Legal pressure from companies and countries to censor certain content or content creators is growing drastically; and unfortunately, many have landed upon DNS resolution prevention as a tool to achieve these aims. When a country demands that access to a specific domain be blocked for its users, the common outcome is overly broad filtering that affects users far beyond that jurisdiction (along...
At Internet exchanges it is not uncommon to invite DNS operators to connect anycast nodes to their Internet Exchange. This is often done pro-bono, i.e. the DNS provider receives from the IX provider free colocation, IP transit for the management of the server, and IX connectivity. Also, at Internet exchanges asymmetric routing is not uncommon, for example, a DNS server hosted at the exchange...
Our DNS operators use IP Anycast to make .nl available throughout the world with improved resilience and faster response times. But which points of presence do they choose to optimize the latency of their anycast deployment?
Oftentimes, operators manually test and tweak anycast site selections over many iterations. In this blog we describe Autocast: a data-driven heuristic method to...
PCH is providing DNSSEC service for those who ask for it.
Up until recently the zone operator needed to choose if they sign their zones themselves or ask us to do it for them.
By utilizing RFC 8901 the operator of a zone can do the signing themselves and serve the signed zone on their authoritatives and have an external party do it for their systems as well to increase resiliency and...
Whether tryingly complex implementation and maintenance or downright breakages, DNSSEC-related nuisances are a given.
This talk wants to give a light-hearted take on DNSSEC’s failures, deserved and undeserved, by:
• sketching how severely image has impacted DNSSEC deployment – all the more so because the tech community’s self-perception as a fact-driven body has made it oblivious to this...
DNS remains a foundational component of today’s Internet, yet it is a frequent target of increasingly sophisticated DDoS attacks. Traditional detection methods based on static rules or thresholds struggle to keep pace with evolving and obfuscated abuse tactics.
In this work, we take first steps toward exploring a protocol-aware detection approach that leverages large language models (LLMs)...
Web3 entities, such as Ethereum Name Service (ENS), increasingly face threats originating from the traditional DNS ecosystem. Threat actors exploit vulnerable Web2 domains to target Web3 users and decentralized finance (DeFi) platforms, blurring the lines between Web2 and Web3 DNS abuse landscapes.
This talk will recount real-world ENS war stories of battling such DNS abuses, focusing...
This presentation focuses on realtime-capable analysis and visualization of DSC-processed authoritative DNS traffic data.
Still to this day, DSC and its legacy represent a fundamental part in worldwide observability of DNS nameserver and resolver ecosystems. Unfortunately, due to the cloud era, AI innovations and cybersecurity awareness, DSC's well known and distributed collector-presenter...
Correlation of performance data for specific queries coming from several DNS servers can be hard. This talk discusses how we use tracing data in the vendor-agnostic OpenTelemetry Trace format to provide trace information in a standard form. We show a visual representation of example traces and discuss a proposed EDNS0 extension to pass trace IDs between so correlation of trace data coming from...
The Domain Name System (DNS) is a foundational layer of internet infrastructure, yet the operational complexity of managing DNS has outpaced many organizations’ ability to keep up. In a recent study, Akamai evaluated the DNS posture of over 19,000 financial services institutions worldwide. The study measured adoption and configuration of DNS-related controls including SPF, DKIM, DMARC, DNSSEC,...
The DNS4EU project, initiated by the European Commission, aims to create a secure, EU-based alternative to existing public DNS resolvers. DNS4EU provides EU citizens, companies, and institutions with a privacy-compliant and resilient recursive DNS, ensuring that DNS traffic data remains within the European Union and supports digital sovereignty and online privacy.
The presentation is...
DNSSEC is not infallible. In certain edge circumstances, DNSSEC fails due to accidental misconfiguration, or failures which can be validated to be not related to malicious activity. Much in the way that "serve stale" allows domains to keep some functionality even during outages, Negative Trust Anchors may provide a temporary solution for recursive operators in order to prevent significant...
We'll give a short overview of the Mozilla Trusted Recursive Resolver (TRR) Program, with the intent of recruiting new DoH resolver partners for networks/regions where we have lots of Firefox users.
Enterprises operate DNS at scale, but face very different challenges than public DNS operators. Hybrid setups, multi-vendor silos, compliance requirements and limited expertise often make DNS fragile and underrepresented in broader discussions. This talk highlights these challenges and explores how enterprise DNS teams can benefit from, and contribute to, the OARC community.
Before we started with the development of our DNSSEC signing solution Cascade, we interviewed 16 TLD operators about their DNS operations. We expected the conversation to be about tooling. Instead, the answers went deeper — about trust, continuity, and compliance.
We published the results of this survey here:
https://blog.nlnetlabs.nl/dnssec-operations-in-2026-what-keeps-16-tlds-up-at-night/
Over the last few DNS-OARC workshops, we have been floating the idea of creating a group inside the OARC community to create a DNS Best Current Practices set of documents.
The initiative has started to get traction and some work has been done.
The following lightning talk explains what has been done so far and where we are planning to go in the future, with a call for action for the...