Mr Ondrej Filip (CZ.NIC)
Mr Keith Mitchell (DNS-OARC)
Matthew Pounsett (Rightside)
Roy Arends (Nominet)
This demonstration-based talk will cover various results of Nominet's analytics efforts over the last four years. The talk will discuss various incidents, misconfigurations, bugs, attacks and malware behaviour we have uncovered by visualizing and interacting with DNS data. I’ll go through a few stories: 1) The limitations we had using existing tools, and the requirements we had when...
Duane Wessels (Verisign)
The historical archive of DITL data is analyzed for trends in TCP traffic, answering some of the following questions: are TCP sources representative of UDP sources? Does TCP always follow a UDP TC=1 response? Do TCP and UDP sources have similar query type distributions? Are response sizes increasing over time, leading to more TCP? What do TCP connections indicate regarding latency?
Francisco Arias (ICANN)
Starting August 2014, new gTLDs have been required to insert certain records in their DNS zone to manage name collision risks. This presentation provides a description of the mitigation measures and operational experiences regarding the management of risks related to name collisions in the DNS associated with the introduction of new TLDs.
Bradley Huffaker (CAIDA/UCSD)
I would like to present an analysis of a country level breakdown of the DNS traffic captured by the OARC members on the DITL traces between 2009 and 2014.
Mr Kazunori Fujiwara (Japan Registry Services Co., Ltd)
The presentation reports statistics of 2014 DITL root dataset and differences from previous data. And tries to show popularities of each TLD. The data may show the share of usage of TLDs in each country.
Mr Geoff Huston (APNIC)
The presentation provides some measurements on the incremental cost of signing a domain name. It looks at the profile of additional time taken to resolve a signed name by a dnssec-validating resolver and from the perspective of the authoritative name server quantifies the additional query and traffic load when serving a signed zone as distinct from an unsigned zone. The presentation also...
Mr William Sotomayor (DNS-OARC)
Report from William Sotomayor about the work being done by OARC Technical team since last workshop.
Dr Jonathan Tuliani Tuliani (Microsoft)
A challenge in DNSSEC is that the ‘NSEC3’ records used to assert the non-existence of a given domain name can create a significant computational load on the DNS servers. This document describes an application of a cryptographic technique known as a ‘time-lock puzzle’ to the calculation of NSEC3 records. This provides a means of reducing this load whilst simultaneously increasing the security...
Dr Maciej Korczynski (Delft University of Technology)
In this presentation, we describe security metrics for Top-Level Domains (TLDs) and we measure their operational values using DNS query data and other data sources such as botnet and phishing feeds. They can serve as publicly available signals to different classes intermediaries such as registries, registrars, or hosting providers and can offer the option to benchmark themselves against their...
Liang Zhu (USC/Information Sciences Institute)
As adoption of DNS Security Extensions (DNSSEC) grows, DNS-based Authentication of Named Entities (DANE) provides an alternative to traditional CA-based certificate authentication. The DANE TLSA protocol specification was published in 2012. It's generally unknown to the DNS community how widely DANE TLSA has been deployed and how TLSA records are used. In this talk, we present a survey of...
victoria risk (isc)
In early 2014 a BIND user encountered a problem with some SIP phones, that turned out to be due to the fact that, while compressing zone updates, we were not preserving case-sensitivity. We determined that CamelCasing is allowed, and thus case should be preserved by IETF specification. We then consulted with a number of operating system publishers and agreed on a solution. This brief...
Prof. Sharon Goldberg (Boston University)
DNSSEC is designed to prevent network attackers from tampering with domain name system (DNS) messages. The cryptographic machinery used in DNSSEC, however, also creates a new vulnerability--zone enumeration, where an adversary launches a small number of online DNSSEC queries and then uses offline dictionary attacks to learn which domain names are present or absent in a DNS zone. We propose...
Mr Ralf Weber (Nominum)
DNS DDoS attacks continue, fueled by open DNS proxies. Now they're stressing resolvers and authorities worldwide using pseudo random subdomains. In June of 2014 there was a 400% increase in this traffic and popular domains continue to be targeted. Analysis of recent DNS data reveals other interesting details. For instance, Response Rate Limiting in authorities appears to aggravate attacks. ...
Mr Sandoche Balakrichenan (Afnic)
In Internet of Things (IoT), the "Things" could be anything from refrigerators to human to books. These "things" should be identified at least by one unique way of identification, for the capability of addressing and communicating with each other. This is made possible by attaching/embedding different data carrier devices such as barcodes,RFID, Sensors etc with the 'things'. Sensors, for...
Mr Adrian Beaudin (Nominum)
Column store databases are a newer entry to the big data realm. They handle structured data like DNS queries exceptionally well and work best with minimal data normalization. Queries execute significantly faster than RDBMS technology (~ 100 times faster). This talk will outline the technology at a high level and walk through examples of data loading, compression, and reporting using a freely...
Mats Dufberg (.SE (The Internet Infrastructure Foundation))
Zonemaster is an upcoming tool for controlling DNS zones. It is designed to replace the .SE DNSCheck and the .FR ZoneCheck with better performance, modularity and scalability. One of the design goals is to have explicit test cases for the tool. I.e. exactly what are the requirements of the tested zone that tools should test? What outcomes should return pass and what outcomes should return...
Dr Eberhard Wolfgang Lisse (Namibian Network Information Centre)
Mr Sandoche Balakrichenan (Afnic)
Dr Casey Deccio (Verisign Labs)
DNSViz has been developed as a Web-based tool for analysis, visualization, education, and troubleshooting DNS and DNSSEC. The tool has recently been reworked for extensibility and portability, including a downloadable library and tool suite available via an open source license--and a revamped Web site. We discuss the new features available with DNSViz, future plans, and how to get involved.
Mr Francisco Cifuentes (NIC Chile Research Labs)
The DNS Security Extensions (DNSSEC) add a new layer of security based on public-key infrastructure: each DNS record is digitally signed to verify the authenticity of the answer. However, the introduction of DNSSEC has an impact in the operational workflow of DNS systems: (i) signatures have an expiration date, hence the records must be periodically signed and (ii) key management tasks can be...
Dr Aziz Mohaisen (Verisign Labs)
The Tor project provides individuals with a mechanism of communicating anonymously on the Internet. Furthermore, Tor is capable of providing anonymity to servers, which are configured to receive inbound connections only through Tor (more commonly called hidden services). In order to route requests to these hidden services, a namespace is used to identify the resolution requests to such...
Mr Marx Peter (Los Angeles City Council)
Mr Kumar Ashutosh (Microsoft)
Alex Rousskov (The Measurement Factory)
DNS Rex: Do you need an aggressive benchmarking tool? I would like to present DNS Rex, an open source performance benchmark for DNS servers, with a focus on busy DNS caching resolvers. DNS Rex was created to address several known (and rumored) problems with existing DNS testing tools. Our goals included: * reliable generation of high query rates, * reproducibility of test results, *...