Conveners
OARC 42 Day 2: Session 1
- Suzanne Woolf (Public Interest Registry (.ORG))
- Puneet Sood (Google)
OARC 42 Day 2: Session 2
- Suzanne Woolf (Public Interest Registry (.ORG))
- Puneet Sood (Google)
OARC 42 Day 2: Session 3
- Benjamin Schwartz (Meta)
- Petr Špaček (Internet Systems Consortium (ISC))
OARC 42 Day 2: Session 4
- Benjamin Schwartz (Meta)
- Petr Špaček (Internet Systems Consortium (ISC))
DNS can be compared to a game of chess in that its rules are simple, yet the possibilities it presents are endless. While the fundamental rules of DNS are straightforward, DNS implementations can be extremely complex. In this study, we intend to explore the complexities and vulnerabilities in DNS response pre-processing by systematically analyzing DNS RFCs and DNS software implementations. We...
The Domain Name System (DNS) is a fundamental protocol of the Internet. Enhancing its efficiency requires in-depth analysis of DNS data. The analysis of negative responses (with a focus on the NXDOMAIN response code of 3 in this paper) is a critical area of research, as it directly affects the security and performance of servers from the root to the recursive level. In September 2022, a bug in...
The Domain Name System (DNS) is a critical component of the Internet. DNS resolvers, which act as the cache between DNS clients and DNS nameservers, are the central piece of the DNS infrastructure, essential to the scalability of DNS. However, finding resolver vulnerabilities is non-trivial, and this problem is not well addressed by the existing tools. To list a few reasons, first, most of the...
How to meaningfully benchmark DNS systems?
We will cover the main methodological differences between:
- resolvers
- authoritative servers
- normal traffic
- DoS traffic
By the end of the talk the audience will learn which tools are suitable for what scenarios and how to avoid the most common pitfalls.
If you prefer lengthy wording, here it is!
Discover the art of...
NS1 Managed DNS runs on a large anycast deployment with approximately 25 POPs. We frequently need to assess new hardware for upgrades and expansion, and to do so, we must understand how our software performs. This presentation will discuss how DNS packets are processed on Linux, how the software interacts with hardware, and how to configure the software for optimal performance. We will also...
Our presentation at DNS OARC 42 focuses on developing and operating a robust DNS monitoring system, across various environments, including traditional and cloud infrastructures. We will discuss our journey in managing a large-scale DNS monitoring setup, consisting of more than 2500 zones distributed across 500 service instances and 15 regions all over the world, each zone containing 2000 -...
There is a new draft in the IETF that proposes that all recursive resolvers and authoritative servers SHOULD include IPv6 service. But is the DNS ready for IPv6? This presentation looks at the problems that the DNS has with IPv6, around the issues of IP fragmentation using large UDP payloads and the consequences of this in terms of delayed resolution and increased query loads.
The intended...
Network and security operators are continually bombarded by strange deviations in network traffic that are sometimes operationally problematic, sometimes a threat to security, and other times just plain odd. These show up as large traffic spikes sometimes, and other times are just low-level plateaus. It's often very hard to quickly figure out exactly what these spikes come from. Wouldn't it...
The RIPE community created a task force in response to the DNS4EU effort, with the goal of producing a document which provides recommendations for operators interested in running DNS resolvers, especially public resolvers.
This lightning talk introduces this work, and gives a quick review of the document, and the status.
Help crowdsource a high-level estimate of the "size" of the world-wide DNS system, in order to help compare the growth and size of the DNS root to the growth and size of the DNS overall.
If you were to draw four clouds, representing the traffic to All Authoritative Servers, All Resolvers, All TLDs, and the DNS Root, what would be the relative size of each cloud? It would be helpful to be...
This brief talk is about the problem of expired RRSIGs. I will talk about a couple of scenarios which result in this situation, and how we might want to react.
Different DNS vendors implement different features (IXFR support, EDNS expiry support, ZONEMD verification).
These are not 100% the same. Some of these are documented, some are not.
For ZONEMD support one can go to a DNS OARC talk; catalog zones has a website.
dnstap has a website.
Maybe there should be a directory or wiki page for these?
Would it be a good idea to have such at DNS OARC?
There are multiple approaches taken today using unencrypted and encrypted DNS to identify stub resolvers to recursive resolvers, including using the query source IP address or injecting additional records with custom labels the recursive resolver can parse. In this presentation, we will recommend using mTLS as a best practice when stub resolvers need to provide secure identities to recursive...