OARC 33 (Online) AGM

Keith Mitchell (DNS-OARC), Shumon Huque (Salesforce)

OARC 33 will be an online Workshop.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC33

Mattermost Chatroom: Workshops on chat.dns-oarc.net




  • Ali Hussein
  • Allison Mankin
  • Anand Buddhdev
  • Andreas Pantelopoulos
  • Anthony Lieuallen
  • Anton Holleman
  • Arsen Stasic
  • Ash Wilson
  • Atanas Argirov
  • Baula Xu
  • Becca McCary
  • Benno Overeinder
  • Bill Belanger
  • Brantly Millegan
  • Brett Carr
  • Brian Dickson
  • Brian King
  • Brian Somers
  • Bryan Hughes
  • Bryan Olynyk
  • Chris Cherry
  • Christian Petrasch
  • Cricket Liu
  • Dan Kriz
  • Daniel Mahoney
  • Daniel Stirnimann
  • Dave Knight
  • David Blacka
  • David Lawrence
  • Denesh Bhabuta
  • Dipa Thakkar
  • Dmitry Kohmanyuk
  • Duane Wessels
  • Eduardo Mercader
  • Edward LEWIS
  • Elmar K. Bins
  • Emil Filipov
  • Eric Kimathi Mwobobia
  • Eric Ziegast
  • Gavin McCullagh
  • Geert Verheyen
  • Geoff Huston
  • George Michaelson
  • Giovane Moura
  • Guillaume-Jean Herbiet
  • Guillermo Cicileo
  • Gustavo Lozano Ibarra
  • Han Zhang
  • Henri Laakso
  • Hiro Hotta
  • Jacques Latour
  • Jake Zack
  • James Richards
  • James Shank
  • Jan Včelák
  • Jarle Fredrik Greipsland
  • Jaromír Talíř
  • Jeff Osborn
  • Jerry Lundström
  • Jim Hague
  • Joao Luis Silva Damas
  • Joe Abley
  • Joey Salazar
  • John Todd
  • Jonas Andersson
  • Jorge Cano
  • Karl Reuss
  • Kazunori Fujiwara
  • Keith Mitchell
  • Ken Hansen
  • Ken Renard
  • Klaus Darilion
  • Kyle Schomp
  • Larry Campbell
  • Leslie Osei
  • Lu Zhao
  • Maarten Bosteels
  • Maarten Wullink
  • Marc Groeneweg
  • Marco Diaz
  • Mark Peterson
  • Mat Ford
  • Matthew Gray
  • Matthew Pounsett
  • Matthias Pfeifer
  • Mauricio Vergara Ereche
  • Merike Kaeo
  • Michael Braunöder
  • Michael De Frees
  • Michael Jewell
  • Milos Milosavljevic
  • Moritz Müller
  • Neda Kianpour
  • Nicolai Leymann
  • Nicolas Antoniello
  • Omokorede Fatile
  • Ondrej Sury
  • Otto Moerbeek
  • Pallavi Aras
  • Paul Adair
  • Paul Ebersman
  • Paul Hoffman
  • Paul Muchene
  • Peter DeVries
  • Peter Janssen
  • Peter van Dijk
  • Petr Špaček
  • Phil Regnauld
  • Piet Barber
  • Pieter Lexis
  • Prashanth Suvarna
  • Priya Mohan
  • Puneet Sood
  • Raffaele Sommese
  • Ralf Weber
  • Ralph Dolmans
  • Ray Bellis
  • Richard Olsen
  • Robert Edmonds
  • Robert Story
  • Robert Šefr
  • Roger Murray
  • Roland Dobbins
  • Sam Cheadle
  • Samuel Weiler
  • Sara Dickinson
  • Shane Kerr
  • Shannon Weyrick
  • Shivan Sahib
  • Shumon Huque
  • Siôn Lloyd
  • Stefan Ubbink
  • Steve DeJong
  • Susan Graves
  • Suzanne Woolf
  • Swapneel Patnekar
  • Terry Bernstein
  • Tim Wicinski
  • Tomáš Křížek
  • Tongfeng Zhang
  • Tyler Stanton
  • Ulrich Wisser
  • Vicky Risk
  • Vincent Levigneron
  • Vittorio Bertola
  • Vladimír Čunát
  • Warren Kumari
  • Wayne MacLaurin
  • Wes Hardaker
  • Willem Toorop
  • Yang Li
  • Ye Chen
  • Zarko Kecic
  • Monday, September 28
    • 12:45 PM
      Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net
    • OARC 33 Day 1: Session 1
      • 1
        Introduction to OARC33

        Speaker: Mr Keith Mitchell (DNS-OARC)
      • 2
        Measuring DNS Query Name Minimisation

        This presentation looks at current work to understand the extent of use of Query Name Minimisation in today's DNS recursive resolver environment. Results from a study performed in mid-2019 are compared with current data to see the current growth rates. The behaviour of the larger Open DNS resolvers and the larger ISP DNS resolvers is also measured.

        Speaker: Joao Luis Silva Damas (Bond Internet Systems)
      • 3
        The Forgotten Side of DNS: Orphan and Abandoned Records

        DNS zone administration is a complex task involving manual work and several entities and can therefore result in misconfigurations. Orphan records are one of these misconfigurations, in which a glue record for a delegation that does not exist anymore is forgotten in the zone file. Orphan records are a security hazard to third-party domains that have these records in their delegation, as an attacker may easily hijack such domains by registering the domain associated with the orphan. The goal of this paper is to quantify this misconfiguration, extending previous work by Kalafut et al., by identifying a new type of glue record misconfiguration – which we refer to as abandoned records – and by performing a broader characterization. Our results highlight how the situation has changed, not always for the better, compared to a decade-old study.

        Speaker: Raffaele Sommese
    • 1:45 PM
    • OARC 33 Day 1: Session 2
      • 4
        Clouding up the Internet: how centralized is DNS traffic becoming?

        Concern has been mounting about Internet centralization over the last few years -- consolidation of traffic/users/infrastructure into the hands of a few market players. We measure DNS and computing centralization by analyzing DNS traffic collected at a DNS root server and two country-code top-level domains (ccTLDs) -- one in Europe and the other in Oceania -- and show evidence of concentration. More than 30% of all queries to both ccTLDs are sent from 5 large cloud providers. We compare the clouds' resolver infrastructure and highlight a discrepancy in behavior: some cloud providers heavily employ IPv6, DNSSEC, and DNS over TCP, while others simply use unsecured DNS over UDP over IPv4. We show one positive side to centralization: once a cloud provider deploys a security feature -- such as QNAME minimization -- it quickly benefits a large number of users.

        Speaker: Wes Hardaker (USC/ISI)
      • 5
        A Look at the ECS Behavior of DNS Resolvers

        Content delivery networks (CDNs) commonly use DNS to map end-users to the best edge servers. A recently proposed EDNS0-Client-Subnet (ECS) extension allows recursive resolvers to include end-user subnet information in DNS queries, so that authoritative DNS servers, especially those belonging to CDNs, could use this information to improve user mapping. In this paper, we study the ECS behavior of ECS-enabled recursive resolvers from the perspectives of the opposite sides of a DNS interaction, the authoritative DNS servers of a major CDN and a busy DNS resolution service. We find a range of erroneous (i.e., deviating from the protocol specification) and detrimental (even if compliant) behaviors that may unnecessarily erode client privacy, reduce the effectiveness of DNS caching, diminish ECS benefits, and in some cases turn ECS from facilitator into an obstacle to authoritative DNS servers’ ability to optimize user-to-edge-server mappings.

        This talk will summarize the key findings of the study, as first published in the Internet Measurement Conference, 2019.

        Speaker: Dr Kyle Schomp (Akamai)
    • 3:00 PM

      Development AMA Zoom Meeting with Jerry Lundström
      Ask about OARC chat on our Mattermost chat server hosted by Sue Graves

    • Side Rooms: Side Room
      • 6
        Ask about OARC - Chat on Mattermost
        Speaker: Susan Graves (DNS-OARC)
      • 7
        Development AMA - Zoom Meeting

        Welcome to my Ask Me Anything about OARC software development!
        - Please remember to mute yourself if you’re not talking
        - And don’t forget to unmute yourself if you want to talk!
        - You can also ask questions in Zoom chat, @jelu on our Mattermost, or via email to jerry@dns-oarc.net
        - I will follow up any unanswered questions if we run out of time


        Speaker: Jerry Lundström (DNS-OARC)
    • OARC 33 Day 1: Session 3
      • 8
        DNS Shotgun: realistic DNS resolver benchmarking (also) for stateful transports

        In this talk we introduce a measurement tool called "DNS Shotgun". DNS Shotgun is an open-source tool for near-real-world benchmarking of DNS resolvers. The tool reads a traffic capture with real client query streams. Then, the behavior of clients can be customized - including the choice of DNS-over-UDP/TCP/TLS/HTTPS2 protocols and connection parameters. Finally, the tool replays the original queries over the selected protocols, while keeping a realistic query timing (and cache hit rate). This approach removes the problematic step "guess & describe how I believe my clients behave" from the benchmarking process, which is required by traditional approaches to benchmarking, and thus gives results closer to reality.

        In the end this method allows much better assessment of the costs involved in transitioning DNS traffic to stateful protocols and enables better capacity planning based on measurements.

        Together with scripts for data analysis the tool enables us to answer complex questions about changes in client behavior, e.g.: Can my DNS resolver system provide reliable and responsive resolution service if 50 % of my clients switch from plain UDP to DoT and reuse connections for 10 seconds since last query?

        Through the talk we also describe necessary tuning parameters and scaling problems we encountered.

        Speaker: Petr Špaček (CZ.NIC)
      • 9
        DNS Processing in the Cloud with pcap-choo

        This talk will share the status, experience, and lessons learned on CIRA's adventure of moving our DNS packet processing into AWS (project code PcapChoo). The talk will provide a cloud-based alternative to using the common deployments of Hadoop and an on-premise distributed file system. The talk will discuss the new methods used through the Pcap-choo system, with specific focus on the cloud technologies used within the AWS infrastructure. We will detail the conversion process we used to swap out data processing platforms, and outline lessons learned and improvements made through the conversion.

        Speaker: Mr Bill Belanger (CIRA)
    • 4:45 PM
    • OARC 33 Day 1: Session 4
      • 10
        Our journey to elliptic stuff

        AFNIC operates more than 20 TLDs, all of them signed with RSA/SHA256 2048 bits ZSK/KSK keys.

        We have just started to migrate all of them to ECDSA Curve P-256 with SHA-256. Beyond the rationales that explain that choice and why we decided to do that now, we would like to share our experience with people who are planning to follow a similar path.

        We will explain why we had to improve our infrastructure of AEP Keyper HSMs, why we had to change all our key policies (goodbye standby keys) and migrate from OpenDNSSEC 1.4 to version 2.1. We also had to change the way we compile/use Bind and of course adapt our "home made" applications. Of course we had some issues and found some limitations in tools, but in the end we have improved many things.

        Speaker: Vincent Levigneron (AFNIC)
      • 11
        DNS Privacy… there must be an app for that?

        This talk will start with a brief review of the range of available DNS privacy clients. It will then focus on current and future options for desktop clients and provide a tour of a new Graphical Interface for the Stubby client designed with the goal of making DNS privacy useable, flexible and secure for non-technical users.

        Speaker: Sara Dickinson (Sinodun IT)
    • 5:45 PM
      BYOD OARC Social Event
  • Tuesday, September 29
    • 12:45 PM
    • OARC 33 Day 2: Session 1
      • 12
        pktvisor3: summarizing traffic with sketch algorithms for observability and DDoS mitigation

        In most edge networks, especially those with global presence, observability of traffic flow is critical to successful operations. In addition to providing operational metrics to ensure nominal functionality, the ability to divine key information from the flow of traffic - from transport to application layer - can often prove the difference between quickly detecting and mitigating a DDoS attack or not.

        But in at-scale networks, challenges abound: often there is a choice between overwhelming real-time, localized information and delayed, over-aggregated, centrally collected information. Efficient analysis and collection of deeply inspected, high throughput traffic is hard. And dynamic configuration management for a fleet of global inspectors is equally challenging.

        pktvisor3 is a new open source traffic analysis tool designed to address these challenges. Developed by NS1 for their globally anycasted DNS network, it is designed to be used both as a local, on-node traffic analyzer providing up-to-the-second “top”-like functionality (including console UI) and as a centrally collected source, providing a global, near real time view of critical metrics. It makes use of sketch algorithms to efficiently identify top-k heavy hitters, set cardinality, and quantiles of various L3-L7 metrics. Finally, it aims to offer modularity for application level dissection (starting with but not limited to DNS) and provide a control plane for tuning analysis parameters centrally in real time.

        The talk will discuss motivation and previous tool iterations, implementation details, current status, limitations, future goals, and real world use cases at NS1.

        Speaker: Shannon Weyrick (NS1)
      • 13
        Neural Networks and Challenges in Detection of Malicious DNS Traffic and DGA malware

        Deep learning brings a lot of new possibilities in the detection of previously unknown attacks. However, it could be tricky because of false positives.

        We introduce how to get the benefit for your network from the research we performed with the Czech Technical University in Prague [Catania C., García S., Torres P. (2019)] to develop a new approach to identify devices infected by DGA malware. Concurrently, this speech will explain what impact DGA malware has on networks and how to reduce it.

        A Domain Generation Algorithm (DGA) is an algorithm to generate domain names in a deterministic but seemingly random way. Malware uses DGAs to generate the next domain to access the Command and Control (C&C) communication server. Given the simplicity of the generation process and the speed at which the domains are generated, a fast and accurate detection method is required. Convolutional neural networks (CNN) are well known for performing real-time detection in fields like image and video recognition. Therefore, they seemed suitable for DGA detection.

        The resulting CNN model that we implemented has a very simple architecture that in initial testing detected more than 97% of total DGA domains with a false positive rate close to 0.7%.

        References: Catania C., García S., Torres P. (2019) Deep Convolutional Neural Networks for DGA Detection. In: Pesado P., Aciti C. (eds) Computer Science – CACIC 2018. CACIC 2018. Communications in Computer and Information Science, vol 995. Springer, Cham; available at https://link.springer.com/chapter/10.1007%2F978-3-030-20787-8_23

        Speaker: Mr Robert Sefr
    • 1:45 PM
    • OARC 33 Day 2: Session 2
      • 14
        DNSCrypt - Securing traffic from the stub to the resolver

        DNSSEC focuses on authenticating traffic between the resolver and
        the nameserver but doesn't address the security of traffic between
        the stub and the resolver. It is generally impractical for a stub
        to set the DO bit and re-validate DNSSEC signatures because of the
        lack of a chain of trust. Determining and validating the chain of
        trust from a stub would invalidate the need for a resolver.

        DNSCrypt is a mechanism for securing data between the stub and the
        resolver. The stub queries through a local DNSCrypt proxy that is
        configured with the public key fingerprint of the resolver, encrypting
        and authenticating all traffic to/from the resolver. Assuming a
        DNSSEC validating resolver, and assuming the application connection
        to the DNSCrypt proxy can be trusted, this secures the entire DNS
        data path.

        This talk looks into how the DNSCrypt proxy works, what the benefits
        are and the cost of deploying it in terms of CPU and data overheads.

        Speaker: Brian Somers (OpenDNS/Cisco)
      • 15
        A new traffic capture and visualisation tool for IMRS

        The ICANN managed root server system (IMRS) receives around 15 billion queries per day and a new system for traffic capture and visualisation has recently been developed. The traffic capture utilises the C-DNS (Compacted-DNS) format standardised in RFC8618 and uploads this data to a ClickHouse based data storage system. This system is capable of holding both raw C-DNS data and aggregated data (for efficient storage and visualisation). A Grafana front end is used to provide a flexible and fast visualisation of the data. This talk will provide an overview of the underlying architecture, ClickHouse integration and the Grafana front end.

        Speaker: Jim Hague (Sinodun)
    • 3:00 PM
    • OARC AGM 2020: Session 1
    • 4:50 PM
    • OARC AGM 2020: Session 2