OARC 2014 Spring Workshop (Warsaw)

10 May 2014, 09:00 → 11 May 2014, 18:00 Europe/Warsaw

Opera (Sofitel Warsaw Victoria)

Keith Mitchell (DNS-OARC), Sebastian Castro (.nz Registry Services)

The OARC Spring Workshop and Member EGM will take place in Warsaw, Poland on May 10th and 11th, the weekend before RIPE68, and is sponsored by:

Platinum Sponsor

Gold Sponsor

Workshop and Social Sponsor:	Social Sponsor:

We would also like to thank the RIPE NCC for their assistance for connectivity for this workshop.

OARC Workshop meetings are open to OARC members, presenters, and to all other parties interested in DNS operations and research. Meeting registration remains open to OARC Members, Speakers and Sponsors, non-members may register and attend on a standby basis subject to available space.

If your organization is interested in sponsorship, please see our Sponsor Benefits or e-mail sponsor@dns-oarc.net for more information.

Remote Participation

The public workshop is being webcast and video archived via Google Hangouts on air:

• Day 1
• Day 2 Morning
• Day 2 Afternoon

Interaction between meeting participants will be via the Jabber room:

     xmpp:dns-operations@conference.dns-oarc.net

Social Event

This is open to registered meeting participants, taking place at Browarmia between 19:00 and 21:00 Saturday evening. Thanks to Microsoft for their generous donation of the quiz prize !

 

Accommodation/Venue

Please see the RIPE68 Hotel Information for details of where to stay and travel arrangements.

Document

• EGM Board Proceedings
• EGM Member Resolutions
• EGM Proxy Form

Slides Static slide for display in meeting room and on webcast prior to meeting and during breaks and lunches.

Videos

• DNS_OARC_Spring_Workshop_-_Saturday_Afternoon-gwp57mcYVQ0.mp4
• DNS_OARC_Spring_Workshop_-_Sunday,_Afternoon-rZGZZugovSI.mp4
• DNS_OARC_Spring_Workshop_-_Sunday_Morning-JIa4BTB8rMM.mp4

Saturday, 10 May

10:00 → 11:30 OARC EGM: Members Only

OARC Member-only session and EGM

Convener: Ondrej Filip (CZ.NIC)

10:20 OARC Chairman Introduction

Speaker: Ondrej Filip (CZ.NIC)

Slides oarc-warsaw-filip.pdf

11:30 → 11:45 Coffee Break

11:45 → 12:30 Members-Only Session

11:45 Large scale regular expression recognition on the DITL data-set by using similarity search

The day in the life (DITL) data-set is collected to study and improve the integrity of the root server system. Among the different properties recorded in the data-set, we focus on second level domain (SLD) strings. In this study, we introduce a method that automatically infers regular expressions from over-represented SLD strings. At first, we identify random strings and remove them from the data pipeline. Then, we find common string seeds that guide the elucidation process. Finally, we perform similarity search on strings that do not exceed a certain level of entropy level to generate a weight matrix that is then converted into regular expressions and their corresponding visualizations. Similarity search is a very expensive operation, but we manage to achieve fast results by using the simMachines R-01 similarity engine. The method may be used to preemptively discover security or performance issues in the infrastructure. During the talk, we will show a sample of collected regular expressions so that the community may identify familiar and unfamiliar SLD patterns.

Speaker: Dr Arnoldo Muller-Molina (simMachines)

Slides patrec.pdf patrec.pptx

12:30 → 13:00 OARC President Report

Speaker: Mr Keith Mitchell (DNS-OARC)

Slides OARC-workshop-report_14.odp OARC-workshop-report_14.pdf

13:00 → 14:30 Lunch Break

14:30 → 15:00 IETF work on DNS privacy

At the IETF 88 meeting in Vancouver, the first one which took into account the Snowden revelations, there was a lot of enthusiasm on action to improve the privacy on the Internet http://www.ietf.org/blog/2013/11/strengthening-the-internet/. This was summarized in a press release http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html claiming that "all of the working groups that considered the topic have started planning to address the threat using IETF tools that can mitigate aspects of the problem". Now, what is actually done in the DNS field?

Speaker: Mr Stéphane Bortzmeyer (AFNIC)

Slides bortzmeyer-ietf-dns-privacy.pdf

15:00 → 15:30 T-DNS: Connection-Oriented DNS to Improve Privacy and Security

This talk will discuss _connection-oriented DNS_ to improve DNS security and privacy. DNS is the canonical example of a connectionless, single packet, request/response protocol, with UDP as its dominant transport. Yet DNS today is challenged by eavesdropping that compromises privacy, source-address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices. We propose _t-DNS_ to address these problems: it uses TCP to smoothly support large payloads and mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers.

Speaker: Mr John Heidemann (USC/Information Sciences Institute)

Slides t_dns_johnh_140510_1up.pdf

15:30 → 16:00 Zeroing in on Zero Days

The presentation will cover findings from a Terabyte of anonymized DNS data collected every day from around the world. We’ll present data and analysis techniques and discuss how we’re automating the cycle of identifying and validating behaviors such as the ones described below to zero in quickly on zero days and minimize their damage. - Appearances of new “purpose built” domains registered exclusively for amplification attacks - A new trend of a small set of domains that go from zero (or very small) traffic and then spike to millions or 10s of millions of queries per day over a couple of days, using millions of unique random subdomains. We'll also discuss DNS amplification attack activity at a macro and micro level.

Speaker: Bruce van Nice (Nominum)

Slides VanNice-ZeroDays.pdf VanNice-ZeroDays.pptx

16:00 → 16:20 Coffee Break

16:20 → 16:50 Anycast on a shoe string

Over 6 months I built out a distributed DNS service around the world consisting of 11 nodes, whilst at the same time trying to keep it under the radar of the wife - costing less than $1000/yr. I'll talk about how I built it, what tools I used (RethinkDB, Beanstalkd, CollectD, Python etc), the problems I faced, details I learnt about how other "budget" anycast services are built and the fun I had along the way.

Speaker: Mr Nat Morris (Esgob Ltd)

Slides Esgob_Anycast_on_a_shoe_string_20140510.pdf Esgob_Anycast_on_a_shoe_string_20140510.pptx

16:50 → 17:20 DNS Server and DNSSEC support in Windows Server 2012 R2

DNS Server in Windows has been enhanced significantly through recent releases of Windows Server. One of the main areas of capability augmentation of Windows DNS has been in the area of DNSSEC. This session will mainly focus on acclimatizing the user with DNSSEC capabilities in Windows DNS Server. It will demonstrate how to setup DNSSEC in Windows DNS server, online zone signing support and will provide the audience an insight into the DNSSEC validation process in Windows DNS Server. The session will also talk about Windows DNS server performance and scalability in a DNSSEC and non-DNSSEC deployment. The session will also talk about other capabilities of Windows DNS server in a file based deployment as well as Active directory based deployment. Audience takeaways: - DNSSEC support in Windows DNS server and how to deploy DNSSEC with Windows DNS server - Performance and scale capabilities of Windows DNS server

Speaker: David Cates (Microsoft)

Slides PDF PowerPoint

17:20 → 17:50 Portable DNS Analysis

Analyzing a DNS deployment is a complex challenge. There are several roles of DNS service, of which a single server may play multiple. Additionally, there are various vantage points from which an address might be queried, and each might result in a different response, or none at all. Finally, there are multiple query options and diverse ways handling the responses that result. There are many tools and methodologies for analyzing DNS deployments, but there is no standard, transparent way to describe the analysis or the results. We present a mechanism and framework for "portable DNS analysis" and describe its advantages for improving DNS analysis, including tool interoperability, facilitated remote analysis, and versatility.

Speaker: Dr Casey Deccio (Verisign Labs)

Slides 2014-05-10-portable-oarc.pdf

19:00 → 21:30 Social Event

TBC

Sunday, 11 May

09:00 → 09:30 getdns-api implementation

Verisign and NLnet Labs have recently announced the first beta release (0.1.0) of an open source implementation of the getdns API specification. The project's home page is at http://getdnsapi.net. getdns is a modern asynchronous DNS API. It implements DNS entry points from a design developed and vetted by application developers, in the specification at http://www.vpnc.org/getdns-api/ edited by Paul Hoffman. With the implementation of this API, we intend to offer application developers a modernized and flexible way to access DNS security (DNSSEC) and other powerful new DNS features; a particular hope is to inspire application developers towards innovative security solutions in their applications. In this presentation I will give an application developers view of DNSSEC and describe the independently written getDNS API specification. I will showcase the open source implementation of the specification built by our team of developers from NLNet Labs and Verisign. The presentation will cover * how to perform resolution in all the different forms * the different ways to perform DNSSEC and the different levels of security assurances applications can get * the asynchronous support and how our implementation can integrate in the application developers event base of choice * the extensibility of the library * the limits of our current implementation and * the roadmap for near-future development

Speaker: Mr Willem Toorop (NLnet Labs)

Slides getdns-API-Implementation.pdf

09:30 → 10:00 dnstap: introduction and status update

dnstap is a flexible, structured binary log format for DNS software. This presentation will introduce the core concepts and data model and summarize recent progress in implementing dnstap support in existing DNS software. dnstap's motivating use case is to enable an advanced form of forgery resistant passive DNS replication that can perform bailiwick verification of data received from DNS authority servers without an expensive, stateful post-processing step. This can only be done by exporting internal state from the recursive DNS server as the information that can be obtained from external packet capture is insufficient for this purpose. However, a generic mechanism that supports the passive DNS replication use case ought to be able to support other interesting use cases. For instance, command-line tools like 'dig', 'drill', and 'kdig' produce output in similar but not identical text formats reminiscent of the DNS master file format, while various DNS "looking glass" implementations render DNS data in HTML or JSON. A unified interchange format for representing DNS transactions could substantially improve the interoperability and usability of these tools.

Speaker: Robert Edmonds (Farsight Security, Inc.)

Slides Edmonds-dnstap.pdf

10:00 → 10:30 Big data journey

On this presentation we explore the journey NZRS took to deploy and use a Big Data cluster using Hadoop. From assembling servers, to racking, deploying software, developing UDFs and running jobs on the cluster, we go over the many alternatives of Hadoop for data analysis, and how it can be used for DNS analysis in particular.

Speaker: Mr Sebastian Castro (.nz Registry Services)

Slides NZRS Big Data Journey slides

10:30 → 11:00 No Help Desk for Light Switches

Increasing numbers of Internet-connected fridges and grandparents, together with cloud-based service delivery hysteria, are pushing availability requirements for web-accessible services through the roof. Subscribers are less interested in the reasons for failure, and are largely disinclined to try and call anybody for help (who would they call?) Service unavailability leads to lost subscribers, lost momentum and fear of lost investment and business failure. Being up is important. Small, upstart web properties have options for outsourcing pieces of their infrastructure and operations to get a leg up on network and platform availability. With escalating availability requirements and a desire to be able to serve hot markets opportunistically, we consider how deep we can dig this particular rabbit-hole. We describe some of our thinking about how to scale our current service delivery platform from 20 sites globally to something much, much, much (much) bigger. We consider logistics, security, provisioning, manageability, monitoring and measurement, and begin to paint a picture of DNS service at a scale not previously seen on the Internet.

Speaker: Mr Joseph Abley (Dyn, Inc.)

Slides DNS-OARC-2014_No_Helpdesk_for_Light_Switches.pdf

11:00 → 11:30 Coffee Break

11:30 → 12:00 DNSSEC Deployment in .CN

I will introduce DNSSEC deployment in .CN in my talk, it mainly include the preparations, deployment, monitoring and observations. In the end, I will analyze a small DDoS attack occurred in .CN recently, and point out the challenges which .CN will be faced in the future.

Speaker: Mr Qi Zhao (CNNIC)

Slides DNSSEC_Deployment_in_.CN_OARC_-_ZhaoQi.pdf

12:00 → 12:30 DNSSEC Audit Framework

A DNSSEC audit is the process of structural examination of a DNSSEC infrastructure. DNSSEC adoption is increasing and becomes more and more a system we rely on. As the protocol becomes more critical, the level of assurance of the system and its evaluation also becomes more important. NLnet Labs in collaboration with SWITCH created a framework that assists auditors in performing a DNSSEC audit. The framework provides a scope and a methodology, and at the same time functions as the review checklist for the audit.

Speaker: Matthijs Mekking (NLnet Labs)

Slides oarc-spring-2014-dnssec-audit-framework.pdf

12:30 → 13:40 Lunch Break

13:15 → 13:40 PGP Signing Session

Speaker: Mr Sebastian Castro (.nz Registry Services)

Minutes PGP Keyring - ASCII armoured

notes OARC Warsaw PGP Keyring

Slides OARC_Spring_2014_Warsaw_Workshop_-_PGP_keys.pdf

13:40 → 14:10 OARC Infrastructure Update

Speaker: Mr Keith Mitchell (DNS-OARC)

Slides WFMS-OARC_systems.pdf

14:10 → 14:40 A survey of Namecoin the peer to peer based DNS system

Along side all of the new TLDs which have come into being, there is a dark horse: .bit. .bit isn't one of ICANN's most recently blessed TLDs, such as .guru, .democrat or .sexy, it is the top level domain which is served by the Namecoin infrastructure. The Namecoin platform seeks to provide an alternative (read as non-ICANN regulated TLD) decentralized domain name system built on a modified version of the Bitcoin software. The research summarized in this presentation is a review of the concepts behind Namecoin, its implementation, and the use of the Namecoin platform. The first area of research was recreating the .bit zone and analyzing its contents. Specifically, it was focused on identifying the number of IP addresses associated with .bit domains, the autonomous systems which these IPs represent, and the type of records which appear most prominently. The next step was to acquire Namecoin and use it to create a domain with a collection of resource records. The goal of this exercise was to determine the barriers to entry and explore the user experience of the platform. The results were translated to a consideration for the usability of the .bit name space and its requirement for a copy of the Namecoin blockchain, a recursive DNS server with the .bit zone, or a web browser plugin. Namecoin has hurdles to overcome in the form of accessibility, integration, and hardening of the source. Its future is a race between innovation which can be seen in the development of DNSChain and its role as the new malware safe haven.

Speaker: Mr Christopher Baker (Dyn)

Slides Namecoin.pdf

14:40 → 15:10 Detecting and Clustering Botnet Domains Using DNS Traffic

In this paper we focus on detecting and clustering distinct groupings of domain names that are queried by numerous sets of infected machines. We propose to analyze domain name system (DNS) traffic, such as Non-Existent Domain (NXDomain) queries, at several premier Top Level Domain (TLD) authoritative name servers to identify strongly connected cliques of malware related domains. We illustrate typical malware DNS lookup patterns when observed on a global scale and utilize this insight to engineer a system capable of detecting and accurately clustering malware domains to a particular variant or malware family without the need for obtaining a malware sample. Finally, the experimental results of our system will provide a unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.

Speaker: Matthew Thomas (Verisign)

Slides Kindred_Domains_ThomasMohaisen_DNS-OARC_2014.pdf Kindred_Domains_ThomasMohaisen_DNS-OARC_2014.pptx

15:10 → 15:40 Performance impact of contained and virtualised environments in Authoritative DNS Servers

Operational flexibility and deployment are increasingly managed through VMs or similar environments. In the past it has been reported that certain VM environments have a very negative impact in DNS server performance. Here, we present the results of QPS performance of several current authoritative DNS servers running in traditional and contained or virtualised environments to evaluate their relative merits and tradeoffs in real operational use.

Speakers: Mr Joao Damas (Dyn Inc), Mr Knight Dave (Dyn Inc)

Slides DNS_perf_OARC_Apr_14.pdf

15:40 → 16:00 Coffee Break

16:00 → 16:30 Lightning Talks

Convener: Mr Sebastian Castro (.nz Registry Services)

16:00 Slaving the root - Warren Kumari

Speaker: Mr Warren Kumari (Google)

Slides Slaving_the_root-2.pdf

16:05 Lightning Talk - Paul Vixie

Speaker: Mr Paul Vixie

16:10 Lightning Talk - Matt Pounsett

Speaker: Mr Matt Pounsett

16:15 Lightning Talk - Mehmet Akcin

Speaker: Mr Mehmet Akcin (Microsoft)

16:20 Zonemaster

Speaker: Mr Patrik Wallstrom

Slides Zonemaster_Lightning_Talk_DNS-OARC_Spring_2014.pdf

16:25 Standarized DNS measurement

Speakers: Mr Jim Martin, Mr Lars-Johan Liman

16:30 → 17:00 Analysis of DITL root data and comparison with full-resolver's data.

The past analysis reported numbers of queries sent from each address to root DNS servers. There are 30,000 IP addresses which send over 100,000 queries in 48 hours. 100,000 queries per 48 hours seem to be too much. However, a full-resolver managed appropriately sent 110,000 queries in 48 hours at 2012 DITL timing. It served 180 queries per second from thousands of clients. The author replayed the 48 hours client queries to BIND 9 and Unbound full-resolvers, and compared number of queries to root DNS servers and other authorititative DNS servers.

Speaker: Mr Kazunori Fujiwara (Japan Registry Services Co., Ltd)

Slides fujiwara-DITL3.pdf

17:00 → 17:30 Open Resolvers in COM/NET Resolution

While open resolvers provide various benefits by answering DNS requests from external sources for anything, today they pose a significant threat to the stability and security of the Internet. For example, open resolvers have been recently utilized for launching amplification attacks, calling for initiating a systematic study on their population, use, and distribution, and raising the awareness on their potential roles. For example, the open resolver project (http://openresolverproject.org/) reported 32 million open resolvers, 28 million of which pose a significant threat, as of October 2013. In this presentation, we will report on an independent study of open resolvers and their usage. Beside verifying the numbers provided by the open resolver project, we go further in understanding those resolvers. To highlight their usage, we identify open resolvers in the com/net authoritative DNS resolution, and try to answer the following questions: • What is the intersection between the open resolvers in the wild and sources of DNS requests seen in the com/net resolution? • How persistent are the IP addresses of open resolvers in the com/net resolution over time? • What is the correlation between the volume of DNS requests generated by open resolvers in the com/net resolution and their activity in the open resolvers ecosystem? In this study, we received 32,040,586 responses from 31,424,854 unique IP addresses that used 277,048 forwarders. In comparison with the open resolver project statistics, and for the same time period (Oct 28, 2013 - Nov 3, 2013), our survey matched (number-wise) 98.7% of the responses and 99.03% of the unique IP addresses used by open resolvers. We found that the daily intersection between open resolvers (forwarders) and sources of requests in the com/net resolution for the same day is more than 73% at any point in time over the time of the scan (of 7 days). Furthermore, over the time of the experiment, we found that only 91.9% of the total number of forwarders show up in the com/net resolution, with a non-trivial percent not showing up (8.1%). The daily pairwise intersection of forwarders (across different days) is shown to range from 87% to 95%, suggesting a level of dynamics and churn in the open resolvers population. Second, we found that the number of open resolvers in the com/net resolution is persistent over time, with daily intersection ranging from 73% to 82%, and an average intersection (over 7 days) of about 76%. Third, we give each forwarder two scores: a popularity in the open resolvers ecosystem (unique IP addresses in the open resolver survey above), and a popularity score in the com/net resolution system (the number of queries issued by each forwarder). Interesting, we found that both scores are weakly and positively correlated (0.29). Our presentation will also highlight other characteristics of open resolvers, such as geographical distribution, and persistence characterization over a longer period of time between consecutive scans (∼6 months), along with implications.

Speaker: Duane Wessels (Verisign)

Slides open-resolvers.pdf open-resolvers.pptx