OARC 2014 Spring Workshop (Warsaw)

Europe/Warsaw
Opera (Sofitel Warsaw Victoria)

Opera

Sofitel Warsaw Victoria

11 Królewska Street 00-065 Warsaw
Keith Mitchell (DNS-OARC), Sebastian Castro (.nz Registry Services)
Description
The OARC Spring Workshop and Member EGM will take place in Warsaw, Poland on May 10th and 11th, the weekend before RIPE68, and is sponsored by:

Platinum Sponsor

Microsoft

Gold Sponsor

Verisign

Workshop and Social Sponsor: Social Sponsor:
Dyn New Zealand Registry Services"

We would also like to thank the RIPE NCC for their assistance for connectivity for this workshop.

OARC Workshop meetings are open to OARC members, presenters, and to all other parties interested in DNS operations and research. Meeting registration remains open to OARC Members, Speakers and Sponsors, non-members may register and attend on a standby basis subject to available space.

If your organization is interested in sponsorship, please see our Sponsor Benefits or e-mail sponsor@dns-oarc.net for more information.

Remote Participation

The public workshop is being webcast and video archived via Google Hangouts on air:

Interaction between meeting participants will be via the Jabber room:

     xmpp:dns-operations@conference.dns-oarc.net

Social Event

This is open to registered meeting participants, taking place at Browarmia between 19:00 and 21:00 Saturday evening. Thanks to Microsoft for their generous donation of the quiz prize !

 

Accommodation/Venue

Please see the RIPE68 Hotel Information for details of where to stay and travel arrangements.

Participants
  • Adam Obszynski
  • Adrian Beaudin
  • Aleksander Trofimowicz
  • Alexander Ilin
  • Anand Buddhdev
  • Antoin Verschuren
  • Arnoldo Muller-Molina
  • Assis Guerreiro
  • Aziz Mohaisen
  • Benno Overeinder
  • Billy Glynn
  • Brad Verd
  • Brett Carr
  • Bruce Van Nice
  • Carsten Schiefner
  • Carsten Strotmann
  • Casey Deccio
  • Cathy Almond
  • Chris Baker
  • Chris Griffiths
  • Christian Petrasch
  • Daniel Stirnimann
  • Dave Knight
  • David Cates
  • Denesh Bhabuta
  • Dmitry Kovalenko
  • Doug Wilson
  • Duane Wessels
  • Eddy Winstead
  • Eduardo Mercader
  • Elise Gerich
  • Frederic Cambus
  • Geoff Huston
  • George Michaelson
  • Henrik Levkowetz
  • Hong Bo
  • Jacques Latour
  • Jake Zack
  • Jarle Fredrik Greipsland
  • Jaromir Talir
  • Jason Hughes
  • Jeff Schmidt
  • Jerry Lundström
  • Jim Martin
  • Jim Reid
  • Joao Damas
  • Joe Abley
  • John Bond
  • John Heidemann
  • Kazunori Fujiwara
  • Keith Mitchell
  • Krzysztof Olesik
  • Krzysztof Piwowar
  • Kumar Ashutosh
  • LanLan Pan
  • Lars-Johan Liman
  • Liam Hynes
  • MACIEJ ANDZINSKI
  • Manuel Mejia
  • Marco D'Itri
  • Marco Davids
  • Marco Díaz
  • Mariusz Kamola
  • Martin Levy
  • Martin Seeger
  • Mats Dufberg
  • Matt Larson
  • Matt Weinberg
  • Matthew Pounsett
  • Matthew Thomas
  • Matthias Seitz
  • Matthijs Mekking
  • Mehmet Akcin
  • Mikael Löfstrand
  • Mitsuru Shimamura
  • Nat Morris
  • Olaf Kolkman
  • Olivier Lemarie
  • Ondrej Filip
  • Ondřej Surý
  • Patrik Wallström
  • Paul Ebersman
  • Paul Mockapetris
  • Paul O'Leary
  • paul vixie
  • Paweł Krześniak
  • Peter Koch
  • Piotr Arabas
  • Piotr Ksiazak
  • Qi Zhao
  • Rafal Galinski
  • Raghavendra Hegde
  • Ralf Weber
  • Randy Bush
  • Ray Bellis
  • Robert Edmonds
  • Robert Nagy
  • Rock Chantigny
  • Samuel Weiler
  • Sandoche Balakrichenan
  • Sandra Murphy
  • Sean Stuart
  • Sebastian Castro
  • Sergey Myasoedov
  • Shane Kerr
  • Siôn Lloyd
  • Stéphane Bortzmeyer
  • Thomas Dupas
  • Thorsten Dietrich
  • Tonny Yu
  • Toshio Tachibana
  • Vicky Risk
  • Victor Kuarsingh
  • Warren Kumari
  • Wayne Yeung
  • Willem Toorop
  • William Sotomayor
    • OARC EGM: Members Only Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw

      OARC Member-only session and EGM

      Convener: Ondrej Filip (CZ.NIC)
      • 1
        OARC Chairman Introduction
        Speaker: Ondrej Filip (CZ.NIC)
        Slides
    • 11:30
      Coffee Break Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
    • Members-Only Session Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      • 2
        Large scale regular expression recognition on the DITL data-set by using similarity search
        The day in the life (DITL) data-set is collected to study and improve the integrity of the root server system. Among the different properties recorded in the data-set, we focus on second level domain (SLD) strings. In this study, we introduce a method that automatically infers regular expressions from over-represented SLD strings. At first, we identify random strings and remove them from the data pipeline. Then, we find common string seeds that guide the elucidation process. Finally, we perform similarity search on strings that do not exceed a certain level of entropy level to generate a weight matrix that is then converted into regular expressions and their corresponding visualizations. Similarity search is a very expensive operation, but we manage to achieve fast results by using the simMachines R-01 similarity engine. The method may be used to preemptively discover security or performance issues in the infrastructure. During the talk, we will show a sample of collected regular expressions so that the community may identify familiar and unfamiliar SLD patterns.
        Speaker: Dr Arnoldo Muller-Molina (simMachines)
        Slides
    • 3
      OARC President Report Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      Speaker: Mr Keith Mitchell (DNS-OARC)
      Slides
    • 13:00
      Lunch Break Kitchen Gallery

      Kitchen Gallery

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
    • 4
      IETF work on DNS privacy Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      At the IETF 88 meeting in Vancouver, the first one which took into account the Snowden revelations, there was a lot of enthusiasm on action to improve the privacy on the Internet http://www.ietf.org/blog/2013/11/strengthening-the-internet/. This was summarized in a press release http://www.ietf.org/media/2013-11-07-internet-privacy-and-security.html claiming that "all of the working groups that considered the topic have started planning to address the threat using IETF tools that can mitigate aspects of the problem". Now, what is actually done in the DNS field?
      Speaker: Mr Stéphane Bortzmeyer (AFNIC)
      Slides
    • 5
      T-DNS: Connection-Oriented DNS to Improve Privacy and Security Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      This talk will discuss _connection-oriented DNS_ to improve DNS security and privacy. DNS is the canonical example of a connectionless, single packet, request/response protocol, with UDP as its dominant transport. Yet DNS today is challenged by eavesdropping that compromises privacy, source-address spoofing that results in denial-of-service (DoS) attacks on the server and third parties, injection attacks that exploit fragmentation, and size limitations that constrain policy and operational choices. We propose _t-DNS_ to address these problems: it uses TCP to smoothly support large payloads and mitigate spoofing and amplification for DoS. T-DNS uses transport-layer security (TLS) to provide privacy from users to their DNS resolvers and optionally to authoritative servers.
      Speaker: Mr John Heidemann (USC/Information Sciences Institute)
      Slides
    • 6
      Zeroing in on Zero Days Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      The presentation will cover findings from a Terabyte of anonymized DNS data collected every day from around the world. We’ll present data and analysis techniques and discuss how we’re automating the cycle of identifying and validating behaviors such as the ones described below to zero in quickly on zero days and minimize their damage. - Appearances of new “purpose built” domains registered exclusively for amplification attacks - A new trend of a small set of domains that go from zero (or very small) traffic and then spike to millions or 10s of millions of queries per day over a couple of days, using millions of unique random subdomains. We'll also discuss DNS amplification attack activity at a macro and micro level.
      Speaker: Bruce van Nice (Nominum)
      Slides
    • 16:00
      Coffee Break Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
    • 7
      Anycast on a shoe string Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      Over 6 months I built out a distributed DNS service around the world consisting of 11 nodes, whilst at the same time trying to keep it under the radar of the wife - costing less than $1000/yr. I'll talk about how I built it, what tools I used (RethinkDB, Beanstalkd, CollectD, Python etc), the problems I faced, details I learnt about how other "budget" anycast services are built and the fun I had along the way.
      Speaker: Mr Nat Morris (Esgob Ltd)
      Slides
    • 8
      DNS Server and DNSSEC support in Windows Server 2012 R2 Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      DNS Server in Windows has been enhanced significantly through recent releases of Windows Server. One of the main areas of capability augmentation of Windows DNS has been in the area of DNSSEC. This session will mainly focus on acclimatizing the user with DNSSEC capabilities in Windows DNS Server. It will demonstrate how to setup DNSSEC in Windows DNS server, online zone signing support and will provide the audience an insight into the DNSSEC validation process in Windows DNS Server. The session will also talk about Windows DNS server performance and scalability in a DNSSEC and non-DNSSEC deployment. The session will also talk about other capabilities of Windows DNS server in a file based deployment as well as Active directory based deployment. Audience takeaways: - DNSSEC support in Windows DNS server and how to deploy DNSSEC with Windows DNS server - Performance and scale capabilities of Windows DNS server
      Speaker: David Cates (Microsoft)
      Slides
    • 9
      Portable DNS Analysis Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      Analyzing a DNS deployment is a complex challenge. There are several roles of DNS service, of which a single server may play multiple. Additionally, there are various vantage points from which an address might be queried, and each might result in a different response, or none at all. Finally, there are multiple query options and diverse ways handling the responses that result. There are many tools and methodologies for analyzing DNS deployments, but there is no standard, transparent way to describe the analysis or the results. We present a mechanism and framework for "portable DNS analysis" and describe its advantages for improving DNS analysis, including tool interoperability, facilitated remote analysis, and versatility.
      Speaker: Dr Casey Deccio (Verisign Labs)
      Slides
    • 19:00
      Social Event Cellar (Browarmia Królewska)

      Cellar

      Browarmia Królewska

      TBC

    • 10
      getdns-api implementation Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      Verisign and NLnet Labs have recently announced the first beta release (0.1.0) of an open source implementation of the getdns API specification. The project's home page is at http://getdnsapi.net. getdns is a modern asynchronous DNS API. It implements DNS entry points from a design developed and vetted by application developers, in the specification at http://www.vpnc.org/getdns-api/ edited by Paul Hoffman. With the implementation of this API, we intend to offer application developers a modernized and flexible way to access DNS security (DNSSEC) and other powerful new DNS features; a particular hope is to inspire application developers towards innovative security solutions in their applications. In this presentation I will give an application developers view of DNSSEC and describe the independently written getDNS API specification. I will showcase the open source implementation of the specification built by our team of developers from NLNet Labs and Verisign. The presentation will cover * how to perform resolution in all the different forms * the different ways to perform DNSSEC and the different levels of security assurances applications can get * the asynchronous support and how our implementation can integrate in the application developers event base of choice * the extensibility of the library * the limits of our current implementation and * the roadmap for near-future development
      Speaker: Mr Willem Toorop (NLnet Labs)
      Slides
    • 11
      dnstap: introduction and status update Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      dnstap is a flexible, structured binary log format for DNS software. This presentation will introduce the core concepts and data model and summarize recent progress in implementing dnstap support in existing DNS software. dnstap's motivating use case is to enable an advanced form of forgery resistant passive DNS replication that can perform bailiwick verification of data received from DNS authority servers without an expensive, stateful post-processing step. This can only be done by exporting internal state from the recursive DNS server as the information that can be obtained from external packet capture is insufficient for this purpose. However, a generic mechanism that supports the passive DNS replication use case ought to be able to support other interesting use cases. For instance, command-line tools like 'dig', 'drill', and 'kdig' produce output in similar but not identical text formats reminiscent of the DNS master file format, while various DNS "looking glass" implementations render DNS data in HTML or JSON. A unified interchange format for representing DNS transactions could substantially improve the interoperability and usability of these tools.
      Speaker: Robert Edmonds (Farsight Security, Inc.)
      Slides
    • 12
      Big data journey Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      On this presentation we explore the journey NZRS took to deploy and use a Big Data cluster using Hadoop. From assembling servers, to racking, deploying software, developing UDFs and running jobs on the cluster, we go over the many alternatives of Hadoop for data analysis, and how it can be used for DNS analysis in particular.
      Speaker: Mr Sebastian Castro (.nz Registry Services)
      Slides
    • 13
      No Help Desk for Light Switches Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      Increasing numbers of Internet-connected fridges and grandparents, together with cloud-based service delivery hysteria, are pushing availability requirements for web-accessible services through the roof. Subscribers are less interested in the reasons for failure, and are largely disinclined to try and call anybody for help (who would they call?) Service unavailability leads to lost subscribers, lost momentum and fear of lost investment and business failure. Being up is important. Small, upstart web properties have options for outsourcing pieces of their infrastructure and operations to get a leg up on network and platform availability. With escalating availability requirements and a desire to be able to serve hot markets opportunistically, we consider how deep we can dig this particular rabbit-hole. We describe some of our thinking about how to scale our current service delivery platform from 20 sites globally to something much, much, much (much) bigger. We consider logistics, security, provisioning, manageability, monitoring and measurement, and begin to paint a picture of DNS service at a scale not previously seen on the Internet.
      Speaker: Mr Joseph Abley (Dyn, Inc.)
      Slides
    • 11:00
      Coffee Break Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
    • 14
      DNSSEC Deployment in .CN Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      I will introduce DNSSEC deployment in .CN in my talk, it mainly include the preparations, deployment, monitoring and observations. In the end, I will analyze a small DDoS attack occurred in .CN recently, and point out the challenges which .CN will be faced in the future.
      Speaker: Mr Qi Zhao (CNNIC)
      Slides
    • 15
      DNSSEC Audit Framework Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      A DNSSEC audit is the process of structural examination of a DNSSEC infrastructure. DNSSEC adoption is increasing and becomes more and more a system we rely on. As the protocol becomes more critical, the level of assurance of the system and its evaluation also becomes more important. NLnet Labs in collaboration with SWITCH created a framework that assists auditors in performing a DNSSEC audit. The framework provides a scope and a methodology, and at the same time functions as the review checklist for the audit.
      Speaker: Matthijs Mekking (NLnet Labs)
      Slides
    • 12:30
      Lunch Break Kitchen Gallery

      Kitchen Gallery

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
    • 16
      PGP Signing Session Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      Speaker: Mr Sebastian Castro (.nz Registry Services)
      Minutes
      notes
      Slides
    • 17
      OARC Infrastructure Update Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      Speaker: Mr Keith Mitchell (DNS-OARC)
      Slides
    • 18
      A survey of Namecoin the peer to peer based DNS system Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      Along side all of the new TLDs which have come into being, there is a dark horse: .bit. .bit isn't one of ICANN's most recently blessed TLDs, such as .guru, .democrat or .sexy, it is the top level domain which is served by the Namecoin infrastructure. The Namecoin platform seeks to provide an alternative (read as non-ICANN regulated TLD) decentralized domain name system built on a modified version of the Bitcoin software. The research summarized in this presentation is a review of the concepts behind Namecoin, its implementation, and the use of the Namecoin platform. The first area of research was recreating the .bit zone and analyzing its contents. Specifically, it was focused on identifying the number of IP addresses associated with .bit domains, the autonomous systems which these IPs represent, and the type of records which appear most prominently. The next step was to acquire Namecoin and use it to create a domain with a collection of resource records. The goal of this exercise was to determine the barriers to entry and explore the user experience of the platform. The results were translated to a consideration for the usability of the .bit name space and its requirement for a copy of the Namecoin blockchain, a recursive DNS server with the .bit zone, or a web browser plugin. Namecoin has hurdles to overcome in the form of accessibility, integration, and hardening of the source. Its future is a race between innovation which can be seen in the development of DNSChain and its role as the new malware safe haven.
      Speaker: Mr Christopher Baker (Dyn)
      Slides
    • 19
      Detecting and Clustering Botnet Domains Using DNS Traffic Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      In this paper we focus on detecting and clustering distinct groupings of domain names that are queried by numerous sets of infected machines. We propose to analyze domain name system (DNS) traffic, such as Non-Existent Domain (NXDomain) queries, at several premier Top Level Domain (TLD) authoritative name servers to identify strongly connected cliques of malware related domains. We illustrate typical malware DNS lookup patterns when observed on a global scale and utilize this insight to engineer a system capable of detecting and accurately clustering malware domains to a particular variant or malware family without the need for obtaining a malware sample. Finally, the experimental results of our system will provide a unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.
      Speaker: Matthew Thomas (Verisign)
      Slides
    • 20
      Performance impact of contained and virtualised environments in Authoritative DNS Servers Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      Operational flexibility and deployment are increasingly managed through VMs or similar environments. In the past it has been reported that certain VM environments have a very negative impact in DNS server performance. Here, we present the results of QPS performance of several current authoritative DNS servers running in traditional and contained or virtualised environments to evaluate their relative merits and tradeoffs in real operational use.
      Speakers: Mr Joao Damas (Dyn Inc), Mr Knight Dave (Dyn Inc)
      Slides
    • 15:40
      Coffee Break Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
    • Lightning Talks Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      Convener: Mr Sebastian Castro (.nz Registry Services)
      • 21
        Slaving the root - Warren Kumari
        Speaker: Mr Warren Kumari (Google)
        Slides
      • 22
        Lightning Talk - Paul Vixie
        Speaker: Mr Paul Vixie
      • 23
        Lightning Talk - Matt Pounsett
        Speaker: Mr Matt Pounsett
      • 24
        Lightning Talk - Mehmet Akcin
        Speaker: Mr Mehmet Akcin (Microsoft)
      • 25
        Zonemaster
        Speaker: Mr Patrik Wallstrom
        Slides
      • 26
        Standarized DNS measurement
        Speakers: Mr Jim Martin, Mr Lars-Johan Liman
    • 27
      Analysis of DITL root data and comparison with full-resolver's data. Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      The past analysis reported numbers of queries sent from each address to root DNS servers. There are 30,000 IP addresses which send over 100,000 queries in 48 hours. 100,000 queries per 48 hours seem to be too much. However, a full-resolver managed appropriately sent 110,000 queries in 48 hours at 2012 DITL timing. It served 180 queries per second from thousands of clients. The author replayed the 48 hours client queries to BIND 9 and Unbound full-resolvers, and compared number of queries to root DNS servers and other authorititative DNS servers.
      Speaker: Mr Kazunori Fujiwara (Japan Registry Services Co., Ltd)
      Slides
    • 28
      Open Resolvers in COM/NET Resolution Opera

      Opera

      Sofitel Warsaw Victoria

      11 Królewska Street 00-065 Warsaw
      While open resolvers provide various benefits by answering DNS requests from external sources for anything, today they pose a significant threat to the stability and security of the Internet. For example, open resolvers have been recently utilized for launching amplification attacks, calling for initiating a systematic study on their population, use, and distribution, and raising the awareness on their potential roles. For example, the open resolver project (http://openresolverproject.org/) reported 32 million open resolvers, 28 million of which pose a significant threat, as of October 2013. In this presentation, we will report on an independent study of open resolvers and their usage. Beside verifying the numbers provided by the open resolver project, we go further in understanding those resolvers. To highlight their usage, we identify open resolvers in the com/net authoritative DNS resolution, and try to answer the following questions: • What is the intersection between the open resolvers in the wild and sources of DNS requests seen in the com/net resolution? • How persistent are the IP addresses of open resolvers in the com/net resolution over time? • What is the correlation between the volume of DNS requests generated by open resolvers in the com/net resolution and their activity in the open resolvers ecosystem? In this study, we received 32,040,586 responses from 31,424,854 unique IP addresses that used 277,048 forwarders. In comparison with the open resolver project statistics, and for the same time period (Oct 28, 2013 - Nov 3, 2013), our survey matched (number-wise) 98.7% of the responses and 99.03% of the unique IP addresses used by open resolvers. We found that the daily intersection between open resolvers (forwarders) and sources of requests in the com/net resolution for the same day is more than 73% at any point in time over the time of the scan (of 7 days). Furthermore, over the time of the experiment, we found that only 91.9% of the total number of forwarders show up in the com/net resolution, with a non-trivial percent not showing up (8.1%). The daily pairwise intersection of forwarders (across different days) is shown to range from 87% to 95%, suggesting a level of dynamics and churn in the open resolvers population. Second, we found that the number of open resolvers in the com/net resolution is persistent over time, with daily intersection ranging from 73% to 82%, and an average intersection (over 7 days) of about 76%. Third, we give each forwarder two scores: a popularity in the open resolvers ecosystem (unique IP addresses in the open resolver survey above), and a popularity score in the com/net resolution system (the number of queries issued by each forwarder). Interesting, we found that both scores are weakly and positively correlated (0.29). Our presentation will also highlight other characteristics of open resolvers, such as geographical distribution, and persistence characterization over a longer period of time between consecutive scans (∼6 months), along with implications.
      Speaker: Duane Wessels (Verisign)
      Slides