Can you share some real-world queries with ISC?

Victoria Risk vicky at isc.org
Wed Mar 31 17:30:45 UTC 2021


Hello again BIND-users,

Sorry for asking for help twice in one day.

We are setting up a new resolver performance test bed, one that we hope will be a better simulation of real-world deployment.  Once we have this working, we should be able to profile BIND performance using DoH and DoT as well as Do53. We are using the DNS Shotgun tool for this purpose. (https://dns-shotgun.readthedocs.io/en/stable/)

Anyway, we need to feed this test bed with some PCAPS. We have only a few samples right now, and if we could get a few more, our test bed would be more representative of the actual Internet.

We don’t want to publish how to upload files to us, because that will immediately be filled with spam, so if you are willing to submit some of your resolver packet captures, please email me and I will give you instructions on where to put your file so that we can retrieve it.  I have included some instructions on capturing the packets below so you can see what is involved.

Thank you for considering this.

Vicky
---------


If you are able to share some pcaps, here are some generic instructions. 

dnscap \
-z 192.0.2.1 \
-z 2001:db8::1 \
-i any \
-p \
-s i \
-w /output/pcap \
-C 1073741824 \
-k 'xz -9' \
-B '2021-01-08 11:40:00' \
-E '2021-01-08 21:40:00' \
-S \
-6 \
-P /usr/lib/dnscap/anonaes128.so \
-4 \
-K /dev/urandom \
-I /dev/urandom

Explanation:
dnscap - https://www.dns-oarc.net/tools/dnscap

-z # IP address the DNS resolver uses to receive client queries; duplicate -z if it has more IP addresses - this is crucial to filter queries from BIND itself to the Internet

-i any # network interface name receiving client queries ("any" should be fine so they do not need to bother with explicit names)

-p # ask for the interface not to be put into promiscuous mode; it's not needed as we capture only the traffic directed to this server

-s i # capture only queries but not answers (thus making the output file smaller) - has to be combined with -z above

-w # output file name base

-C # maximum individual file size in bytes, 1 GB recommended

-k 'xz -9' # compression command, feel free to change

-B -E # start/stop capture times, please do not forget to modify

-S # print statistics, optional

-6 # enable IPv6 support, omit for dnscap version 2.0.0 and newer

-P -4 ... # anonymizing IPv6 and also IPv4 addresses using a random AES key, i.e. the key is forgotten when the process exits


A good sample size is 10 hours, but shorter samples can also be useful; we can eventually combine samples from multiple submitters.


Bonus points if we can get the command running in parallel on multiple servers, e.g. on 10 servers for 1 hour, or 5 servers for 2 hours, etc.

If running on multiple servers please replace
-K /dev/urandom -I /dev/urandom
with
-k putrandomkeyhere -i putrandomkeyhere
and use the same 16-character string on all servers.

-k -i specify explicit anonymization keys so the same clients are anonymized in the same way across all servers. They should not tell us what values they were using during capture otherwise we could partially deanonymize the data.
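One way to apply the multi-server instructions above, as an added example that is not part of Vicky's message: a small POSIX sh helper that generates the shared 16-character anonymization key once, refuses keys of the wrong length, and prints the per-server dnscap command line with the explicit -k/-i plugin options in place of -K/-I /dev/urandom. It assumes dnscap and its anonaes128 plugin are installed at the path the message uses; the function names, the -z addresses (taken from the message's example) and the KEY variable are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original message: helpers for running the
# dnscap capture from the post on several servers with one shared anonymization key.
# Assumes dnscap plus the anonaes128 plugin at /usr/lib/dnscap/anonaes128.so;
# function names and variables here are this example's own.

# Generate the shared 16-character key ONCE, on one host; copy it to the capture
# hosts over a secure channel, and never include it in what is submitted.
gen_anon_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# The post asks for a 16-character string; refuse anything else so every
# server really does map the same client address to the same anonymized value.
check_anon_key() {
  [ "${#1}" -eq 16 ]
}

# Print the dnscap command line for one server.
#   $1 = key, $2 = output file base, $3 = capture start, $4 = capture end
# Options after -P belong to the anonaes128 plugin: -4 (also anonymize IPv4),
# -k/-i (explicit key and IV) replace the -K/-I /dev/urandom of the single-host run.
build_dnscap_cmd() {
  key=$1; out=$2; start=$3; end=$4
  check_anon_key "$key" || { echo "key must be exactly 16 characters" >&2; return 1; }
  printf '%s' "dnscap -z 192.0.2.1 -z 2001:db8::1 -i any -p -s i -w $out -C 1073741824 -k 'xz -9' -B '$start' -E '$end' -S -6 -P /usr/lib/dnscap/anonaes128.so -4 -k $key -i $key"
}

# Run the generated command on this host (same key on all hosts).
run_dnscap_cmd() {
  eval "$(build_dnscap_cmd "$@")"
}

# Usage: one host runs  KEY=$(gen_anon_key)  and distributes KEY, then every host runs
#   run_dnscap_cmd "$KEY" /output/pcap '2021-01-08 11:40:00' '2021-01-08 21:40:00'
```

The start and end times must be identical on every server so the samples line up when combined, and the key stays with the capturing organization only: once it has been handed over, the anonymized addresses in the pcaps can be partially reversed.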