This presentation measures the change in the behaviour of DNS recursive resolvers in response to DNS Flag Day 2020. The presentation then looks in more detail at the use of the EDNS(0) Buffer Size parameter and the considerations that guide the selection of a threshold for DNS truncation that will shift a DNS transaction to use TCP.
We were concerned about the amount of noise vs signal seen in the decade-old Conficker sinkhole and doubted whether we were using the correct algorithm for generating sinkhole domains. We use 2020 DITL data to confirm one algorithm was more likely to get hits than another.
This is a technical report that cover three things:
- Evaluation of using TCP to measure DNS client latencies to auth servers
- Use of DNS/TCP RTT to engineer anycast, and fix problems such as Anycast Polarization . We use it to improve latency between Google and SIDN's Anycast AS, reducing Google's latency to SIDN from 110ms to 20ms.
- We show anteater, a real-time monitoring...
Large environments and rapid growth create demands on DNS that require a range of approaches to ensure the service is operating reliably. This talk focuses on some of the latest changes in the DNS space at Facebook that are intended to ensure everything "just works".
We take a look at some of the recent efforts by the DNS team at Facebook to keep DNS humming such as:
DNS over HTTPS is a new update to the venerable DNS protocol that provides security and privacy enhancements for Internet users by encrypting the communication channel between the DNS client on a device and the network DNS resolver. Charter launched a public DoH Trial in Q4 of 2020. Charter was also added as a participant in Google Chrome’s DoH experiment based on the SPAU (same provider...
We recently developed the first implementation of DNS-over-QUIC: https://adguard.com/en/blog/dns-over-quic.html
In this talk, I'd like to tell you more about it.
- Why we decided to try DNS-over-QUIC
- Implementation details, choices we made, tech we used
- Comparing DoQ to DoH, DoT and DNSCrypt
- First feedback from our users
Quantum computing is threatening current cryptography, especially the asymmetric algorithms used in many Internet protocols. More secure algorithms, colloquially referred to as Post-Quantum Cryptography (PQC), are under active development. These new algorithms differ significantly from current ones. They can have larger signatures or keys, and often require more computational power. This means...
Per 2020-01-01 in Switzerland it is mandatory to block CSAM on a DNS level as per instructions from the Swiss Federal Police (Fedpol) supported by the new Telecommunications Act .
This thus involves a list of domain names that should be blocked that can be retrieved from a Fedpol server given proper credentials.
Unfortunately this list is in clear text, and, thus any...
In November 2020 we updated the .nu TLD from NSEC3 to NSEC.
This was along anticipated change that we finally managed to get into production.
We will show what we did as preparation, data from the transition and some lessons learned.