Looking at ccTLD server behaviour

Nevil Brownlee, CAIDA / The University of Auckland
     / RUS, Rechenzentrum Universität Stuttgart

IEPG, Atlanta, November 2002


  1. Overview

    • Earlier (root/gTLD) Work
    • ccTLDs: How do ccTLDs differ from root/gTLDs?
    • How can one measure ccTLDs with NeTraMet?
    • Collecting/Analysing ccTLD Data
    • DNS rtt and transactions by country
    • DNS RTT variation during a week
    • RTT variation for Multi-ccTLD servers
    • Summary

  2. Earlier work: root/gTLD Performance

    • NeTraMet meters at UCSD, SJC and (from 10 Nov 02) Auckland
    • http://www.caida.org/cgi-bin/dns_perf/main.pl
    • Data from each meter, updated once each day
    • Traffic mixes different at SJC and UCSD

  3. ccTLDs: How do ccTLDs differ from root/gTLDs?

    • Roots and gTLDs have fixed IP addresses and known physical locations
    • We use a fixed (hand-coded) ruleset:
         if DestPeerAddress == A_ROOT
            { store FlowKind :=  1;  store FlowClass := 0; }
         else if DestPeerAddress == B_ROOT
            { store FlowKind :=  2;  store FlowClass := 0; }
         ...
         else if DestPeerAddress == A_GTLD
            { store FlowKind :=  1;  store FlowClass := 1; }
         ...
      
    • ccTLDs have neither. Each ccTLD administrator can choose
      • How many servers
      • Where (ISP, physical) they will be

  4. How can one measure ccTLDs with NeTraMet?
    • Look in the packet headers for cc domain names?
      • Can't. Not enough bytes
    • Do zone transfer from a root server?
      • Would have to arrange that with server operator
    • Indirect Method, used for this study:
      • Get list of country codes from web
      • Make dig input file to query the country domains
      • Run dig to get cc domain info from a root server
      • dig input file (excerpt):
        ...
        @b.root-servers.net BW
        @b.root-servers.net BV
        @b.root-servers.net BR
        @b.root-servers.net IO
        @b.root-servers.net BN
        ...
        

  5. What do we get from dig?

    • Result for br, Brazil:
      ; <<>> DiG 8.3 <<>> -t @b.root-servers.net BR
      
      ;; AUTHORITY SECTION:
      BR.			2D IN NS	NS.DNS.BR.
      BR.			2D IN NS	NS1.DNS.BR.
      BR.			2D IN NS	NS2.DNS.BR.
      BR.			2D IN NS	NS3.NIC.FR.
      BR.			2D IN NS	NS-EXT.VIX.COM.
      
      ;; ADDITIONAL SECTION:
      NS.DNS.BR.		2D IN A		200.160.0.5
      NS1.DNS.BR.		2D IN A		200.255.253.234
      NS2.DNS.BR.		2D IN A		200.19.119.99
      NS3.NIC.FR.		2D IN A		192.134.0.49
      NS-EXT.VIX.COM.		2D IN A		204.152.184.64
      
      ;; WHEN: Sat Aug 24 16:58:31 2002
      
      
    • Useful part is the ADDITIONAL SECTION
      • List of the country's ccTLD servers and their addresses
    • Can classify servers into various types:
      • OWN, i.e. in country's own top-level domain
      • OTHER, i.e. in some other TLD, mostly run by a Registry or ISP
    • Wrote a Perl script to make an SRL ruleset from dig output:
         else ADDR_TEST 200.255.253.234  # NS1.DNS.BR.
            { SAVE_CC 30;  STORE_N 1;  OWN_CCTLD; }
         else ADDR_TEST 200.19.119.99  # NS2.DNS.BR.
            { SAVE_CC 30;  STORE_N 2;  OWN_CCTLD; }
         ...
         # cc = 1..237 country,  n = 1..N server ix,  OWN or OTHER server
      
    • Problem: SRL compiler said 'duplicate IP addresses'
      • Many countries use the same provider for ccTLD service
      • Added MULTI servers, i.e. 'multi-country' servers
    • Full ruleset has 106 multi-servers
    • NS.RIPE.NET serves 75 country-code domains
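
The classification step from sections 4 and 5, as an added example in Python (not the author's Perl script, and it does not emit SRL). It parses the ADDITIONAL SECTION of each dig answer and labels every address OWN, OTHER or MULTI; the "XX" answer and the address 192.0.2.53 are constructed for illustration.

```python
import re

# Constructed input: the BR records are copied from the page; the XX answer is
# made up (documentation address) and reuses one BR server to show the MULTI case.
DIG_OUTPUT = """\
; <<>> DiG 8.3 <<>> -t @b.root-servers.net BR
;; ADDITIONAL SECTION:
NS.DNS.BR.      2D IN A 200.160.0.5
NS1.DNS.BR.     2D IN A 200.255.253.234
NS3.NIC.FR.     2D IN A 192.134.0.49
NS-EXT.VIX.COM. 2D IN A 204.152.184.64
;; WHEN: Sat Aug 24 16:58:31 2002
; <<>> DiG 8.3 <<>> -t @b.root-servers.net XX
;; ADDITIONAL SECTION:
NS.NIC.XX.      2D IN A 192.0.2.53
NS-EXT.VIX.COM. 2D IN A 204.152.184.64
"""

HEADER = re.compile(r"^; <<>> DiG .*@\S+\s+(\S+)\s*$")
A_RECORD = re.compile(r"^(\S+)\s+\S+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_additional(text):
    """Yield (cc, server_name, address) for each A record in an ADDITIONAL SECTION."""
    cc, in_additional = None, False
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:                      # a new dig answer starts: remember its country code
            cc, in_additional = header.group(1).upper(), False
        elif line.startswith(";;"):     # any section marker switches the state
            in_additional = line.startswith(";; ADDITIONAL SECTION")
        elif in_additional and cc:
            rec = A_RECORD.match(line.strip())
            if rec:
                yield cc, rec.group(1).upper(), rec.group(2)

def classify(text):
    """Map each server address to (kind, name, countries)."""
    seen = {}
    for cc, name, addr in parse_additional(text):
        seen.setdefault(addr, (name, set()))[1].add(cc)
    result = {}
    for addr, (name, ccs) in seen.items():
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        # An address listed for several countries is the 'duplicate IP' case.
        kind = "MULTI" if len(ccs) > 1 else ("OWN" if tld in ccs else "OTHER")
        result[addr] = (kind, name, sorted(ccs))
    return result
```

Keying on the address rather than the server name matches how the meter identifies servers, and it surfaces shared providers before a ruleset compiler rejects the duplicates.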

  6. Collecting/Analysing ccTLD Data

    • Run dns-cctld-full ruleset at UCSD and SJC for a week, Sat 21 Sep to 28 Sep.
         Look at data ...
    • Definitions:
      • rtts = Sum of 5-minute distribution for DNS request/response times
      • Transactions = Observed attempts at DNS lookup in a 5-minute interval
                     = pkts_to + pkts_from - rtts

      • RTT = 5-minute median for rtts, averaged over a week
      • IQR = 5-minute Inter-Quartile Range for RTTs, averaged over a week
      • Note that servers are identified only by IP address.
        They may resolve many domains, not just the ccTLD indicated by dig!

  7. UCSD Request Distribution
    Totals: rtt=1362514, transaction=4232696
       About 1/4 rtts compared to transactions
    
    186 countries observed (not including multi-country servers)
    Top 186 countries by nbr of rtts:
    
            rtts    %   ccd%     trans    %   ccd%  servers      Country
    
       0  545076 (40.0, 60.0)  1287643 (30.4, 69.6) 103    0 ??  Multi
       1  143859 (10.6, 49.4)   277329 ( 6.6, 63.0)   8  201 sr  Suriname
       2   99441 ( 7.3, 42.1)   142209 ( 3.4, 59.7)   6  113 kr  Korea, Republic of
       3   60680 ( 4.5, 37.7)    61274 ( 1.4, 58.2)   6  108 jp  Japan
       4   41398 ( 3.0, 34.6)    90885 ( 2.1, 56.1)   4   11 am  Armenia
       5   38277 ( 2.8, 31.8)    65012 ( 1.5, 54.5)   6   38 ca  Canada
       6   37404 ( 2.7, 29.1)    40786 ( 1.0, 53.6)   6   45 cx  Christmas Island
       7   31407 ( 2.3, 26.8)    33727 ( 0.8, 52.8)   2  169 ph  Philippines
       8   30412 ( 2.2, 24.6)    87340 ( 2.1, 50.7)   3  224 us  United States
       9   26372 ( 1.9, 22.6)    96576 ( 2.3, 48.4)   6   81 de  Germany
      10   19771 ( 1.5, 21.2)    67690 ( 1.6, 46.8)   4  106 it  Italy
      11   18997 ( 1.4, 19.8)    37566 ( 0.9, 45.9)   4   47 co  Colombia
      12   16070 ( 1.2, 18.6)    38387 ( 0.9, 45.0)   2   30 br  Brazil
      13   14233 ( 1.0, 17.5)    57520 ( 1.4, 43.7)   4   73 fi  Finland
      14   13183 ( 1.0, 16.6)    72219 ( 1.7, 42.0)   5  198 es  Spain
      15   10019 ( 0.7, 15.8)    37195 ( 0.9, 41.1)   6   21 be  Belgium
      16    9633 ( 0.7, 15.1)    64295 ( 1.5, 39.6)   6   44 cn  China
      17    9400 ( 0.7, 14.4)    38866 ( 0.9, 38.7)   2   74 fr  France
      18    8376 ( 0.6, 13.8)    35514 ( 0.8, 37.8)   3   10 ar  Argentina
      19    8274 ( 0.6, 13.2)    17904 ( 0.4, 37.4)   2  225 um  United States minor outlying islands
      20    8227 ( 0.6, 12.6)    56900 ( 1.3, 36.0)   3  160 no  Norway
      21    7961 ( 0.6, 12.0)   253499 ( 6.0, 30.1)   3   17 bh  Bahrain
      22    7886 ( 0.6, 11.5)    51856 ( 1.2, 28.8)   3    7 ai  Anguilla
      23    7839 ( 0.6, 10.9)    44575 ( 1.1, 27.8)   4  171 pl  Poland
      24    7817 ( 0.6, 10.3)    55553 ( 1.3, 26.5)   2  216 tr  Turkey
      25    7219 ( 0.5,  9.8)    31251 ( 0.7, 25.7)   3   58 dk  Denmark
    
       Features:
         40% rtts, 30% transactions to 103 Multi servers !
            Next highest country is only 6.6%, then 3.3%
            ccd % down to 25% after 25 countries
         High proportion to small countries like Surinam, Armenia,
            Christmas Island!
         Otherwise distribution for transaction counts is a long, 
            slowly-falling tail.
         Usually many more transactions than rtts
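
The definitions from section 6 and the % / ccd% columns of the table above, as an added Python example (not the author's analysis code). It assumes rtts counts matched request/response pairs and reads ccd% as the share left after each row; the interval samples are constructed, and the rtts counts are the first four rows of the UCSD table.

```python
from statistics import mean, median, quantiles

def transactions(pkts_to, pkts_from, rtts):
    """Page formula: a matched request/response pair is two packets but one
    lookup, so the rtts count (assumed: matched pairs) is subtracted once."""
    return pkts_to + pkts_from - rtts

def weekly_rtt_iqr(intervals):
    """intervals: one list of RTT samples (ms) per 5-minute interval.
    Returns (mean of the interval medians, mean of the interval IQRs)."""
    medians, iqrs = [], []
    for samples in intervals:
        if len(samples) < 2:            # quartiles need at least two samples
            continue
        q1, _, q3 = quantiles(samples, n=4, method="inclusive")
        medians.append(median(samples))
        iqrs.append(q3 - q1)
    return mean(medians), mean(iqrs)

def share_and_ccd(counts, total):
    """Per row: (% of total, % of total not yet covered by this and earlier rows)."""
    rows, cumulative = [], 0
    for count in counts:
        cumulative += count
        rows.append((round(100 * count / total, 1),
                     round(100 * (total - cumulative) / total, 1)))
    return rows

# rtts column of the UCSD table: Multi, Suriname, Korea, Japan, and the stated total.
UCSD_RTTS = [545076, 143859, 99441, 60680]
UCSD_TOTAL = 1362514

# Constructed RTT samples (ms) for three 5-minute intervals; the last is too small to use.
SAMPLE_INTERVALS = [[10, 12, 14, 16, 18], [20, 20, 30, 40, 40], [25]]
```

Run over the UCSD counts, `share_and_ccd` reproduces the (40.0, 60.0), (10.6, 49.4), (7.3, 42.1) and (4.5, 37.7) pairs printed in the table.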
    

  8. SJC Request Distribution
    Totals: rtt=8069458, transaction=40326286
       About 1/5 rtts compared to transactions
    
    151 countries observed (not including multi-country servers)
    Top 151 countries by nbr of rtts:
    
            rtts    %   ccd%     trans    %   ccd%  servers      Country
    
       0 2816673 (34.9, 65.1) 10661177 (26.4, 73.6)  87    0 ??  Multi (75 countries)
       1 2022496 (25.1, 40.0)  5901245 (14.6, 58.9)   6  207 tw  Taiwan, Province of China
       2  679611 ( 8.4, 31.6)  5576736 (13.8, 45.1)   7  201 sr  Suriname
       3  635169 ( 7.9, 23.7)  7705102 (19.1, 26.0)   6  113 kr  Korea, Republic of
       4  472667 ( 5.9, 17.9)  1359639 ( 3.4, 22.6)   6   44 cn  China
       5  256247 ( 3.2, 14.7)  1265597 ( 3.1, 19.5)   6  108 jp  Japan
       6  249077 ( 3.1, 11.6)   858853 ( 2.1, 17.4)   3  160 no  Norway
       7  225187 ( 2.8,  8.8)   925600 ( 2.3, 15.1)   5  219 tv  Tuvalu
       8  222990 ( 2.8,  6.1)  1173155 ( 2.9, 12.1)   4   11 am  Armenia
       9   75876 ( 0.9,  5.1)   277863 ( 0.7, 11.5)   4  104 ie  Ireland
      10   67010 ( 0.8,  4.3)   157084 ( 0.4, 11.1)   2  124 lu  Luxembourg
      11   56355 ( 0.7,  3.6)    80318 ( 0.2, 10.9)   2  148 nr  Nauru
      12   52260 ( 0.6,  2.9)   303302 ( 0.8, 10.1)   4  116 la  Lao People's Democratic Republic
      13   51607 ( 0.6,  2.3)    88855 ( 0.2,  9.9)   3  224 us  United States
    
       Features:
         About 10x UCSD transactions, but fewer countries (151, cf 185)
         35% rtts, 26% trans to 87 Multi-servers, noticeably less than at UCSD
         Much steeper tail; ccd below 25% for Multi+top 3 countries
         Taiwan, Suriname and Korea dominate the load,
            this link runs between Seattle and San Jose
    


  9. Multi-server Request Distributions
    UCSD Multi servers, 30% of total.  First 50% of multiserver transactions:
    
        rtt   trans     %    ccd%   RTT (ms) IQR (ms)   Server         Countries
    
      28793   95496 (  5.3,  94.7)   89.97   3.84   15 AUTH03.NS.UU.NET       3
      72192   86014 ( 13.2,  81.5)   89.39   1.04   10 NS.UU.NET             39
      72274   74014 ( 13.3,  68.2)   93.43  13.26   35 AUTH00.NS.UU.NET       6
      32968   73625 (  6.0,  62.2)  183.45   2.63    1 NS.RIPE.NET           75
       3441   62539 (  0.6,  61.5)  760.42 674.03   32 NS2.GIP.NET            6
      35519   49885 (  6.5,  55.0)   38.40  20.18   14 NS-EXT.VIX.COM        15
       5734   43822 (  1.1,  54.0)  172.27   0.38   18 BOW.RAIN.FR            8
      10047   40172 (  1.8,  52.1)  192.78   2.83    4 NS.EU.NET             35
    

    • Q: Are we too dependent on multi servers?
    • A: No, at least not as seen from UCSD
    SJC Multi servers, 30% of total.  First 50% of multiserver transactions:
    
        rtt   trans     %    ccd%   RTT (ms) IQR (ms)   Server            Countries
    
    2038774 7002812 ( 72.4,  27.6)    9.58  15.35   14 NS-EXT.VIX.COM          15
     277892  658010 (  9.9,  17.8)    7.35  19.92    6 UUCP-GW-1.PA.DEC.COM    10
     291464  630435 ( 10.3,   7.4)    6.45   8.27   31 UUCP-GW-2.PA.DEC.COM     5
      32961  466443 (  1.2,   6.2)    9.00   0.29  101 NS.ICANN.ORG             2
      83232  129575 (  3.0,   3.3)  208.87   2.36   53 NS.APNIC.NET             4
    
    • At SJC, 72% of rtts come from multi-server 14
    • Clearly, particular servers can dominate load at a site

  10. One week's RTT variation: Own servers only

    • Only plot four servers, leaving out two with high IQR
      • Server 6 has big steps in RTT
      • Otherwise median RTT is steady, but IQR is high
      • No diurnal variations visible for jp servers

  11. One week's RTT variation: Own vs Other servers

    • kr:   six servers. Wide range of RTT, U.S. server has very low RTT

    • no:   three servers, two in U.S, third in Norway

  12. One week's RTT variation: Interesting ccTLDs (1)

    • es:   Five Own servers, big RTT variations

    • ca:   Six servers

  13. One week's RTT variation: Interesting ccTLDs (2)

    • pl:   Four servers, mostly small IQR

    • tr:   2 servers, weekday loading effects
      • This is the only ccTLD with this behaviour
      • Other traces are mostly flat, with frequent spikes

  14. One week's RTT variation: ccTLDs with high DNS loads

    • sr:   Six servers, wide range of RTT and IQR

    • us:   Three servers, very like .sr

  15. How do Multi RTTs compare with Other RTTs?

    • Overall performance is satisfactory, but ..
      • Servers 14 (dark blue) and 4 (cyan) show signs of weekday loading
               We see a high request load for server 14 at SJC [section 9 above]
      • Servers 2,10 and 13 have sudden steps in RTT
      • Server 3, Munnari (magenta) has high RTT and medium IQR

  16. Summary

    • ccTLDs use various strategies in setting up their DNS
    • 30% to 40% of ccTLD DNS transactions use Multi servers
    • Smaller set of ccTLDs observed at SJC than at UCSD
    • DNS transaction load at UCSD well-distributed across ccTLDs
    • Server RTTs often show large steps, and have high IQR
    • Servers for a single ccTLD often show big differences in performance
    • Why are there so many more transactions than rtts?
    • Overall performance of ccTLDs is generally poorer than root/gTLDs
    • How can we make best use of ccTLD measurements?
    • Lots more work to be done

  17. Nevil Brownlee   (nevil@caida.org)   www.caida.org/~nevil
    Last updated: 15 November 2002