OARC 2015 Spring Workshop (Amsterdam)

9 May 2015, 08:30 → 10 May 2015, 18:00 Europe/Amsterdam

Heian I/II (Okura Hotel)

Keith Mitchell (DNS-OARC), Sebastian Castro (.nz Registry Services)

DNS-OARC's Spring 2015 Workshop took place on the 9th and 10th of May, co-located with the RIPE70 meeting at the Hotel Okura in Amsterdam, sponsored by:

Gold and Social Sponsor                               Gold Sponsor
                            

 

   Silver Sponsor                              Bronze Sponsor                                 Contributory Sponsor
                   

DNS-OARC Workshop meetings are open to OARC members and to all other parties interested in DNS operations and research, with RIPE attendees particularly welcome this time around. Attendance is free for OARC Members, Speakers and Sponsors. There are charges for other attendees and late registrations.

The workshop was webcast via Google Hangouts on https://plus.google.com/+DnsoarcNetPlus/, and video of the presentation sessions is available on YouTube as follows:

• Saturday Morning
• Saturday Afternoon
• Sunday Morning
• Sunday Afternoon

If your organization is interested in sponsoring OARC workshops, please see our Sponsor Benefits or e-mail sponsor@dns-oarc.net for more information.

Please see the RIPE70 Meeting Site for further venue, and travel details.

Draft 2014 Accounts OARC DRAFT Audited 2014 Financial Statements

Hotel Booking Forms Hotel Mercure (Amsterdam City) Booking Form

Saturday, 9 May

08:30 Setup

Room not available

10:00 Welcome Coffee

Members Session

1 Welcoming Remarks

Speakers: Mr Jelte Jansen (SIDN), Mr Keith Mitchell (DNS-OARC), Mr Ondrej Filip (CZ.NIC)

Slides OARC-Spring2015-Amsterdam-SIDN-Intro.pdf

2 10 years of OARC

This is a retrospective talk to cover how DNS-OARC has evolved in the past decade.

Speaker: Mr Keith Mitchell (DNS-OARC)

Slides OARC-10years.pdf

3 OARC President Update

Report from Keith Mitchell, OARC's President, about the state of OARC.

Speaker: Mr Keith Mitchell (DNS-OARC)

Slides OARC-status-15_05.pdf

4 OARC Systems/Projects Update

An overview of OARC systems, services & projects and their status.

Speakers: Ms Dalini Khemlani (DNS-OARC), Mr William Sotomayor (DNS-OARC)

Slides projects systems

5 "Yes means HET" - traffic increase by protocol mismatch

It is common wisdom that DNS server implementations must not respond to responses to prevent a denial of service by spoofed traffic injection. We will share an observation of a system that accidentally turned responses into new requests, generating a "loop" that might go unnoticed.

Speaker: Mr Peter Koch (DENIC eG)

Slides Member-only presentation Koch_DENIC_YesMeansHET_OARC2015.pdf (Protected)

12:15 Lunch

6 A countermeasure of random subdomain attacks (Aggressive negative caching with NSEC)

Random sub-domain attacks (also called as "Water Torture" attacks) send many non-existent queries to full resolvers. Negative cache does not work well because query names vary. However, NSEC resource records contain non-existent name ranges. Aggressive negative caching using NSEC resource records may be a countermeasure of random sub-domain attacks for signed domains. The presentation will explain a proposal of a protocol change, attack tool, a patch to Unbound, and an experiment result. It also decrease non-existent TLD queries to root DNS servers. (about 20 minutes without questions)

Speaker: Mr Kazunori Fujiwara (Japan Registry Services Co., Ltd)

Slides fujiwara-12.pdf

7 Caching of Negative DNS records

Negative caching is a functionality within DNS that is being described in RFC 2308. Negative caching follows the same basic idea and principles as positive caching. That is that a record, or lack thereof, should be allowed to be cached by a recursive resolver and used for consecutive queries for the same QNAME and QCLASS. Since a negative response does not carry any record that can be used to indicate the TTL, the SOA record should be returned for said response. The benefit of negative caching is that a zone operator can limit the number of queries for a nonexistent record. For example if IPv6 is not enabled for a host it make sense to negatively cache the lack of AAAA records. The drawback of negative caching is that records that accidentally are removed from DNS takes longer to get back into a working state. This drawback is worsen by the fact that there is no easy way of doing an Internet wide cache flush. As such the zone operator must carefully dial in the Negative cache settings in their zones to achieve desired tradeoff between a long or short negative caching. Simplified speaking, RFC 2308 clarifies and defines that the Minimum TTL field in the SOA record is the TTL that should be used for negative responses. This field should then be copied to the SOA TTL field by the Authoritative server. However, in reality, it turns out that there are plenty of issues with how the returned SOA record for negative responses is interpreted by various brands of DNS software. A simple test for a non-existing record (asddas7754dadas.google.com) in the Alexa top 1 ranked google.com generates 3 different results depending on what recursive software is being used: Windows DNS: google.com. 300 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300 ISC Bind: google.com. 60 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300 Unbound (cold start): google.com. 600 IN SOA ns1.google.com. dns-admin.google.com. 86056494 7200 1800 1209600 300 This paper and presentation will shed some light into how various DNS systems interpret RFC 2308. We will try to answer the question on how long you can expect a negative record to be cached on the internet. The outcome of this talk is that domain owners can make an informative decision on what values to use for negative Caching. Additionally, operators of recursive servers will get some guidance into how to properly configure their negative caching settings on their end.

Speaker: Mr Stephan Lagerholm (Microsoft)

Slides stlagerh@microsoft.com

8 Query name minimization and authoritative server behavior

This talk will provide an overview of DNS query name minimization algorithms (an approach to DNS privacy), and discuss the behavior of some authoritative DNS servers in the presence of a resolver that performs qname minimization. I'll provide a survey of results of the Alexa top 1000 domains, and discuss some observed defective behavior of a few CDNs and DNS hosting providers that will need to be addressed before these new resolution algorithms can be used widely.

Speaker: Mr Shumon Huque (Research Scientist)

Slides Query Name Minimization and Authoritative Server Behavior

15:30 Afternoon Coffee Break

9 Hedgehog and DNS Monitoring

[Hedgehog][http://dns-stats.org/] is a replacement front-end for DSC datasets. In this talk we will present the latest version of Hedgehog and our future plans for its development. Future enhancements may include new graphs, visualization of anycast nodes and the origin of their queries and statistical analysis ideas. There will also be a discussion of requirements for a new DNS data collector, the "on node" data storage and preprocessing, the control of the data collector and a more efficient upload system. We hope this will be an opportunity for the wider community to provide input into the requirements and design.

Speaker: Mr John Dickinson (Sinodun)

Slides Hedgehog_OARC.pdf

10 Dealing with large DNS packet floods

DDoS attacks against DNS providers have been on the increase over the last few years. They have been growing in size and complexity, taking many prominent DNS providers offline. Today these attacks are a major concern to anyone running DNS servers. Operators are in a continual arms race against attackers. CloudFlare, one of the largest authoritative non-TLD providers, has had to learn the hard way how to deal with these attacks. We have learned how to keep our network operational, even with packet floods in excess of 200Gbps. In this talk, we'll explain what DNS packet floods look like and we'll share the details of our mitigation pipeline. In order to deflect the attacks we have developed some unique techniques that are not fully RFC compliant, but in an arms race operational realities win over protocol purity. Keywords: kernel bypass, sflow, flowspec, bpf

Speaker: Mr Marek Majkowski (CloudFlare)

Slides dealing-with-dns-packet-floods.pdf

11 Everyday attacks against Verisign-operated DNS infrastructure

Verisign operates two root servers (A.root-servers.net, J.root-servers.net), the authoritative name servers for .com, .net, .edu and many other ccTLD and gTLDs. Alongside those TLD name services, Verisign offers a managed DNS service and DDoS attack mitigation platform for many big-name companies. Over the years, Verisign's infrastructure has been targeted for various volumetric attacks, and Verisign has adapted to these threats. Verisign employs many proactive and reactive strategies to combat such attacks. This presentation will show the means and methods for detecting and responding to these threats, including several real-world examples of attack traffic against Verisign infrastructure. We also will discuss current technologies and solutions for handling attack traffic, including large-scale infrastructure, custom name server and load balancer software, and dynamic resource allocation. We will also cover future plans including infrastructure upgrades, software enhancements, further anycast deployment, and more.

Speakers: Mr Matt Weinberg (Verisign), Mr Piet Barber (Verisign)

Slides OARC_Everyday_Attacks_final.pdf

12 Drilling down into DNS DDoS Data

Drawing upon high resolution worldwide resolver data this presentation will cover changes in attack vectors, intensity, duration and domains targeted. In mid march yet another twist on the attacks appeared - hybrid queries using randomized labels querying for names that amplify. This has numerous implications and tests of mitigation techniques will also be presented, comparing and contrasting alternatives.

Speaker: Mr Ralf Weber (Nominum Inc)

Slides DNS_OARC_May_2015_050515-RW-BVN-consolidated.pptx

19:00 Social Event

http://www.cccafe.nl/
Please bring your name badges.

Sunday, 10 May

08:30 Welcome Coffee

13 Observations on DNSSEC and ECDSA in the wild

This is a followup to a previous presentation to DNS OARC on the use of ECC as a digital signature algorithm. We report on the findings of a large scale field test of presentation of a DNS name signed using ECDSA, looking at the level of support in resolvers for DNSSEC validation and the behaviour when given a badly signed name.

Speaker: Mr Geoff Huston (APNIC)

Slides 2015-05-10-ecc.pdf

14 Effects of Increasing the Root Zone ZSK Size

The effects of increasing the root zone KSK size are studied by replaying trace data from a.root-servers.net to different name server processes with different ZSK (and KSK) parameters. This work explores how differing key sizes might affect root server operations in terms of (a) percent of UDP responses with TC bit set; (b) the distribution of response sizes over both UDP and TCP; (c) the amount of fragmented UDP responses; and (d) traffic volume (bandwidth). We consider both normal operations and key rollover scenarios.

Speaker: Duane Wessels (Verisign)

Slides root-zone-zsk-size.pdf

15 Signing DNSSEC answers on the fly at the edge: challenges and solutions!

CloudFlare operates a DNS servers in a non traditional way: there are no zone files and answers can be assembled from multiple sources on the fly. This prevented us from using existing DNSSEC tools. In order to provide a reliable and scalable solution that is friendly to the Internet we started questioning every assumption ever made on DNSSEC deployment. The resulting design will hopefully be a roadmap for others to follow when implementing on-line DNS signing systems. The areas where we needed to focus include algorithm selection, negative answers, key distribution for large number of domains and rate limiting of signatures generated. In order to make sure our signatures would be validated we reached out the number of parties to upgrade their systems to support ECDSA algorithm. We have done extensive testing with available online resources and volunteers. Some of our design choices "stretch" protocol compliance and we will highlight those.

Speakers: Mr Filippo Valsorda (CloudFlare Inc.), Mr Ólafur Guðmundsson (CloudFlare Inc.)

Slides DNSSEC_live_signing_at_scale.key DNSSEC_live_signing_at_scale.pdf

10:30 Morning Coffee Break

16 A Day in the Life of a DNS Resolver

Analysis of high resolution DNS data reveals intricate patterns. This presentation offers visualizations of 24 hours of query data for provider resolvers across time, type, TLDs, and names for both legitimate and malicious traffic. Drill downs into threat details – such as bot, DDoS, and malware will be presented. Other query data will also be evaluated and displayed.

Speaker: Mr Bruce Van Nice (Nominum)

Slides A_Day_in_the_Life_of_a_DNS_Resolver_051115.pdf

17 Dissection and observation of traffic at a residential ISP

Dissection and observation of traffic at a residential ISP We analyse the DNS traffic from residential and SOHO customers of a en eye-balls ISP over a 24h period. We will describe the observed query patterns, correlating to different types of usage such as CDNs and popular sites using DNS to manage their traffic engineering and different observed uses of DNS describing what are the actual, in-the-field, observed common practices and how that impacts resolver traffic. We hope this will provide hard data that people can use to validate or dispel urban legends about actual DNS traffic at DNS resolvers, as opposed to authoritative DNS servers.

Speaker: Mr Joao Luis Silva Damas (Bond Internet Systems)

Slides Recursive_DNS_study.pdf

18 Update on experimental BIND features to rate-limit recursive queries

Unusual DNS query patterns have been the focus of many recent talks that have examined the sources, targets and intent of this traffic, as well as the impact seen by authoritative servers and resolvers alike. Over the past year ISC has been trialling experimental recursive client rate limiting techniques in BIND to limit impact of this unwanted traffic on both servers and DNS clients. This talk recaps some of the problems that can be encountered and then reviews of the effectiveness of the experimental techniques, including results from live production environments.

Speaker: Ms Cathy Almond (Internet Systems Consortium)

Slides Update_on_BIND_Recursive_Client_Rate_Limiting.pdf

19 The iDNS attack (resolver loop)

ANSSI identified that several popular DNS resolver implementations could be led into following a large number of delegations. By doing so, these resolvers could inflict a denial of service either of the resolver itself by excessive resource consumption or its hosting network by flooding it with packets. Vulnerable implementations can also be enticed into sending to a victim ten times the number of packets sent by the attacker to the resolver, thus performing a distributed denial of service attack with packet amplification. This presentation covers the exploitation methodology for both kind of attacks, and presents ANSSI's disclosure plan, the mitigation strategies implemented by the various vendors and some workarounds when denial of service is caused by an overwhelmed Linux-based firewall.

Speaker: Mr Florian Maury (ANSSI/FNISA)

Slides slides.pdf

12:30 Lunch

20 PGP Signing session

Speaker: Matthew Pounsett (Rightside)

notes GPG Keyring

21 Zonemaster - do we need another DNS testing tool?

Testing DNS delegations has a long history. Some TLD registries used to do pre-delegation testing before delegating a new or reconfigured domain, some do testing for statistics, but most people do it to find errors in their DNS configuration. Zonemaster is a new tool created by .SE and AFNIC, and builds on our previous experience on working with DNS delegation checking tools such as DNSCheck and Zonecheck. Zonemaster was built on the requirement that it should implement all test cases and functionality from both DNSCheck and Zonecheck combined. All the requirements were collected and then made into specifications for the new tool. The most important specifications are the test cases, what Zonemaster is testing and how. The test specifications are built on our previous experience of maintaining DNSCheck and Zonecheck, the test specifications rely on RFCs, RIPE BCP documents and the IANA registry. The test specifications will further be refined by the new TRTF working group within CENTR, and later on bring their work to the IETF. The result of this work will hopefully be a DNS delegation BCP document. This talk will focus on the collaborative work, presenting the released Zonemaster software and its tools, the specifications and further work.

Speaker: Mr Patrik Wallström (.SE)

Slides Zonemaster_DNS-OARC_2015-05.key.zip Zonemaster_DNS-OARC_2015-05.pdf

22 Plan for Decommissioning the DLV

ISC has been operating the DNSSEC Look-aside validation registry for several years now. DLV allows a DNSSEC domain to validate before its parent is DNSSEC signed. We believe that the time has come to wean people off of this transition mechanism, and back onto using the chain of trust to the root.

Speaker: Mr Jim Martin (ISC)

Slides DNS-OARC_DLV_timeline_20150510.pdf DNS-OARC_DLV_timeline_20150510.pptx

23 ANSSI DNS guidelines

ANSSI published in May 2014 a document written in French, which lists a set of best current practices to improve the resiliency of the DNS. This document target audience is the French administration, the French companies and the general public. The guidelines cover the organizational, juridical and technical aspects that a domain name holder should consider when choosing a domain name and the various DNS service providers that could be part of the domain name operations. This presentation will list ANSSI's recommendations, and will try and prompt the public for inputs in order to determine if the DNS community thinks this document ought to be translated in a more vehicular language.

Speaker: Mr Florian Maury (ANSSI/FNISA)

Slides slides.pdf

24 Popularity ranking for domains based on DNS traffic

This will be a lightning talk to present a technique from text mining applied to DNS traffic. By using the TF-IDF method, it's possible to identify which domain names are more relevant to a set of IP addresses, and comparing a large volume of DNS traffic can provide insights of general domain name behaviour. This is a PoC, and there will be visualizations.

Speaker: Mr Sebastian Castro (.nz Registry Services)

Slides PDF Version Powerpoint

25 Real time analytics applied to DNS traffic traces

DNS stream analysis is an appropriate environment to work with real time analytics due to the extremely large amount of queries that needs to be processed per second. There are some tools used to analyze DNS traffic, such as DSC, DSCng or Bumblebee, but they focus in statistical analysis, mainly providing visualization of data aggregations. We will show our system design for a filtering and grouping tool based on the Apache Storm streaming framework, in order to analyze a live stream of DNS packets received by a cloud of DNS servers, and some basics results from testing our prototype analyzing the traces recorded at DITL. By developing this Storm based tool we also aim to help DNS Admins to monitor some general statistics of their servers as the other tools do, such as the historical percentages of query types, query volume or alternative metrics like current state of load balancing between servers. Another goal we have is to analyze the historical data of the specific DNS traffic to determine what is the normal behavior of the statistics mentioned above.

Speaker: Mr Francisco Cifuentes (NIC Chile Research Labs)

Slides RealtimeanalyticsDNS.pdf

15:20 Afternoon Coffee Break

26 dnsdist - DNS, latency and DoS-aware load balancing

Recently, DNS systems have been under sustained attack via open relays or dedicated sources of malicious traffic. Simultaneously, many operators note poor support for DNS within their existing load balancing solutions. It has been noted that load balancing DNS is not like load balancing HTTP. For example, one highly loaded server delivers better response times than 10 lightly loaded servers. dnsdist offers realtime insight into DNS traffic patterns, and couples this with innovative blocking, modifying and query distribution strategies. Such strategies can either be implemented statically (but configured from Lua) or fully dynamically (entirely hosted by Lua). dnsdist is open source and not PowerDNS specific.

Speaker: Mr bert hubert (PowerDNS)

Slides Presentation with notes dnsdist presentation without notes

27 RSSAC-002: OARC's efforts and Analysis

An overview of RSSAC-002 metrics and OARC's efforts to collect them from various root server operators. Also include a preliminary analysis of the content.

Speaker: Mr William Sotomayor (DNS-OARC)

Slides 201505_RSSAC-002.pdf

28 AS112 Operations and Surveys

This presentation is an overview of current AS112 happenings as well as the latest survey of detected AS112 nodes with a focus on research networks and AS112.

Speaker: Mr William Sotomayor (DNS-OARC)

Slides dalini

29 Increase of Root and JP queries

It's said that the load to DNS is still increasing and queries to root and TLD DNS servers are still increasing. However, there is no materlal which indicates the increase of queries to root and TLD DNS servers. This presentation tries to show the increase of root and JP TLD DNS server queries and appeales evidence gathering about the increase of queries to DNS servers. (about 10 minutes without question)

Speaker: Mr Kazunori Fujiwara (Japan Registry Services Co., Ltd)

Slides fujiwara-21.pdf fujiwara-22.pdf

30 Update on the DNS Root Key Rollover work

Ed Lewis from ICANN will be presenting about the status of the work led by ICANN to execute a Root Zone KSK rollover. There will be space for discussion and feedback.

Speaker: Mr Edward LEWIS (ICANN)

Slides DNSOARCRIPE70slides-submission.pptx DNSOARCRIPE70slides-submission.pptx.pdf