OARC 35 (Online)

Jan Včelák (NS1), Keith Mitchell (DNS-OARC), Manu Bretelle (Facebook), Pallavi Aras (Salesforce), Willem Toorop (NLnet Labs)

OARC 35 will be an online Workshop.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC35

Mattermost Chatroom: Workshops on chat.dns-oarc.net (sign-up here)



Farsight Security Inc.


Sponsorship opportunities for OARC 35 are available. Details at:




Your company name here?

Annual Workshop Patrons for 2021 are available. Details at:




  • Adam Phelps
  • Akira Kato
  • Ali Hussain
  • Alireza Saleh
  • Allan Watanabe
  • Allison Mankin
  • Andreas Taudte
  • Andrew Campling
  • Arnaud Jolivet
  • Arth Paulite
  • Atanas Argirov
  • Audrey Randall
  • Benno Overeinder
  • Bill Snow
  • Brantly Millegan
  • Brett Carr
  • Brian Dickson
  • Brian King
  • Brian Somers
  • Casey Deccio
  • Chris Mikkelson
  • Chuck Stearns
  • Claudia Erices
  • Darrell Newcomb
  • Dave Feldman
  • Dave Knight
  • Davey Song
  • David Lawrence
  • David Lucey
  • Denesh Bhabuta
  • Duane Wessels
  • Eddy Winstead
  • Eduardo Mercader
  • Eric Orth
  • Eric Ziegast
  • Erik Kline
  • Everett Fulton
  • Felipe Barbosa
  • Francisco Arias
  • Gavin Mccullagh
  • Geoffrey Huston
  • Giovane Moura
  • Guobao Sun
  • Gustavo Lozano Ibarra
  • Han Zhang
  • Hiro Hotta
  • Hugo Salgado
  • Huyen Truong
  • Ivan Laktyunkin
  • Jacob Zack
  • Jacques Latour
  • Jan Horak
  • Jan Včelák
  • Jarle Fredrik Greipsland
  • Jaromír Talíř
  • Jeff Westhead
  • Jeffrey Damick
  • Jerry Lundström
  • Jinyuan Feng
  • Joe Abley
  • Joey Salazar
  • John Todd
  • Jon Nappi
  • Josh Simpson
  • Joshua Kuo
  • Karl Reuss
  • Kazunori Fujiwara
  • Kc Claffy
  • Keith Mitchell
  • Ken Renard
  • Kier Pw
  • Lars-Johan Liman
  • Lavanya Palani
  • Lu Zhao
  • Manu Bretelle
  • Marco DíAz
  • Mark Allman
  • Mark Andrews
  • Matthew Ford
  • Matthew Luckie
  • Matthew Pounsett
  • Matthew Thomas
  • Mauricio Vergara Ereche
  • Michael Jewell
  • Nicklas Pousette
  • Nicolai Leymann
  • Niek Willems
  • Ondřej Surý
  • Otto Moerbeek
  • Pallavi Aras-Mathai
  • Paola Duran
  • Paul Ebersman
  • Paul Hoffman
  • Peter Koch
  • Peter Van Dijk
  • Prashanth Suvarna
  • Puneet Sood
  • Ralf Weber
  • Robert Edmonds
  • Robert Story
  • Roger Murray
  • Roland Dobbins
  • Ross Gibson
  • Sebastian Castro
  • Shinta Sato
  • Shivan Sahib
  • Shumon Huque
  • Sidan Qi
  • Sile Yang
  • Siva Kesava Reddy Kakarla
  • Sreekanth Madhavan
  • Stefan Ubbink
  • Steve Dejong
  • Sudheesh Singanamalla
  • Sue Graves
  • Surabhi Sudha
  • Suzanne Woolf
  • Thibaud Duble
  • Tianhao Chi
  • Tom Tran
  • Ulrich Wisser
  • Vicky Risk
  • Vincent Levigneron
  • Vittorio Bertola
  • Warren Kumari
  • Wes Hardaker
  • Willem Toorop
  • Yann Kerherve
  • Yoshitaka Aharen
    • 12:45 AM
      Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net
    • OARC 35 Day 1: Session 1
      • 1

        Introduction to DNS-OARC

        Speaker: Mr Keith Mitchell (DNS-OARC)
      • 2
        On The Crucial Need for DITL Meta-Data

        As a researcher, the DITL collection is a fantastic resource. I appreciate all the hard work. That said, as I have used or tried to use the data over the years I have been bit by the lack of meta-data. I would encourage folks to document a few simple things as the data is collected.

        Speaker: Mark Allman (ICSI)
      • 3
        A Better Do-Not-Probe List


        For many years, OARC has been operating a Do Not Probe list, which is an advisory for researchers about network operators who would prefer not to be research subjects. For the last few years, OARC has been looking for someone with the resources to improve the way the list operates to take it over; in the coming months it will be taken over by Nimbus Operations (an OARC Supporter organization).

        The presentation has two goals:

        1. give researchers a heads up about the list moving
        2. request feedback about proposed changes from researchers who use the list, and operators who may want to list their networks
        Speaker: Matthew Pounsett (Nimbus)
    • 1:45 AM
      15 Minutes Break
    • OARC 35 Day 1: Session 2
      • 4
        Trufflehunter: Cache Snooping Rare Domains at Large Public DNS Resolvers

        DNS cache snooping on small, misconfigured, open DNS resolvers is considered a privacy threat, because users can be easily deanonymized. However, the large number of users of public DNS resolvers, such as Google Public DNS, allows cache snooping to be used as a privacy-preserving measurement tool instead. The growing footprint of such public resolvers presents an opportunity to observe rare domain usage, while preserving the privacy of the users accessing them. However, the complexity of large public resolvers raises challenges as well as opportunities. In this work, we present Trufflehunter, a DNS cache snooping tool for estimating the prevalence of rare and sensitive Internet applications. Trufflehunter models the complex behavior of large multi-layer distributed caching infrastructures. In particular, using controlled experiments, we have inferred the caching strategies of the four most popular public DNS resolvers (Google Public DNS, Cloudflare DNS, OpenDNS and Quad9). Using a controlled testbed, we evaluated how accurately Trufflehunter can estimate domain name usage across the U.S. By applying this technique in the wild, we provided a lower-bound estimate of the popularity of several rare and sensitive applications (most notably smartphone stalkerware) which are otherwise challenging to survey.

        Speaker: Audrey Randall (University of California San Diego)
      • 6
        Machine Learning Router Hostname Patterns

        I have been working on open source software (Hoiho) that automatically learns regular expressions that extract features from router hostnames. The general idea is to use a training set with labels inferred using heuristic algorithms, and then learn regular expressions that extract information congruent with those labels. Currently, the software extracts "router names" (portions of a hostname that are in common across all interfaces on a router and unique to that router) and "autonomous system numbers" (portions of a hostname that identify the ASN that operates the router). I have work ongoing to extract geolocation and AS name annotations, and beyond this there might be ideas in the DNS-OARC community on how to apply the idea to other types of hostnames.

        Speaker: Matthew Luckie (University of Waikato)
      • 7
        Evaluation of anti-DDoS features in full-service resolvers

        We conducted an experiment of anti‐DDoS functionalities implemented in full‐service resolver implementations with Japanese domestic ISPs.
        This presentation shows the results and some findings.

        Speaker: Yoshitaka Aharen (Japan Registry Services Co., Ltd.)
    • 3:05 AM
      85 Minutes Break
    • OARC 35 Day 1: Session 3
      • 8
        Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS

        The Internet’s Domain Name System (DNS) responds to client hostname queries with corresponding IP addresses and records. Traditional DNS is unencrypted and leaks user information to on-lookers. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting DNS messages from third parties. However, the small number of available public large-scale DoT and DoH resolvers has reinforced DNS privacy concerns, specifically that DNS operators could use query contents and client IP addresses to link activities with identities. Oblivious DNS over HTTPS (ODoH) safeguards against these problems. In this talk we present the implementation, measurement, and deployment of interoperable instantiations of the protocol, construct a corresponding formal model and analysis, and evaluate the protocol’s performance with wide-scale measurements. Results suggest that ODoH is a practical privacy-enhancing replacement for DNS.

        Speaker: Sudheesh Singanamalla (Cloudflare Inc / University of Washington)
      • 9
        Keep my privacy: DNS over HTTPS over CGN or public NAT64

        DNS over HTTPS (doh) is useful for protecting DNS query information
        from wire tapping on the route. However, DoH providers need query
        information for name resolution and client IP addresses for
        communication. Then, DoH providers know all the users' privacy
        information as in the case of traditional DNS. To protect clients'
        privacy, this presentation proposes to hide query source IP addresses
        from DoH providers by using Carrier Grade NAT (CGN), open NAT64, IPv6
        transition technology and open HTTP(S) proxies.

        Speaker: Kazunori Fujiwara (Japan Registry Services Co., Ltd)
      • 10
        Public Disclosure DNS vulnerability

        During OARC34, we disclosed privately a vulnerability affecting DNS servers that could be exploited for DDoS.

        Now it is time to do a public disclosure AND provide an update on what has happened since them.

        We have seen a lot of community engagement through:

        • Improving our detection software
        • Fixing Bugs

        We will also include an updated version of our technical report.

        Speaker: Dr Giovane Moura (SIDN Labs/TU Delft)
    • 5:20 AM
      20 Minutes break
    • OARC 35 Day 1: Session 4
      • 11
        30 years of operating a root name server - challenges now and then

        The root name servers, identified by letters A through M, provide the entry points to the Domain Name System (DNS). They perform a critical role in reaching basically any service on the Internet.

        Netnod operates i.root-servers.net, one of the Internet’s 13 root name servers, and the first to be located outside of the United States. This summer it celebrates 30 years of service.

        How does Netnod accomplish this challenging and responsible task? Swedish top chef Lars-Johan Liman (aka Liman) will show you around in his kitchen and reveal the secret recipe for running the I root server performant and reliably! He might even share a few historic anecdotes.

        Speaker: Mr Lars-Johan Liman (Netnod)
      • 12
        Multi-Signer DNSSEC Automation

        RFC 8901 describes modes for operating a domain with multiple independent signers. We discuss how the setup and dissolve a multi-signer arrangement. We describe our current status for the draft, implementation and testbed. And we will describe future development and some specific problems with algorithm usage and validation.
        As it turns out this is the exact same operation for changing name server operators without going insecure.

        Speaker: Ulrich Wisser (IIS)
      • 13
        DNS Migrations - Getting It Done

        With organisations using DNS for more complex requirements, improving security and increasing resiliency - typically, their legacy DNS platform may not support new requirements, and they need to make changes. In this presentation, we'll look at the process that has served as the framework for carrying out numerous successful migrations over the years.

        Speaker: Kier PW
    • 6:35 AM
      BYOD OARC Social Event
    • 12:45 AM
      Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net
    • OARC 35 Day 2: Session 1
      • 14
        Botnet Traffic Observed at Various Levels of the DNS Hierarchy

        This presentation explores DNS traffic patterns for a garrulous botnet observed at the root, authoritative TLD name servers, and delegated name servers. We will present measurements of DNS query volume observed at each of these layers while conducting various experiments on the sinkholed domains including variations of TTL, response codes, response sizes, and more. Our results highlight some operational insights into recursive resolver behaviors and the implications of managing / addressing botnet traffic.

        Speaker: Duane Wessels (Verisign)
      • 15
        Behind Closed Doors: A Network Tale of Spoofing, Intrusion, and False DNS Security

        Networks not employing destination-side source address validation (DSAV) expose themselves to a class of pernicious attacks which could be easily prevented by filtering inbound traffic purporting to originate from within the network. In this work, we survey the pervasiveness of networks vulnerable to infiltration using spoofed addresses internal to the network. We issue recursive Domain Name System (DNS) queries to a large set of known DNS servers worldwide, using various spoofed-source addresses. We classify roughly half of the 62,000 networks (autonomous systems) we tested as vulnerable to infiltration due to lack of DSAV. As an illustration of the dangers these networks expose themselves to, we demonstrate the ability to fingerprint the operating systems of internal DNS servers. Additionally, we identify nearly 4,000 DNS server instances vulnerable to cache poisoning attacks due to insufficient---and often non-existent---source port randomization, a vulnerability widely publicized 12 years ago. Finally, we introduce a Web-based tool for testing one's own network for DSAV.

        Speaker: Casey Deccio (Brigham Young University)
    • 1:45 AM
      15 Minutes Break
    • OARC 35 Day 2: Session 2
      • 16
        Dnstap Updates

        The dnstap specification has recently been updated to reflect changes in the recursive DNS landscape, including the use ofnewer DNS transport protocols and response policy filtering. This talk will present background and detail on these changes, as well as general updates on the state of dnstap.

        Speaker: Chris Mikkelson (Farsight Security, Inc.)
      • 17
        “So you think your Nameservers are Correct?” : Finding Errors Automatically in Nameserver Implementations

        Correct DNS nameserver software is highly crucial for the smooth functioning of the Internet, but writing an efficient, high-throughput implementation that is also bug-free is challenging. Today, developers use an ad hoc collection of regression tests they authored to test the implementations for crashes, RFC deviations and also to compare with other implementations. Writing regression tests manually is an onerous task. We will present a systematic and principled approach that automatically generates high-coverage test suites.

        We will describe how our tool, Ferret, generates and uses the tests to compare responses from multiple nameserver implementations to find crashes and disagreements. Using these tests, Ferret uncovered 24 unique bugs in 8 eight different implementations, including popular ones like Bind and Knot, with at least one bug in every implementation. For example, we will describe a performance bug relating to the “glue cache” that Ferret uncovered in Bind and a critical error (fixed now) that crashed the CoreDNS server. We will show how developers and operators can leverage our tests and framework to check their implementations’ correctness and any implementation-specific behavior on their zone files.

        Speaker: Siva Kesava Reddy Kakarla (University of California, Los Angeles)
      • 18
        Planning and Deployment of DNS Zone Transfers-over-TLS

        This talk prepares the ground for planning and deploying DNS Zone Transfers-over-TLS (XoT). The specification is submitted to IESG for publication as a Proposed Standard. BIND stack has shipped it in product, and managed DNS vendors are planning product offerings.

        Why XoT? DNS zones today often contain data that the zone owner has good reason to want to keep private. For example, the contents of the zone could include sensitive corporate information or names of persons used in names of hosts. There may also be regulatory, policy or other reasons why the zone contents in full must be treated as private.
        Currently, DNS zone transfers (both full zone transfer i.e. AXFR [RFC 1035] and incremental zone transfer i.e. IXFR [RFC 1995]) occur in clear text, which gives an eavesdropper the opportunity to collect the contents of a zone by passively surveilling the network connection.

        DNS zone transfers-over-TLS (XoT) specifies the use of TLS to prevent zone content collection via passive monitoring. The XoT Internet Draft has passed Working Group Last Call by the DPRIVE (DNS Privacy) Working Group at the Internet Engineering Task Force (IETF). BIND 9.17 includes support for XoT for incoming and outgoing zone transfers, and there are open Pull Requests for NSD that add support. This talk will discuss various aspects of this evolution of zone transfers including:

        • Current state of development and adoption of XoT
        • New operational models for authentication that could be used with XoT (including the basic recommendations, how to use transfer group policies, and when you might use mTLS)
        • The benefits of connection re-use for multiple transfers involving same and different zones,
        • Real-world deployment challenges and potential solutions.
        Speakers: Shivan Sahib (Brave Software), Allison Mankin (Salesforce)
    • 3:00 AM
      90 Minutes Break
    • OARC 35 Day 2: Session 3
      • 19
        Keeping up with the DNS at the IETF

        In an effort to bridge the IETF standardisation with the OARC operations and research community, the presentation aims to provide a comprehensive overview of the DNS activities in the IETF.

        The presentation will cover the DNS related WGs DNSOP and DPRIVE, and to a lesser extend ADD this time. Focus is on WG activities finished, activities nearing completion (WGCL for review) and drafts that need work and feedback from the community, such as OARC members and participants.

        Speaker: Benno Overeinder (NLnet Labs)
      • 20
        TCP Fast Open? Not so fast!

        In this talk I'll take a look at the implementation hurdles seen when trying to implement and use TCP Fast Open in PowerDNS Recursor in the role of a TCP client, i.e. when talking to authoritative servers or forwarding queries.

        Speaker: Otto Moerbeek (PowerDNS/Open-XChange)
      • 21
        Fragmentation, truncation, and timeouts: are large DNS messages falling to bits?

        (we submitted this presentation during OARC34, so I'll re-post it here)

        So this is a paper that got accepted at the peer-reviewed PAM2021 conference, and it covers the issues of truncation,fragmentation, and timeouts from the point of view of a TLD.

        Geoff Houston has been long working on this, but our vantage point is different but complementary to his ad network method. I think the main diff is that Geoff does lots of experiments with pushing the limits of data over UDP; we however analyze real-world data form a TLD.
        (in short: we have far better news than him :)

        We also address the issue of the flag day.

        Speaker: Dr Giovane Moura (SIDN Labs/TU Delft)
    • 5:35 AM
      25 Minute Break
    • OARC 35 Day 2: Session 4 - OARC Updates
      Convener: Keith Mitchell (DNS-OARC)