The IETF DNS WG never sleeps - New fun with DNS @ M3AAWG 58 Dublin 4th June 2023

1 Setup and VMs

  • We have prepared virtual machines for you to work with us on the hands-on lab parts of this training
  • Username: user
  • Password: m3aawg-2023
  • Hostname: see the paper slip we're handing out. Use a browser on your laptop/tablet to log in to the server, then select "Terminal" in the lower left corner to access the Linux command line shell.

2 DNS Error Reporting - Session 1

  • Try to query the domains fail01.dnssec.works to fail04.dnssec.works. They all have different DNSSEC-related issues and return a SERVFAIL error response. This uses the network's DNS resolver (Digital Ocean in this case).
    dig fail01.dnssec.works
    
  • Redo the queries against the Cloudflare DNS public resolver at 1.0.0.1 (which can be abbreviated as 1.1)
    dig fail01.dnssec.works @1.1
    
  • What are the differences between the responses from the local DNS resolver and those from the Cloudflare resolver?

3 The HTTPS Record - Session 2

  • Request the HTTPS record for google.com, cloudflare.com and sys4.de:
    dig https <domain.tld>
    
  • What do you think the HTTPS record provides?

4 Changes in the NSEC3 record - Session 3

  • Send DNS queries to different public DNS resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9) for the non-existent (NXDOMAIN) domain name doesnotexist.nsec3high.dnssec.works
    dig doesnotexist.nsec3high.dnssec.works txt +dnssec +multi @1.1.1.1
    dig doesnotexist.nsec3high.dnssec.works txt +dnssec +multi @8.8.8.8
    dig doesnotexist.nsec3high.dnssec.works txt +dnssec +multi @9.9.9.9
    
  • What are the differences in the responses? Observe the AD (authenticated data) flag, which signals successful DNSSEC validation, in each response.
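What a validating resolver has to do with the NSEC3 records in those responses, as an added Python example that is not part of the handout: it computes the NSEC3 owner-name hash (RFC 5155), checks whether a record's owner/next pair covers a hashed name, and counts the SHA-1 work a validator spends per name at a given iteration count. RFC 9276 recommends 0 iterations and an empty salt, and validators cap the iteration count they will accept, which is why resolvers can differ on the AD flag for a zone with a high count. The salt and iteration values come from the NSEC3PARAM/NSEC3 records in the dig output; the ones used in the tests below are assumed for illustration.

```python
import hashlib

BASE32HEX = "0123456789abcdefghijklmnopqrstuv"

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-cased, length-prefixed labels, terminated by the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def base32hex(data: bytes) -> str:
    """Base32 with the extended hex alphabet (RFC 4648 section 7), unpadded,
    which is how hashed owner names appear in the zone and in dig output."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(BASE32HEX[(bits >> (5 * i)) & 31] for i in reversed(range(nchars)))

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), applied iterations+1 times.
    salt_hex is the salt as printed in the NSEC3/NSEC3PARAM record ("-" = no salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def sha1_calls(iterations: int, names_hashed: int) -> int:
    """SHA-1 invocations a validator spends hashing names_hashed candidate names."""
    return names_hashed * (iterations + 1)

def nsec3_covers(owner: str, next_hashed: str, target: str) -> bool:
    """True if the hashed target falls strictly between an NSEC3 record's hashed
    owner name and its next hashed owner, i.e. this record proves that hash is
    absent from the zone. The chain wraps: the last record's next is the first owner."""
    owner, next_hashed, target = owner.lower(), next_hashed.lower(), target.lower()
    if owner < next_hashed:
        return owner < target < next_hashed
    return target > owner or target < next_hashed  # wrap-around record

def covering_record(nsec3_rrs, name, salt_hex, iterations):
    """Given NSEC3 records as (owner_hash, next_hash) pairs from one zone, return
    the pair that covers the hash of name, or None if no record covers it."""
    hashed = nsec3_hash(name, salt_hex, iterations)
    for owner, nxt in nsec3_rrs:
        if nsec3_covers(owner, nxt, hashed):
            return (owner, nxt)
    return None
```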

5 Large UDP responses and fragmentation - Session 4

  • Become the root superuser with sudo -s
  • Execute tmux on the virtual machine
  • Start tcpdump capturing all UDP traffic on the machine (which includes DNS based UDP queries and responses)
    tcpdump -vvnn udp
    
  • Open another pane in tmux with CTRL+B-C (Press keys CTRL and b at the same time, release both keys and press the c key)
  • In the other shell, request the TXT record for the domain oracle.com via UDP
    dig -4 @ns1.p04.dynect.net. oracle.com txt +notcp
    
  • Do you see IP fragmentation of the UDP response in the tcpdump output (look for flags [+] and an offset value > 0 in the IP header line)?
  • What is the signaled EDNS maximum UDP packet size of the responding authoritative server?
  • Besides Dyn, oracle.com also uses Akamai for DNS hosting. What is the difference between the response from one of the Akamai authoritative DNS servers and the response from the Dyn server?
    dig -4 @a11-66.akam.net. oracle.com txt +notcp