DNS is designed to drive Internet traffic, directing users to the IP addresses hosting Internet services. Modern, replicated services use DNS to direct users to desired (low latency, available) servers, and DNS uses caches to limit DNS overhead on users and services. However, little is known about how these interactions play out in practice, partly due to the proprietary nature of traffic...
If you're operating a recursive DNS resolver, you're likely interested in implementing EDNS Client Subnet (ECS), as it is a vital component that many top-tier CDN providers use for geo-balancing.
However, simply forwarding the user's subnet to name servers carries serious privacy implications. I'll share how AdGuard DNS navigates this challenge, ensuring we protect user privacy, deliver the best...
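As an added example (not AdGuard DNS code, and not described in the talk), the following shows the RFC 7871 wire format of the ECS option and the usual privacy mitigation: the resolver coarsens the client address to a network prefix before forwarding it upstream, and clears every bit beyond that prefix. The /24 and /56 limits are an assumed resolver policy, and the client addresses are constructed documentation-range values.

```python
"""EDNS Client Subnet (ECS, option code 8) with prefix truncation.

Added example, not code from AdGuard DNS. The prefix limits below are an
assumed policy; a resolver picks them to trade geo-accuracy for privacy.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8  # RFC 7871

# Assumed resolver policy: reveal at most this much of the client address.
MAX_PREFIX_V4 = 24
MAX_PREFIX_V6 = 56


def truncate_client_address(addr: str, max_v4: int = MAX_PREFIX_V4, max_v6: int = MAX_PREFIX_V6):
    """Return (family, prefix_len, address_bytes) with host bits cleared.

    family is 1 for IPv4 and 2 for IPv6 (the address family numbers ECS uses).
    address_bytes holds only ceil(prefix_len / 8) bytes, as RFC 7871 requires.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        family, prefix_len = 1, min(max_v4, 32)
    else:
        family, prefix_len = 2, min(max_v6, 128)
    # strict=False lets ip_network zero the host bits for us.
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    nbytes = (prefix_len + 7) // 8
    return family, prefix_len, net.network_address.packed[:nbytes]


def build_ecs_option(addr: str, scope_prefix_len: int = 0) -> bytes:
    """Encode the ECS option as it appears inside the OPT RR RDATA.

    Layout (RFC 7871 section 6): OPTION-CODE(2) OPTION-LENGTH(2) FAMILY(2)
    SOURCE PREFIX-LENGTH(1) SCOPE PREFIX-LENGTH(1) ADDRESS(variable).
    A query carries SCOPE PREFIX-LENGTH 0; the authoritative server sets it in the reply.
    """
    family, source_len, address = truncate_client_address(addr)
    body = struct.pack("!HBB", family, source_len, scope_prefix_len) + address
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data: bytes):
    """Decode an ECS option into (family, source_len, scope_len, address_str).

    Rejects an ADDRESS field of the wrong length or with nonzero bits beyond
    SOURCE PREFIX-LENGTH; RFC 7871 says such options are FORMERR.
    """
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE or len(data) != 4 + length:
        raise ValueError("not a well-formed ECS option")
    family, source_len, scope_len = struct.unpack("!HBB", data[4:8])
    address = data[8:]
    total = {1: 4, 2: 16}.get(family)
    if total is None:
        raise ValueError("unknown address family")
    if source_len > total * 8 or len(address) != (source_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    ip = ipaddress.ip_address(address + b"\x00" * (total - len(address)))
    if ipaddress.ip_network(f"{ip}/{source_len}", strict=False).network_address != ip:
        raise ValueError("nonzero bits beyond SOURCE PREFIX-LENGTH")
    return family, source_len, scope_len, str(ip)


if __name__ == "__main__":
    # Constructed client addresses from the documentation ranges.
    for client in ("203.0.113.77", "2001:db8:abcd:1234:5678::1"):
        opt = build_ecs_option(client)
        print(client, "->", opt.hex(), parse_ecs_option(opt))
```

The parse side matters as much as the build side: a resolver that accepts ECS from its own clients must validate the option before caching on it, and a cache keyed on the scope returned by the authoritative server must still only ever forward the truncated prefix.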
USC/ISI is renumbering both its IPv4 and IPv6 addresses for b.root-servers.net on 2023-11-27. Our new IPv4 address will be 170.247.170.2 and our new IPv6 address will be 2801:1b8:10::b. USC/ISI will continue to support root service over our current IPv4 and IPv6 addresses for at least one year (until 2024-11-27) in order to provide a stable transition period while new root hints files are...
InternetNZ faced its biggest crisis involving DNSSEC.
Much has been learnt from this incident since it occurred.
This talk aims to share the pains and lessons learnt from this challenging situation, with the hope other DNS operators never experience a similar issue.
It gives an overview of what we dealt with technically, as well as more context through a macro view of the incident.
Authoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain owners often deploy multiple candidate nameservers for load balancing according to the requirement of DNS specifications (RFC 1034 and RFC 2182). Once the load balancing mechanism is compromised, an adversary can...
This presentation will focus on our journey towards building a FedRAMP version of OpenDNS/Cisco Umbrella resolver, all the challenges we encountered along the way and the strategy we took to overcome them.
Agenda:
- Our experiences (struggles) with moving to OpenSSL 3 and using the FIPS provider within it.
- How we support both commercial (OpenSSL 1.1.1) and FedRAMP (OpenSSL 3)...
In this talk, we present a new DNS amplification attack named TsuKing. Instead of exploiting individual DNS resolvers independently to achieve an amplification effect, TsuKing deftly coordinates numerous vulnerable DNS resolvers and crafted queries together to form potent DoS amplifiers. We demonstrate that with TsuKing, an initial small amplification factor can increase exponentially through...
In these slides, we describe some technical details of our DNSSEC implementation and of promoting DNSSEC to end users.
We give a brief overview of our online visualization tools and browser extension and share our future plans.
The standard way of transmitting zone updates from a Primary Nameserver to a Secondary Nameserver is NOTIFY+XFR, with out-of-protocol zone provisioning on the Primary and the Secondary. The rather new catalog zones have helped to automate zone provisioning on the Secondary, but zone updates still use NOTIFY+XFR, with additional freshness checks performed by the Secondary. This works fine when...
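The freshness check mentioned above is a comparison of SOA serials, and it is less trivial than it looks because serials are 32-bit numbers that wrap. The following is an added example (not code from the talk or from any nameserver) of what a Secondary does on receiving a NOTIFY: check that the source is a configured primary (RFC 1996), fetch the primary's SOA serial, and start an XFR only when that serial is newer under RFC 1982 serial arithmetic. The zone names, serials and addresses are constructed.

```python
"""NOTIFY handling and SOA serial freshness check on a Secondary.

Added example, not nameserver code. The SOA query to the primary is stood in
for by a callable so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a is 'greater than' b in serial number arithmetic.

    Neither is greater when the two differ by exactly 2^31; that case is
    undefined in the RFC and deliberately returns False here.
    """
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(s: int, n: int) -> int:
    """RFC 1982 addition: n must be below 2^31 so the result stays 'greater'."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2^31)")
    return (s + n) % MOD


@dataclass
class ZoneState:
    serial: int                      # serial of the copy the Secondary holds
    primaries: Set[str] = field(default_factory=set)  # allowed NOTIFY sources


def handle_notify(zones: Dict[str, ZoneState], zone: str, source_ip: str,
                  query_primary_soa: Callable[[str], int]) -> str:
    """Return the action a Secondary takes for a NOTIFY(zone) from source_ip.

    query_primary_soa stands in for the SOA query the Secondary sends to the
    primary to learn its current serial.
    """
    state = zones.get(zone)
    if state is None:
        return "refused: not a secondary for this zone"
    # RFC 1996 section 3.10: ignore NOTIFY from anyone but a configured primary,
    # otherwise a spoofed NOTIFY can make the Secondary hammer the primary with SOA queries.
    if source_ip not in state.primaries:
        return "ignored: NOTIFY from unconfigured source"
    remote = query_primary_soa(zone)
    if serial_gt(remote, state.serial):
        return f"xfr: {state.serial} -> {remote}"
    return "up-to-date: no transfer needed"


if __name__ == "__main__":
    # Constructed state: one zone, one configured primary, date-style serials.
    zones = {"example.test.": ZoneState(serial=2023112701, primaries={"192.0.2.1"})}
    print(handle_notify(zones, "example.test.", "192.0.2.1", lambda z: 2023112702))
    print(handle_notify(zones, "example.test.", "198.51.100.9", lambda z: 2023112702))
    print(serial_gt(0, 0xFFFFFFFF))  # the wrap case: 0 is newer than 2^32-1
```

The wrap case is the one operators hit in practice: a zone whose serial was once set to a very large value and then "reset" to a small one will never be picked up by Secondaries unless it is stepped forward through the 2^31 boundary with serial_add.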
The talk will cover the DNS platform of Deutsche Telekom (architecture, performance, features) and the implementation status of encrypted DNS (mainly DoT and DoH) within Deutsche Telekom Group. It will give an overview of the challenges arising from DNS discovery (DDR), with a focus on home networks. It will also cover the potential impact of Encrypted Client Hello in the context of encrypted DNS.
There are problems brewing. Ongoing and increasing privacy leaks are the most talked about, but there is also growing use of DNS queries by malicious software to communicate and ping home.
These problems prompt a response and various, mostly commercial, efforts are underway or have already been deployed. None of them, however, present a truly open and transparent approach...
A view of DNSSEC usage in the query stream of a popular open resolver