Legal pressure from companies and countries to censor certain content or content creators is growing drastically; and unfortunately, many have landed upon DNS resolution prevention as a tool to achieve these aims. When a country demands that access to a specific domain be blocked for its users, the common outcome is overly broad filtering that affects users far beyond that jurisdiction (along...
I want to share our experience with the recent implementation of the new .PG Registry System (CoCCA) and DNSSEC signing.
PCH is providing DNSSEC service for those who ask for it.
Up until recently the zone operator needed to choose if they sign their zones themselves or ask us to do it for them.
By utilizing RFC 8901, the operator of a zone can do the signing themselves and serve the signed zone on their authoritatives, and have an external party do it for their systems as well to increase resiliency and...
At Internet exchanges it is not uncommon to invite DNS operators to connect anycast nodes to their Internet Exchange. This is often done pro bono, i.e. the DNS provider receives from the IX provider free colocation, IP transit for the management of the server and IX connectivity. Also, at Internet exchanges asymmetric routing is not uncommon; for example, a DNS server hosted at the exchange...
DNS operators use IP Anycast to make their DNS zones available throughout the world with improved resilience and faster response times. But which points of presence do they choose to optimize the performance of their anycast deployment?
Oftentimes, operators guess and/or empirically test anycast configurations over many iterations. We propose Autocast: a simple heuristic method to...
DNS remains a foundational component of today's Internet infrastructure, yet it continues to be targeted by abuse techniques such as flooding, amplification, and redirection. Traditional detection approaches, often based on static rules or statistical models, struggle to adapt to evolving and obfuscated abuse tactics.
In this research, we explore a protocol-aware detection approach that...
Web3 entities, such as Ethereum Name Service (ENS), increasingly face threats originating from the traditional DNS ecosystem. Threat actors exploit vulnerable Web2 domains to target Web3 users and decentralized finance (DeFi) platforms, blurring the lines between Web2 and Web3 DNS abuse landscapes.
This talk will recount real-world ENS war stories of battling such DNS abuses, focusing...
Correlation of performance data for specific queries coming from several DNS servers can be hard. This talk discusses how we use tracing data in the vendor-agnostic OpenTelemetry Trace format to provide trace information in a standard form. We show a visual representation of example traces and discuss a proposed EDNS0 extension to pass trace IDs between so correlation of trace data coming from...
This presentation focuses on real-time-capable analysis and visualization of DSC-processed authoritative DNS traffic data.
Still to this day, DSC and its legacy represent a fundamental part of worldwide observability of DNS nameserver and resolver ecosystems. Unfortunately, due to the cloud era, AI innovations and cybersecurity awareness, DSC's well-known and distributed collector-presenter...
The Domain Name System (DNS) is a foundational layer of internet infrastructure, yet the operational complexity of managing DNS has outpaced many organizations’ ability to keep up. In a recent study, Akamai evaluated the DNS posture of over 19,000 financial services institutions worldwide. The study measured adoption and configuration of DNS-related controls including SPF, DKIM, DMARC, DNSSEC,...