SlideShare a Scribd company logo

DNS privacy

APNIC
APNIC

Presentation by Geoff Huston at APRICOT 2019 on Tuesday, 26 February 2019.

Internet
1 of 50
#apricot2019 2019 47 DNS Privacy Geoff Huston APNIC
#apricot2019 2019 47https://xkcd.com/1361/
#apricot2019 2019 47 Why? • Because everything you do on the net starts with a call to the DNS • If we could see your stream of queries in real time we could assemble a detailed profile of you and interests and activities • Do we have any evidence of DNS data mining? – Data miners don’t disclose their sources as a rule
#apricot2019 2019 47 Why? • Because everything you do on the net starts with a call to the DNS • If we could see your stream of queries in real time we could assemble a detailed profile of you and interests and activities • Do we have any evidence of DNS data mining? – Data miners don’t disclose their sources as a rule • How about something related: – Do we have any evidence of DNS stalking?
#apricot2019 2019 47 What if… • I gave you an absolutely unique name to resolve: – The name never existed before now – The name will never be used again – The name includes the time when the name was created • If I am the authoritative server for the name’s zone then I should see your efforts to resolve the name • Then I should never see the name as a resolution query ever again Unless you have attracted a digital stalker who performs re-queries of your DNS names!
#apricot2019 2019 47
#apricot2019 2019 47 DNS Re-query Rate • Over 30 days, some 5.3% of users had some kind of DNS stalker that is asking the same query more than 30 seconds after the initial query • Only some of these ‘ghost’ queries could be explained by incredibly slow DNS resolver systems Daily Counts Daily Ratios
#apricot2019 2019 47 DNS Stalking • There are two kinds of DNS stalkers – Rapid tracking stalkers that appear to track users in real time – Bulk replay stalkers that replay DNS queries at a very high rate in bursts
#apricot2019 2019 47 DNS Stalking DNS Stalking uses both really recent data and more than year-old data!
#apricot2019 2019 47 DNS Surveillance • The DNS appears to be used by many actors as a means of looking at what we do online and censoring what services we can access online
#apricot2019 2019 47 DNS Surveillance • The DNS appears to be used by many actors as a means of looking at what we do online and censoring what services we can access online • Can we stop DNS surveillance completely? – Probably not! • Can we make it harder to collect individual profiles of activity? – Well, yes – And that’s what I want to talk about today
#apricot2019 2019 47 The DNS Privacy Issue • Lots of actors get to see what I do in the DNS – My OS platform provider – My ISP’s recursive resolver – Their forwarding resolver, if they have one – Authoritative Name servers – Snoopers on the wire • Can we make it harder for these “others” to snoop on me?
#apricot2019 2019 47 How we might think the DNS works Client DNS Resolver DNS Server
#apricot2019 2019 47 What we suspect the DNS is like Client DNS Resolver DNS Server DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r
#apricot2019 2019 47 What we suspect the DNS is like Client DNS Resolver DNS Server DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r Corrupted host platforms Wireline and middleware Inspection and interception Resolvers that leak queries Servers that leak queries
#apricot2019 2019 47 Why pick on the DNS? • The DNS is very easy to tap – Its open and unencrypted • DNS traffic is easy to tamper with – Its payload is not secured and tampering cannot be detected – Its predictable and false answers can be readily inserted • The DNS is hard to trace – Noone knows exactly where their queries go – Noone can know precisely where their answers come from
#apricot2019 2019 47 Second-hand DNS queries are a business opportunity these days
#apricot2019 2019 47 How can we improve DNS Privacy? • Lets look at a few behaviours of the DNS and see what we are doing to try and improve its privacy properties
#apricot2019 2019 47 The DNS is overly chatty The DNS uses the full query name to discover the identity of the name servers for the query name Hi root server, I want to resolve www.example.com Not me – try asking the servers for .com
#apricot2019 2019 47 The DNS is overly chatty The DNS uses the full query name to discover the identity of the name servers for the query name Hi root server, I want to resolve www.example.com Not me – try asking the servers for .com Hi .com server, I want to resolve www.example.com Not me – try asking the servers for example.com
#apricot2019 2019 47 The DNS is overly chatty The DNS uses the full query name to discover the identity of the name servers for the query name Hi root server, I want to resolve www.example.com Not me – try asking the servers for .com Hi .com server, I want to resolve www.example.com Not me – try asking the servers for example.com Hi example.com server, I want to resolve www.example.com Sure – its 93.184.216.34
#apricot2019 2019 47 The DNS is overly chatty The DNS uses the full query name to discover the identity of the name servers for the query name Why are we telling root servers all our DNS secrets? In our example case, both a root server and a .com server now know that I am attempting to resolve the name www.example.com Maybe I don’t want them to know this!
#apricot2019 2019 47 The DNS is overly chatty Is there an alternative approach to name server discovery that strips the query name in iterative search for a zone’s servers? Yes – the extra information was inserted into the query to make the protocol simpler and slightly more efficient in some cases But we can alter query behaviour to only expose as much as is necessary to the folk who need to know in order to answer the query
#apricot2019 2019 47 QNAME Minimisation • A resolver technique intended to improve DNS privacy where a DNS resolver no longer sends the entire original query name to the upstream name server • Described in RFC 7816
#apricot2019 2019 47 Example of QNAME Minimisation Ask the authoritative server for a zone for the NS records of the next zone: Hi Root server, I want to know the nameservers for com Sure, here are the servers for .com Hi .com server, I want to know the nameservers for example.com Sure, here are the servers for example.com Hi example.com server, I want to resolve www.example.com Sure – its 93.184.216.34
#apricot2019 2019 47 Interception and Rewriting • The DNS is an easy target for the imposition of control over access – Try asking for www.thepiratebay.org in Australia – Try asking for www.facebook.com in China – Etc etc • These days interception systems typically offer an incorrect response • How can you tell is the answer that the DNS gives you is the genuine answer or not?
#apricot2019 2019 47 DNSSEC • DNSSEC is defined in RFCs 4033, 4034 & 4035 – Adds a number of new RRtypes that allow a digital signature to be attached to RRsets in a zone and to define how keys that are used to generate signatures are also stored in the zone • DNSSEC validation of the DNS response can tell you if the response is genuine or if it is out of date or has been altered • DNSSEC can’t tell you what the “good” answer is, just that the answer you got was not it! • DNSSEC will also tell if is an NXDOMAIN response is authentic
#apricot2019 2019 47 DNSSEC and Recursive Resolvers • A DNS response that has been modified will fail to validate. When: • a client asks a security-aware resolver to resolve a name, and • sets the EDNS(0) DNSSEC OK bit, and • the zone is DNSSEC-signed then the recursive resolver will only return a RRset for the query if it can validate the response using the attached digital signature It will set the AD bit in the resolver response to indicate validation success Otherwise it will return SERVFAIL • But SERVFAIL is not the same as “I smell tampering” • Its ”nope, I failed. Try another resolver”
#apricot2019 2019 47 DNSSEC and Recursive Resolvers • If you are going to use a DNSSEC-validating recursive resolver – Such as 1.1.1.1, 8.8.8.8, 9.9.9.9 or any other validating open resolver • Then make sure that all your resolvers perform DNSSEC validation if you don’t want to be mislead – Because SERVFAIL from a validating resolver means “try the next resolver in your resolver list”
#apricot2019 2019 47 DNSSEC in Korea
#apricot2019 2019 47 Negative Chattiness • Names that do not exist in the DNS are also passed to the authoritative servers in order to return the NXDOMAIN response • Sometimes the questions we ask are informative, whether or not the DNS gives an answer
#apricot2019 2019 47 Aggressive NSEC Caching • Described in RFC 8198 • When a zone is DNSSEC-signed an authoritative server will answer a query for a non-existent name with an authenticated denial of existence response (NSEC or NSEC3) • These records describe two adjacent labels in the zone that span the non-existent record • If recursive resolvers cache the NSEC span record then they can answer subsequent queries for any label within the span without passing the specific query onward for the cache lifetime of the NSEC record
#apricot2019 2019 47 Aggressive NSEC caching • It’s a tool for recursive resolvers • Stops queries for non-existent names always heading to the zone authoritative servers • Improves the efficiency of the resolver’s cache
#apricot2019 2019 47 Middleware and WireTapping • Protecting the content of DNS responses is part of what we need to make the DNS more robust • If we want to prevent DNS inspection we also should look at encrypting the transport used by DNS queries and responses • Today the standard tool is TLS, which uses dynamically generated session keys to encrypt all traffic between two parties • We could use TLS between the end client and the client’s recursive resolver – It’s more challenging to use encryption between recursive resolvers and authoritative servers
#apricot2019 2019 47 DNS over TLS • Similar to DNS over TCP: – Open a TLS session with a recursive resolver – Pass the DNS query using DNS wireline format – Wait for the response • Can use held DNS sessions to allow the TLS session to be used for multiple DNS queries • The queries and the responses are hidden from intermediaries • The client validates the recursive resolver’s identity
#apricot2019 2019 47 DNS over TLS • TLS is a TCP ‘overlay’ that adds server authentication and session encryption to TCP • TLS uses an initial handshake to allow a client to: – Validate the identity of the server – Negotiate a session key to be used in all subsequent packets in the TCP session • RFC 7858, RFC 8310 TLS 1.2 handshake
#apricot2019 2019 47 DNS over TLS and Android https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
#apricot2019 2019 47 DNS over TLS • Will generate a higher recursive resolver memory load as each client may have a held state with one or more recursive resolvers • The TCP session state is on port 853 – DNS over TLS can be readily blocked by middleware • The privacy is relative, as the recursive resolver still knows all your DNS queries • Supported by Bind (stunnel), Unbound, DNSDist
#apricot2019 2019 47 DNS over TLS • It seems odd to me that the IETF standardised DNS over TLS on TCP port 853 • If you want to hide then it makes far more sense to reuse port 443 • And if you really want to hide the DNS place both a web service and a DNS recursive resolver behind the same port 443 on the server
#apricot2019 2019 47 DNS over DTLS • DTLS is a UDP variant of TLS that is intended to work over UDP rather than TCP (RFC 8094) • However: – DTLS is intolerant of fragmentation – It appears to have similar overheads to TLS – I’m not sure if there are any implementations of DNS over DTLS
#apricot2019 2019 47 DNS over QUIC • QUIC is a transport protocol originally developed by Google and passed over to the IETF for standardised profile development • QUIC uses a thin UDP shim and an encrypted payload – The payload is divided into a TCP-like transport header and a payload • The essential difference between DOT and DOQ is the deliberate hiding of the transport protocol from network middleware with the use of QUIC • No known production implementations of DNS over QUIC exist, though IETF work continues draft-huitema-quic-dnsoquic-05 DNS TLS TCP IP DNS QUIC UDP IP DOT DOQ
#apricot2019 2019 47 DNS over HTTPS • DNS over HTTPS • Uses an HTTPS session with a resolver • Similar to DNS over TLS, but with HTTP object semantics • Uses TCP port 443, so can be masked within other HTTPS traffic • Can use DNS wireformat or JSON format DNS payload https://dns.google.com/query?name=www.potaroo.net
#apricot2019 2019 47 DNS over HTTPS within the Browser • Firefox’s “Trusted Recursive Resolver” • Avoids using the local DNS resolver library and local DNS infrastructure • Has the browser sending its DNS queries directly to a trusted resolver over HTTPS • Servers available from Cloudflare, Google, Cleanbrowsing https://blog.usejournal.com/getting-started-with-dns-over-https-on-firefox-e9b5fc865a43
#apricot2019 2019 47 Push DNS HTTP/2 allows for server push For example, the HTTP header: Link: </css/styles.css>; rel=preload What if… Link: </dns-query/dns=<query>; rel=preload
#apricot2019 2019 47 Push DNS • It can make web loads a whole lot faster – This can allow a web page to push a DNS result to the client without the client performing a query – There is no need for these DNS names to be separately defined by conventional DNS queries • But can you trust the answer? • Raises some disturbing possibilities for segmented namespaces
#apricot2019 2019 47 Push DNS • What if the only way to resolve a particular name was via pushed DNS over HTTPS ? • What if we push an entire dictionary of resolved names? • Pushed DNS over HTTPS would permit a server to associate an entire private namespace with a web resource that is loaded into the user’s browser context
#apricot2019 2019 47 DIY DNS • Run your own resolver – The issue here is limited opportunity for caching, which means that performance could be painful! • Run your own validating stub resolver – Getdns API interface – Stubby stub resolver – Still need to select a recursive resolver, and take advantage of caching, but allows the local resolver to perform its own DNSSEC validation
#apricot2019 2019 47 If you care about DNS privacy • You might want to think about how want to interact with the DNS • The careful choice of an open recursive resolver and an encrypted DNS session might go a long way along the path to DNS privacy • But a poor choice of recursive resolver will probably compromise your privacy more than just doing nothing!
#apricot2019 2019 47 My current DNS Config I use DNS over HTTPS – I have configured Cloudflare’s Cloudflared * to listen of localhost:53 – I have set up my local /etc/resolv.conf to contain 127.0.0.1 – All my DNS queries leave my laptop in an HTTPS port 443 stream towards 1.1.1.1 * https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/
#apricot2019 2019 47 Thanks!

Recommended

2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
DNS
DNSDNS
DNSTristan Schleining
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name CollisionICANN
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSECICANN
 
Domain name system presentation
Domain name system presentationDomain name system presentation
Domain name system presentationAnchit Dhingra
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 

Recommended

2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
DNS
DNSDNS
DNSTristan Schleining
 
ICANN 51: Name Collision
ICANN 51: Name CollisionICANN 51: Name Collision
ICANN 51: Name CollisionICANN
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSECICANN
 
Domain name system presentation
Domain name system presentationDomain name system presentation
Domain name system presentationAnchit Dhingra
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
DNS Openness
DNS OpennessDNS Openness
DNS OpennessAPNIC
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSAPNIC
 
Domain name system
Domain name systemDomain name system
Domain name systemmahakant sharma
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1DNS Entrepreneurship Center
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxUsmanAhmed269749
 
understanding-dns-essential
understanding-dns-essentialunderstanding-dns-essential
understanding-dns-essentialwael eshag eshag
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]APNIC
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Bangladesh Network Operators Group
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingAPNIC
 
DNS - Jaringan Komputer
DNS - Jaringan KomputerDNS - Jaringan Komputer
DNS - Jaringan KomputerImam Suharjo
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?Deploy360 Programme (Internet Society)
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNSThousandEyes
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy ArendsCommonwealth Telecommunications Organisation
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 

More Related Content

Similar to DNS privacy

NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
DNS Openness
DNS OpennessDNS Openness
DNS OpennessAPNIC
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSAPNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxUsmanAhmed269749
 
understanding-dns-essential
understanding-dns-essentialunderstanding-dns-essential
understanding-dns-essentialwael eshag eshag
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]APNIC
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingAPNIC
 
DNS - Jaringan Komputer
DNS - Jaringan KomputerDNS - Jaringan Komputer
DNS - Jaringan KomputerImam Suharjo
 

Similar to DNS privacy (20)

NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
 
Domain name system
Domain name systemDomain name system
Domain name system
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptx
 
understanding-dns-essential
understanding-dns-essentialunderstanding-dns-essential
understanding-dns-essential
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
HKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC cachingHKNOG 5.0 - NSEC caching
HKNOG 5.0 - NSEC caching
 
DNS - Jaringan Komputer
DNS - Jaringan KomputerDNS - Jaringan Komputer
DNS - Jaringan Komputer
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
 
Intro to DNS
Intro to DNSIntro to DNS
Intro to DNS
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 

More from APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 

More from APNIC (20)

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 

Recently uploaded

Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 

Recently uploaded (20)

Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 

DNS privacy

  • 1. #apricot2019 2019 47 DNS Privacy Geoff Huston APNIC
  • 3. #apricot2019 2019 47 Why? • Because everything you do on the net starts with a call to the DNS • If we could see your stream of queries in real time we could assemble a detailed profile of you and interests and activities • Do we have any evidence of DNS data mining? – Data miners don’t disclose their sources as a rule
  • 4. #apricot2019 2019 47 Why? • Because everything you do on the net starts with a call to the DNS • If we could see your stream of queries in real time we could assemble a detailed profile of you and interests and activities • Do we have any evidence of DNS data mining? – Data miners don’t disclose their sources as a rule • How about something related: – Do we have any evidence of DNS stalking?
  • 5. #apricot2019 2019 47 What if… • I gave you an absolutely unique name to resolve: – The name never existed before now – The name will never be used again – The name includes the time when the name was created • If I am the authoritative server for the name’s zone then I should see your efforts to resolve the name • Then I should never see the name as a resolution query ever again Unless you have attracted a digital stalker who performs re-queries of your DNS names!
  • 7. #apricot2019 2019 47 DNS Re-query Rate • Over 30 days, some 5.3% of users had some kind of DNS stalker that is asking the same query more than 30 seconds after the initial query • Only some of these ‘ghost’ queries could be explained by incredibly slow DNS resolver systems Daily Counts Daily Ratios
  • 8. #apricot2019 2019 47 DNS Stalking • There are two kinds of DNS stalkers – Rapid tracking stalkers that appear to track users in real time – Bulk replay stalkers that replay DNS queries at a very high rate in bursts
  • 9. #apricot2019 2019 47 DNS Stalking DNS Stalking uses both really recent data and more than year-old data!
  • 10. #apricot2019 2019 47 DNS Surveillance • The DNS appears to be used by many actors as a means of looking at what we do online and censoring what services we can access online
  • 11. #apricot2019 2019 47 DNS Surveillance • The DNS appears to be used by many actors as a means of looking at what we do online and censoring what services we can access online • Can we stop DNS surveillance completely? – Probably not! • Can we make it harder to collect individual profiles of activity? – Well, yes – And that’s what I want to talk about today
  • 12. #apricot2019 2019 47 The DNS Privacy Issue • Lots of actors get to see what I do in the DNS – My OS platform provider – My ISP’s recursive resolver – Their forwarding resolver, if they have one – Authoritative Name servers – Snoopers on the wire • Can we make it harder for these “others” to snoop on me?
  • 13. #apricot2019 2019 47 How we might think the DNS works Client DNS Resolver DNS Server
  • 14. #apricot2019 2019 47 What we suspect the DNS is like Client DNS Resolver DNS Server DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r
  • 15. #apricot2019 2019 47 What we suspect the DNS is like Client DNS Resolver DNS Server DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r DNS Resolve r Corrupted host platforms Wireline and middleware Inspection and interception Resolvers that leak queries Servers that leak queries
  • 16. #apricot2019 2019 47 Why pick on the DNS? • The DNS is very easy to tap – Its open and unencrypted • DNS traffic is easy to tamper with – Its payload is not secured and tampering cannot be detected – Its predictable and false answers can be readily inserted • The DNS is hard to trace – Noone knows exactly where their queries go – Noone can know precisely where their answers come from
  • 17. #apricot2019 2019 47 Second-hand DNS queries are a business opportunity these days
  • 18. #apricot2019 2019 47 How can we improve DNS Privacy? • Lets look at a few behaviours of the DNS and see what we are doing to try and improve its privacy properties
  • 19. #apricot2019 2019 47 The DNS is overly chatty The DNS uses the full query name to discover the identity of the name servers for the query name Hi root server, I want to resolve www.example.com Not me – try asking the servers for .com
  • 20. #apricot2019 2019 47 The DNS is overly chatty The DNS uses the full query name to discover the identity of the name servers for the query name Hi root server, I want to resolve www.example.com Not me – try asking the servers for .com Hi .com server, I want to resolve www.example.com Not me – try asking the servers for example.com
  • 21. #apricot2019 2019 47 The DNS is overly chatty The DNS uses the full query name to discover the identity of the name servers for the query name Hi root server, I want to resolve www.example.com Not me – try asking the servers for .com Hi .com server, I want to resolve www.example.com Not me – try asking the servers for example.com Hi example.com server, I want to resolve www.example.com Sure – its 93.184.216.34
  • 22. #apricot2019 2019 47 The DNS is overly chatty The DNS uses the full query name to discover the identity of the name servers for the query name Why are we telling root servers all our DNS secrets? In our example case, both a root server and a .com server now know that I am attempting to resolve the name www.example.com Maybe I don’t want them to know this!
  • 23. #apricot2019 2019 47 The DNS is overly chatty Is there an alternative approach to name server discovery that strips the query name in iterative search for a zone’s servers? Yes – the extra information was inserted into the query to make the protocol simpler and slightly more efficient in some cases But we can alter query behaviour to only expose as much as is necessary to the folk who need to know in order to answer the query
  • 24. #apricot2019 2019 47 QNAME Minimisation • A resolver technique intended to improve DNS privacy where a DNS resolver no longer sends the entire original query name to the upstream name server • Described in RFC 7816
  • 25. #apricot2019 2019 47 Example of QNAME Minimisation Ask the authoritative server for a zone for the NS records of the next zone: Hi Root server, I want to know the nameservers for com Sure, here are the servers for .com Hi .com server, I want to know the nameservers for example.com Sure, here are the servers for example.com Hi example.com server, I want to resolve www.example.com Sure – its 93.184.216.34
  • 26. #apricot2019 2019 47 Interception and Rewriting • The DNS is an easy target for the imposition of control over access – Try asking for www.thepiratebay.org in Australia – Try asking for www.facebook.com in China – Etc etc • These days interception systems typically offer an incorrect response • How can you tell is the answer that the DNS gives you is the genuine answer or not?
  • 27. #apricot2019 2019 47 DNSSEC • DNSSEC is defined in RFCs 4033, 4034 & 4035 – Adds a number of new RRtypes that allow a digital signature to be attached to RRsets in a zone and to define how keys that are used to generate signatures are also stored in the zone • DNSSEC validation of the DNS response can tell you if the response is genuine or if it is out of date or has been altered • DNSSEC can’t tell you what the “good” answer is, just that the answer you got was not it! • DNSSEC will also tell if is an NXDOMAIN response is authentic
  • 28. #apricot2019 2019 47 DNSSEC and Recursive Resolvers • A DNS response that has been modified will fail to validate. When: • a client asks a security-aware resolver to resolve a name, and • sets the EDNS(0) DNSSEC OK bit, and • the zone is DNSSEC-signed then the recursive resolver will only return a RRset for the query if it can validate the response using the attached digital signature It will set the AD bit in the resolver response to indicate validation success Otherwise it will return SERVFAIL • But SERVFAIL is not the same as “I smell tampering” • Its ”nope, I failed. Try another resolver”
  • 29. #apricot2019 2019 47 DNSSEC and Recursive Resolvers • If you are going to use a DNSSEC-validating recursive resolver – Such as 1.1.1.1, 8.8.8.8, 9.9.9.9 or any other validating open resolver • Then make sure that all your resolvers perform DNSSEC validation if you don’t want to be mislead – Because SERVFAIL from a validating resolver means “try the next resolver in your resolver list”
  • 31. #apricot2019 2019 47 Negative Chattiness • Names that do not exist in the DNS are also passed to the authoritative servers in order to return the NXDOMAIN response • Sometimes the questions we ask are informative, whether or not the DNS gives an answer
  • 32. #apricot2019 2019 47 Aggressive NSEC Caching • Described in RFC 8198 • When a zone is DNSSEC-signed an authoritative server will answer a query for a non-existent name with an authenticated denial of existence response (NSEC or NSEC3) • These records describe two adjacent labels in the zone that span the non-existent record • If recursive resolvers cache the NSEC span record then they can answer subsequent queries for any label within the span without passing the specific query onward for the cache lifetime of the NSEC record
  • 33. #apricot2019 2019 47 Aggressive NSEC caching • It’s a tool for recursive resolvers • Stops queries for non-existent names always heading to the zone authoritative servers • Improves the efficiency of the resolver’s cache
  • 34. #apricot2019 2019 47 Middleware and WireTapping • Protecting the content of DNS responses is part of what we need to make the DNS more robust • If we want to prevent DNS inspection we also should look at encrypting the transport used by DNS queries and responses • Today the standard tool is TLS, which uses dynamically generated session keys to encrypt all traffic between two parties • We could use TLS between the end client and the client’s recursive resolver – It’s more challenging to use encryption between recursive resolvers and authoritative servers
  • 35. #apricot2019 2019 47 DNS over TLS • Similar to DNS over TCP: – Open a TLS session with a recursive resolver – Pass the DNS query using DNS wireline format – Wait for the response • Can use held DNS sessions to allow the TLS session to be used for multiple DNS queries • The queries and the responses are hidden from intermediaries • The client validates the recursive resolver’s identity
  • 36. #apricot2019 2019 47 DNS over TLS • TLS is a TCP ‘overlay’ that adds server authentication and session encryption to TCP • TLS uses an initial handshake to allow a client to: – Validate the identity of the server – Negotiate a session key to be used in all subsequent packets in the TCP session • RFC 7858, RFC 8310 TLS 1.2 handshake
  • 37. #apricot2019 2019 47 DNS over TLS and Android https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
  • 38. #apricot2019 2019 47 DNS over TLS • Will generate a higher recursive resolver memory load as each client may have a held state with one or more recursive resolvers • The TCP session state is on port 853 – DNS over TLS can be readily blocked by middleware • The privacy is relative, as the recursive resolver still knows all your DNS queries • Supported by Bind (stunnel), Unbound, DNSDist
  • 39. #apricot2019 2019 47 DNS over TLS • It seems odd to me that the IETF standardised DNS over TLS on TCP port 853 • If you want to hide then it makes far more sense to reuse port 443 • And if you really want to hide the DNS place both a web service and a DNS recursive resolver behind the same port 443 on the server
  • 40. #apricot2019 2019 47 DNS over DTLS • DTLS is a UDP variant of TLS that is intended to work over UDP rather than TCP (RFC 8094) • However: – DTLS is intolerant of fragmentation – It appears to have similar overheads to TLS – I’m not sure if there are any implementations of DNS over DTLS
  • 41. #apricot2019 2019 47 DNS over QUIC • QUIC is a transport protocol originally developed by Google and passed over to the IETF for standardised profile development • QUIC uses a thin UDP shim and an encrypted payload – The payload is divided into a TCP-like transport header and a payload • The essential difference between DOT and DOQ is the deliberate hiding of the transport protocol from network middleware with the use of QUIC • No known production implementations of DNS over QUIC exist, though IETF work continues draft-huitema-quic-dnsoquic-05 DNS TLS TCP IP DNS QUIC UDP IP DOT DOQ
  • 42. #apricot2019 2019 47 DNS over HTTPS • DNS over HTTPS • Uses an HTTPS session with a resolver • Similar to DNS over TLS, but with HTTP object semantics • Uses TCP port 443, so can be masked within other HTTPS traffic • Can use DNS wireformat or JSON format DNS payload https://dns.google.com/query?name=www.potaroo.net
  • 43. #apricot2019 2019 47 DNS over HTTPS within the Browser • Firefox’s “Trusted Recursive Resolver” • Avoids using the local DNS resolver library and local DNS infrastructure • Has the browser sending its DNS queries directly to a trusted resolver over HTTPS • Servers available from Cloudflare, Google, Cleanbrowsing https://blog.usejournal.com/getting-started-with-dns-over-https-on-firefox-e9b5fc865a43
  • 44. #apricot2019 2019 47 Push DNS HTTP/2 allows for server push For example, the HTTP header: Link: </css/styles.css>; rel=preload What if… Link: </dns-query/dns=<query>; rel=preload
  • 45. #apricot2019 2019 47 Push DNS • It can make web loads a whole lot faster – This can allow a web page to push a DNS result to the client without the client performing a query – There is no need for these DNS names to be separately defined by conventional DNS queries • But can you trust the answer? • Raises some disturbing possibilities for segmented namespaces
  • 46. #apricot2019 2019 47 Push DNS • What if the only way to resolve a particular name was via pushed DNS over HTTPS ? • What if we push an entire dictionary of resolved names? • Pushed DNS over HTTPS would permit a server to associate an entire private namespace with a web resource that is loaded into the user’s browser context
  • 47. #apricot2019 2019 47 DIY DNS • Run your own resolver – The issue here is limited opportunity for caching, which means that performance could be painful! • Run your own validating stub resolver – Getdns API interface – Stubby stub resolver – Still need to select a recursive resolver, and take advantage of caching, but allows the local resolver to perform its own DNSSEC validation
  • 48. #apricot2019 2019 47 If you care about DNS privacy • You might want to think about how want to interact with the DNS • The careful choice of an open recursive resolver and an encrypted DNS session might go a long way along the path to DNS privacy • But a poor choice of recursive resolver will probably compromise your privacy more than just doing nothing!
  • 49. #apricot2019 2019 47 My current DNS Config I use DNS over HTTPS – I have configured Cloudflare’s Cloudflared * to listen of localhost:53 – I have set up my local /etc/resolv.conf to contain 127.0.0.1 – All my DNS queries leave my laptop in an HTTPS port 443 stream towards 1.1.1.1 * https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/