OARC 34 (Online)

4 Feb 2021, 15:45 → 5 Feb 2021, 22:00 UTC

Jan Včelák (NS1), Keith Mitchell (DNS-OARC)

OARC 34 will be an online Workshop.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC34

Mattermost Chatroom: Workshops on chat.dns-oarc.net (sign-up here)

---

OARC 34 SPONSORS

---

Online Workshop Sponsor

Sponsorship opportunities for OARC 34 are available. Details at:

https://www.dns-oarc.net/workshop/sponsorship-opportunities

---

 

Thursday, 4 February

15:45 → 16:00 Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net

16:00 → 16:55 OARC 34 Day 1: Session 1

16:00 Welcome

Speaker: Mr Keith Mitchell (DNS-OARC)

Information.odp

Introduction to DNS-OARC

OARC34 Event Information and Welcome

OARC34-intro.odp

16:15 Measuring DNS Flag Day 2020

This presentation measures the change in the behaviour of DNS recursive resolvers in response to DNS Flag Day 2020. The presentation then looks in more detail at the use of the EDNS(0) Buffer Size parameter and the considerations that guide the selection of a threshold for DNS truncation that will shift a DNS transaction to use TCP.

Speaker: Geoff Huston (APNIC)

2021-02-04-dns-flag.pdf

2021-02-04-dns-flag.pptx

16:40 Does the DGA work?

We were concerned about the amount of noise vs signal seen in the decade-old Conficker sinkhole and doubted whether we were using the correct algorithm for generating sinkhole domains. We use 2020 DITL data to confirm one algorithm was more likely to get hits than another.

Speaker: Eric Ziegast (Farsight Seurity, Inc.)

Does-the-DGA-work.pdf

16:55 → 17:10 15 Minutes Break

17:10 → 18:00 OARC 34 Day 1: Session 2

17:10 Old but Gold: Prospecting TCP to Engineer and Real-time Monitor DNS Anycast

This is a technical report that cover three things:

1. Evaluation of using TCP to measure DNS client latencies to auth servers
2. Use of DNS/TCP RTT to engineer anycast, and fix problems such as Anycast Polarization . We use it to improve latency between Google and SIDN's Anycast AS, reducing Google's latency to SIDN from 110ms to 20ms.
3. We show anteater, a real-time monitoring system that evaluates auth servers and clients, and notifies SIDN OPs of latency problems.

All of this is using only passive DNS data , so no extra active measurements are required. And it measures latency from real clients.

Below we show the paper abstract, and include the original paper.

An earlier version of this paper can be found at: https://ant.isi.edu/bib/Moura20a.html

Speaker: Dr Giovane Moura (SIDN Labs/TU Delft)

Moura-DNSRTT-OARC34.pdf

Technical Report

17:35 Making DNS "just work" at Scale

Large environments and rapid growth create demands on DNS that require a range of approaches to ensure the service is operating reliably. This talk focuses on some of the latest changes in the DNS space at Facebook that are intended to ensure everything "just works".

We take a look at some of the recent efforts by the DNS team at Facebook to keep DNS humming such as:

1. Preventing invalid DNS queries from leaking
2. Improving cache hit ratio
3. Stop the sending of iterative queries to root servers
4. Improving DNS response latency by 65%
5. Reducing the memory usage on DNS servers
6. Reducing the propagation time for DNS changes
7. Scaling out the torrent infrastructure and removing the dependency on trackers
   and a discussion on some of the tradeoffs.

Speaker: Patrick Cullen

dns_jw_oarc.pdf

18:00 → 19:00 1 Hour Break

19:00 → 19:50 OARC 34 Day 1: Session 3

19:00 Charter Communications Public DoH Trial - Lessons Learned

DNS over HTTPS is a new update to the venerable DNS protocol that provides security and privacy enhancements for Internet users by encrypting the communication channel between the DNS client on a device and the network DNS resolver. Charter launched a public DoH Trial in Q4 of 2020. Charter was also added as a participant in Google Chrome’s DoH experiment based on the SPAU (same provider auto-upgrade) model with the Chrome 87 deployment. Any Charter Chrome user with Charter’s Do53 public IPv4 or IPv6 server addresses are automatically upgraded to the DoH trial resolvers. This Trial resulted in valuable results that will be useful for other providers of DNS services interested in deploying DoH at scale. This presentation will cover some of the insights learned as part of the Charter DoH Trial including:
· The quest for Load! - 100k QPS and beyond
· Comparison of traffic utilization between DoH and Do53
· Comparison of server resource utilization between DoH and Do53
· DNS provider configuration Best Practices
· Server optimizations for a DoH platform
· Future areas of interest

Speakers: Mr Jason Weil (Charter Communications), Mr Todd Medbury (Charter Communications)

Spectrum DoH_OARC 34v3.pdf

Spectrum DoH_OARC 34v3.pptx

19:25 First experience with DNS-over-QUIC

We recently developed the first implementation of DNS-over-QUIC: https://adguard.com/en/blog/dns-over-quic.html

In this talk, I'd like to tell you more about it.

1. Why we decided to try DNS-over-QUIC
2. Implementation details, choices we made, tech we used
3. Comparing DoQ to DoH, DoT and DNSCrypt
4. First feedback from our users

Speaker: Andrey Meshkov

doq_first_experience.pdf

doq_first_experience.pptx

19:50 → 20:05 15 Minutes break

20:05 → 21:00 OARC 34 Day 1: Session 4

20:05 The Impact of Post-Quantum Cryptography on DNSSEC

Quantum computing is threatening current cryptography, especially the asymmetric algorithms used in many Internet protocols. More secure algorithms, colloquially referred to as Post-Quantum Cryptography (PQC), are under active development. These new algorithms differ significantly from current ones. They can have larger signatures or keys, and often require more computational power. This means we cannot just replace existing algorithms in DNSSEC by PQC alternatives, but need to evaluate if they meet its requirements.

In this presentation we analyze the impact of PQC on the Domain Name System and its Security Extensions. We give an introduction to PQC and then evaluate current candidate PQC signature algorithms in the third round of the NIST competition on their suitability for use in DNSSEC.

Speakers: Moritz Müller (SIDN), Mr Jins de Jong (TNO)

pqc_dnssec_oarc.pdf

pqc_dnssec_oarc.pptx

20:30 Hashed RPZ

Per 2020-01-01 in Switzerland it is mandatory to block CSAM on a DNS level as per instructions from the Swiss Federal Police (Fedpol) supported by the new Telecommunications Act [1][2][3].

This thus involves a list of domain names that should be blocked that can be retrieved from a Fedpol server given proper credentials.

Unfortunately this list is in clear text, and, thus any engineer/administrator that is able to interact with or administer the server thus would normally get access to the list in clear text. Having these domain names on your computer though could already be illegal, if one then accidentally tests the domain, one might be considered to be attempting to access the material...

To avoid any public persecution we thus decided to hash the list so that we can never actually see or have access to the list and our administrators can do maintenance and other routine server maintenance without having to be scared of accidentally getting access to the list.

To solve this we have created Hashed RPZ, a custom hashed variant of the ubiquitous and great RPZ [4] system by Paul Vixie and Vernon Schryver that is already in use around the world for blocking malware and other malicious content.

We will also introduce a new open source DNS recursor system that implements this new scheme along with other needed features to scale the system for a large Swiss ISP, along with the supporting infrastructure, opening the system up for other ISPs to use and protect their employees.

Hashed RPZ can also be used by RPZ list providers to limit exposure of the list as the contents of the list cannot easily be discovered.

[1] https://www.bakom.admin.ch/bakom/de/home/das-bakom/organisation/rechtliche-grundlagen/bundesgesetze/fmg-revision-2017/revision-fmg-verordnungen.html
[2] https://www.fedlex.admin.ch/eli/cc/2007/166/en
[3] https://www.fedlex.admin.ch/eli/cc/1997/2187_2187_2187/de
[4] https://dnsrpz.info

Speaker: Mr Jeroen Massar

DNSOARC34-HashedRPZ-massar.key

DNSOARC34-HashedRPZ-massar.pdf

DNSOARC34-HashedRPZ-massar.pptx

20:45 NSEC3 to NSEC transition of .NU

In November 2020 we updated the .nu TLD from NSEC3 to NSEC.
This was along anticipated change that we finally managed to get into production.
We will show what we did as preparation, data from the transition and some lessons learned.

Speaker: Ulrich Wisser (IIS)

NSEC3-NSEC-DNSOARC-20210204.pdf

21:00 → 22:00 BYOD OARC Social Event

Friday, 5 February

15:45 → 16:00 Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net

16:00 → 16:50 OARC 34 Day 2: Session 1

16:00 Service Bindings: SVCB and HTTPS

Service Bindings are a new family of DNS record types that enable improved security, privacy, and performance for Internet services. By providing an extensible bound collection of endpoint metadata, these new RR types allow clients to learn more about a server before they initiate a connection.

This session will review the technical architecture of the SVCB and HTTPS RR types, their current deployment status, and implications for DNS operators.

Speaker: Benjamin Schwartz (Google LLC)

SVCB_HTTPS_ DNS-OARC 2021.pdf

16:25 Adding stuff to DNS is easy - right?

New DNS record types are not added very often, and if they are in many cases they're highly specialized and not widely used. But this year two new record types (SVCB=64 and HTTPS=65) were introduced and are now used on devices which are widely deployed. For example, all Apple devices with recent software issue an HTTPS query for every lookup they do. This not only has a noticeable impact on the volume of queries seen by resolvers, but reveals in the long tail there are still authoritative servers that aren't ready to handle new resource record types. This can increase load further than anticipated on DNS servers.

This presentation will dig into data and show the evolution of HTTPS requests since Apple released support and look at how authorities respond to HTTPS requests for millions of names. It will also identify and evaluate problematic responses.

Speaker: Ralf Weber (Akamai Technologies)

dns-https-rr-final.pdf

dns-https-rr-final.pptx

16:50 → 17:05 15 Minutes Break

17:05 → 18:00 OARC 34 Day 2: Session 2

17:05 XDPeriments: Tinkering with DNS and XDP

The eXpress Data Path (XDP) is a "hook" in the Linux kernel providing programmability at the lowest layer of the Network Stack (at the device driver layer) and can even be hardware offloaded to programmable devices (e.g. SmartNICs). XDP provides an easy way to perform some parts of DNS handling in the kernel but still have traditional userspace software 'after' that. XDP does not have to replace DNS software in userspace, it can augment it.

XDP programs are well suited for dealing with Denial of Service attacks. Furthermore XDP programs can be put to work on an ad-hoc basis on a running system without interruption. We think using XDP to augment an existing DNS service is an exciting new idea, and a great new tool in the DNS operator's toolbox.

In this presentation we will explore how DNS can benefit from XDP with hands-on examples of directly usable running code. We will show how operators can use XDP programs to deal with Denial of Service attacks and/or otherwise tweak their DNS service behaviour.

Speakers: Willem Toorop (NLnet Labs), Dr Luuk Hendriks (NLnet Labs)

XDPeriments: Tinkering with DNS and XDP

XDPeriments: Tinkering with DNS and XDP

17:30 The state of DNS security records

A small survey of the adoption rates of various security related DNS records ( DNSSEC, SPF, DMARC etc. ). Looking at top 100 companies and DNS infrastructure companies.

Speaker: Robert Mortimer (Nominet)

nominet-oarc-DNS survey-rm-20210202.pdf

nominet-oarc-DNS survey-rm-20210202.pptx

17:45 Not So Popular: A Sample of Domain Names for Typical Web Sites

Many measurements on the DNS are based on collections of "most popular" web sites, such as the Alexa list. Using these lists skew the results of analysis because those sites are often well-managed and available from many locations (such as through CDNs). A different tactic would be to look for collections of more typical web sites. For this study, data is collected from Wikipedia around the world to create a large list of domain names used in web URLs on Wikipedia pages. That data is used to analyze how many of those domain names are protected by DNSSEC, as well as how many have IPv6 addresses.

This presentation explains an efficient method to collect the data from Wikipedia world-wide. Although the resulting data is more typical of names from the web than "most popular" lists, it cannot be considered "typical" of the web for many reasons, which are also discussed.

Speaker: Paul Hoffman (ICANN)

not-so-popular.pdf

not-so-popular.pptx

18:00 → 18:30 30 Minutes Break

18:30 → 19:00 OARC 34 Day 2: Session 3: Members Only Session

18:30 OARC Members Only Session: Vulnerability Disclosure (DDoS)

In this talk, we will disclose to OARC-members only a vulnerability that can be exploited to carry large DoS attacks against authoritative servers. It is not a theoretical threat, although it does not seem to have been yet exploited in full scale — not that we are aware.

We have already notified pertinent parties that are vulnerable to this threat — and they are working to fix it.

In the meantime, we want to notify authoritative server operators of how they can protect themselves. We will release accompanying source code to help in this process.

Speaker: Giovane Moura (SIDN Labs/TU Delft)