SlideShare une entreprise Scribd logo
1  sur  60
Télécharger pour lire hors ligne
DNS “Openness”
Geoff Huston AM
APNIC Labs
Openness?
When speaking about openness, we do not mean open in a competitive
sense, but rather open as in everyone can access the service:
“Can users access and distribute information and content, use and
provide applications and services, and use terminal equipment of
their choice, irrespective of the user’s or provider’s location or the
location, origin or destination of the information, content,
application or service?”
2
But that was the entire POINT
of the DNS!
The DNS was engineered to deliver the same answer to the
same query, irrespective of the querier
• The answer did not depend on who was asking, where they were
asking from, what platform they were using to generate the query,
the resolvers they used to handle the query
• The answer did not depend on the origin of the information used
to form the response, the platform used to serve this information,
nor the location of information servers
3
Openness?
When speaking about openness, we do not mean open in a competitive
sense, but rather open as in everyone can access the service::
“Can users access and distribute information and content, use and
provide applications and services, and use terminal equipment of
their choice, irrespective of the user’s or provider’s location or the
location, origin or destination of the information, content,
application or service?”
The answer is ”Yes!”
4
Really?
• Is that really true? Do we all see the same DNS?
• Really?
5
Really?
• Is that really true? Do we all see the same DNS?
• Really?
6
No!
DNS: Not Fully Open!
Why not?
• Government regulatory requirements to block the “correct”
resolution of certain DNS names
• It happens in China, UK, America, Australia, India, Russia, Syria, Iran,
Vietnam, France, Turkey,…..
• Its VERY widespread, for all kinds of national motives
7
DNS: Not Fully Open!
Why not?
• Government regulatory requirements to block the “correct”
resolution of certain DNS names
• Occasional ISP desires to monetise the DNS
• NXDOMAIN substitution to direct traffic from named destinations
or services that do not exist to other destinations or services of
their choosing
8
DNS: Not Fully Open!
Why not?
• Government regulatory requirements to block the “correct”
resolution of certain DNS names
• Occasional ISP desires to monetise the DNS
• Threat mitigation where the DNS names associated with
malware are blocked
• Such as Quad9 threat intelligence informed DNS resolution
9
Is this a ”problem”?
Generally not:
• Nation states have a sovereign right to make such rules and bind
their citizens to such rules
• Threat mitigation is typically regarded as a Good Thing rather than
an incursion against the utility of a single DNS
10
Is this a ”problem”?
It’s a problem when it gets used as a lever in a different
fight
• Such as the Australian rule to force Australian ISPs to
block the DNS resolution of “thepiratebay.org”
• It only pushes determined users to alternate name resolution
strategies and ultimately is a comprehensive waste of
everyone’s time!
But even this is a relative sideshow to the larger DNS
11
Another interpretation of
“Openness”?
When speaking about openness we might not mean open in a sense of
consistency across providers and across client transactions, but rather:
Is the DNS an “open” system?
12
This is an echo of the 1980’s move by this industry to embrace “open” technology, as in Open Systems Interconnect (OSI) for
networking, open computer architectures, open operating systems. “Open” is being used here in the sense that it is intentionally
positioned as the opposite of a vendor-proprietary “Closed” technology.
Is the DNS “Open”?
Yes!
• The DNS name resolution protocol is openly specified without any IPR
encumbrance
• Fully functional implementations of the DNS protocol are available as
open source
• DNS name servers are configured as open “promiscuous” responders
and will provide the same response to a query irrespective of the
identity of the querier
• DNS information is openly available
• There is some subtle qualification here in that the collection of a zone file may
not be openly available, but the individual records in a zone can be queried
• DNS queries and responses are “open”
13
Is the DNS “Open”?
Yes!
• The DNS name resolution protocol is openly specified without any IPR
encumbrance
• Fully functional implementations of the DNS protocol are available as
open source
• DNS name servers are configured as open “promiscuous” responders
and will provide the same response to a query irrespective of the
identity of the querier
• DNS information is openly available
• There is some subtle qualification here in that the collection of a zone file may
not be openly available, but the individual records in a zone can be queried
• DNS queries and responses are “open”
14
Which is a massive problem!
When “openness” is a weakness
The DNS is used by everyone and everything
• Because pretty much everything you do on the net starts
with a call to the DNS
• If we could see your stream of DNS queries in real time we
could easily assemble a detailed profile of you and your
interests and activities - as it happens!
• If we could edit your DNS responses we could make services
disappear from your Internet!
15
https://xkcd.com/1361/
16
Lets look into this further
The DNS is mapping system which takes human-use labels that name
services and maps these labels to IP addresses
17
Lets look into this further
The DNS is mapping system which takes human-use labels that name
services and maps these labels to IP addresses
18
1. Connect to www.google.com
DNS: What’s an IP address for www.google.com?
DNS
System
142.250.204.4
2. Send a TCP SYN packet to destination 142.250.204.4
What’s in that DNS “cloud”?
19
DNS
System
queries
responses
The Hidden parts of “Open”
• For an open technology the infrastructure and process of name
resolution in the DNS is incredibly opaque
• Once queries are passed to the DNS resolution infrastructure they
are impossible to trace. Each element does not simply forward a
query, but casts an entirely new query using its own identity
• There is no query tracing and no clear way to probe into the DNS
infrastructure
• There could be query chains circling in the DNS infrastructure in a
hidden loop and no one would be any the wiser!
• It is challenging to gauge the level of hidden interdependency in the
DNS, nor the level of ongoing centralisation of infrastructure
functions in the DNS
20
The Hidden parts of “Open”
• For an open technology the infrastructure and process of name
resolution in the DNS is incredibly opaque
• Once queries are passed to the DNS resolution infrastructure they
are impossible to trace. Each element does not simply forward a
query, but casts an entirely new query using its own identity
• There is no query tracing and no clear way to probe into the DNS
infrastructure
• There could be query chains circling in the DNS infrastructure in a
hidden loop and no one would be any the wiser!
• It is challenging to gauge the level of hidden interdependency in the
DNS, nor the level of ongoing centralisation of infrastructure
functions in the DNS
21
The fact that the DNS works
at all is amazing. The fact that
it works at speed and volume
is a modern miracle!
But all that is still not all of
“the DNS”
• The DNS is more than its mapping role, and more than its
infrastructure elements of resolvers and servers
• So what is the DNS?
22
What is “the DNS”?
Multiple Choice – tick all that apply:
qA name space: A collection of word-strings that are organised into a
hierarchy of labels
qA distributed name registration framework that assigns a unique
“license to use” to human-centric word-strings to entities (for money)
qA distributed database that maps human-centric word-strings into IP
addresses
qA protocol used by DNS protocol speakers to “resolve” a word-string
into a defined attribute (usually an IP address)
qA signalling medium that is universally supported across all of
the Internet
23
Orchestration of the DNS
• If the DNS is a set of functions and a set of various actors in this space
then how are their individual actions orchestrated to provide a
cohesive outcome?
• How can client use the functions of “the DNS” if there is no one
orchestrating all these elements of the name infrastructure?
• Why does all this work in a completely deregulated space?
• The answers lie in Markets and Market Signalling
24
What are DNS “Markets”?
The DNS is not a single market – it is a highly devolved framework and there
are a number of discrete markets that are at best loosely coupled
Some of these markets are:
• The market for new “top level” labels (gTLDs) operated by ICANN. This market is open
to ICANN-qualified registry operators. A registry has an exclusive license to operate a
TLD.
• The market for “registrars”, who act as retailers of DNS names and deal with clients
(registrants) and register the client’s DNS names into the appropriate registry
• The market for clients to register a DNS name with a registry
• The market for DNS name certification, which is a third party that attests that an entity
has control of a domain name
• The market for DNS name resolution where users direct their queries to a resolver and
the resolver provides DNS “answers”
• The market for hosting authoritative name services, where “bigger is better” has
driven a highly aggregated market
• The market for DNS query logs 25
Maybe it’s more than markets
• Perhaps this is best viewed as a collection of market needs, or
requirements
• Some are well established
• Some are emergent requirements
• Perhaps the question could be rephrased as one that asks to what
extent are conventional open markets a good fit for these various
DNS requirements
• And to what extent these market-based mechanisms are failing to
respond to these needs?
26
So, what should we talk about?
If we want to talk about the DNS as a deregulated activity orchestrated
through the operation of open markets then there are a few more
things to bear in mind:
• The DNS is not a single market place, or even a collection of inter-dependent
and tightly coupled market place
• The DNS is constructed of many elements, some of which appear to behave
as tightly regulated markets, some of which are openly competitive markets,
some of which are comprehensive market failures!
27
So, what should we talk about?
Maybe we should think of the DNS using a number of themes to give
some focus to this consideration of market effectiveness
28
Current DNS Themes
There are so many themes in the DNS, and here are just a few:
• DNS as a control element
• DNS and privacy
• DNS and trust
• DNS and name space fragmentation
• DNS as a rendezvous tool
• DNS as a collection of markets
• DNS and market aggregation
• DNS and abuse and cyber attacks
• DNS as an economic failure
• DNS as the last remaining definition of a coherent Internet
29
This is now a very big agenda
• Far bigger than we have time for here!
• So I’ll just take a couple of themes and develop them further
30
I. The Open Market for Trust
31
DNS and Trust
Can you trust what you learn from the DNS?
32
DNS and Trust
Can you trust what you learn from the DNS?
NO!
33
DNS and Trust
Can you trust what you learn from the DNS?
NO!
• DNS responses can be altered in various ways that are challenging to detect
• We know how to improve this situation by using digital cryptography to protect
the integrity, accuracy and currency of DNS responses
• But does this capability for an improvement in the trust of the DNS correlate to
a visible consumer preference?
• Is security in the DNS a market failure?
34
DNSSEC
• A framework to attach digital signatures to DNS responses that attest
to the accuracy and currency of the DNS response
• The method of attachment does not alter the behaviour of the DNS protocol,
nor does it require any changes to DNS servers
• A procedure for clients to follow to validate the DNS response through
the processing of this digital signature
Changes:
• Zone management – add DNSSEC digital signature records through ”zone signing”
• Registry management – add DS records alongside NS records for delegated zones
• Client behaviour – perform additional DNS queries to perform digital signature
validation 35
Is DNSSEC being used?
You might think that a change to the DNS that improved the trust in the
DNS would prove to be highly popular in the DNS space
• DNS name “owners” would like their name to be trustworthy
• DNS users would like the names they use to be “genuine” and trustable
So every part of the DNS would want to use DNSSEC!
Right?
Let’s see if this requirement has been translated by the DNS service
market into a service offering by looking at the current metrics of the
use of DNSSEC
36
Is DNSSEC being used?
37
Who validates DNS responses?
Is DNSSEC being used?
38
Who validates DNS responses?
Is DNSSEC being used?
39
Validation Rate of Signed DNS responses
2014 2016 2018 2020
28% of users are
behind DNSSEC-
validating resolvers
who will not resolve
a badly signed DNS
name
Quarter Full, or
Three Quarters Empty??
40
Validation Rate of Signed DNS responses
2014 2016 2018 2020
Three quarters of
the Internet’s user
base can’t or won’t
check if a DNS
response is genuine
Problems with DNSSEC
41
• Large DNS responses cause robustness issues for DNS
• Getting large responses through the network has reliability issues with
UDP packet fragmentation and timing issues with signalled cut-over to
TCP
• The validator has to perform a full backtrace query sequence to
assemble the full DNSSEC signature chain
• So the problem is that DNSSEC validation may entail a sequence of
queries where each of the responses may require encounter UDP
fragmentation packet loss
All this adds to the time to resolve a signed name
And nobody is tolerant of delays in today’s Internet
Some More Problems with DNSSEC
42
• Cryptographically “stronger” keys tend to be bigger keys over time, so
the issue of cramming more data into DNS transactions is not going
away!
• The stub-to-recursive hop is generally not using validation, so the user
ends up trusting the validating recursive resolver in any case
The current DNSSEC framework represents a lot of effort for only a a
tiny marginal gain
DNSSEC is a Market Failure!
• Users don’t pay for queries
• Users have no leverage with recursive resolvers in terms of expressing
their preference for authenticity in DNS responses
• Users don’t have a choice in what they query for
• Users have no ability to express a preference for only using domain
names that are signed
• The benefits of a signed DNS zone and validating resolvers are
indirect
• Cost and benefit are totally mis-aligned in this space!
43
DNS Trust is a Market Failure!
• If it wasn’t for the lead taken by Google and their adoption of DNSSEC
validation in their Public DNS Service then its likely that DNSSEC
would still be a complete failure
• And only was possible because of the significant level of market share
in the use of Google’s Public DNS Service
• So perhaps we should look at the market for DNS resolvers to see if
others are taking up this lead
44
II. The Open Market for DNS
Resolution
45
Who Resolves My Names?
46
My ISP
Google
Same country, different network
(likely to still be my ISP)
Everyone else
Who Resolves My Names?
If this is a market then it appears to be highly skewed:
• Google has a market share of just under 30% of all users
• The next largest open resolvers are Cloudflare (4%), OpenDNS (2%) and Quad9
(0.5%)
• Everything else is just the default of the local ISP performing the name resolution
service for their customers
Why has this happened?
How has Google succeeded and other open DNS resolver services appear
to struggle to get significant adoption by clients? 47
The DNS Name Resolution Economy
• In the public Internet, end clients don’t normally pay directly for DNS
name resolution services
• Which implies that outside of the domain of the local ISP, DNS
resolvers are essentially unfunded by the resolver’s clients
• And efforts to monetise the DNS with various forms of funded
misdirection (such as NXDOMAIN substitution) are generally viewed
with extreme disfavour
• Open Resolver efforts run the risk of success-disaster
• The more they are used, the greater the funding problem to run them at scale
• The greater the funding problem the greater the temptation to monetise the
DNS resolver function in more subtle ways
48
Google is Special
• Search is a critical asset for GOOGLE
• Search drives eyeballs and profiles
• Eyeballs and profiles drive advertising
• Advertising drives revenue
• If we could use the DNS as a defacto search engine then Google has a problem
• But that’s what is happening when DNS resolvers don’t pass back NXDOMAIN but instead
pass back a reference to a search engine, or even better use a search engine to pass back
the resolution response that a hidden search engine result obtained when it processed
the queried DNS name
• So it’s in Google’s interests to have a fast, accurate and unaltered DNS
resolution service
• And Google’s real target market for this service is not individual users, but ISPs
• Because the real threat model for Google is NXDOMAIN substitution and other forms of
DNS response manipulation by ISPs as a local revenue source
• No other Open DNS resolver service shares Google’s motivation 49
III. Open Market Fragmentation
50
The DNS Name Resolution Economy
• The default option is that the ISP funds and operate the recursive DNS
service, funded by the ISP’s client base
>70% of all end clients use their ISPs’ DNS resolvers
• However the fact that it works today does not mean that you can
double the input costs and expect it to just keep on working
tomorrow
• For ISPs the DNS is a cost department, not a revenue source
• We should expect strong resistance from ISPs to increase their costs in DNS
service provision
51
The resistance to change in
the DNS
• The quality of an ISP’s DNS service does not appear to be a significant
competitive discriminatory factor in the consumer market
• So the ISP does not generally devote many resources to tuning their DNS
infrastructure for high performance, resiliency and innovation
• Most users don’t change their platform settings from the defaults and
CPE based service provisioning in the wired networks and direct
provisioning in mobile networks will persist
• So current innovations such as improved DNS privacy (DNS over TLS,
DNS over HTTPS) are looking like being another mainstream market
failure in the DNS space
52
The resistance to change in
the DNS
• The quality of an ISP’s DNS service does not appear to be a significant
competitive discriminatory factor in the consumer market
• So the ISP does not generally devote many resources to tuning their DNS
infrastructure for high performance, resiliency and innovation
• Most users don’t change their platform settings from the defaults and
CPE based service provisioning in the wired networks and direct
provisioning in mobile networks will persist
• So current innovations such as improved DNS privacy (DNS over TLS,
DNS over HTTPS) are looking like being another mainstream market
failure in the DNS space
53
But maybe this is not the full story …
Fragmenting the DNS
• Is appears more likely that applications who want to tailor their DNS
use to adopt a more private profile will hive off to use DNS over
HTTPS to an application-selected DNS service, while the platform
itself will continue to use libraries that will default to DNS over UDP to
the ISP-provided recursive DNS resolver
• That way the application ecosystem can fund its own DNS privacy
infrastructure and avoid waiting for everyone else to make the
necessary infrastructure and service investments before they can
adopt DNS privacy themselves
• The prospect of application-specific naming services is a very real
prospect in this scenario
54
Fragmenting the DNS
• Is appears more likely that applications who want to tailor their DNS
use to adopt a more private profile will hive off to use DNS over
HTTPS to an application-selected DNS service, while the platform
itself will continue to use libraries that will default to DNS over UDP to
the ISP-provided recursive DNS resolver
• That way the application ecosystem can fund its own DNS privacy
infrastructure and avoid waiting for everyone else to make the
necessary infrastructure and service investments before they can
adopt DNS privacy themselves
• The prospect of application-specific naming services is a very real
prospect in this scenario
Those parts of the Internet space with
sufficient motivation and resources will
simply stop waiting for everyone else
to move. They will just do what they
feel they need to do!
55
All the Money is in Content
• And this means that applications are driving the Internet market these
days
• Applications are increasingly drawing in platform and infrastructure
services directly into the application
• QUIC
• DNS over HTTPS
• That way they avoid paying the costs of upgrading legacy infrastructure
and waiting for platform upgrades
• And applications no longer have to sustain a single name space, or even
sustain uniform protocol interoperability
• Apart from UDP!
• So they just won’t pay 56
It’s life Jim, but not as we
know it!*
• The overall progression here is an evolution from network-centric
services to platform-centric services to today’s world of application-
centric services
• It’s clear that the DNS is being swept up in this shift, and the DNS is
changing in almost every respect
• The future prospects of a single unified coherent name space as
embodied in the DNS, as we currently know it, for the entire internet
service domain are looking pretty poor right now!
* With apologies to the Trekkies!
57
Is the DNS “Open”?
• Yes, today, its sort of open
58
Although the cracks are clearly evident with the use of various DNS customizations to tailor each
DNS response to the querier, the interest in lifting the DNS into the application space as an
application service and not a common infrastructure, the strong levels of centralisation and the
destruction of open competition in this space, the continuing erosion of trust and the strong
commercial impetus to use the DNS as a profiling tool in the surveillance economy.
Will it continue to be “open”?
• Probably not!
59
It’s just getting too hard to keep it together and keep it open and the market-based
pressures continue to tear the DNS apart and haul it away from a unified open space
into a set of close and opaque markets with a fragmented name space.
And the common benefit of a single, cohesive open name space for the Internet looks
like being a victim of the Tragedy of the Commons
Picture Credit: Fred Davis, Flickr, Creative COMMONS: Attribution-NonCommercial-NoDerivs 2.0 Generic (CC BY-NC-ND 2.0) https://bit.ly/31qpYGA
60

Contenu connexe

Tendances

Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end userAPNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 -  DDoS attacks in an IPv6 WorldHKNOG 1.0 -  DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldTom Paseka
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operatorsAPNIC
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectAPNIC
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...SolarWinds
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeMyNOG
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & TroubleshootingAPNIC
 
Traffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsTraffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsMyNOG
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.
 
APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking Siena Perry
 
Campus networking
Campus networkingCampus networking
Campus networkingJisc
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and SecurityAPNIC
 
Building and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast networkBuilding and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast networkAPNIC
 
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08NetFlowAuditor
 
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...SolarWinds
 

Tendances (20)

Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 -  DDoS attacks in an IPv6 WorldHKNOG 1.0 -  DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring Project
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
 
Traffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsTraffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield Systems
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
 
APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking
 
Campus networking
Campus networkingCampus networking
Campus networking
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and Security
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
Building and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast networkBuilding and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast network
 
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
 
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
 

Similaire à NANOG 84: DNS Openness

DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Responsepm123008
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOHAPNIC
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesJohn Bambenek
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
 
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
Measuring the centralization of DNS resolution'  presentation by Geoff Huston...Measuring the centralization of DNS resolution'  presentation by Geoff Huston...
Measuring the centralization of DNS resolution' presentation by Geoff Huston...APNIC
 
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff HustonResolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff HustonAPNIC
 
DNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we useDNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we useAPNIC
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 
DNS privacy
DNS privacyDNS privacy
DNS privacyAPNIC
 
mnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHmnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHAPNIC
 
What Is DNS ?
What Is DNS ?What Is DNS ?
What Is DNS ?GTCSYS
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name SystemWhoisXML API
 

Similaire à NANOG 84: DNS Openness (20)

DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
 
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
Measuring the centralization of DNS resolution'  presentation by Geoff Huston...Measuring the centralization of DNS resolution'  presentation by Geoff Huston...
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
 
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff HustonResolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
 
DNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we useDNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we use
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
DNS privacy
DNS privacyDNS privacy
DNS privacy
 
mnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHmnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOH
 
What Is DNS ?
What Is DNS ?What Is DNS ?
What Is DNS ?
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 

Plus de APNIC

Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessAPNIC
 
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkAPNIC
 
VNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkVNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkAPNIC
 
40th TWNIC Open Policy Meeting: APNIC PDP update
40th TWNIC Open Policy Meeting: APNIC PDP update40th TWNIC Open Policy Meeting: APNIC PDP update
40th TWNIC Open Policy Meeting: APNIC PDP updateAPNIC
 
40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUIC40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUICAPNIC
 

Plus de APNIC (20)

Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or lessPacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
PacNOG 32: Resource Public Key Infrastructure (RPKI) in 30 minutes or less
 
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
 
VNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkVNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and Starlink
 
40th TWNIC Open Policy Meeting: APNIC PDP update
40th TWNIC Open Policy Meeting: APNIC PDP update40th TWNIC Open Policy Meeting: APNIC PDP update
40th TWNIC Open Policy Meeting: APNIC PDP update
 
40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUIC40th TWNIC Open Policy Meeting: A quick look at QUIC
40th TWNIC Open Policy Meeting: A quick look at QUIC
 

Dernier

Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdfShreedeep Rayamajhi
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteMavein
 
Niche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusNiche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusSkylark Nobin
 
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxA_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxjayshuklatrainer
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Shubham Pant
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsRoxana Stingu
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024Jan Löffler
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfmchristianalwyn
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxnaveenithkrishnan
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilitiesalihassaah1994
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpressssuser166378
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSlesteraporado16
 
world Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxworld Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxnaveenithkrishnan
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSedrianrheine
 

Dernier (14)

Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a Website
 
Niche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusNiche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus Bonus
 
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxA_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptx
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpress
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
 
world Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxworld Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptx
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
 

NANOG 84: DNS Openness

  • 2. Openness? When speaking about openness, we do not mean open in a competitive sense, but rather open as in everyone can access the service: “Can users access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of the user’s or provider’s location or the location, origin or destination of the information, content, application or service?” 2
  • 3. But that was the entire POINT of the DNS! The DNS was engineered to deliver the same answer to the same query, irrespective of the querier • The answer did not depend on who was asking, where they were asking from, what platform they were using to generate the query, the resolvers they used to handle the query • The answer did not depend on the origin of the information used to form the response, the platform used to serve this information, nor the location of information servers 3
  • 4. Openness? When speaking about openness, we do not mean open in a competitive sense, but rather open as in everyone can access the service:: “Can users access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of the user’s or provider’s location or the location, origin or destination of the information, content, application or service?” The answer is ”Yes!” 4
  • 5. Really? • Is that really true? Do we all see the same DNS? • Really? 5
  • 6. Really? • Is that really true? Do we all see the same DNS? • Really? 6 No!
  • 7. DNS: Not Fully Open! Why not? • Government regulatory requirements to block the “correct” resolution of certain DNS names • It happens in China, UK, America, Australia, India, Russia, Syria, Iran, Vietnam, France, Turkey,….. • Its VERY widespread, for all kinds of national motives 7
  • 8. DNS: Not Fully Open! Why not? • Government regulatory requirements to block the “correct” resolution of certain DNS names • Occasional ISP desires to monetise the DNS • NXDOMAIN substitution to direct traffic from named destinations or services that do not exist to other destinations or services of their choosing 8
  • 9. DNS: Not Fully Open! Why not? • Government regulatory requirements to block the “correct” resolution of certain DNS names • Occasional ISP desires to monetise the DNS • Threat mitigation where the DNS names associated with malware are blocked • Such as Quad9 threat intelligence informed DNS resolution 9
  • 10. Is this a ”problem”? Generally not: • Nation states have a sovereign right to make such rules and bind their citizens to such rules • Threat mitigation is typically regarded as a Good Thing rather than an incursion against the utility of a single DNS 10
  • 11. Is this a ”problem”? It’s a problem when it gets used as a lever in a different fight • Such as the Australian rule to force Australian ISPs to block the DNS resolution of “thepiratebay.org” • It only pushes determined users to alternate name resolution strategies and ultimately is a comprehensive waste of everyone’s time! But even this is a relative sideshow to the larger DNS 11
  • 12. Another interpretation of “Openness”? When speaking about openness we might not mean open in a sense of consistency across providers and across client transactions, but rather: Is the DNS an “open” system? 12 This is an echo of the 1980’s move by this industry to embrace “open” technology, as in Open Systems Interconnect (OSI) for networking, open computer architectures, open operating systems. “Open” is being used here in the sense that it is intentionally positioned as the opposite of a vendor-proprietary “Closed” technology.
  • 13. Is the DNS “Open”? Yes! • The DNS name resolution protocol is openly specified without any IPR encumbrance • Fully functional implementations of the DNS protocol are available as open source • DNS name servers are configured as open “promiscuous” responders and will provide the same response to a query irrespective of the identity of the querier • DNS information is openly available • There is some subtle qualification here in that the collection of a zone file may not be openly available, but the individual records in a zone can be queried • DNS queries and responses are “open” 13
  • 14. Is the DNS “Open”? Yes! • The DNS name resolution protocol is openly specified without any IPR encumbrance • Fully functional implementations of the DNS protocol are available as open source • DNS name servers are configured as open “promiscuous” responders and will provide the same response to a query irrespective of the identity of the querier • DNS information is openly available • There is some subtle qualification here in that the collection of a zone file may not be openly available, but the individual records in a zone can be queried • DNS queries and responses are “open” 14 Which is a massive problem!
  • 15. When “openness” is a weakness The DNS is used by everyone and everything • Because pretty much everything you do on the net starts with a call to the DNS • If we could see your stream of DNS queries in real time we could easily assemble a detailed profile of you and your interests and activities - as it happens! • If we could edit your DNS responses we could make services disappear from your Internet! 15
  • 17. Lets look into this further The DNS is mapping system which takes human-use labels that name services and maps these labels to IP addresses 17
  • 18. Lets look into this further The DNS is mapping system which takes human-use labels that name services and maps these labels to IP addresses 18 1. Connect to www.google.com DNS: What’s an IP address for www.google.com? DNS System 142.250.204.4 2. Send a TCP SYN packet to destination 142.250.204.4
  • 19. What’s in that DNS “cloud”? 19 DNS System queries responses
  • 20. The Hidden parts of “Open” • For an open technology the infrastructure and process of name resolution in the DNS is incredibly opaque • Once queries are passed to the DNS resolution infrastructure they are impossible to trace. Each element does not simply forward a query, but casts an entirely new query using its own identity • There is no query tracing and no clear way to probe into the DNS infrastructure • There could be query chains circling in the DNS infrastructure in a hidden loop and no one would be any the wiser! • It is challenging to gauge the level of hidden interdependency in the DNS, nor the level of ongoing centralisation of infrastructure functions in the DNS 20
  • 21. The Hidden parts of “Open” • For an open technology the infrastructure and process of name resolution in the DNS is incredibly opaque • Once queries are passed to the DNS resolution infrastructure they are impossible to trace. Each element does not simply forward a query, but casts an entirely new query using its own identity • There is no query tracing and no clear way to probe into the DNS infrastructure • There could be query chains circling in the DNS infrastructure in a hidden loop and no one would be any the wiser! • It is challenging to gauge the level of hidden interdependency in the DNS, nor the level of ongoing centralisation of infrastructure functions in the DNS 21 The fact that the DNS works at all is amazing. The fact that it works at speed and volume is a modern miracle!
  • 22. But all that is still not all of “the DNS” • The DNS is more than its mapping role, and more than its infrastructure elements of resolvers and servers • So what is the DNS? 22
  • 23. What is “the DNS”? Multiple Choice – tick all that apply: qA name space: A collection of word-strings that are organised into a hierarchy of labels qA distributed name registration framework that assigns a unique “license to use” to human-centric word-strings to entities (for money) qA distributed database that maps human-centric word-strings into IP addresses qA protocol used by DNS protocol speakers to “resolve” a word-string into a defined attribute (usually an IP address) qA signalling medium that is universally supported across all of the Internet 23
  • 24. Orchestration of the DNS • If the DNS is a set of functions and a set of various actors in this space then how are their individual actions orchestrated to provide a cohesive outcome? • How can client use the functions of “the DNS” if there is no one orchestrating all these elements of the name infrastructure? • Why does all this work in a completely deregulated space? • The answers lie in Markets and Market Signalling 24
  • 25. What are DNS “Markets”? The DNS is not a single market – it is a highly devolved framework and there are a number of discrete markets that are at best loosely coupled Some of these markets are: • The market for new “top level” labels (gTLDs) operated by ICANN. This market is open to ICANN-qualified registry operators. A registry has an exclusive license to operate a TLD. • The market for “registrars”, who act as retailers of DNS names and deal with clients (registrants) and register the client’s DNS names into the appropriate registry • The market for clients to register a DNS name with a registry • The market for DNS name certification, which is a third party that attests that an entity has control of a domain name • The market for DNS name resolution where users direct their queries to a resolver and the resolver provides DNS “answers” • The market for hosting authoritative name services, where “bigger is better” has driven a highly aggregated market • The market for DNS query logs 25
  • 26. Maybe it’s more than markets • Perhaps this is best viewed as a collection of market needs, or requirements • Some are well established • Some are emergent requirements • Perhaps the question could be rephrased as one that asks to what extent are conventional open markets a good fit for these various DNS requirements • And to what extent these market-based mechanisms are failing to respond to these needs? 26
  • 27. So, what should we talk about? If we want to talk about the DNS as a deregulated activity orchestrated through the operation of open markets then there are a few more things to bear in mind: • The DNS is not a single market place, or even a collection of inter-dependent and tightly coupled market place • The DNS is constructed of many elements, some of which appear to behave as tightly regulated markets, some of which are openly competitive markets, some of which are comprehensive market failures! 27
  • 28. So, what should we talk about? Maybe we should think of the DNS using a number of themes to give some focus to this consideration of market effectiveness 28
  • 29. Current DNS Themes There are so many themes in the DNS, and here are just a few: • DNS as a control element • DNS and privacy • DNS and trust • DNS and name space fragmentation • DNS as a rendezvous tool • DNS as a collection of markets • DNS and market aggregation • DNS and abuse and cyber attacks • DNS as an economic failure • DNS as the last remaining definition of a coherent Internet 29
  • 30. This is now a very big agenda • Far bigger than we have time for here! • So I’ll just take a couple of themes and develop them further 30
  • 31. I. The Open Market for Trust 31
  • 32. DNS and Trust Can you trust what you learn from the DNS? 32
  • 33. DNS and Trust Can you trust what you learn from the DNS? NO! 33
  • 34. DNS and Trust Can you trust what you learn from the DNS? NO! • DNS responses can be altered in various ways that are challenging to detect • We know how to improve this situation by using digital cryptography to protect the integrity, accuracy and currency of DNS responses • But does this capability for an improvement in the trust of the DNS correlate to a visible consumer preference? • Is security in the DNS a market failure? 34
  • 35. DNSSEC • A framework to attach digital signatures to DNS responses that attest to the accuracy and currency of the DNS response • The method of attachment does not alter the behaviour of the DNS protocol, nor does it require any changes to DNS servers • A procedure for clients to follow to validate the DNS response through the processing of this digital signature Changes: • Zone management – add DNSSEC digital signature records through ”zone signing” • Registry management – add DS records alongside NS records for delegated zones • Client behaviour – perform additional DNS queries to perform digital signature validation 35
  • 36. Is DNSSEC being used? You might think that a change to the DNS that improved the trust in the DNS would prove to be highly popular in the DNS space • DNS name “owners” would like their name to be trustworthy • DNS users would like the names they use to be “genuine” and trustable So every part of the DNS would want to use DNSSEC! Right? Let’s see if this requirement has been translated by the DNS service market into a service offering by looking at the current metrics of the use of DNSSEC 36
  • 37. Is DNSSEC being used? 37 Who validates DNS responses?
  • 38. Is DNSSEC being used? 38 Who validates DNS responses?
  • 39. Is DNSSEC being used? 39 Validation Rate of Signed DNS responses 2014 2016 2018 2020 28% of users are behind DNSSEC- validating resolvers who will not resolve a badly signed DNS name
  • 40. Quarter Full, or Three Quarters Empty?? 40 Validation Rate of Signed DNS responses 2014 2016 2018 2020 Three quarters of the Internet’s user base can’t or won’t check if a DNS response is genuine
  • 41. Problems with DNSSEC 41 • Large DNS responses cause robustness issues for DNS • Getting large responses through the network has reliability issues with UDP packet fragmentation and timing issues with signalled cut-over to TCP • The validator has to perform a full backtrace query sequence to assemble the full DNSSEC signature chain • So the problem is that DNSSEC validation may entail a sequence of queries where each of the responses may require encounter UDP fragmentation packet loss All this adds to the time to resolve a signed name And nobody is tolerant of delays in today’s Internet
  • 42. Some More Problems with DNSSEC 42 • Cryptographically “stronger” keys tend to be bigger keys over time, so the issue of cramming more data into DNS transactions is not going away! • The stub-to-recursive hop is generally not using validation, so the user ends up trusting the validating recursive resolver in any case The current DNSSEC framework represents a lot of effort for only a a tiny marginal gain
  • 43. DNSSEC is a Market Failure! • Users don’t pay for queries • Users have no leverage with recursive resolvers in terms of expressing their preference for authenticity in DNS responses • Users don’t have a choice in what they query for • Users have no ability to express a preference for only using domain names that are signed • The benefits of a signed DNS zone and validating resolvers are indirect • Cost and benefit are totally mis-aligned in this space! 43
  • 44. DNS Trust is a Market Failure! • If it wasn’t for the lead taken by Google and their adoption of DNSSEC validation in their Public DNS Service then its likely that DNSSEC would still be a complete failure • And only was possible because of the significant level of market share in the use of Google’s Public DNS Service • So perhaps we should look at the market for DNS resolvers to see if others are taking up this lead 44
  • 45. II. The Open Market for DNS Resolution 45
  • 46. Who Resolves My Names? 46 My ISP Google Same country, different network (likely to still be my ISP) Everyone else
  • 47. Who Resolves My Names? If this is a market then it appears to be highly skewed: • Google has a market share of just under 30% of all users • The next largest open resolvers are Cloudflare (4%), OpenDNS (2%) and Quad9 (0.5%) • Everything else is just the default of the local ISP performing the name resolution service for their customers Why has this happened? How has Google succeeded and other open DNS resolver services appear to struggle to get significant adoption by clients? 47
  • 48. The DNS Name Resolution Economy • In the public Internet, end clients don’t normally pay directly for DNS name resolution services • Which implies that outside of the domain of the local ISP, DNS resolvers are essentially unfunded by the resolver’s clients • And efforts to monetise the DNS with various forms of funded misdirection (such as NXDOMAIN substitution) are generally viewed with extreme disfavour • Open Resolver efforts run the risk of success-disaster • The more they are used, the greater the funding problem to run them at scale • The greater the funding problem the greater the temptation to monetise the DNS resolver function in more subtle ways 48
  • 49. Google is Special • Search is a critical asset for GOOGLE • Search drives eyeballs and profiles • Eyeballs and profiles drive advertising • Advertising drives revenue • If we could use the DNS as a defacto search engine then Google has a problem • But that’s what is happening when DNS resolvers don’t pass back NXDOMAIN but instead pass back a reference to a search engine, or even better use a search engine to pass back the resolution response that a hidden search engine result obtained when it processed the queried DNS name • So it’s in Google’s interests to have a fast, accurate and unaltered DNS resolution service • And Google’s real target market for this service is not individual users, but ISPs • Because the real threat model for Google is NXDOMAIN substitution and other forms of DNS response manipulation by ISPs as a local revenue source • No other Open DNS resolver service shares Google’s motivation 49
  • 50. III. Open Market Fragmentation 50
  • 51. The DNS Name Resolution Economy • The default option is that the ISP funds and operate the recursive DNS service, funded by the ISP’s client base >70% of all end clients use their ISPs’ DNS resolvers • However the fact that it works today does not mean that you can double the input costs and expect it to just keep on working tomorrow • For ISPs the DNS is a cost department, not a revenue source • We should expect strong resistance from ISPs to increase their costs in DNS service provision 51
  • 52. The resistance to change in the DNS • The quality of an ISP’s DNS service does not appear to be a significant competitive discriminatory factor in the consumer market • So the ISP does not generally devote many resources to tuning their DNS infrastructure for high performance, resiliency and innovation • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist • So current innovations such as improved DNS privacy (DNS over TLS, DNS over HTTPS) are looking like being another mainstream market failure in the DNS space 52
  • 53. The resistance to change in the DNS • The quality of an ISP’s DNS service does not appear to be a significant competitive discriminatory factor in the consumer market • So the ISP does not generally devote many resources to tuning their DNS infrastructure for high performance, resiliency and innovation • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist • So current innovations such as improved DNS privacy (DNS over TLS, DNS over HTTPS) are looking like being another mainstream market failure in the DNS space 53 But maybe this is not the full story …
  • 54. Fragmenting the DNS • Is appears more likely that applications who want to tailor their DNS use to adopt a more private profile will hive off to use DNS over HTTPS to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP-provided recursive DNS resolver • That way the application ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves • The prospect of application-specific naming services is a very real prospect in this scenario 54
  • 55. Fragmenting the DNS • Is appears more likely that applications who want to tailor their DNS use to adopt a more private profile will hive off to use DNS over HTTPS to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP-provided recursive DNS resolver • That way the application ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves • The prospect of application-specific naming services is a very real prospect in this scenario Those parts of the Internet space with sufficient motivation and resources will simply stop waiting for everyone else to move. They will just do what they feel they need to do! 55
  • 56. All the Money is in Content • And this means that applications are driving the Internet market these days • Applications are increasingly drawing in platform and infrastructure services directly into the application • QUIC • DNS over HTTPS • That way they avoid paying the costs of upgrading legacy infrastructure and waiting for platform upgrades • And applications no longer have to sustain a single name space, or even sustain uniform protocol interoperability • Apart from UDP! • So they just won’t pay 56
  • 57. It’s life Jim, but not as we know it!* • The overall progression here is an evolution from network-centric services to platform-centric services to today’s world of application- centric services • It’s clear that the DNS is being swept up in this shift, and the DNS is changing in almost every respect • The future prospects of a single unified coherent name space as embodied in the DNS, as we currently know it, for the entire internet service domain are looking pretty poor right now! * With apologies to the Trekkies! 57
  • 58. Is the DNS “Open”? • Yes, today, its sort of open 58 Although the cracks are clearly evident with the use of various DNS customizations to tailor each DNS response to the querier, the interest in lifting the DNS into the application space as an application service and not a common infrastructure, the strong levels of centralisation and the destruction of open competition in this space, the continuing erosion of trust and the strong commercial impetus to use the DNS as a profiling tool in the surveillance economy.
  • 59. Will it continue to be “open”? • Probably not! 59 It’s just getting too hard to keep it together and keep it open and the market-based pressures continue to tear the DNS apart and haul it away from a unified open space into a set of close and opaque markets with a fragmented name space. And the common benefit of a single, cohesive open name space for the Internet looks like being a victim of the Tragedy of the Commons
  • 60. Picture Credit: Fred Davis, Flickr, Creative COMMONS: Attribution-NonCommercial-NoDerivs 2.0 Generic (CC BY-NC-ND 2.0) https://bit.ly/31qpYGA 60