This presentation looks at current work to understand the extent of use of Query Name Minimisation in today's DNS recursive resolver environment. Results from a study performed in mid-2019 are compared with current data to see the current growth rates. The behaviour of the larger Open DNS resolvers and the larger ISP DNS resolvers is also measured.
DNS zone administration is a complex task involving manual work and several entities and can therefore result in misconfigurations. Orphan records are one of these misconfigurations, in which a glue record for a delegation that does not exist anymore is forgotten in the zone file. Orphan records are a security hazard to third-party domains that have these records in their delegation, as an...
Concern has been mounting about Internet centralization over the last few years -- consolidation of traffic/users/infrastructure into the hands of a few market players. We measure DNS and computing centralization by analyzing DNS traffic collected at a DNS root server and two country-code top-level domains (ccTLDs) -- one in Europe and the other in Oceania -- and show evidence of...
Content delivery networks (CDNs) commonly use DNS to map end-users to the best edge servers. A recently proposed EDNS0-Client-Subnet (ECS) extension allows recursive resolvers to include end-user subnet information in DNS queries, so that authoritative DNS servers, especially those belonging to CDNs, could use this information to improve user mapping. In this paper, we study the ECS behavior...
In this talk we introduce a measurement tool called "DNS Shotgun". DNS Shotgun is an open-source tool for near-real-world benchmarking of DNS resolvers. The tool reads a traffic capture with real client query streams. Then, the behavior of clients can be customized - including the choice of DNS-over-UDP/TCP/TLS/HTTPS2 protocols and connection parameters. Finally, the tool replays the original...
This talk will share the status, experience, and lessons learned on CIRA's adventure of moving our DNS packet processing into AWS (project code PcapChoo). The talk will provide a cloud-based alternative to the common deployments of Hadoop and an on-premise distributed file system. The talk will discuss the new methods used through the Pcap-choo system, with specific focus on the cloud...
AFNIC operates more than 20 TLDs, all of which are signed with 2048-bit RSA/SHA-256 ZSK/KSK keys.
We have just started to migrate all of them to ECDSA Curve P-256 with SHA-256. Beyond the rationale for that choice and why we decided to do it now, we would like to share our experience with people who are planning to follow a similar path.
We will explain why we had to improve our...
This talk will start with a brief review of the range of available DNS privacy clients. It will then focus on current and future options for desktop clients and provide a tour of a new graphical interface for the Stubby client, designed with the goal of making DNS privacy usable, flexible and secure for non-technical users.