internet-equity / nm-exp-active-netrics

Netrics - Active Measurements of Internet Performance
Apache License 2.0

Encrypted DNS response time measurement #94

Open marcwitasee opened 2 years ago

marcwitasee commented 2 years ago

Modify the logic of the dns_latency function in netson.py to include an option to run an encrypted DNS response time test for a given set of resolvers and a given set of domains.

To implement this measurement, we will need to update the version (need to determine which version, possibly 9.17) of DiG that is running on our devices that supports DNS encryption.

https://github.com/chicago-cdac/nm-exp-active-netrics/blob/main/src/netrics/netson.py#L692

marcwitasee commented 2 years ago

We might also need to modify the configuration file to include the resolvers and the domains that will be included in the test.

https://github.com/chicago-cdac/nm-exp-active-netrics/blob/main/conf/nm-exp-active-netrics.toml#L66

feamster commented 2 years ago

Austin also indicated to us that the latest versions of dig now support +https. It is newer than the one with the distribution of Debian we have on some of our machines, so I expect the RPis may need some update.

marcwitasee commented 2 years ago

@feamster @ggmartins @ranyasharma Can update the dns_latency function to run encrypted DNS lookup

Encrypted DNS lookup DiG command: dig +https @doh.example.com isc.org A

Need to update toml configuration file to include doh resolvers

We need to understand the types of errors that are thrown when running this specific type of DiG command, and whether the output from the command needs to be parsed differently from the current output parsing logic

marcwitasee commented 2 years ago

Here is the release announcement for DiG that supports DNS-over-HTTPS https://www.isc.org/blogs/bind-doh-update-2021/

Documentation: https://bind9.readthedocs.io/en/latest/chapter1.html

marcwitasee commented 2 years ago

@ranyasharma @feamster @marcwitasee @ggmartins Hey there,

you should have access to that device by now. You must be connected to tigerteam first.

ssh feamster@tigerteam.io
ssh ranyasharma@tigerteam.io

(please use the pub key you sent me)

After that, you can jump to a shared account we have at the development device using

ssh ubuntu@192.168.111.1

while setting this up, I realized we could have an isolated environment / separate accounts for each one of us. So, I'm working on this now with Marc. But for some reason we still want to share this account, here are some instructions:

[includeIf "gitdir:~/marc/"]
        path = ~/.gitconfig-marc
[includeIf "gitdir:~/gmartins/"]
        path = ~/.gitconfig-martins
[includeIf "gitdir:~/feamster/"]
        path = ~/.gitconfig-feamster
[includeIf "gitdir:~/ranya/"]
        path = ~/.gitconfig-ranya

Now you can move to the directory, e.g. cd ~/ranya && git clone git@github.com:chicago-cdac/nm-exp-active-netrics.git

Next, you are ready to start modifying the code, deploying and testing following what's in the make help instructions

hope this helps, please give me a few hours to set up a separate account, I think we should have that option.

I'll be available for any questions, thanks,

G

marcwitasee commented 2 years ago

Per Guilherme:

@ranyasharma @feamster

ok, I've set up separate accounts for us on that netrics device. Now, from tigerteam, to access the device, you can:

ssh mr@192.168.111.1
ssh ranyasharma@192.168.111.1
ssh feamster@192.168.111.1

After that, you need to generate a ssh pair (run ssh-keygen) and upload the pub key to your trusted keys to your GitHub account in order to clone netrics. Once you clone the repo the process remains the same, but we need to coordinate among us and see who is going to be let the code testing etc. (right now, I don't have anything in the roadmap other than helping you)

Thanks,

G

marcwitasee commented 2 years ago

@ranyasharma @feamster @ggmartins

Steps to follow after successfully cloning nm-exp-active-netrics repo into your home directory to be able to run ./netrics for one-off testing from the cloned repository

  1. Copy go binary into the home directory
    sudo cp ~ubuntu/go1.17/ ~/ -R
    ln -s go1.17/go go
  2. Add path to go binary to your $PATH variable. Add the line export PATH=$PATH:~/go/bin/ and log out and log back into your user on the netrics device. Run echo $PATH after logging back in to make sure that the go path is added.
    cd
    echo 'export PATH=$PATH:~/go/bin/' >> .bashrc
  3. Change to the cloned nm-exp-active-netrics directory and run make ndt
  4. From the cloned directory, run make oplat
  5. From the cloned directory, run sudo make iperf
  6. From the cloned directory, run make speedtest
  7. From the cloned directory, run sudo make deps
  8. From the cloned directory, create a virtual environment by running:
    python3 -m venv venv
    . ./venv/bin/activate
    python3 -m pip install -r ./requirements.txt
  9. Deactivate environment with deactivate
  10. Copy the local install TOML file to the conf directory in the clone repository
    sudo cp /etc/nm-exp-active-netrics/nm-exp-active-netrics.toml ./conf/
  11. Run ./netrics -k to test that the local Netrics binary works

marcwitasee commented 2 years ago

Upgrading DiG

The current version of dig installed on our devices does not support encrypted DNS lookups.

Current version installed: DiG 9.16.1-Ubuntu
Needed version: 9.17 or higher

Local install of updated DiG

We have a local version of dig (version 9.18.5) installed in the directory /usr/local/dig/. If you want to run dig with the updated version, be sure to specify the path to the updated binary (/usr/local/dig/bin/dig).

Issues with DiG 9.18.5

DiG appears not to be compatible with certain DoH DNS resolvers such as doh.opendns.com and others which @ranyasharma is currently documenting.

We may need to update DiG to a newer version.

List of doh resolvers on GitHub: https://github.com/curl/curl/wiki/DNS-over-HTTPS (could be useful for testing)

marcwitasee commented 2 years ago

@ranyasharma

Plan for development:

Git:

Create a new branch for your changes: git checkout -b encrypted-dns

Be sure to ONLY commit the changes that you are making to the netson.py and netrics.py files.

To push your changes to the repository, use the command git push origin encrypted-dns

In netson.py:

Copy the dns_latency function and rename it encrypted_dns_latency.

Write the function logic as needed to run your encrypted DNS measurements.

In netrics.py:

Add a new flag to the arguments

When the flag is included in a call to netrics binary, add logic to call your encrypted_dns_latency function. (Similar to what you were doing when you were originally testing the encrypted DNS measurements in your forked repository).

To test your new function, do the following:

Copy the global TOML file to your development repository. From your repository, run sudo cp /etc/nm-exp-active-netrics/nm-exp-active-netrics.toml conf/

Edit the TOML file in conf/ to change the topic field from "default" to "testing"

Turn off the collect package while you are testing: /etc/init.d/nm-mgmt-collectd-http stop. This is necessary so that you don't send the test results to the backend infrastructure.

Test your function by running (from your repository) ./netrics -[your-new-flag]

When you are done testing your function, restart the collect package: /etc/init.d/nm-mgmt-collectd-http start
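Added example, not part of the thread or of the Netrics code base: one way the encrypted lookup and its output parsing could be structured so that dig failures become error records and a lookup that did not go over HTTPS is never logged as an encrypted measurement. It assumes dig 9.18 prints `;; Query time:` and `;; SERVER: ... (HTTPS)` lines; `measure_doh_latency`, `parse_dig` and `failed` are hypothetical names, and the sample output is constructed.

```python
import re
import subprocess

DIG = "/usr/local/dig/bin/dig"  # local 9.18.5 build mentioned in the thread
HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")  # rejects values dig would read as options
QUERY_TIME = re.compile(r"^;; Query time: (\d+) msec", re.M)
STATUS = re.compile(r"status: ([A-Z]+)")
TRANSPORT = re.compile(r"^;; SERVER: .*\((\w+)\)\s*$", re.M)

# Constructed sample output modelled on dig 9.18's layout (not captured from a device).
SAMPLE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; Query time: 48 msec
;; SERVER: 192.0.2.53#443(doh.example.com) (HTTPS)
"""

def failed(reason):
    return {"latency_ms": None, "status": None, "transport": None, "error": reason}

def parse_dig(stdout, returncode=0):
    """Turn one dig run into a result dict; malformed output yields an error, not an exception."""
    qt = QUERY_TIME.search(stdout)
    if returncode != 0 or qt is None:
        return failed(f"dig exit {returncode}, no query time")
    status, transport = STATUS.search(stdout), TRANSPORT.search(stdout)
    result = {"latency_ms": int(qt.group(1)), "error": None,
              "status": status.group(1) if status else None,
              "transport": transport.group(1) if transport else None}
    if result["status"] != "NOERROR":
        result["error"] = f"rcode {result['status']}"
    elif result["transport"] != "HTTPS":
        # A timing taken over UDP/TCP must not be recorded as an encrypted lookup.
        result["error"] = f"transport {result['transport']}, expected HTTPS"
    return result

def measure_doh_latency(resolvers, domains, dig=DIG, timeout=10):
    """Run dig +https for each resolver/domain pair; every failure becomes a record."""
    results = {}
    for resolver in resolvers:
        for domain in domains:
            if not (HOST.match(resolver) and HOST.match(domain)):
                results[(resolver, domain)] = failed("invalid name")
                continue
            # Argument list, no shell: TOML-supplied names are never shell-interpreted.
            cmd = [dig, "+https", "+tries=1", "+time=5", f"@{resolver}", domain, "A"]
            try:
                proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
                results[(resolver, domain)] = parse_dig(proc.stdout, proc.returncode)
            except (OSError, subprocess.TimeoutExpired) as exc:
                results[(resolver, domain)] = failed(type(exc).__name__)
    return results
```
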

ranyasharma commented 2 years ago

Updates since our conversation on 8/31:

ranyasharma commented 2 years ago

@feamster Can you please review the code for the function that runs the encrypted DNS measurements? It is located in the netson.py file and is called encrypted_dns_latency

feamster commented 2 years ago

Yes, will take a look!

ranyasharma commented 2 years ago

Updates:

marcwitasee commented 1 year ago

@ranyasharma and @ggmartins Was there a recent deployment of this test? Can one of you please provide an update here? Thanks!

ggmartins commented 1 year ago

yes, we deployed it on iotlab's device. There are things to fix before going to a larger deployment

ggmartins commented 1 year ago

status report: beta testing in https://github.com/chicago-cdac/internet-equity-admin/issues/208