Description
Main Session
Given the DNS’s critical role in today’s Internet, any errors in zone files can have highly disruptive effects on related services. For example, [Microsoft experienced a severe global outage][1] in 2019, impacting all Azure customers for two hours due to a DNS misconfiguration. Other major DNS-related outages include those at [Slack][2], [Salesforce][3], [GitHub][4], [LinkedIn][5],...
Several different DNSSEC configurations have been suggested in recent years in an attempt to address different security and privacy issues in the DNS system. In this presentation we briefly review and analyse the performance of different configurations using a baseline throughput measurement (based on DNSPERF). We show that while each configuration serves an important role by solving some...
We present the first implementation of post-quantum DNSSEC. As a prototype, we extended PowerDNS authoritative DNS server and recursor to sign, serve, and validate DNSSEC-signatures based on the FALCON signature scheme.
A high-level overview of the implementation work, which is based on a modification of the OpenSSL post-quantum fork, will be given, and statistics on performance and packet...
We have performed an Internet survey to extract the DANE/TLSA records in the DNS which are foreseen to indicate TLS capabilities and to enable X.509 certificate fingerprinting for MX services. Their particular use and the application scenarios for DANE records are analyzed on a wide scale base indicating the acceptance of policy information in the DNS giving security recommendations for...
Microsoft has implemented a dual-stack recursive resolver system for its internal resolver fleet. This talk focuses on learning and the challenges we faced during this process.
We will cover the items below:
- Implementing dual-stack recursive DNS using Unbound and Windows DNS Server
- Learnings/Issues encountered to achieve dual-stack
- Implementing serve-stale data from the cache...
In October 2021, a large social media platform experienced a widespread outage of its network. In this presentation, we will show how the outage led to a significant traffic increase on Verisign's authoritative name servers. Furthermore, we will show how this incident is similar to other events and conditions, and discuss our proposal for stricter protocol requirements on negative caching of...
Two data products are being made available for beta testing. The TLD Apex History data set contains the history of DNSSEC-related records published by TLDs since mid-2011. The DNS Core Census (v010) is a daily aggregation of metadata related to TLDs and other zones in the upper reaches of the global public DNS hierarchy. This presentation will cover the data, how it is assembled and how it...
There are several attack methods aimed at the DNS, and most of them are well understood, with mitigations already deployed. One relatively new attack method abuses IP Fragmentation to circumvent some of the mitigations and security features currently built into DNS software. Previous research has shown that it is possible to use fragmented DNS response messages to implant false or...
All Root Servers use IP anycast and operate root DNS servers at many locations in the world. This talk proposes an idea of IP anycast analysis using the DITL dataset.
To analyze the effect of IP anycast, we need to know the location of each instance, location information of clients, and latency information between clients and root servers.
The location information of each instance can be...