OARC 35 (Online)

6 May 2021, 00:45 → 7 May 2021, 09:05 UTC

Jan Včelák (NS1), Keith Mitchell (DNS-OARC), Manu Bretelle (Facebook), Pallavi Aras (Salesforce), Willem Toorop (NLnet Labs)

OARC 35 will be an online Workshop.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC35

Mattermost Chatroom: Workshops on chat.dns-oarc.net (sign-up here)

---

WORKSHOP SPONSORS

---

 

Sponsorship opportunities for OARC 35 are available. Details at:

https://www.dns-oarc.net/workshop/sponsorship-opportunities

---

OARC PATRONS 2021

---

 

Your company name here?

Annual Workshop Patrons for 2021 are available. Details at:

https://www.dns-oarc.net/workshop/patronage-opportunities

 

---

 

Thursday, 6 May

00:45 → 01:00 Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net

01:00 → 01:45 OARC 35 Day 1: Session 1

01:00 Welcome

Introduction to DNS-OARC

Speaker: Mr Keith Mitchell (DNS-OARC)

Information.odp

Introduction to DNS-OARC

OARC35 Event Information and Welcome

OARC35-intro.odp

01:15 On The Crucial Need for DITL Meta-Data

As a researcher, the DITL collection is a fantastic resource. I appreciate all the hard work. That said, as I have used or tried to use the data over the years I have been bit by the lack of meta-data. I would encourage folks to document a few simple things as the data is collected.

Speaker: Mark Allman (ICSI)

meta-data-oarc.key

meta-data-oarc.pdf

01:30 A Better Do-Not-Probe List

Summary

For many years, OARC has been operating a Do Not Probe list, which is an advisory for researchers about network operators who would prefer not to be research subjects. For the last few years, OARC has been looking for someone with the resources to improve the way the list operates to take it over; in the coming months it will be taken over by Nimbus Operations (an OARC Supporter organization).

The presentation has two goals:

1. give researchers a heads up about the list moving
2. request feedback about proposed changes from researchers who use the list, and operators who may want to list their networks

Speaker: Matthew Pounsett (Nimbus)

A Better Do Not Probe list.pdf

01:45 → 02:00 15 Minutes Break

02:00 → 03:05 OARC 35 Day 1: Session 2

02:00 Trufflehunter: Cache Snooping Rare Domains at Large Public DNS Resolvers

DNS cache snooping on small, misconfigured, open DNS resolvers is considered a privacy threat, because users can be easily deanonymized. However, the large number of users of public DNS resolvers, such as Google Public DNS, allows cache snooping to be used as a privacy-preserving measurement tool instead. The growing footprint of such public resolvers presents an opportunity to observe rare domain usage, while preserving the privacy of the users accessing them. However, the complexity of large public resolvers raises challenges as well as opportunities. In this work, we present Trufflehunter, a DNS cache snooping tool for estimating the prevalence of rare and sensitive Internet applications. Trufflehunter models the complex behavior of large multi-layer distributed caching infrastructures. In particular, using controlled experiments, we have inferred the caching strategies of the four most popular public DNS resolvers (Google Public DNS, Cloudflare DNS, OpenDNS and Quad9). Using a controlled testbed, we evaluated how accurately Trufflehunter can estimate domain name usage across the U.S. By applying this technique in the wild, we provided a lower-bound estimate of the popularity of several rare and sensitive applications (most notably smartphone stalkerware) which are otherwise challenging to survey.

Speaker: Audrey Randall (University of California San Diego)

Trufflehunter_OARC_20mins.pptx

02:25 A Peek Into the DNS Cookie Jar: An Analysis of DNS Cookie Use

The Domain Name System (DNS) has been frequently abused for Distributed Denial of Service (DDoS) attacks and cache poisoning because it relies on the User Datagram Protocol (UDP). Since UDP is connection-less, it is trivial for an attacker to spoof the source of a DNS query or response. DNS Cookies, a protocol standardized in 2016, add pseudo-random values to DNS packets to provide identity management and prevent spoofing attacks. In this paper, we present the first study measuring the deployment of DNS Cookies in nearly all aspects of the DNS architecture. We also provide an analysis of the current benefits of DNS Cookies and the next steps for stricter deployment. Our findings show that cookie use is limited to less than 30% of servers and 10% of recursive clients. We also find several configuration issues that could lead to substantial problems if cookies were strictly required. Overall, DNS Cookies provide limited benefit in a majority of situations, and, given current deployment, do not prevent DDoS or cache poisoning attacks.

Speaker: Casey Deccio (Brigham Young University)

2021-05-06-dns-cookies-oarc.pdf

2021-05-06-dns-cookies-oarc.pptx

02:45 Machine Learning Router Hostname Patterns

I have been working on open source software (Hoiho) that automatically learns regular expressions that extract features from router hostnames. The general idea is to use a training set with labels inferred using heuristic algorithms, and then learn regular expressions that extract information congruent with those labels. Currently, the software extracts "router names" (portions of a hostname that are in common across all interfaces on a router and unique to that router) and "autonomous system numbers" (portions of a hostname that identify the ASN that operates the router). I have work ongoing to extract geolocation and AS name annotations, and beyond this there might be ideas in the DNS-OARC community on how to apply the idea to other types of hostnames.

Speaker: Matthew Luckie (University of Waikato)

oarc-rnc.key

oarc-rnc.pdf

02:55 Evaluation of anti-DDoS features in full-service resolvers

We conducted an experiment of anti‐DDoS functionalities implemented in full‐service resolver implementations with Japanese domestic ISPs.
This presentation shows the results and some findings.

Speaker: Yoshitaka Aharen (Japan Registry Services Co., Ltd.)

evaluation of anti-DDoS features 1.pdf

evaluation of anti-DDoS features 1.pptx

03:05 → 04:30 85 Minutes Break

04:30 → 05:20 OARC 35 Day 1: Session 3

04:30 Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS

The Internet’s Domain Name System (DNS) responds to client hostname queries with corresponding IP addresses and records. Traditional DNS is unencrypted and leaks user information to on-lookers. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting DNS messages from third parties. However, the small number of available public large-scale DoT and DoH resolvers has reinforced DNS privacy concerns, specifically that DNS operators could use query contents and client IP addresses to link activities with identities. Oblivious DNS over HTTPS (ODoH) safeguards against these problems. In this talk we present the implementation, measurement, and deployment of interoperable instantiations of the protocol, construct a corresponding formal model and analysis, and evaluate the protocol’s performance with wide-scale measurements. Results suggest that ODoH is a practical privacy-enhancing replacement for DNS.

Speaker: Sudheesh Singanamalla (Cloudflare Inc / University of Washington)

Oblivious DNS over HTTPS

Oblivious DNS over HTTPS - OARC.pdf

04:50 Keep my privacy: DNS over HTTPS over CGN or public NAT64

DNS over HTTPS (doh) is useful for protecting DNS query information
from wire tapping on the route. However, DoH providers need query
information for name resolution and client IP addresses for
communication. Then, DoH providers know all the users' privacy
information as in the case of traditional DNS. To protect clients'
privacy, this presentation proposes to hide query source IP addresses
from DoH providers by using Carrier Grade NAT (CGN), open NAT64, IPv6
transition technology and open HTTP(S) proxies.

Speaker: Kazunori Fujiwara (Japan Registry Services Co., Ltd)

doh-202105060305.pdf

05:05 Public Disclosure DNS vulnerability

During OARC34, we disclosed privately a vulnerability affecting DNS servers that could be exploited for DDoS.

Now it is time to do a public disclosure AND provide an update on what has happened since them.

We have seen a lot of community engagement through:

• Improving our detection software
• Fixing Bugs

We will also include an updated version of our technical report.

Speaker: Dr Giovane Moura (SIDN Labs/TU Delft)

tsuname-slides-oarc35.pdf

05:20 → 05:40 20 Minutes break

05:40 → 06:35 OARC 35 Day 1: Session 4

05:40 30 years of operating a root name server - challenges now and then

The root name servers, identified by letters A through M, provide the entry points to the Domain Name System (DNS). They perform a critical role in reaching basically any service on the Internet.

Netnod operates i.root-servers.net, one of the Internet’s 13 root name servers, and the first to be located outside of the United States. This summer it celebrates 30 years of service.

How does Netnod accomplish this challenging and responsible task? Swedish top chef Lars-Johan Liman (aka Liman) will show you around in his kitchen and reveal the secret recipe for running the I root server performant and reliably! He might even share a few historic anecdotes.

Speaker: Mr Lars-Johan Liman (Netnod)

OARC35-liman-final.pdf

06:05 Multi-Signer DNSSEC Automation

RFC 8901 describes modes for operating a domain with multiple independent signers. We discuss how the setup and dissolve a multi-signer arrangement. We describe our current status for the draft, implementation and testbed. And we will describe future development and some specific problems with algorithm usage and validation.
As it turns out this is the exact same operation for changing name server operators without going insecure.

Speaker: Ulrich Wisser (IIS)

multisigner-dnssec-automation-dnsoarc35.pdf

multisigner-dnssec-automation-dnsoarc35.pptx

06:20 DNS Migrations - Getting It Done

With organisations using DNS for more complex requirements, improving security and increasing resiliency - typically, their legacy DNS platform may not support new requirements, and they need to make changes. In this presentation, we'll look at the process that has served as the framework for carrying out numerous successful migrations over the years.

Speaker: Kier PW

DNS Migrations OARC35.key

DNS Migrations OARC35.pdf

06:35 → 07:35 BYOD OARC Social Event

Friday, 7 May

00:45 → 01:00 Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net

01:00 → 01:45 OARC 35 Day 2: Session 1

01:00 Botnet Traffic Observed at Various Levels of the DNS Hierarchy

This presentation explores DNS traffic patterns for a garrulous botnet observed at the root, authoritative TLD name servers, and delegated name servers. We will present measurements of DNS query volume observed at each of these layers while conducting various experiments on the sinkholed domains including variations of TTL, response codes, response sizes, and more. Our results highlight some operational insights into recursive resolver behaviors and the implications of managing / addressing botnet traffic.

Speaker: Duane Wessels (Verisign)

verisign-sinkhole.pdf

01:25 Behind Closed Doors: A Network Tale of Spoofing, Intrusion, and False DNS Security

Networks not employing destination-side source address validation (DSAV) expose themselves to a class of pernicious attacks which could be easily prevented by filtering inbound traffic purporting to originate from within the network. In this work, we survey the pervasiveness of networks vulnerable to infiltration using spoofed addresses internal to the network. We issue recursive Domain Name System (DNS) queries to a large set of known DNS servers worldwide, using various spoofed-source addresses. We classify roughly half of the 62,000 networks (autonomous systems) we tested as vulnerable to infiltration due to lack of DSAV. As an illustration of the dangers these networks expose themselves to, we demonstrate the ability to fingerprint the operating systems of internal DNS servers. Additionally, we identify nearly 4,000 DNS server instances vulnerable to cache poisoning attacks due to insufficient---and often non-existent---source port randomization, a vulnerability widely publicized 12 years ago. Finally, we introduce a Web-based tool for testing one's own network for DSAV.

Speaker: Casey Deccio (Brigham Young University)

2021-05-07-dsav-oarc.pdf

2021-05-07-dsav-oarc.pptx

01:45 → 02:00 15 Minutes Break

02:00 → 03:00 OARC 35 Day 2: Session 2

02:00 Dnstap Updates

The dnstap specification has recently been updated to reflect changes in the recursive DNS landscape, including the use ofnewer DNS transport protocols and response policy filtering. This talk will present background and detail on these changes, as well as general updates on the state of dnstap.

Speaker: Chris Mikkelson (Farsight Security, Inc.)

OARC35-DNSTAP.pdf

02:15 “So you think your Nameservers are Correct?” : Finding Errors Automatically in Nameserver Implementations

Correct DNS nameserver software is highly crucial for the smooth functioning of the Internet, but writing an efficient, high-throughput implementation that is also bug-free is challenging. Today, developers use an ad hoc collection of regression tests they authored to test the implementations for crashes, RFC deviations and also to compare with other implementations. Writing regression tests manually is an onerous task. We will present a systematic and principled approach that automatically generates high-coverage test suites.

We will describe how our tool, Ferret, generates and uses the tests to compare responses from multiple nameserver implementations to find crashes and disagreements. Using these tests, Ferret uncovered 24 unique bugs in 8 eight different implementations, including popular ones like Bind and Knot, with at least one bug in every implementation. For example, we will describe a performance bug relating to the “glue cache” that Ferret uncovered in Bind and a critical error (fixed now) that crashed the CoreDNS server. We will show how developers and operators can leverage our tests and framework to check their implementations’ correctness and any implementation-specific behavior on their zone files.

Speaker: Siva Kesava Reddy Kakarla (University of California, Los Angeles)

Ferret_Siva.pdf

02:40 Planning and Deployment of DNS Zone Transfers-over-TLS

This talk prepares the ground for planning and deploying DNS Zone Transfers-over-TLS (XoT). The specification is submitted to IESG for publication as a Proposed Standard. BIND stack has shipped it in product, and managed DNS vendors are planning product offerings.

Why XoT? DNS zones today often contain data that the zone owner has good reason to want to keep private. For example, the contents of the zone could include sensitive corporate information or names of persons used in names of hosts. There may also be regulatory, policy or other reasons why the zone contents in full must be treated as private.
Currently, DNS zone transfers (both full zone transfer i.e. AXFR [RFC 1035] and incremental zone transfer i.e. IXFR [RFC 1995]) occur in clear text, which gives an eavesdropper the opportunity to collect the contents of a zone by passively surveilling the network connection.

DNS zone transfers-over-TLS (XoT) specifies the use of TLS to prevent zone content collection via passive monitoring. The XoT Internet Draft has passed Working Group Last Call by the DPRIVE (DNS Privacy) Working Group at the Internet Engineering Task Force (IETF). BIND 9.17 includes support for XoT for incoming and outgoing zone transfers, and there are open Pull Requests for NSD that add support. This talk will discuss various aspects of this evolution of zone transfers including:

• Current state of development and adoption of XoT
• New operational models for authentication that could be used with XoT (including the basic recommendations, how to use transfer group policies, and when you might use mTLS)
• The benefits of connection re-use for multiple transfers involving same and different zones,
• Real-world deployment challenges and potential solutions.

Speakers: Shivan Sahib (Brave Software), Allison Mankin (Salesforce)

oarc35-xot-slides.pdf

03:00 → 04:30 90 Minutes Break

04:30 → 05:35 OARC 35 Day 2: Session 3

04:30 Keeping up with the DNS at the IETF

In an effort to bridge the IETF standardisation with the OARC operations and research community, the presentation aims to provide a comprehensive overview of the DNS activities in the IETF.

The presentation will cover the DNS related WGs DNSOP and DPRIVE, and to a lesser extend ADD this time. Focus is on WG activities finished, activities nearing completion (WGCL for review) and drafts that need work and feedback from the community, such as OARC members and participants.

Speaker: Benno Overeinder (NLnet Labs)

OARC 35 - Keeping up with DNS in the IETF.pdf

04:50 TCP Fast Open? Not so fast!

In this talk I'll take a look at the implementation hurdles seen when trying to implement and use TCP Fast Open in PowerDNS Recursor in the role of a TCP client, i.e. when talking to authoritative servers or forwarding queries.

Speaker: Otto Moerbeek (PowerDNS/Open-XChange)

fastopen20210421.pdf

05:15 Fragmentation, truncation, and timeouts: are large DNS messages falling to bits?

(we submitted this presentation during OARC34, so I'll re-post it here)

So this is a paper that got accepted at the peer-reviewed PAM2021 conference, and it covers the issues of truncation,fragmentation, and timeouts from the point of view of a TLD.

Geoff Houston has been long working on this, but our vantage point is different but complementary to his ad network method. I think the main diff is that Geoff does lots of experiments with pushing the limits of data over UDP; we however analyze real-world data form a TLD.
(in short: we have far better news than him :)

We also address the issue of the flag day.

Speaker: Dr Giovane Moura (SIDN Labs/TU Delft)

moura-oarc35-fragmentation.pdf

05:35 → 06:00 25 Minute Break

06:00 → 06:45 OARC 35 Day 2: Session 4 - OARC Updates

Convener: Keith Mitchell (DNS-OARC)

06:00 OARC Software Update

Speaker: Jerry Lundström (DNS-OARC)

OARC35-DNS-OARC-Software.pdf

OARC35-SoftwareReport.pdf

06:15 OARC Systems Update

Speaker: Matthew Pounsett (DNS-OARC)

Engineering-Update-slides.pdf

OARC35-Engineering-Report.pdf

06:30 OARC Status Update

Speaker: Mr Keith Mitchell (DNS-OARC)

May 2021 OARC Members Report

May 2021 OARC Status Update

OARC35-status.odp