP loss to be triggered • Not every client DNS system supports using TCP to emit queries
  • 15. ATR and Resolver Behaviour Can’t Receive Fragmented UDP Can’t Use TCP How big are each of these pools? What proportion of users are impacted? ATR will help ATR won’t be of use, but it shouldn’t matter ATR won’t help
  • 16. Measuring within the DNS Query 1: a.b.example.com? to ns.example.com Answer 1: NS nsb.z.example.com <discover name servers for z.example.com> Query 2: nsb.z.example.com to z.example.com Answer 2: 192.0.2.1 Query 3: a.b.example.com to 192.0.2.1 Answer 3: 10.0.0.1 Query 3 depends on the resolver successfully receiving answer 2
  • 17. Experiment Details • Use 6 tests: • 2 tests use ATR responses – one is DNS over IPv4, the other is DNS over IPv6 • 2 tests use only truncated responses – IPv4 and IPv6 • 2 tests use large fragmented UDP responses - IPv4 and IPv6 • Use a technique of delegation without glue records (glueless) to perform the measurement entirely within the DNS • Performed 55M experiments
  • 18. Looking at Resolvers We are looking at resolvers who were passed “Answer 2” to see if they queried “Query 3” Protocol Resolvers ATR Large UDP TCP IPv4 113,087 71.2% 60.1% 79.4% IPv6 20,878 55.4% 50.0% 55.1%
  • 19. Looking at Resolvers We are looking at resolvers who were passed “Answer 2” to see if they queried “Query 3” Protocol Resolvers Fail ATR Fail Large UDP Fail TCP IPv4 113,087 28.8% 39.9% 20.6% IPv6 20,878 44.6% 50.0% 44.9% Inversely, lets report on the FAILURE rate of resolvers
  • 20. Seriously? • More than one third of the ”visible” IPv4 resolvers are incapable of receiving a large fragmented packet • And one half of the ”visible” IPv6 resolvers are incapable of receiving a large fragmented packet
  • 21. ASNs of IPv4 Resolvers that do not followup when given a large UDP Response – Top 10 ASN Use Exp AS Name CC AS9644 0.78% 447,019 SK Telecom KR AS701 0.70% 400,798 UUNET - MCI Communications Services US AS17853 0.62% 357,335 LGTELECOM KR AS4766 0.59% 340,334 Korea Telecom KR AS4134 0.47% 267,995 CHINANET-BACKBONE CN AS31034 0.47% 267,478 ARUBA-ASN IT AS3786 0.39% 225,296 DACOM Corporation KR AS36692 0.38% 217,306 OPENDNS - OpenDNS US AS3215 0.33% 189,810 Orange FR AS812 0.30% 169,699 ROGERS COMMUNICATIONS CA
  • 22. ASNs of IPv6 Resolvers that do not followup when given a large UDP Response – Top 10 ASN Use Exp AS Name CC AS15169 40.60% 10,006,596 Google US AS5650 0.90% 221,493 Frontier Communications US AS36692 0.84% 206,143 OpenDNS US AS812 0.78% 193,073 Rogers Communications Canada CA AS20057 0.46% 114,440 AT&T Mobility LLC US AS3352 0.38% 92,925 TELEFONICA_DE_ESPANA ES AS852 0.35% 85,043 TELUS Communications Inc. CA AS55644 0.32% 80,032 Idea Cellular Limited IN AS3320 0.25% 61,938 DTAG Internet service provider operations DE AS4761 0.24% 60,019 INDOSAT-INP-AP INDOSAT Internet Network Provider ID
  • 23. ASNs of IPv4 Resolvers that do not followup in TCP when given a truncated UDP Response – Top 10 ASN Use Exp AS Name CC AS9299 0.55% 252,653 Philippine Long Distance Telephone PH AS24560 0.34% 155,908 Bharti Airtel IN AS3352 0.29% 132,924 TELEFONICA_DE_ESPANA ES AS9498 0.19% 84,754 BHARTI Airtel IN AS9121 0.14% 61,879 TTNET TR AS23944 0.13% 58,102 SKYBroadband PH AS9644 0.11% 51,750 SK Telecom KR AS24499 0.11% 51,108 Telenor Pakistan PK AS3215 0.10% 43,614 Orange FR AS23700 0.09% 39,697 Fastnet ID
  • 24. ASNs of IPv6 Resolvers that do not followup in TCP when given a truncated UDP Response – Top 10 ASN Use Exp AS Name CC AS15169 4.15% 961,287 Google US AS21928 1.72% 399,129 T-Mobile USA US AS7922 1.57% 364,596 Comcast Cable US AS3352 0.54% 126,146 TELEFONICA_DE_ESPANA ES AS22773 0.38% 87,723 Cox Communications Inc. US AS55644 0.35% 80,844 Idea Cellular Limited IN AS20115 0.31% 71,831 Charter Communications US AS20057 0.30% 70,518 AT&T Mobility US AS6713 0.20% 46,196 IAM-AS MA AS8151 0.20% 45,754 Uninet S.A. de C.V. MX
  • 25. What’s the impact? • Failure in the DNS is often masked by having multiple resolvers in the clients local configuration • And the distribution of users to visible recursive resolvers is heavily skewed (10,000 resolvers by IP address handle the DNSqueries of more than 90% of end users) • So to assess the impact lets look at the results by counting user level success / failure to resolve these glueless names
  • 26. Looking at Users • Rather than looking at individual resolvers being able to pose Question 3, lets count: • A “success” if any resolver can query Question 3 on behalf of the user • A “failure” is recorded when no resolver generates a query to Question 3
  • 27. Looking at Users - Failure Rates IPv4 UDP Frag: 12.5% TCP: 4.0% ATR 3.9% IPv6 UDP Frag: 20.8% TCP: 8.4% ATR 6.5% These loss rates are expressed as an estimated percentage of users,
  • 28. ATR and Resolver Behaviour – IPv4 Can’t Receive Fragmented UDP Can’t Use TCP ATR will help ATR won’t be of use, but it shouldn’t matter ATR won’t help 12.5% 4.0% 8.6% 3.9% 0.1%
  • 29. ATR and Resolver Behaviour – IPv4 IPv6 Can’t Receive Fragmented UDP Can’t Use TCP ATR will help ATR won’t be of use, but it shouldn’t matter ATR won’t help 12.5% 4.0% 20.8% 14.3% 6.5% 1.9% 8.4% 8.6% 3.9% 0.1%
  • 30. Net Change in User Failure Rates IPv4 Fragged UDP Loss: 12.5% ATR Loss Rate: 3.9% IPv6 Fragged UDP Loss: 20.5% ATR Loss Rate: 6.5%
  • 31. ATR Assessment • Is this level of benefit worth the additional server and traffic load when sending large responses? • Is this load smaller than resolver hunting in response to packet drop? • It the faster fallback to TCP for large responses a significant benefit? • Is 10ms ATR delay too short? Would a longer gap reduce response reordering? Do we care? • Do we have any better ideas about how to cope with large responses in the DNS?