Keith Mitchell (DNS-OARC), Shumon Huque (Salesforce)

OARC 33 will be an online Workshop.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC33

Mattermost Chatroom: Workshops on chat.dns-oarc.net (sign-up here)




Annual Workshop Patrons for 2020 are available. Details at:




Your company name here?

Sponsorship opportunities for OARC 33 are available. Details at:



  • Ali Hussein
  • Anton Holleman
  • Baula Xu
  • Becca McCary
  • Brantly Millegan
  • Brett Carr
  • Christian Petrasch
  • David Lawrence
  • Denesh Bhabuta
  • Dmitry Kohmanyuk
  • Eduardo Mercader
  • Edward LEWIS
  • Elmar K. Bins
  • Eric Kimathi Mwobobia
  • Geoff Huston
  • Giovane Moura
  • Guillermo Cicileo
  • Han Zhang
  • Henri Laakso
  • Jacques Latour
  • James Richards
  • Jan Včelák
  • Jaromír Talíř
  • Jeff Osborn
  • Jerry Lundström
  • Joe Abley
  • Joey Salazar
  • John Todd
  • Jonas Andersson
  • Jorge Cano
  • Karl Reuss
  • Keith Mitchell
  • Ken Hansen
  • Ken Renard
  • Marc Groeneweg
  • Matthew Pounsett
  • Matthias Pfeifer
  • Mauricio Vergara Ereche
  • Merike Kaeo
  • Michael Jewell
  • Moritz Müller
  • Nicolai Leymann
  • Ondrej Sury
  • Otto Moerbeek
  • Pallavi Aras
  • Paul Adair
  • Paul Ebersman
  • Paul Hoffman
  • Peter Janssen
  • Peter van Dijk
  • Petr Špaček
  • Piet Barber
  • Priya Mohan
  • Ralph Dolmans
  • Ray Bellis
  • Robert Story
  • Roger Murray
  • Roland Dobbins
  • Sam Cheadle
  • Sara Dickinson
  • Shane Kerr
  • Shannon Weyrick
  • Shivan Sahib
  • Shumon Huque
  • Stefan Ubbink
  • Susan Graves
  • Suzanne Woolf
  • Swapneel Patnekar
  • Tomáš Křížek
  • Ulrich Wisser
  • Vladimír Čunát
  • Warren Kumari
  • Wes Hardaker
  • Monday, 28 September
    • 12:30 19:30
      Side Rooms: Side Room
    • 12:30 13:00
      Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net 30m
    • 13:00 13:45
      OARC 33 Day 1: Session 1
      • 13:00
        Introduction 15m

        Introduction to OARC33

        Speaker: Mr. Keith Mitchell (DNS-OARC)
      • 13:15
        Measuring DNS Query Name Minimisation 15m

        This presentation looks at current work to understand the extent of use of Query Name Minimisation in today's DNS recursive resolver environment. Results from a study perform in mid-2019 are compared with current data to see the current growth rates. The behaviour of the larger Open DNS resolvers and the larger ISP DNS resolvers is also measured.

        Speaker: Geoff Huston (APNIC)
      • 13:30
        The Forgotten Side of DNS: Orphan and Abandoned Records 15m

        DNS zone administration is a complex task involving manual work and several entities and can therefore result in misconfigurations. Orphan records are one of these misconfigurations, in which a glue record for a delegation that does not exist anymore is forgotten in the zone file. Orphan records are a security hazard to third-party domains that have these records in their delegation, as an attacker may easily hijack such domains by registering the domain associated with the orphan. The goal of this paper is to quantify this misconfiguration, extending previous work by Kalafut et al., by identifying a new type of glue record misconfiguration – which we refer to as abandoned records – and by performing a broader characterization. Our results highlight how the situation has changed, not always for the better, compared to a decade-old study.

        Speaker: Raffaele Sommese
    • 13:45 14:00
      Break 15m
    • 14:00 15:00
      OARC 33 Day 1: Session 2
      • 14:00
        Clouding up the Internet: how centralized is DNS traffic becoming? 30m

        Concern has been mounting about Internet centralization over the few last years -- consolidation of traffic/users/infrastructure into the hands of a few market players. We measure DNS and computing centralization by analyzing DNS traffic collected at a DNS root server and two country-code top-level domains (ccTLDs) -- one in Europe and the other in Oceania -- and show evidence of concentration. More than 30\% of all queries to both ccTLDs are sent from 5 large cloud providers. We compare the clouds' resolver infrastructure and highlight a discrepancy in behavior: some cloud providers heavily employ IPv6, DNSSEC, and DNS over TCP, while others simply use unsecured DNS over UDP over IPv4. We show one positive side to centralization: once a cloud provider deploys a security feature -- such as QNAME minimization -- it quickly benefits a large number of users.

        Speaker: Wes Hardaker (USC/ISI)
      • 14:30
        A Look at the ECS Behavior of DNS Resolvers 30m

        Content delivery networks (CDNs) commonly use DNS to map end-users to the best edge servers. A recently proposed EDNS0-Client-Subnet (ECS) extension allows recursive resolvers to include end-user subnet information in DNS queries, so that authoritative DNS servers, especially those belonging to CDNs, could use this information to improve user mapping. In this paper, we study the ECS behavior of ECS-enabled recursive resolvers from the perspectives of the opposite sides of a DNS interaction, the authoritative DNS servers of a major CDN and a busy DNS resolution service. We find a range of erroneous (i.e., deviating from the protocol specification) and detrimental (even if compliant) behaviors that may unnecessarily erode client privacy, reduce the effectiveness of DNS caching, diminish ECS benefits, and in some cases turn ECS from facilitator into an obstacle to authoritative DNS servers’ ability to optimize user-to-edge-server mappings.

        This talk will summarize the key findings of the study, as first published in the Internet Measurement Conference, 2019.

        Speaker: Dr. Kyle Schomp (Akamai)
    • 15:00 16:00
      Break 1h
    • 16:00 16:45
      OARC 33 Day 1: Session 3
      • 16:00
        DNS Shotgun: realistic DNS resolver benchmarking (also) for stateful transports 30m

        In this talk we introduce measurement tool called "DNS Shotgun". DNS Shotgun is a open-source tool for near-real-world benchmarking DNS resolvers. The tool reads a traffic capture with real client query streams. Then, the behavior of clients can be customized - including the choice of DNS-over-UDP/TCP/TLS/HTTPS2 protocols and connection parameters. Finally, the tool replays the original queries over the selected protocols, while keeping a realistic query timing (and cache hit rate). This approach removes problematic step "guess & describe how I believe my clients behave" from the benchmarking process which is required by traditional approaches to benchmarking, and thus gives results closer to reality.

        In the end this method allows much better assessment of costs involved in transitioning DNS traffic to stateful protocols and enable better capacity planning based on measurements.

        Together with scripts for data analysis the tool enables us to answer complex questions about changes in client behavior, e.g.: Can my DNS resolver system provide reliable and responsive resolution service if 50 % of my clients switch from plain UDP to DoT and reuse connections for 10 seconds since last query?

        Through the talk we also describe necessary tuning parameters and scaling problems we encountered.

        Speaker: Petr Špaček (CZ.NIC)
      • 16:30
        From PcapChoo to TCPButter 15m

        This talk will share the status, experience, and lessons learned on CIRA's adventure of moving our DNS packets processing into AWS (project code PcapChoo). Furthermore, this talk will go on to explain how a new packet capture replacement system, called “tcpbutter”, an evolution of tcpdump with a set of flexible output routines that can do request/response matching, and direct writing of Parquet files in an Entrada compatible schema at Edge. This will support significantly higher data speeds, resiliency, future XDP offload, resulting in lower latencies and better resource utilization.

        Speakers: Mrs. Tongfeng Zhang (CIRA), Mr. Bill Belanger (CIRA)
    • 16:45 17:00
      Break 15m
    • 17:00 17:45
      OARC 33 Day 1: Session 4
      • 17:00
        Our journey to elliptic stuff 30m

        AFNIC operates more than 20 TLDs, all of them are signed with RSA/SHA256 2048 bits ZSK/KSK keys.

        We have just started to migrate all of them to ECDSACurve P-256 with SHA-256. Beyond rationals to explain that choice and why we decided to do that now, we would like to share our experience with people who are planning to follow a similar path.

        We will explain why we had to improve our infrastructure of AEP Keyper HSMs, why we had to change all our key policies (good bye standbye keys) and migrate from OpenDNSSEC 1.4 to 2.1 version. We also had to change the way we compile/use Bind and of course adapt our "home made" applications. Of course we had some issues, found some limitations in tools but at the end we have imroved many things.

        Speaker: Vincent Levigneron (AFNIC)
      • 17:30
        DNS Privacy… there must be an app for that? 15m

        This talk will start with a brief review of the range of available DNS privacy clients. It will then focus on current and future options for desktop clients and provide a tour of a new Graphical Interface for the Stubby client designed with the goal of making DNS privacy useable, flexible and secure for non-technical users.

        Speaker: Sara Dickinson (Sinodun IT)
    • 17:45 19:30
      BYOD OARC Social Event 1h 45m
  • Tuesday, 29 September
    • 12:30 13:00
      Break 30m
    • 12:30 15:30
      Side Rooms: Side Room
    • 13:00 13:45
      OARC 33 Day 2: Session 1
      • 13:00
        pktvisor3: summarizing traffic with sketch algorithms for observability and DDoS mitigation 30m

        In most edge networks, especially those with global presence, observability of traffic flow is critical to successful operations. In addition to providing operational metrics to ensure nominal functionality, the ability to divine key information from the flow of traffic - from transport to application layer - can often prove the difference between quickly detecting and mitigating a DDoS attack or not.

        But in at-scale networks, challenges abound: often there is a choice between overwhelming real-time, localized information and delayed, over aggregated, centrally collected information. Efficient analysis and collection of deeply inspected, high throughput traffic is hard. And dynamic configuration management for a fleet of global inspectors is equally challenging.

        pktvisor3 is a new open source traffic analysis tool designed to address these challenges. Developed by NS1 for their globally anycasted DNS network, it is designed to be used as both a local, on-node traffic analyzer providing up to the second “top” like functionality (including console UI) as well as to be centrally collected, providing a global, near real time view of critical metrics. It makes use of sketch algorithms to efficiently identify top-k heavy hitters, set cardinality, and quantiles of various L3-L7 metrics. Finally, it aims to offer modularity for application level dissection (starting with but not limited to DNS) and provide a control plane for tuning analysis parameters centrally in real time.

        The talk will discuss motivation and previous tool iterations, implementation details, current status, limitations, future goals, and real world use cases at NS1.

        Speaker: Shannon Weyrick (NS1)
      • 13:30
        Neural Networks and Challenges in Detection of Malicious DNS Traffic and DGA malware 15m

        Deep learning brings a lot of new possibilities in the detection of previously unknown attacks. However, it could be tricky because of false positives.

        We introduce how to get the benefit for your network from the research we performed with the Czech Technical University in Prague [Catania C., García S., Torres P. (2019)] to develop a new approach to identify devices infected by DGA malware. Concurrently, this speech will explain what impact has DGA malware on networks and how to reduce it.

        A Domain Generation Algorithm (DGA) is an algorithm to generate domain names in a deterministic but seemly random way. Malware use DGAs to generate the next domain to access the Command Control (C&C) communication server. Given the simplicity of the generation process and speed at which the domains are generated, a fast and accurate detection method is required. Convolutional neural networks (CNN) are well known for performing real-time detection in fields like image and video recognition. Therefore, they seemed suitable for DGA detection.

        The resulting CNN model that we implemented, has very simple architecture that can in initial testing detected more than 97% of total DGA domains with a false positive rate close to 0.7%.

        *References: Catania C., García S., Torres P. (2019) Deep Convolutional Neural Networks for DGA Detection. In: Pesado P., Aciti C. (eds) Computer Science – CACIC 2018. CACIC 2018. Communications in Computer and Information Science, vol 995. Springer, Cham; available at https://link.springer.com/chapter/10.1007%2F978-3-030-20787-8_23*

        Speaker: Mr. Robert Sefr
    • 13:45 14:00
      Break 15m
    • 14:00 15:00
      OARC 33 Day 2: Session 2
      • 14:00
        DNSCrypt - Securing traffic from the stub to the resolver 30m

        DNSSEC focuses on authenticating traffic between the resolver and
        the nameserver but doesn't address the security of traffic between
        the stub and the resolver. It is generally impractical for a stub
        to set the DO bit and re-validate DNSSEC signatures because of the
        lack of a chain of trust. Determining and validating the chain of
        trust from a stub would invalidate the need for a resolver.

        DNSCrypt is a mechanism for securing data between the stub and the
        resolver. The stub queries through a local DNSCrypt proxy that is
        configured with the public key fingerprint of the resolver, encrypting
        and authenticating all traffic to/from the resolver. Assuming a
        DNSSEC validating resolver, and assuming the application connection
        to the DNSCrypt proxy can be trusted, this secures the entire DNS
        data path.

        This talk looks into how the DNSCrypt proxy works, what the benefits
        are and the cost of deploying it in terms of CPU and data overheads.

        Speaker: Brian Somers (OpenDNS/Cisco)
      • 14:30
        A new traffic capture and visualisation tool for IMRS 30m

        The ICANN managed root server system (IMRS) receives around 15 billion queries per day and a new system for traffic capture and visualisation has recently been developed. The traffic capture utilises the C-DNS (Compacted-DNS) format standardised in RFC8618 and uploads this data to a ClickHouse based data storage system. This system is capable of holding both raw C-DNS data and aggregated data (for efficient storage and visualisation). A Grafana front end is used to provide a flexible and fast visualisation of the data. This talk will provide an overview of the underlying architecture, Clickhouse integration and the Grafana front end.

        Speaker: Jim Hague (Sinodun)
    • 15:00 16:00
      Break 1h
    • 16:00 16:45
      OARC AGM 2020: Session 1
    • 16:45 17:00
      Break 15m
    • 17:00 18:00
      OARC AGM 2020: Session 2
Your browser is out of date!

Update your browser to view this website correctly. Update my browser now