SlideShare une entreprise Scribd logo

Presentation on 'The Path to Resolverless DNS' by Geoff Huston

APNIC
APNIC

Presentation on 'The Path to Resolverless DNS' by Geoff Huston for OARC 39 and 47th CENTR technical workshop, held in Belgrade on 22 and 23 October 2022

Internet
1  sur  30
Télécharger pour lire hors ligne
The Path to Resolverless DNS Geoff Huston AM Chief Scientist, APNIC
DNS System Architecture Authoritative Servers Recursive Resolver Stub Resolver Cache Application
DNS System Architecture Authoritative Servers Recursive Resolver Stub Resolver Cache Application ISP Client Internet
Issues • Speed – the DNS can be exceptionally slow, and the interaction with resolver caches makes resolution unpredictable • Filtering – the DNS is a convenient control point for content management • MetaData collection – the DNS is a real time window on user behaviour • This can be performed at the recursive resolver, or by a third party on the path between the stub resolver and the recursive resolver • Search – NXDOMAIN rewriting into active search
Background • Browser vendors were simplifying the UI and combined the navigation and search input boxes to a single input pane • This resulted in a significant level of cross leakage between DNS and Search • Some DNS resolver operators saw an opportunity to gather revenue by re- directing NXDOMAIN to search • Google responded quickly with a large scale open DNS service that provided absolute integrity of responses, and supported DNSSEC validation to back this up • Google’s DNS service rapidly gathered momentum, particularly in the enterprise sector
DNS System Architecture Authoritative Servers Open Recursive Resolver Stub Resolver Cache Application ISP Client Internet Internet !!
Use of Resolvers in the Internet 66% of users direct their DNS queries to the ISP-operated recursive resolvers 17% of users direct their DNS queries to in-country DNS resolvers 17% of users direct their DNS queries to Google’s DNS service https://stats.labs.apnic.net/rvrs
But… • DNS queries use unencrypted UDP by default • Which itself is a huge DOS issue • Combining this with a transit across the public Internet between the stub and open recursive resolver exposes further issues: • The potential for third party monitoring, interception and substitution • Loss of locational accuracy if the DNS is used to perform content steering for CDNs
DNS Privacy The response to the issues of DNS over UDP has been the development of DNS stub-to-recursive connections over encrypted transport sessions • DNS over TLS (DoT) uses DNS over TCP over a persistent TLS session • DNS over QUIC (DoQ) uses DNS over an encrypted QUIC transport session over UDP • DNS over HTTPS (DoH) uses DNS over HTTP/3 (over QUIC) where supported, and DNS over HTTP/2 (over TLS) otherwise
DoT/DoQ/DoH properties • The stub resolver can authenticate the recursive resolver server identity • Which mitigates various forms of session interception • Session encryption • Which mitigates various forms of payload tampering • No Head of Line Blocking (in DNS over HTTPS/3, and DoQ) • No UDP fragmentation and TCP failover issues • Long-held stub/recursive sessions and TCPFO can amortise the encryption and session overheads over many queries • Which means it’s not much different to UDP in terms of per query overheads
DOH/DOT Use Query Data from Cloudflare’s 1.1.1.1 open resolver 75% of queries use UDP 19% of queries use DOH 5% of queries use DOT
Why DoH in particular? • DoH is simply DNS queries and responses packaged with an HTTP header, so why bother? Why not just use DoT or DoQ? One view: Paul Vixie, DNS Wars: Episode IV, NANOG 85, 2019
Why DoH? • Maybe its more than a political project: • Because DoH sits alongside all other HTTPS traffic on TCP port 443 (HTTP/2) and UDP port 443 (HTTP/3) and is harder for network level isolation of DNS traffic • Because generic HTTP caching controls can be used to enable or disable the use of HTTP caching • Because HTTP/2 and HTTP/3 includes support for reordering, parallelism, priority and header compression • Because applications need not use the local stub DNS resolver and can direct DoH queries to a recursive resolver of its own choice • Because HTTP/2 and HTTP/3 includes “Server Push”
“Server Push”? • RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2) 8.2. Server Push HTTP/2 allows a server to pre-emptively send (or "push") responses (along with corresponding "promised" requests) to a client in association with a previous client-initiated request. This can be useful when the server knows the client will need to have those responses available in order to fully process the response to the original request.
But in DoH this means… 8.2. Server Push HTTP/2 allows a server to pre-emptively send (or "push") responses (along with corresponding "promised" requests) to a client in association with a previous client-initiated request. This can be useful when the server knows the client will need to have those responses available in order to fully process the response to the original request. DNS DNS DNS
What about HTTP/3? • Yes – draft-ietf-quic-http 4.4. Server Push Server push is an interaction mode that permits a server to push a request-response exchange to a client in anticipation of the client making the indicated request. This trades off network usage against a potential latency gain. HTTP/3 server push is similar to what is described in Section 8.2 of [HTTP2], but uses different mechanisms. Each server push is assigned a unique Push ID by the server. The Push ID is used to refer to the push in various contexts throughout the lifetime of the HTTP/3 connection.
Which means… • When a server sends a response to an HTTP request it can also push unrequested DNS responses • This allows the user application to use these DNS resolution outcomes immediately and bypass DNS resolution delays • It’s faster • The user is not making these resolution queries, and is not generating meta data within the DNS • It has privacy benefits
For Example: Potential Server Push DNS objects
But … • How do you know that the server is pushing the “truth” when it provides these DNS answers? • The secure transport means that tampering is challenging, but the user should still validate these responses (assuming that they are DNSSEC- signed in the DNS) • Which would mean that the user still has to chase down the DNSSEC validation chain, and most of the the original speedup advantages are lost • Or maybe not… • The server could also push the collection of DNSSEC validation responses to the client • The server could also repackage these responses into a RFC 7901 EDNS0 Chain Response, attached to the original response
DNSSEC-Validated DNS data • DNSSEC validation provides the user with assurance that the data is: • Authentic • Current • Complete (for each RRType) • If that’s the case then why does it matter how the stub learned the data? • It could be a DNS query / response transaction • It could be via a server push over DoH • DNSSEC validation is providing the assurance that the data is usable
What if the pushed DNS response is unsigned? • Er, um, er… • It’s probably best to discard it! • You have no idea how the server obtained the DNS data in the first place • You don’t know how current the data is • You really don’t know if the server is trying to deceive you • And you have no idea who you are implicitly trusting if you use the data
What can we say about Resolverless DNS? • It gives HTTP-based applications and services far more control over the quality of the user experience • It allows the server to pre-provision the client with DNS data that is likely to be useful in the context of the application • It allows the client side application to perform rapid DNSSEC validation without relying on stub resolver capabilities and settings • It can replace UDP-based timers, query retries, fragmentation and TCP switching with server-to-client provision • It operates over a secured connection with an authenticated server • It does not leak metadata through DNS query streams • As long as the DNS data is DNSSEC-signed
What about unsigned DNS data? • Forget it! • Resolverless DNS responses of unsigned DNS data just opens up more potential vulnerabilities with little in the way of reasonable mitigation
Where is this leading? The changing economics of the Internet • The shift to advertiser-funded content and service has sucked the revenue base from access and common infrastructure • Internet infrastructure is a commodity-based activity which resists innovation • The incentives to innovate lie in the application and service layers • Infrastructure is under continued pressure to achieve further efficiencies and there is a consequent pressure to scale up and centralise The DNS is caught up in this, and innovation in the DNS is extremely challenging to get adoption these days Does Resolverless DNS have a chance?
Is there a role for Resolverless DNS? Perhaps… • But I would suggest it necessarily assumes DNSSEC • Which, at present, is a tough assumption • Because few zones are signed • Because DNSSEC signatures tend to create larger responses, which is a problem in UDP DNS • Because advanced zone signing a zone is infeasible for very large zones • And signing on the fly can be fragile • In summary, few zones are DNSSEC are signed is because its unreliable and expensive and the benefits do not seem to offset against the additional risks • And few resolvers validate • Because it takes time • And stresses out UDP DNS
What about RFC 7901? • What is a pushed DNS response was framed as if the client had set the EDNS0 CHAIN option with the root zone as the closest trust point? • That way the client is provided with the DNS response and the chain of signatures that permit the client to perform local validation of the response in a single pushed DNS object • And if the zone is unsigned - then no DNS response is pushed
Why is this interesting? • The DNS is: • A massive time penalty • A significant privacy leak • A consistent source of failure • Resolverless DNS won’t fix all the DNS all at once • But it can hand a significant amount of control over application and service quality back to these HTTPS-based applications and services • And it’s a whole lot faster! • And is hides the client from the DNS resolution infrastructure • And for those reasons it’s a very interesting step in the possible evolution of the DNS
Why is this interesting? We have spent a huge amount of effort over the last decade trying to make the Internet faster: • We’ve been deploying CDNs to replicate content and services and bring them closer to users • We’ve been deploying non-blocking transport protocols (such as QUIC) to exploit parallelism • We’ve been tuning TCP and network behaviour to create more efficient and faster network transactions • We’ve been packing more information in the DNS to make service startup faster (SVC and HTTPS records) And much of this innovation is happening at the application levels of the protocol stack where there is ample money and an impatient agenda, avoiding incurring any further dependencies on the lower layers of common infrastructure where there is neither money nor impatience!
DIscuss!

Recommandé

RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOHAPNIC
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxUsmanAhmed269749
 
DNS
DNSDNS
DNSHogrGoran
 

Recommandé

RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOHAPNIC
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxUsmanAhmed269749
 
DNS
DNSDNS
DNSHogrGoran
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy ArendsCommonwealth Telecommunications Organisation
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS SecurityNihal Pasham, CISSP
 
Domain name system
Domain name systemDomain name system
Domain name systemmahakant sharma
 
Network latency - measurement and improvement
Network latency - measurement and improvementNetwork latency - measurement and improvement
Network latency - measurement and improvementMatt Willsher
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]APNIC
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
DNS Openness
DNS OpennessDNS Openness
DNS OpennessAPNIC
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Netgate
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1DNS Entrepreneurship Center
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosDaniel Toomey
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosDaniel Toomey
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 

Contenu connexe

Similaire à Presentation on 'The Path to Resolverless DNS' by Geoff Huston

Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Network latency - measurement and improvement
Network latency - measurement and improvementNetwork latency - measurement and improvement
Network latency - measurement and improvementMatt Willsher
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]APNIC
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
DNS Openness
DNS OpennessDNS Openness
DNS OpennessAPNIC
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Netgate
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosDaniel Toomey
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosDaniel Toomey
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksMiroslav Stampar
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 

Similaire à Presentation on 'The Path to Resolverless DNS' by Geoff Huston (20)

Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
Domain name system
Domain name systemDomain name system
Domain name system
 
Network latency - measurement and improvement
Network latency - measurement and improvementNetwork latency - measurement and improvement
Network latency - measurement and improvement
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 

Plus de APNIC

APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 

Plus de APNIC (20)

APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 

Dernier

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...kumargunjan9515
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024SOFTTECHHUB
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...Sareena Khatun
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxi191686
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
PIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxPIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxjeykeydeveloper
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理F
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书F
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理F
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 

Dernier (20)

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
💚 Call Girls Bahraich 9332606886 High Profile Call Girls You Can Get The S...
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
PIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxPIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsx
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 

Presentation on 'The Path to Resolverless DNS' by Geoff Huston

  • 1. The Path to Resolverless DNS Geoff Huston AM Chief Scientist, APNIC
  • 2. DNS System Architecture Authoritative Servers Recursive Resolver Stub Resolver Cache Application
  • 3. DNS System Architecture Authoritative Servers Recursive Resolver Stub Resolver Cache Application ISP Client Internet
  • 4. Issues • Speed – the DNS can be exceptionally slow, and the interaction with resolver caches makes resolution unpredictable • Filtering – the DNS is a convenient control point for content management • MetaData collection – the DNS is a real time window on user behaviour • This can be performed at the recursive resolver, or by a third party on the path between the stub resolver and the recursive resolver • Search – NXDOMAIN rewriting into active search
  • 5.
  • 6. Background • Browser vendors were simplifying the UI and combined the navigation and search input boxes to a single input pane • This resulted in a significant level of cross leakage between DNS and Search • Some DNS resolver operators saw an opportunity to gather revenue by re- directing NXDOMAIN to search • Google responded quickly with a large scale open DNS service that provided absolute integrity of responses, and supported DNSSEC validation to back this up • Google’s DNS service rapidly gathered momentum, particularly in the enterprise sector
  • 7. DNS System Architecture Authoritative Servers Open Recursive Resolver Stub Resolver Cache Application ISP Client Internet Internet !!
  • 8. Use of Resolvers in the Internet 66% of users direct their DNS queries to the ISP-operated recursive resolvers 17% of users direct their DNS queries to in-country DNS resolvers 17% of users direct their DNS queries to Google’s DNS service https://stats.labs.apnic.net/rvrs
  • 9. But… • DNS queries use unencrypted UDP by default • Which itself is a huge DOS issue • Combining this with a transit across the public Internet between the stub and open recursive resolver exposes further issues: • The potential for third party monitoring, interception and substitution • Loss of locational accuracy if the DNS is used to perform content steering for CDNs
  • 10. DNS Privacy The response to the issues of DNS over UDP has been the development of DNS stub-to-recursive connections over encrypted transport sessions • DNS over TLS (DoT) uses DNS over TCP over a persistent TLS session • DNS over QUIC (DoQ) uses DNS over an encrypted QUIC transport session over UDP • DNS over HTTPS (DoH) uses DNS over HTTP/3 (over QUIC) where supported, and DNS over HTTP/2 (over TLS) otherwise
  • 11. DoT/DoQ/DoH properties • The stub resolver can authenticate the recursive resolver server identity • Which mitigates various forms of session interception • Session encryption • Which mitigates various forms of payload tampering • No Head of Line Blocking (in DNS over HTTPS/3, and DoQ) • No UDP fragmentation and TCP failover issues • Long-held stub/recursive sessions and TCPFO can amortise the encryption and session overheads over many queries • Which means it’s not much different to UDP in terms of per query overheads
  • 12. DOH/DOT Use Query Data from Cloudflare’s 1.1.1.1 open resolver 75% of queries use UDP 19% of queries use DOH 5% of queries use DOT
  • 13. Why DoH in particular? • DoH is simply DNS queries and responses packaged with an HTTP header, so why bother? Why not just use DoT or DoQ? One view: Paul Vixie, DNS Wars: Episode IV, NANOG 85, 2019
  • 14. Why DoH? • Maybe its more than a political project: • Because DoH sits alongside all other HTTPS traffic on TCP port 443 (HTTP/2) and UDP port 443 (HTTP/3) and is harder for network level isolation of DNS traffic • Because generic HTTP caching controls can be used to enable or disable the use of HTTP caching • Because HTTP/2 and HTTP/3 includes support for reordering, parallelism, priority and header compression • Because applications need not use the local stub DNS resolver and can direct DoH queries to a recursive resolver of its own choice • Because HTTP/2 and HTTP/3 includes “Server Push”
  • 15. “Server Push”? • RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2) 8.2. Server Push HTTP/2 allows a server to pre-emptively send (or "push") responses (along with corresponding "promised" requests) to a client in association with a previous client-initiated request. This can be useful when the server knows the client will need to have those responses available in order to fully process the response to the original request.
  • 16. But in DoH this means… 8.2. Server Push HTTP/2 allows a server to pre-emptively send (or "push") responses (along with corresponding "promised" requests) to a client in association with a previous client-initiated request. This can be useful when the server knows the client will need to have those responses available in order to fully process the response to the original request. DNS DNS DNS
  • 17. What about HTTP/3? • Yes – draft-ietf-quic-http 4.4. Server Push Server push is an interaction mode that permits a server to push a request-response exchange to a client in anticipation of the client making the indicated request. This trades off network usage against a potential latency gain. HTTP/3 server push is similar to what is described in Section 8.2 of [HTTP2], but uses different mechanisms. Each server push is assigned a unique Push ID by the server. The Push ID is used to refer to the push in various contexts throughout the lifetime of the HTTP/3 connection.
  • 18. Which means… • When a server sends a response to an HTTP request it can also push unrequested DNS responses • This allows the user application to use these DNS resolution outcomes immediately and bypass DNS resolution delays • It’s faster • The user is not making these resolution queries, and is not generating meta data within the DNS • It has privacy benefits
  • 19. For Example: Potential Server Push DNS objects
  • 20. But … • How do you know that the server is pushing the “truth” when it provides these DNS answers? • The secure transport means that tampering is challenging, but the user should still validate these responses (assuming that they are DNSSEC- signed in the DNS) • Which would mean that the user still has to chase down the DNSSEC validation chain, and most of the the original speedup advantages are lost • Or maybe not… • The server could also push the collection of DNSSEC validation responses to the client • The server could also repackage these responses into a RFC 7901 EDNS0 Chain Response, attached to the original response
  • 21. DNSSEC-Validated DNS data • DNSSEC validation provides the user with assurance that the data is: • Authentic • Current • Complete (for each RRType) • If that’s the case then why does it matter how the stub learned the data? • It could be a DNS query / response transaction • It could be via a server push over DoH • DNSSEC validation is providing the assurance that the data is usable
  • 22. What if the pushed DNS response is unsigned? • Er, um, er… • It’s probably best to discard it! • You have no idea how the server obtained the DNS data in the first place • You don’t know how current the data is • You really don’t know if the server is trying to deceive you • And you have no idea who you are implicitly trusting if you use the data
  • 23. What can we say about Resolverless DNS? • It gives HTTP-based applications and services far more control over the quality of the user experience • It allows the server to pre-provision the client with DNS data that is likely to be useful in the context of the application • It allows the client side application to perform rapid DNSSEC validation without relying on stub resolver capabilities and settings • It can replace UDP-based timers, query retries, fragmentation and TCP switching with server-to-client provision • It operates over a secured connection with an authenticated server • It does not leak metadata through DNS query streams • As long as the DNS data is DNSSEC-signed
  • 24. What about unsigned DNS data? • Forget it! • Resolverless DNS responses of unsigned DNS data just opens up more potential vulnerabilities with little in the way of reasonable mitigation
  • 25. Where is this leading? The changing economics of the Internet • The shift to advertiser-funded content and service has sucked the revenue base from access and common infrastructure • Internet infrastructure is a commodity-based activity which resists innovation • The incentives to innovate lie in the application and service layers • Infrastructure is under continued pressure to achieve further efficiencies and there is a consequent pressure to scale up and centralise The DNS is caught up in this, and innovation in the DNS is extremely challenging to get adoption these days Does Resolverless DNS have a chance?
  • 26. Is there a role for Resolverless DNS? Perhaps… • But I would suggest it necessarily assumes DNSSEC • Which, at present, is a tough assumption • Because few zones are signed • Because DNSSEC signatures tend to create larger responses, which is a problem in UDP DNS • Because advanced zone signing a zone is infeasible for very large zones • And signing on the fly can be fragile • In summary, few zones are DNSSEC are signed is because its unreliable and expensive and the benefits do not seem to offset against the additional risks • And few resolvers validate • Because it takes time • And stresses out UDP DNS
  • 27. What about RFC 7901? • What is a pushed DNS response was framed as if the client had set the EDNS0 CHAIN option with the root zone as the closest trust point? • That way the client is provided with the DNS response and the chain of signatures that permit the client to perform local validation of the response in a single pushed DNS object • And if the zone is unsigned - then no DNS response is pushed
  • 28. Why is this interesting? • The DNS is: • A massive time penalty • A significant privacy leak • A consistent source of failure • Resolverless DNS won’t fix all the DNS all at once • But it can hand a significant amount of control over application and service quality back to these HTTPS-based applications and services • And it’s a whole lot faster! • And is hides the client from the DNS resolution infrastructure • And for those reasons it’s a very interesting step in the possible evolution of the DNS
  • 29. Why is this interesting? We have spent a huge amount of effort over the last decade trying to make the Internet faster: • We’ve been deploying CDNs to replicate content and services and bring them closer to users • We’ve been deploying non-blocking transport protocols (such as QUIC) to exploit parallelism • We’ve been tuning TCP and network behaviour to create more efficient and faster network transactions • We’ve been packing more information in the DNS to make service startup faster (SVC and HTTPS records) And much of this innovation is happening at the application levels of the protocol stack where there is ample money and an impatient agenda, avoiding incurring any further dependencies on the lower layers of common infrastructure where there is neither money nor impatience!