OARC 33 (Online)AGM

28 Sept 2020, 12:45 → 29 Sept 2020, 19:00 UTC

Keith Mitchell (DNS-OARC), Shumon Huque (Salesforce)

OARC 33 will be an online Workshop.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC33

Mattermost Chatroom: Workshops on chat.dns-oarc.net (sign-up here)

---

WORKSHOP PATRONS 2020

---

PROMOTER

Annual Workshop Patrons for 2020 are available. Details at:

https://www.dns-oarc.net/workshop/patronage-opportunities

---

OARC 33 SPONSORS

---

Online Workshop Sponsor

Sponsorship opportunities for OARC 33 are available. Details at:

https://www.dns-oarc.net/workshop/sponsorship-opportunities

---

 

AGM2020

• OARC 2019 Financial Statements
• OARC AGM 2019 Minutes
• OARC AGM 2020 Jun-Sep President's Report
• OARC AGM 2020 Proxy Form
• OARC AGM 2020 Software Presentation
• OARC AGM 2020 Software Report
• OARC AGM 2020 Systems Report
• OARC AGM 2020 Treasurer's Report

Monday, 28 September

12:45 → 13:00 Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net

13:00 → 13:45 OARC 33 Day 1: Session 1

13:00 Introduction

Introduction to OARC33

Speaker: Mr Keith Mitchell (DNS-OARC)

Introduction to DNS-OARC

OARC33 Event Information and Welcome

Video

13:15 Measuring DNS Query Name Minimisation

This presentation looks at current work to understand the extent of use of Query Name Minimisation in today's DNS recursive resolver environment. Results from a study perform in mid-2019 are compared with current data to see the current growth rates. The behaviour of the larger Open DNS resolvers and the larger ISP DNS resolvers is also measured.

Speaker: Joao Luis Silva Damas (Bond Internet Systems)

2020-09-28-oarc33-qname-minimisation.pdf

Video

13:30 The Forgotten Side of DNS: Orphan and Abandoned Records

DNS zone administration is a complex task involving manual work and several entities and can therefore result in misconfigurations. Orphan records are one of these misconfigurations, in which a glue record for a delegation that does not exist anymore is forgotten in the zone file. Orphan records are a security hazard to third-party domains that have these records in their delegation, as an attacker may easily hijack such domains by registering the domain associated with the orphan. The goal of this paper is to quantify this misconfiguration, extending previous work by Kalafut et al., by identifying a new type of glue record misconfiguration – which we refer to as abandoned records – and by performing a broader characterization. Our results highlight how the situation has changed, not always for the better, compared to a decade-old study.

Speaker: Raffaele Sommese

OARC33.pdf

OARC33.pptx

Video

13:45 → 14:00 Break

14:00 → 15:00 OARC 33 Day 1: Session 2

14:00 Clouding up the Internet: how centralized is DNS traffic becoming?

Concern has been mounting about Internet centralization over the few last years -- consolidation of traffic/users/infrastructure into the hands of a few market players. We measure DNS and computing centralization by analyzing DNS traffic collected at a DNS root server and two country-code top-level domains (ccTLDs) -- one in Europe and the other in Oceania -- and show evidence of concentration. More than 30\% of all queries to both ccTLDs are sent from 5 large cloud providers. We compare the clouds' resolver infrastructure and highlight a discrepancy in behavior: some cloud providers heavily employ IPv6, DNSSEC, and DNS over TCP, while others simply use unsecured DNS over UDP over IPv4. We show one positive side to centralization: once a cloud provider deploys a security feature -- such as QNAME minimization -- it quickly benefits a large number of users.

Speaker: Wes Hardaker (USC/ISI)

2020-09-28-oarc-centralization-hardaker.pdf

Video

14:30 A Look at the ECS Behavior of DNS Resolvers

Content delivery networks (CDNs) commonly use DNS to map end-users to the best edge servers. A recently proposed EDNS0-Client-Subnet (ECS) extension allows recursive resolvers to include end-user subnet information in DNS queries, so that authoritative DNS servers, especially those belonging to CDNs, could use this information to improve user mapping. In this paper, we study the ECS behavior of ECS-enabled recursive resolvers from the perspectives of the opposite sides of a DNS interaction, the authoritative DNS servers of a major CDN and a busy DNS resolution service. We find a range of erroneous (i.e., deviating from the protocol specification) and detrimental (even if compliant) behaviors that may unnecessarily erode client privacy, reduce the effectiveness of DNS caching, diminish ECS benefits, and in some cases turn ECS from facilitator into an obstacle to authoritative DNS servers’ ability to optimize user-to-edge-server mappings.

This talk will summarize the key findings of the study, as first published in the Internet Measurement Conference, 2019.

Speaker: Dr Kyle Schomp (Akamai)

oarc33.pdf

Video

15:00 → 16:00 Break

includes:
Development AMA Zoom Meeting with Jerry Lundström
and
Ask about OARC chat on our Mattermost chat server hosted by Sue Graves

15:00 → 16:00 Side Rooms: Side Room

15:10 Ask about OARC - Chat on Mattermost

Speaker: Susan Graves (DNS-OARC)

15:10 Development AMA - Zoom Meeting

Welcome to my Ask Me Anything about OARC software development!
- Please remember to mute yourself if you’re not talking
- And don’t forget to unmute yourself if you want to talk!
- You can also ask questions in Zoom chat, @jelu on our Mattermost, or via email to jerry@dns-oarc.net
- I will follow up any unanswered questions if we run out of time

/Jerry

Speaker: Jerry Lundström (DNS-OARC)

16:00 → 16:45 OARC 33 Day 1: Session 3

16:00 DNS Shotgun: realistic DNS resolver benchmarking (also) for stateful transports

In this talk we introduce measurement tool called "DNS Shotgun". DNS Shotgun is a open-source tool for near-real-world benchmarking DNS resolvers. The tool reads a traffic capture with real client query streams. Then, the behavior of clients can be customized - including the choice of DNS-over-UDP/TCP/TLS/HTTPS2 protocols and connection parameters. Finally, the tool replays the original queries over the selected protocols, while keeping a realistic query timing (and cache hit rate). This approach removes problematic step "guess & describe how I believe my clients behave" from the benchmarking process which is required by traditional approaches to benchmarking, and thus gives results closer to reality.

In the end this method allows much better assessment of costs involved in transitioning DNS traffic to stateful protocols and enable better capacity planning based on measurements.

Together with scripts for data analysis the tool enables us to answer complex questions about changes in client behavior, e.g.: Can my DNS resolver system provide reliable and responsive resolution service if 50 % of my clients switch from plain UDP to DoT and reuse connections for 10 seconds since last query?

Through the talk we also describe necessary tuning parameters and scaling problems we encountered.

Speaker: Petr Špaček (CZ.NIC)

shotgun.pdf

Video

16:30 DNS Processing in the Cloud with pcap-choo

This talk will share the status, experience, and lessons learned on CIRA's adventure of moving our DNS packets processing into AWS (project code PcapChoo). The talk with provide a cloud-based alternative to using the common deployments of Hadoop and an on premise distributed file system. The talk will discuss the new methods used through the Pcap-choo system, with specific focus on the cloud technologies used within the AWS infrastructure. We will detail the conversion process we used to swap out data processing platforms, and outline lessons learned and improvements made through the conversion.

Speaker: Mr Bill Belanger (CIRA)

pcap-choo_dns-oarc.pptx

Video

16:45 → 17:00 Break

17:00 → 17:45 OARC 33 Day 1: Session 4

17:00 Our journey to elliptic stuff

AFNIC operates more than 20 TLDs, all of them are signed with RSA/SHA256 2048 bits ZSK/KSK keys.

We have just started to migrate all of them to ECDSACurve P-256 with SHA-256. Beyond rationals to explain that choice and why we decided to do that now, we would like to share our experience with people who are planning to follow a similar path.

We will explain why we had to improve our infrastructure of AEP Keyper HSMs, why we had to change all our key policies (good bye standbye keys) and migrate from OpenDNSSEC 1.4 to 2.1 version. We also had to change the way we compile/use Bind and of course adapt our "home made" applications. Of course we had some issues, found some limitations in tools but at the end we have imroved many things.

Speaker: Vincent Levigneron (AFNIC)

Our Journey to Elliptic stuff OARC33.pdf

Video

17:30 DNS Privacy… there must be an app for that?

This talk will start with a brief review of the range of available DNS privacy clients. It will then focus on current and future options for desktop clients and provide a tour of a new Graphical Interface for the Stubby client designed with the goal of making DNS privacy useable, flexible and secure for non-technical users.

Speaker: Sara Dickinson (Sinodun IT)

OARC33_DNS_Privacy_app.pdf

Video

17:45 → 19:00 BYOD OARC Social Event

Tuesday, 29 September

12:45 → 13:00 Break

13:00 → 13:45 OARC 33 Day 2: Session 1

13:00 pktvisor3: summarizing traffic with sketch algorithms for observability and DDoS mitigation

In most edge networks, especially those with global presence, observability of traffic flow is critical to successful operations. In addition to providing operational metrics to ensure nominal functionality, the ability to divine key information from the flow of traffic - from transport to application layer - can often prove the difference between quickly detecting and mitigating a DDoS attack or not.

But in at-scale networks, challenges abound: often there is a choice between overwhelming real-time, localized information and delayed, over aggregated, centrally collected information. Efficient analysis and collection of deeply inspected, high throughput traffic is hard. And dynamic configuration management for a fleet of global inspectors is equally challenging.

pktvisor3 is a new open source traffic analysis tool designed to address these challenges. Developed by NS1 for their globally anycasted DNS network, it is designed to be used as both a local, on-node traffic analyzer providing up to the second “top” like functionality (including console UI) as well as to be centrally collected, providing a global, near real time view of critical metrics. It makes use of sketch algorithms to efficiently identify top-k heavy hitters, set cardinality, and quantiles of various L3-L7 metrics. Finally, it aims to offer modularity for application level dissection (starting with but not limited to DNS) and provide a control plane for tuning analysis parameters centrally in real time.

The talk will discuss motivation and previous tool iterations, implementation details, current status, limitations, future goals, and real world use cases at NS1.

Speaker: Shannon Weyrick (NS1)

pktvisor3-OARC-sweyrick.pdf

Video

13:30 Neural Networks and Challenges in Detection of Malicious DNS Traffic and DGA malware

Deep learning brings a lot of new possibilities in the detection of previously unknown attacks. However, it could be tricky because of false positives.

We introduce how to get the benefit for your network from the research we performed with the Czech Technical University in Prague [Catania C., García S., Torres P. (2019)] to develop a new approach to identify devices infected by DGA malware. Concurrently, this speech will explain what impact has DGA malware on networks and how to reduce it.

A Domain Generation Algorithm (DGA) is an algorithm to generate domain names in a deterministic but seemly random way. Malware use DGAs to generate the next domain to access the Command Control (C&C) communication server. Given the simplicity of the generation process and speed at which the domains are generated, a fast and accurate detection method is required. Convolutional neural networks (CNN) are well known for performing real-time detection in fields like image and video recognition. Therefore, they seemed suitable for DGA detection.

The resulting CNN model that we implemented, has very simple architecture that can in initial testing detected more than 97% of total DGA domains with a false positive rate close to 0.7%.

References: Catania C., García S., Torres P. (2019) Deep Convolutional Neural Networks for DGA Detection. In: Pesado P., Aciti C. (eds) Computer Science – CACIC 2018. CACIC 2018. Communications in Computer and Information Science, vol 995. Springer, Cham; available at https://link.springer.com/chapter/10.1007%2F978-3-030-20787-8_23

Speaker: Mr Robert Sefr

oarc33-Sefr-dga.pdf

Video

13:45 → 14:00 Break

14:00 → 15:00 OARC 33 Day 2: Session 2

14:00 DNSCrypt - Securing traffic from the stub to the resolver

DNSSEC focuses on authenticating traffic between the resolver and
the nameserver but doesn't address the security of traffic between
the stub and the resolver. It is generally impractical for a stub
to set the DO bit and re-validate DNSSEC signatures because of the
lack of a chain of trust. Determining and validating the chain of
trust from a stub would invalidate the need for a resolver.

DNSCrypt is a mechanism for securing data between the stub and the
resolver. The stub queries through a local DNSCrypt proxy that is
configured with the public key fingerprint of the resolver, encrypting
and authenticating all traffic to/from the resolver. Assuming a
DNSSEC validating resolver, and assuming the application connection
to the DNSCrypt proxy can be trusted, this secures the entire DNS
data path.

This talk looks into how the DNSCrypt proxy works, what the benefits
are and the cost of deploying it in terms of CPU and data overheads.

Speaker: Brian Somers (OpenDNS/Cisco)

dns-oarc-33-presentation-20200929.pdf

dns-oarc-33-presentation-20200929.pptx

Video

14:30 A new traffic capture and visualisation tool for IMRS

The ICANN managed root server system (IMRS) receives around 15 billion queries per day and a new system for traffic capture and visualisation has recently been developed. The traffic capture utilises the C-DNS (Compacted-DNS) format standardised in RFC8618 and uploads this data to a ClickHouse based data storage system. This system is capable of holding both raw C-DNS data and aggregated data (for efficient storage and visualisation). A Grafana front end is used to provide a flexible and fast visualisation of the data. This talk will provide an overview of the underlying architecture, Clickhouse integration and the Grafana front end.

Speaker: Jim Hague (Sinodun)

OARC33_C-DNS.pdf

Video

15:00 → 16:00 Break

16:00 → 16:50 OARC AGM 2020: Session 1

16:00 OARC 2020 AGM Opening

Speaker: George Michaelson (APNIC P/L)

OARC AGM 2020 Voting and Elections Information

16:10 President's Report

Speaker: Mr Keith Mitchell (DNS-OARC)

OARC33-status.pdf

16:30 OARC 2020 Systems Report

Speaker: Matthew Pounsett (DNS-OARC)

OARC 33 Systems Update.pdf

16:40 OARC 2020 Software Report

Speaker: Jerry Lundström (DNS-OARC)

OARC AGM 2020 Software Report Presenttaion

16:50 → 17:00 Break

17:00 → 18:00 OARC AGM 2020: Session 2

17:00 OARC AGM 2020 Voting Information

Speakers: George Michaelson (APNIC P/L), Mr Keith Mitchell (DNS-OARC)

OARC AGM 2020 Voting and Elections Information

17:10 OARC AGM 2020 Treasurer's Report

Speaker: Jacques Latour (CIRA)

OARC 2020 AGM Treasurers report

OARC Financial Statements 2019

17:20 OARC AGM 2020 Resolutions

Speaker: George Michaelson (APNIC P/L)

OARC AGM 2019 Minutes

17:50 OARC 2020 Elections Information

Speaker: Mr Keith Mitchell (DNS-OARC)

Election Candidates and Platforms

OARC AGM 2020 Voting and Elections Information