OARC 44 (Atlanta, Georgia, USA)

America/New_York
Imperial Salon B (Atlanta Marriott Marquis)

265 Peachtree Center Ave NE Atlanta GA 30303 United States
Cathy Almond (Internet Systems Consortium), Phil Regnauld (DNS-OARC)
Description

OARC 44 will be a hybrid in-person and online workshop.

The workshop will be held in Atlanta, Georgia on February 6-7th, 2025.


DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC44 #LoveDNS 

Mattermost Chatroom: Workshops on chat.dns-oarc.net (sign-up here)



OARC 44 PATRONS


Patronage opportunities for OARC 44 are available. Please contact us for details.


OARC ANNUAL WORKSHOP PATRONS 2025

 

 


Workshop Patronages for 2025 are available. Details at:

https://www.dns-oarc.net/workshop/patronage-opportunities


 

  • Thursday 6 February
    • 09:00 10:00
      In-person Registration 1h Imperial Salon B

    • 10:00 10:15
      OARC 44 Day 1: Welcome to OARC 44 Imperial Salon B

    • 10:15 10:20
      Session 1 Start 5m Imperial Salon B


      Session Chair introduction

    • 10:20 11:00
      OARC 44 Day 1: Session 1 Imperial Salon B

      • 10:20
        How are Internet users affected by DNS resolver authoritative server selection 25m

        The selection of which authoritative DNS server to use by a user's DNS resolver of choice greatly determines the user experience when accessing the Internet.

        In the past, some studies have looked at the behaviour of a set of implementations describing how they perform authoritative server selection and how they re-evaluate their choices in time [1].
        Other studies have leveraged the RIPE Atlas infrastructure to observe DNS resolution of a researcher-owned domain name from various points on the Internet [2].

        We extend and complement these studies by using APNIC's distributed ad system to recruit several million end-users throughout the global Internet to observe the resolution selection process as well as its time evolution through a several day period.

        References
        [1] Secure Nameserver Selection Algorithm for DNS Resolvers.
        https://datatracker.ietf.org/doc/draft-zhang-dnsop-ns-selection/

        [2] Recursives in the Wild: Engineering Authoritative DNS Servers
        https://ant.isi.edu/~johnh/PAPERS/Mueller17b.pdf

        Speaker: Geoff Huston (APNIC)
      • 10:45
        Who Forged My DNS Answers? 15m

        This talk presents a real DNS hijacking incident from last year and how my team traced the issue. We discovered that certain queries to root/.com servers were receiving random, forged responses. To address this, we developed “DNS Traceroute,” a tool that traces the path of DNS queries to identify the source of hijacking, inspired by how Traceroute functions.

        This talk was first delivered at the APAC DNS Forum 2024 Pre-Event Webinar (watch here) and received positive feedback. I think it might also interest the OARC community.

        Speaker: Dr Linjian (Davey) Song (Alibaba Cloud)
    • 11:00 11:30
      Mid-morning Break 30m Imperial Foyer (Atlanta Marriott Marquis)

    • 11:30 11:35
      Session 2 Start 5m Imperial Salon B

    • 11:35 12:30
      OARC 44 Day 1: Session 2 Imperial Salon B

      • 11:35
        Increasing DNSSEC visibility in a multi-signer environment using fake-root stack 15m

        Using the multi-signer model can be challenging and can add complexity to your handling of zone maintenance and distribution.
        The work shared in this presentation attempts to show examples or alternatives for improving DNSSEC monitoring and anticipating problems before users are affected.
        This is a perspective from a ccTLD that has been adopting the multi-signer model for a long time.

        Speaker: Mr Felipe Agnelli Barbosa (InternetNZ)
      • 11:50
        DNS Anycast Stack 20m

        This presentation deals with the fundamental design and evaluation of DNS anycast stacks for high performance and portable nameserver locations placed on cloud, prem or mixed infrastructure.
        According to the challenges of our time, facing innovations in AI and cloud techniques as well as new geopolitical crises, marketing aspects and the increasing lack of DNS expert skills, this proposal focuses on further criteria like effort in system administration, fast setup time, flexible network routing and high scalability, too.
        As a proof of concept, a short live demo will be part of the talk by setting up a full multi tenancy virtual anycast stack in less than 5 minutes.

        Speaker: Benjamin Schönbach (Denic eG)
      • 12:10
        Zone transfer performance 20m

        Zone update performance in large-scale DNS installations can be an
        important metric to pay attention to. Zone transfer performance
        measurements get less attention than query performance because it is
        less operationally acute, and because it is harder to measure, as has
        been discussed in previous presentations. Benchmarking zone transfer
        performance is the first and most important step, but more
        measurements of complex behaviour can also help to clarify performance
        considerations and optimizations.

        Taking a slightly different view of load generation in terms of
        concurrent connections, as is sometimes seen in HTTP load generation,
        experimental results will compare update rate performance between
        selected nameserver implementations and installations. Supporting
        data and qualitative observations from UltraDNS systems will be used
        to describe differences in nameserver behaviour, and limitations on
        performance. A variety of data conditions including size and number
        of updates to catalog and member zones, and installation topology will
        be included.

        The presentation will highlight differences in implementations and
        possible tuning opportunities, installation choices, future
        development, and performance test concepts. This may help current and
        future operators to consider zone transfers where alternative data
        propagation has been used in the past.

        Speaker: Bill Snow (UltraDNS)
    • 12:30 14:00
      Lunch 1h 30m Imperial Salon A (Atlanta Marriott Marquis)

    • 14:00 14:05
      Session 3 Start 5m Imperial Salon B

    • 14:05 15:00
      OARC 44 Day 1: Session 3 Imperial Salon B

      • 14:05
        ECH from a DNS (data) perspective 20m

        This talk will look into what the ECH uptake is both from a domain as well as from a client requestor perspective based on DNS data from authoritative and recursive name servers.

        Speaker: Ralf Weber (Akamai Technologies)
      • 14:25
        Exploration of the deployment and use of the DNS HTTPS Resource Record 20m

        The HTTPS DNS resource record (RR), defined in RFC 9460, is a new DNS record designed for the delivery of configuration information and parameters required to initiate connections to HTTPS network services. It can coexist with other record types (unlike the CNAME record) and thus allows name redirection at zone apexes and any arbitrary location in a zone where CNAME could not. It can also enable enhanced privacy by providing cryptographic keying material needed to encrypt the initial exchange in TLS (using the new Encrypted Client Hello mechanism). While relatively new, the HTTPS record already has many implementations and has seen quite a bit of deployment in the field.

        We conduct a detailed longitudinal study of real-world implementations of the HTTPS RR, focusing on the primary apex domains and their corresponding www subdomains in the Tranco List of popular domains since May 2023. Moreover, we perform investigations into the behavior of client-side support for the HTTPS RR.

        This research is published in a peer-reviewed paper presented at the Internet Measurement Conference (IMC) 2024, and we aim to share these findings more broadly with the DNS-focused community. The talk will showcase the up-to-date findings from both server-side analysis and client-side behavior studies.

        Aspects of this study we will share include:
        1. Server-side HTTPS RR deployment:
           - Overall HTTPS RR adoption and the changing trend
           - Name servers supporting HTTPS RR
           - HTTPS RR parameters used by domains, including IP mismatches between IP hint and A/AAAA records
           - Encrypted ClientHello (ECH) deployment and major involvers
           - DNSSEC signing of HTTPS records
        2. Client-side HTTPS RR support:
           - Major browsers' support of HTTPS RR parameters
           - Major browsers' support and fallback mechanisms of ECH

        What will the audience take away from this talk?

        An understanding of the benefits of the DNS HTTPS record, how it can improve the privacy of HTTPS connections, a picture of the scale of its current deployment and observed issues, and the state of client support in web browsers.

        Speakers: Hongying Dong (University of Virginia), Yizhe Zhang (University of Virginia)
      • 14:45
        Encrypted Client Hello and Network Operators 15m

        The presentation will include a brief explanation of the proposed Encrypted Client Hello (ECH) extension to TLS 1.3. The main focus will be on explaining why network operators need to be aware of the potential implications of ECH so that they are able to mitigate any negative impacts.

        Speaker: Andrew Campling (419 Consulting Ltd)
    • 15:00 15:30
      Mid-afternoon Break 30m Imperial Foyer (Atlanta Marriott Marquis)

    • 15:30 15:35
      Session 4 Start 5m Imperial Salon B

    • 15:35 17:00
      OARC 44 Day 1: Session 4 Imperial Salon B

      • 15:35
        Thinking about serve-stale? 25m

        RFC 8767 "Serving Stale Data to Improve DNS Resiliency" defines a method (serve-stale) for recursive resolvers to use stale DNS data to avoid outages when authoritative nameservers cannot be reached to refresh expired data.

        Should you enable this feature on your resolvers? If you do enable it, what are the advantages and disadvantages? Which serve-stale options are available on the most popular open-source resolver implementations to manage and serve stale DNS data? How do the serve-stale configuration options affect the behaviour and operation of your DNS resolver?

        This talk will introduce the basics of serve-stale, and then explore how you might choose to customise the options to suit your own resolver requirements and/or constraints.

        Speaker: Cathy Almond (Internet Systems Consortium)
      • 16:00
        Kobayashi Maru: Packet Sizes 15m

        Using the DNS Flag Day 2020 limits for EDNS packet sizes from the IBM NS1 Connect servers resulted in resolvers increasing query load when faced with large apex TXT records.

        Is this a no-win scenario?

        Speaker: Shane Kerr (IBM)
      • 16:15
        Intro to Best Practices and Panel Discussion 45m

        The DNS ecosystem thrives on collaboration and shared knowledge. OARC provides critical platforms for these discussions, from the dns-operations mailing list and Mattermost server to the OARC meetings themselves. This panel will explore the potential for OARC to become the central hub for evaluating and shaping DNS Best Practices (BCPs). The discussion will focus on DNS-OARC as a proving ground for new ideas and improvements, a place to review, refine, or retire existing BCPs, and, importantly, to define the sometimes blurry line between desirable and recommended practices. The panel will emphasize that not all best practices are universally applicable, highlighting the importance of defining scope, especially considering the inherent link between zone content and operations.

        Panelists bringing diverse perspectives to the conversation:

        Stefan Ubbink (SIDN): TLD Operator (Authoritative)
        Nicolai Leymann (Telekom): Operator
        John Todd (Quad9): Operator (Resolver)
        Tejas Karandikar (Microsoft): Developer
        Suzanne Woolf (PIR): Expert advisor, Registry services
        Ralf Weber (Akamai): Operator, Content Provider
        Steve DeJong (Vercara): Operator (Authoritative)
        Eddy Winstead (ISC): Vendor
        Puneet Sood (Google): Resolver

        This panel will underscore the importance of community involvement in shaping the future of DNS best practices.

        Speakers: Phil Regnauld (DNS-OARC), Raffaele Sommese (University of Twente)
    • 18:00 20:00
      OARC 44 Social Event 2h TBC


  • Friday 7 February
    • 09:30 10:00
      Registration 30m Imperial Foyer (Atlanta Marriott Marquis)

    • 10:00 10:05
      Session 1 Start 5m Imperial Salon B

    • 10:05 11:00
      OARC 44 Day 2: Session 1 Imperial Salon B

      • 10:05
        Lame Delegation: The Hidden Goldmine for Cybercriminals 15m

        While lame delegation may be a warning in the DNS operators world, we discovered this past summer that it is a goldmine in the cybercrime operators world. In many DNS service providers, the malicious actor can claim the forgotten domain, leaving less fingerprint than a traditional dangling CNAME hijack. If there were concerns in the DNS community of this hijacking vector, it wasn't heard over in the security community, even after high profile attacks in 2019. Russian threat actors operate with impunity on free accounts, their delivery of malware and phishing going undetected over the last four years. This talk will detail several of the actors using this method to support their criminal activities and invite discussion about how to minimize this attack vector in the future.

        Speaker: Chance Tudor (Infoblox)
      • 10:20
        DGA Domain Detection and Classification with Passive DNS and Deep Learning 20m

        A brief presentation on detecting and classifying DGA domains identified in real-world traffic using Passive DNS and Deep Learning.
        We present the principles of DGA and Botnets, the fundamentals of Passive DNS and the tool used, and the Monitoring Panel that uses Deep Learning models integrated with Passive DNS to identify and classify these malicious domains in the São Paulo State University network traffic.
        The detector and classifier models were recently published in scientific articles authored by us and are included in the presentation.

        Speaker: Kim Morgan de Oliveira Ito Porto (Sao Paulo State University (UNESP))
      • 10:40
        Academic Thoughts on Data Needs for Fighting DNS Abuse 20m

        Malicious actors exploit the DNS namespace to carry out spam campaigns, phishing attacks, malware distribution, and other harmful activities. Combating these threats demands visibility into domain existence, ownership, and nameservice activity—insights that the DNS protocol itself does not inherently provide.

        In this talk, I aim to brainstorm with the operational community about the challenges and possibilities of sharing data beyond daily zone snapshots. We will explore the need for finer-grained visibility into DNS changes, the complexities of sharing business and privacy-sensitive information, and ultimately, how to enable a "follow-the-money" process to trace DNS abusers.

        The goal is to spark a discussion on the feasibility of sharing additional data: What are the benefits of such sharing? What types of harm can it help prevent? What are the risks involved, and what mitigation strategies might be possible?

        Speaker: Raffaele Sommese (University of Twente)
    • 11:00 11:30
      Mid-morning Break 30m Imperial Foyer (Atlanta Marriott Marquis)

    • 11:30 11:35
      Session 2 Start 5m Imperial Salon B

    • 11:35 12:30
      OARC 44 Day 2: Session 2 Imperial Salon B

      • 11:35
        Detection, Analysis and Measurement of DNS Tunneling Techniques 20m

        DNS tunneling is a covert communication method that can bypass traditional security mechanisms, facilitating data exfiltration and unauthorized access. This thesis investigates DNS tunneling detection on a large scale, focusing on .nl traffic at the country code top-level domain (ccTLD) level.

        The research explores existing detection methodologies and adapts them to real world constraints, leveraging a controlled DNS testbed and the ENTRADA analysis tool. Detection rules are developed and validated against testbed data and .nl traffic, employing a scoring system to identify suspicious DNS queries. Comprehensive measurements of DNS query traffic are conducted across specific dates, highlighting geographical patterns and query types linked to potential tunneling activity.

        Findings reveal that while most DNS tunneling activity is concentrated in specific regions and query types, such as "TXT" records, the proposed detection rules effectively filter out benign traffic and isolate suspicious activity. These results emphasize the importance of tailored detection strategies to enhance DNS security, offering insights for further research and practical applications in cybersecurity.

        Speaker: Damianos Christos Nikou (Radboud University)
      • 11:55
        Pink-Lemur - Convolutional Neural Network (CNN) DNS Tunneling Detection 25m

        Pink-Lemur is a convolutional neural network trained to identify string encodings associated with data-exfiltration techniques in DNS. Using a character embedding table, and bottleneck convolutional architecture, we achieve an efficient and accurate technique to distinguish exfiltration and domain name labels that are prevalent in DNS. In addition to low false-positive requirements, fast and scalable performance is required. Using a custom tensor library developed in C, we translate PyTorch models into models that can run at the edge in DNS resolvers and classify traffic in realtime. We discuss implementation challenges that were overcome and discuss performance results of implementing this algorithm on a resolver host.

        Speakers: David Rodriguez (Cisco Systems), Dr Dejan Donin (Cisco)
      • 12:20
        Special Presentation 10m
        Speaker: Paul Ebersman
    • 12:30 14:00
      Lunch 1h 30m Imperial Salon A (Atlanta Marriott Marquis)

    • 14:00 14:05
      Session 3 Start 5m Imperial Salon B

    • 14:05 15:00
      OARC 44 Day 2: Session 3 Imperial Salon B

      • 14:05
        Future Submissions: Insights from the Programme Committee 5m
        Speaker: Cathy Almond (Internet Systems Consortium)
      • 14:10
        A survey of authenticated denial of existence in DNSSEC 25m

        Authenticated Denial of Existence is one of the more challenging aspects of the DNSSEC protocol to understand. It is also one of the leading causes of implementation bugs in the field (as I've described at past OARC talks). Over time, a number of distinct variants of authenticated denial have emerged further complicating the landscape. This presentation will survey and compare the various authenticated denial of existence methods in use today, like NSEC, NSEC3, NSEC/NSEC3 White Lies, Compact Denial of Existence, etc. It will provide a brief history of protocol development in this area, discuss various negative response synthesis techniques, and tradeoffs involving traffic & computational costs, and relative security properties, like zone enumeration protection. Lastly it will quickly give an overview of implementation and deployment status of these various techniques in the field.

        Speaker: Shumon Huque (Salesforce)
      • 14:35
        New Method for Signing Wildcard Responses in Compact Denial of Existence 25m

        DNSSEC online signing is computationally expensive. In general, a DNSSEC signature cache can reduce the overhead of generating signatures on the fly. However, signature caching will not be effective for responses of wildcard records in current Compact Denial of Existence implementations, because query names can be unique and valid with wildcard expansion. In this talk, we present a new method of signing wildcard responses for Compact Denial of Existence, by using a fabricated NSEC record which is smaller than the real NSEC range but is still large enough to cover a set of non-existent records. We show that this type of wildcard response can improve the signature cache hit ratio for some DNS zones, reducing query latency and improving server performance. We verify that this new type of wildcard response is compatible with the DNS protocol and is accepted by common DNS recursive implementations like BIND and Unbound.

        Speaker: Liang Zhu (Microsoft)
    • 15:00 15:30
      Mid-afternoon Break 30m Imperial Foyer (Atlanta Marriott Marquis)

    • 15:30 15:35
      Session 4 Start 5m Imperial Salon B

    • 15:35 16:55
      OARC 44 Day 2: Session 4 Imperial Salon B

      • 15:35
        Realistic Benchmarking of DNS Resolver Cache Policies 25m

        The cache is arguably the most crucial component for the performance of a recursive resolver as perceived by its clients. In the case of a cache hit, the client receives a response without requiring the resolver to query the authoritative servers. Conversely, in the case of a cache miss, at least one (but often more) query to the authoritative servers is required.

        Decisions about the cache—such as which records to evict when it is full and which records to store initially—are governed by a cache policy, such as Least Recently Used (LRU), which is widely employed in open-source resolver implementations.

        In this talk, I will present an extensible toolchain for evaluating these cache policies using realistic traffic, while operating outside the ever-changing environment of the real Internet. The toolchain includes preprocessing an input packet capture containing client queries, collecting relevant authoritative data from the Internet, defining a high-level DNS cache policy interface, and systematically evaluating cache policies based on the provided traffic and collected data.

        Additionally, I will share preliminary results from evaluating some cache policies using traffic data from an ISP. These findings, along with future insights derived from this toolchain, should provide valuable guidance for DNS vendors in selecting caching policies for their implementations.

        Speaker: Štěpán Balážik (ISC)
      • 16:00
        Open Source Software in DNS and Name Registration Infrastructure 15m

        The Internet relies on names: the ability to register and use domain names is fundamental to internet-based services. The global, distributed infrastructure that enables naming on the Internet depends on open-source software, maintained by a delicate balance of nonprofit organizations, volunteers, and commercial entities.

        In this context, ICANN’s Security and Stability Advisory Committee (SSAC) established a work party to analyze the adoption of open-source software in the DNS supply chain. The work party considers in particular the use of open source software to implement nameserver, recursive resolver, DNSSEC signing, RDAP/WHOIS, EPP/registry and escrow functions.
        The SSAC’s goal is to inform policy making efforts or regulatory interventions that aim to discuss, modify, or regulate the development and use of such software in infrastructure, often without fully considering the critical yet hidden role of open-source software at the core of the Internet.

        This presentation will detail our initiative and planned objectives as well as enumerate where regulatory work may impact open-source projects relevant to the DNS ecosystem. We will look to gather added feedback from the operational community on the use of DNS open-source software, and explore how regulations are impacting their processes and accountability.

        Speaker: Warren Kumari (N/A)
      • 16:15
        A Devil's Advocacy for DoH 15m

        It is no secret that DNS-over-HTTPS has a mixed reputation among the DNS community. While most of the discussion revolves around privacy and centralization, censorship resiliency is often overlooked.

        In this talk I want to talk about why built-in censorship resistance has tangible benefits, how societal circumstances are another factor alongside technical design for DNS deployments and have a small discussion about how we can further improve DoH and other existing/future encrypted DNS transports in this regard.

        Speaker: Aydın Mercan (ISC)
      • 16:30
        Hot Off the Presses: RFC 9704 - Validated Split-Horizon DNS 5m

        At the end of January, the IETF published RFC 9704 - Validated Split-Horizon DNS. This talk will cover:

        • What is Split-Horizon DNS?
        • Why would someone want to validate it?
        • How do I publish a validation record for this protocol?
        • Implementation status (... none) and call to action.
        Speaker: Benjamin Schwartz (Meta)
      • 16:35
        The Last Leg: The case for Encryption for Recursive to Authoritative 5m

        Three components to this lightning talk:

        1) I'd like to describe the threat that still remains to the DNS because we do not have encryption between recursive resolvers and authoritative servers. This is based on real-world experiences from Quad9, and what we think the future holds.

        2) A plea for current operators to try out opportunistic DoT as the costs are low and the testing return is quite interesting.

        3) Make a case for standards to be worked on again for getting this turned into a more formal model that can be applied on a zone-by-zone basis, with resistance to downgrade attacks. DELEG has potential for this, but are there non-DELEG methods that are in people's minds? This is a plea for people thinking and helping on this concept - DNS-OARC/IETF/etc.

        Speaker: John Todd
      • 16:40
        How do we get users to want DNSSEC? 5m

        IMO DNSSEC adoption will not get better without getting end users involved. When a user tells a business they are taking their money elsewhere because they can't trust the domain, that will be the motivation for businesses to suffer the cost of DNSSEC. What does it take to get web browsers to change the behavior of the padlock to show that DNSSEC has failed or is not implemented? Is there any better way to get adoption?

        Speaker: Peter DeVries (Quotient Inc)
      • 16:45
        OARC 44 Closing 5m
        Speaker: Phil Regnauld (DNS-OARC)