DNS Realities in Organizations Where DNS Is Not their Business
DNS is mission-critical for enterprises, yet it is rarely their core business. Unlike TLD operators or public DNS providers, enterprises operate DNS within complex organizations shaped by hybrid infrastructures, regulatory pressure, fragmented ownership, and...
A resilient Internet requires a resilient Domain Name System (DNS).
A resilient DNS ensures the continuous availability of many services and should withstand outages (e.g., power outages or cable cuts), attacks (e.g., DDoS), and technical disruptions while still maintaining integrity and confidentiality.
In this talk, we briefly introduce our project to measure DNS resilience.
The...
QNAME minimization is an extension to the DNS protocol, designed to allow DNS resolvers to prevent disclosure of DNS activity beyond that which is necessary for resolution. Since it was originally proposed in 2014, QNAME minimization has been incorporated into most of the well-known DNS resolvers. But the question remains: how effective is QNAME minimization at preserving privacy in...
AS112 is an anycast DNS deployment that responds to junk queries, i.e. leaked queries from internal networks, which should have been handled locally. This includes reverse DNS queries for RFC1918 and link local addresses, and queries for home.arpa and service.arpa.
Unlike other anycast deployments, AS112 is volunteer-run and uncoordinated. Anyone can contribute to AS112 by setting up a DNS...
We will present a simple and comprehensive DNS cache POisoning Prevention System (POPS), designed to integrate as a module in Intrusion Prevention Systems (IPS).
POPS addresses statistical DNS poisoning attacks - documented from 2002 to the present - and offers robust protection against similar future threats. It comprises a detection module, which employs three simple rules, and a...
By way of an example, the DNS resolution result for whatismyipaddress.com can then be used to connect to evilsite.ai. This abuse at the DNS level leads to the following problem we now see widely abused:
Source network pDNS only sees known-good domain of whatismyipaddress.com.
Destination CDN only sees what appears like a valid connection to evilsite.ai.
As our industry attempts to increase...
Multi-provider DNS relies on various non-standardized setup and configuration mechanisms. As multi-provider DNS becomes more and more mainstream, moving from ad-hoc to a transparent and robust mechanism for orchestration is increasingly important. We present a general architecture for this, which has been implemented, is working and, more or less as a side-effect, mostly solves the...
DNSSEC at scale: Enabling signing across 5,500 domains in the real world
Enabling DNSSEC for a single domain is straightforward: sign the zone, submit the DS record to your registrar, verify the chain of trust. Now do it 5,500 times, across hundreds of TLDs, multiple registrars, and every corner of the global domain registry ecosystem.
This talk is a war story from an ongoing project...
A short talk about the upcoming root key rollover: important dates and milestones, and what to watch out for.
DNS resolvers increasingly support various encryption protocols, ensuring their communication with end clients remains confidential to external observers. The recursive-to-authoritative link has long been overlooked though, despite multiple reports on traffic analysis and response injection by state censors. The experimental RFC 9539 addresses this confidentiality gap with a unilateral and...
RFC 9539 - Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS (also known as ‘Blind Probing’) was published over two years ago and amongst the stated goals were:
- Protection from passive attackers for recursive-to-authoritative DNS queries.
- A road map for gaining real-world experience at scale with encrypted protections of this traffic.
- A bridge to...
DELEG is the upcoming incremental revolution of DNS, improving security, privacy and manageability. What shall authoritative DNS operators consider and do before introducing DELEGs into their zones? Let's talk about software support, the DE bit, the ADT bit, non-existence proofs, specification requirements, prerequisites and a clear overview of the necessary steps.
We think we understand how DNS is used. But what does authoritative DNS traffic at scale actually reveal about resolver behavior, application trends, and operational reality? Authoritative DNS servers sit at a uniquely powerful vantage point in enterprise infrastructure. The query and response traffic they handle offers a rich and frequently under-explored source of operational, architectural,...