SlideShare a Scribd company logo

Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches

APNIC
APNIC

APNIC Senior R&D Scientist George Michaelson and Yoshinobu Matzusaki present on the operational trends accompanying worldwide deployment of public DNS service 1.1.1.1 at Internet Week 2018 in Tokyo, Japan from 27 to 30 November 2018.

Internet
1 of 55
Download to read offline
1.1.1.0/24 A report from the (anycast) trenches ggm@apnic.net With thanks to {martin,olafur}@cloudflare.com
Overview • Background “we knew this was coming” • Final /8 process • Tainted blocks testing: AARNet and Google • Failed APNIC policy attempt: reserved to labs • The cloudflare proposal • How is it going (cloudflare material) • Where to from here?
We were going to run out in 2006 We definitely changed pace People got a bit keen PANIC ? The dregs …. Address policy Probably bought 10 years. We didn’t succeed In using the 10 years To deploy IPv6. Address policy in five lines (and one curve)
We knew this was coming.. • BGP the movie • Rundown prediction models from APNIC & others • 2008-2010 emerging final /8 policy proposals in all RIR. • Forseeable sometime between 2010 and 2012, we’d need to plan for end of supply in IPv4 from IANA • “Awkward” /8 assignments: Leo Vegoda (IANA) September 2007 • Mentions 1.0.0.0/8 5.0.0.0/8 and 42.0.0.0/8 (APNIC got 1 and 42. Ripe got 5) • https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table- contents-37/103-awkward.html • https://www.icann.org/news/blog/selecting-which-8-to-allocate-to-an-rir • Avoid pain for AfriNIC and LacNIC: give them preferential access to untainted blocks • Random assignment of tainted blocks to APNIC, ARIN & RIPE NCC (otherwise in line with address policy, rundown planning)
Lets talk about 1.0.0.0/8 specifically • 1.0.0.0/8 (1/8) reserved by IANA, since 1981. • used unofficially as example addresses, default configuration parameters or pseudo-private address space. • 1.1.1.0/24 is used by Intel bladecenters internally for communication with its blades. • Used by MacDonalds for free WiFi, Swisshotels and others, in documentation for configuration examples of products • And see later for what CloudFlare have uncovered for continuing uses • Status changed in IANA from ”reserved” to “unallocated” in 2008 • Predictions about runout were within foreseeable timeframe
1.0.0.0/8 Assigned to APNIC January 2010 • Tested by APNIC across 2010 with a range of partners • RIPE NCC announcing more specifics • see 50 mbit/second, floods IX links • https://labs.ripe.net/Members/franz/content-pollution-18 • MERIT peak burst 860 Mbps • Audio data, traffic levels unlike other tested netblocks in the ‘awkward’ set • https://www.merit.edu/wp-content/uploads/2018/01/1.0.0.08.pdf • Google/YouTube • traffic levels of around 150 Mbps mainly comprising UDP (cannot easily be constrained) 80Mbps in 1.1.0.0/16 • Peaks over 800Mbps • AARNet • Five sub-ranges identified for hold-back: • 1.0.0.0/24 10+ Mbps • 1.1.1.0/24 80+ Mbps • 1.2.3.0/24 10+ Mbps • 1.4.0.0/24 10+ Mbps • 1.10.10.0/24 3+ Mbps • http://www.potaroo.net/studies/1slash8/1slash8.pdf
Final /8 policy implications • IANA exhausted its IPv4 free pool (3 February 2011) • From apnic’s web pages: • https://www.apnic.net/community/ipv4-exhaustion/graphical-information/ On 15 April 2011, the APNIC pool reached the last /8 of available IPv4 addresses, triggering the Final /8 policy. : : Quarantined blocks will be released to the Available pool when their routability and usability problems are minimized. • Pre-exhaustion testing implemented by labs, 2009-2011 • Tainted ranges identified and held back • Too much traffic inbound, to make acceptable for routine distribution
What to do with 1.1.1.0/24 and 1.0.0.0/24 • Many competing requests: CNNIC, Microsoft • Rejected at OPM on the floor (or failed to reach consensus on the ML) • 26 January 2014 Labs (GIH) proposes retain for research • 30 April 2014 endorsed by APNIC EC. • 7 May 2014 implemented as policy. Blocks marked in WHOIS to Labs. • Labs holds the block, continues assessments with Google, AARNet. • Provide strong signal of “background traffic” levels. Remain infeasibly tainted for routine use • Enter Cloudflare..
August 2017 request from Cloudflare • Cloudflare contacted us asking to enter a research relationship with these ranges • Can they explore sinking this load in their global anycast, and offering public DNS? • No implied right to assignment • Blocks remain in the control of Labs, under address policy • Future/continuing use has to be understood to be bound by address policy • Strong privacy drivers for service (from Cloudflare) • No sharing of endpoint IP, queried domains, No data taken from core DNS system • Simple APIs for bulk data information: volumes, origin-AS type information • March 2018, Registry records updated, LOA published • April 1 2018 Cloudflare announce services in BGP
Cloudflare slides
DNS resolver, 1.1.1.1, is served by Cloudflare’s Global Anycast Network. Announced April 1st 2018 Our mission: to help build a better Internet. We use 1.1.1.1 and 1.0.0.1 (easy to remember) for our resolver. Addresses provided to Cloudflare by APNIC for both joint research and this service. We focused on privacy! We knew we would spend a lot of time cleaning up the global Internet to make 1.1.1.1 work! https://blog.cloudflare.com/announcing-1111/ https://blog.cloudflare.com/dns-resolver-1-1-1-1/
APNIC Labs and Cloudflare APNIC is allocated 1.0.0.0/8 by IANA in January 2010 https://blog.apnic.net/2018/04/02/apnic-labs-enters-into-a-research-agreement-with-cloudflare/
151+ Data centers globally The Cloudflare network (DNS, DDoS, CDN, WAF, more) 151+ DNS resolver locations 151+ DNS authoritative locations
1.1.1.1 design goals
DNS and privacy! DNS itself is a 35-year-old protocol (and it's showing its age). It was never designed with privacy or security in mind. DNS inherently is unencrypted so it leaks data to anyone who's monitoring your network connection. We focused on privacy: ● Query Minimization RFC7816 ● Aggressive negative answers RFC8198 ● No Client Subnet on queries ● DNS-over-TLS (Transport Layer Security) RFC7858 ● DNS-over-HTTPS protocol DoH (draft-ietf-doh-dns-over-https) In 2014, we decided to enable https encryption for free for all our customers (we doubled the size of the encrypted web). In 2017, we made DDoS mitigation free & unmetered across all our plans.
● DNS is chatty, very chatty! ● Resolver can reduce the information leaked to intermediary DNS servers ○ The root, TLDs, and secondary zones ● Resolver only sends just enough of the name for the authority to tell the resolver where to ask the next question. DNS Query Minimization QNAME contains too much information. . COM CLOUDFLARE.COM RESOLVER www.cloudflare.co mwww.cloudflare.co mwww.cloudflare.co m . COM CLOUDFLARE.COM RESOLVER com cloudflare www With Query Minimization:
DNS Aggressive Negative Answer ● Fewer lookups to authorities (in particular the root zone) ● Use the existing resolvers negative cache ○ Negative (or non-existent) information kept around for a period of time ● For zones signed with DNSSEC with the NSEC records in cache: ○ Resolver can figure out if the requested name does NOT exist without doing any further queries ○ If you type wwwwwww dot something and then wwww dot something, the second query could well be answered with a very quick “no” (NXDOMAIN in the DNS world) ● Aggressive negative caching works only with DNSSEC signed zones, which includes both the root and ~1,400 out of 1,544 TLDs QNAME contains too much information.
Client Subnet == Bad privacy Client Subnet: RFC7871/Experimental ● Used for traffic engineering when queries come from open resolvers or large resolver clusters ○ addr/netmask ⇒ fine grain “location” /24 commonly used ○ Bad for resolvers as it kills cache hit ratio ○ Resolver cache implementations got more complex ● Suggestions to use it to track devices behind a NAT Not using ECS degrades performance in some cases Fine grain steering vs course steering Where should traffic steering actually happen? ● DNS ● Applications via referrals ? What is acceptable scope for NetMask ? CS option frequently included on all queries ⇒ Massive data leak How to find the right balance?
TLS (Transport Layer Security) is the basis of https encryption. ● DNS-over-TLS (RFC7858) is simply a DNS request(s) wrapped by TLS. ● DNS-over-HTTPS (draft-ietf-doh-dns-over-http) is DNS queries via an HTTPS request. ** Resolver, 1.1.1.1 now provides both - at scale! ● Mozilla Trusted Recursive Resolver ○ Cloudflare listed DNS-over-TLS / DNS-over-HTTPS DNSSEC ensures integrity of data between resolver and authoritative server, it doesn’t protect privacy of that data! Specifically, DNSSEC doesn’t protect the privacy of the “last mile”. ** https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
● We don’t store client IP addresses never, ever! ● We only use query names for things that improve DNS resolver performance. ● After obfuscation, APNIC research gets access to data (under our joint agreement). ● Cloudflare never stores any information in logs that identifies end user. ○ All log records are deleted within 24 hours. ● We will continue to abide by our privacy policy and ensure that no user data is sold to advertisers or used to target consumers. Data Policy All log records deleted within 24 hours
DNS resolver addresses
IPv4 & IPv6 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
1.1.1.1 polluted space A major hardware vendor Polluted for many many years
Sadly, user “Samsonite801” will never be able to use 1.1.1.1 DNS resolver! 1.1.1.1 polluted space Hard to explain “assigned” vs “private” https://www.linuxquestions.org/questions/linux-networking-3/why-doesn%27t-everyone-use-1-1-1-x-or-1-1-x-x-or- 1-x-x-x-addresses-in-their-lans-4175563056/
1.1.1.1 polluted space (the edge) Many CPE routers use 1.1.1.1 for captive portals or configuration screens ● Pace (Arris) 5268 ● D-Link DMG-6661 ● Technicolor C2100T ● Calix GigaCenter ---- fixed 2018/Jun/12 thanks to a USER ● Nomadix (model(s) unknown) ● Xerox Phaser MFP Deployed in the millions globally Millions of CPE boxes globally
1.1.1.1 polluted space (backbones) Many backbones seem to have 1.1.1.1 backholed or used - for no real reason We committed to fixing this by using our measurements to track down, contact and correct these inconsistencies. Here’s a partial list of successfully cleaned backbones! ● Airtel, BHTelecom, Beirut-IX, Comcast, Fastweb, ITC, Kazakhtelecom, LG Telecom, Level(3), Liquid Telecom, MTN, Omantel, Rostelecom, SFR, SKBB, Sonatel, STC, Tata, Telecom Italia, Telenor, Telus, Turk Telekom, Turkcell, Voo, XS4ALL, Ziggo ● Many more ... Thank you backbones. You have helped the Internet improve. Why do backbones use this route? Good question!
● 1.1.1.1 (1.1.1.0/30) was in use internally within Sonatel ○ This isn’t unusual - (see previous slides) ○ Prevents end-users from accessing resolver at 1.1.1.1 ○ However, 1.0.0.1 is available - hence resolver always worked ● This is repeated in many countries and telcos 1.1.1.1 fixed in Senegal Fixed! Fixing 1.1.1.1, one network at a time!
● Thanks to the RIPE Atlas probes and thousands of tests ○ Tested ISPs globally for access to 1.1.1.1 (and 1.0.0.1) ○ Sent many emails to many NOCs ** Measuring availability RIPE Atlas to the rescue! Null-routes CPE installed in ISP … Suddenly an open FTP server ** https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/
1.0.0.0/24 & 1.1.1.0/24 background noise
1.1.1.0/24 routing history 10+ Gbps of noise! RIPE, Merit https://labs.ripe.net/Members/franz/content-pollution-18 - Franz Schwarzinger http://www.potaroo.net/studies/1slash8/1slash8.html - Geoff Huston Google, YouTube AS13335 Cloudflare
1.1.1.0/24 background traffic 10+ Gbps of noise! 1.0.0.0/24 gets about 1% ● Previous studies: ○ 2010: Greater than 100 Mbps on 1.1.1.0/24 ○ 2014: 100 Mbps → 1 Gbps on 1.0.0.0/8 ** ● Cloudflare routing: ○ 2018: 8 Gbps → 13 Gbps (with 1 Gbps solely on 1.1.1.1) ** https://conference.apnic.net/data/37/2014-02-27-prop-109_1393397866.pdf - Geoff Huston
1.1.1.0/24 background traffic 10+ Gbps of noise! ● TCP traffic (mostly HTTP proxy, services). ○ Ports 80, 443, 8000, 8080, 8090, 8765 ● UDP traffic (some DNS, syslogs). ○ Ports 53, 514, 8000, 80, 8090 ● TP-Link DNS 1.0.0.19 ** ** https://serverfault.com/questions/365613/ tp-link-routers-send-dns-queries-to-1-0-0-19-what-is-that/365630
1.1.1.0/24 background traffic 10+ Gbps of noise! ● Traffic source ○ Mostly China ○ US ○ countries in Asia ○ some Europe
1.1.1.0/24 bursts and patterns 10+ Gbps of noise! ● Two increases: ○ 5 Gbps → 8 Gbps between 16:00 → 17:15 UTC ○ 8 Gbps → 12.5 Gbps between 17:15 → 23:00 UTC ○ Mostly on 1.1.1.7, 1.1.1.8, 1.1.1.9, and 1.1.1.10 ■ Destination port 80 ■ Increase from China ■ No particular difference on source IP/net ● Short bursts: ○ Only on 1.1.1.1 between 01:00 → 02:00 UTC for a few minutes ○ 1 Gbps → 10 Gbps ○ UDP traffic source port 123 (NTP) and port 11211 (memcached) ■ Misconfigured network devices?
1.1.1.0/24 bursts and patterns 10+ Gbps of noise! ● Also DHCP spikes from Macau ○ Bursts to 40 Mbps ● How many packets per second on UDP 53 (before launching)
1.1.1.0/24 what changed? 10+ Gbps of noise! ● Presentation from 10 years ago at NANOG49 ** ○ “iperf traffic to 1.2.3.4 is roughly 10 Mbps of traffic from less than a 100 unique sources” ● 2018: we still see iperf traffic (port 5000/5001) ○ Around 10-20 times the traffic ** https://www.nanog.org/meetings/nanog49/presentations/Monday/karir-1slash8.pdf Merit, APNIC, University of Michigan We estimate legitimate traffic to be around 7-13%
1.0.0.0/24, 1.1.1.0/24 traffic 10+ Gbps of noise! 1.1.1.1 @ ~ 600 Mbps 1.0.0.1 @ ~ 70 Mbps 1.1.1.0/24 noise somewhat down 1.0.0.0/24 noise significantly down 1.1.1.1resolver traffic! Alltrafficto 1.1.1.0/24 1.0.0.1 resolver traffic!
1.0.0.0/24, 1.1.1.0/24 traffic 1.1.1.0/24 noise 1.1.1.1 traffic! 1.1.1.7 1.1.1.8 1.1.1.9 1.1.1.10 traffic!
Routing
Traffic goes where ? Measured from Ripe Atlas probes Old Tunnels never die Date 1.0.0.1 1.1.1.1 Test # Mar/28 8.3% 14.7% 4.8% 16.7% May/16 0.4% 3.0% 0.2% 3.4% Jun/21 1.2% 4.2% 1.5% 5.0% Not all go to same location Reachability issues persist
Measuring availability (via pings) Resolver reachability Green - All working Red = 1.1.1.1 fails Pink = 1.0.0.1 fails Purple = both fail Early August/2018 Hilbert curves are cool!
Captive Portals are the worst MIT Guest network at 22/6/2018 10:14
Adoption
Adoption of 1.1.1.1 has been great! NOERRORNXDOMAIN SERVFAIL NOTIMP Announcement
About route leaks
1.1.1.0/24 leaks happen ● The heavy use of 1.1.1.1 in networks (running BGP) trigger route leaks ● Cloudflare has a signed RPKI ROA for both 1.0.0.0/24 & 1.1.1.0/24 ○ RPKI signed - but doesn’t (yet) stop route leaks ● The 29 May 2018 leak was ~60 seconds in length ○ It lasted longer on twitter ● This must stop; not just for this route, but on all routes! Prefix: 1.1.1.0/24 Country code: AU Origin AS: 13335 Origin AS Name: Cloudflare Inc RPKI status: ROA validation successful Route leaks need to stop!
Speed
Speed (prefill) We prefill all caches based on popular domains in a region ● Why: To improve perceived speed and availability ● Popular domains should always be cached ● What is popular? rsdns- writer QS rsdns- poller Alexa 1M Umbrella 1M Majestic 1M Resolve r Resolve r
Speed (backend multicast) Multicasted cache data across machines within the same data center ● Why: Cache hit ratio goes down with the network size ● Cache hit ratio is everything ● Basically a pub-sub ● Consistent latency Resolve r Resolve r Resolve r Resolve r Resolve r Resolve r
Speed https://blog.thousandeyes.com/ranking-performance-public-dns-providers-2018/ https://www.dnsperf.com/#!dns-resolvers
Speed (in APNIC region) DNSPerf measurements
Summary
Summary ● Easy to remember IP addresses ● Support for DOH (DNS over HTTPS) and DNS over TLS ● Cleaning up routing and CPE devices ● Did I mention it’s fast? Setting up the resolver: https://1.1.1.1/
Where to from here? • The blocks are clearly still very tainted • Cloudflare continue to sink huge amounts of unrequested, unquenchable traffic • Remediation is more than theoretically possible, but its not free • Labour costs to help ISPs • Those code dependencies embedded in systems in the CPE.. • We’re talking two /24. Impact on overall IPv4 availability is low • Public DNS services are now quite popular • Google pDNS • IBM/PCH 9.9.9.9 “cleanfeed” • CloudFlare 1.1.1.1 has high adoption rate • Continuance with renewal unless clear policy drivers dictate otherwise • APNIC Labs does not propose a change at this time
Questions?

Recommended

Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
APNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
APNIC
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoS
APNIC
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
APNIC
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
APNIC
 
Passive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoPassive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoHenry Stern
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSK
APNIC
 

Recommended

Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
APNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
APNIC
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoS
APNIC
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
APNIC
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
APNIC
 
Passive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoPassive DNS Collection – Henry Stern, Cisco
Passive DNS Collection – Henry Stern, CiscoHenry Stern
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSK
APNIC
 
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
APNIC
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020
APNIC
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
Bangladesh Network Operators Group
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
APNIC
 
Building and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast networkBuilding and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast network
APNIC
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
NGINX, Inc.
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
Bangladesh Network Operators Group
 
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIs
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIsNagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIs
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIs
Nagios
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's asking
APNIC
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
APNIC
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
Jisc
 
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC
 
Delivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXDelivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINX
NGINX, Inc.
 
GoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATSGoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATS
wallyqs
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS Firewall
APNIC
 
Campus networking
Campus networkingCampus networking
Campus networking
Jisc
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
NGINX, Inc.
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
DNS resolver 1.1.1.1 from Cloudflare
DNS resolver 1.1.1.1 from CloudflareDNS resolver 1.1.1.1 from Cloudflare
DNS resolver 1.1.1.1 from Cloudflare
APNIC
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
Men and Mice
 

More Related Content

What's hot

Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
APNIC
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020
APNIC
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
Bangladesh Network Operators Group
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
APNIC
 
Building and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast networkBuilding and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast network
APNIC
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
NGINX, Inc.
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
Bangladesh Network Operators Group
 
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIs
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIsNagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIs
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIs
Nagios
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's asking
APNIC
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
APNIC
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
Jisc
 
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC
 
Delivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXDelivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINX
NGINX, Inc.
 
GoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATSGoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATS
wallyqs
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS Firewall
APNIC
 
Campus networking
Campus networkingCampus networking
Campus networking
Jisc
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
NGINX, Inc.
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 

What's hot (20)

Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
Building and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast networkBuilding and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast network
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIs
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIsNagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIs
Nagios Conference 2014 - Janice Singh - Real World Uses for Nagios APIs
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's asking
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
AFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer MigrationAFRINIC DNSSEC Infrastructure and Signer Migration
AFRINIC DNSSEC Infrastructure and Signer Migration
 
Delivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXDelivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINX
 
GoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATSGoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATS
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS Firewall
 
Campus networking
Campus networkingCampus networking
Campus networking
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 

Similar to Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches

DNS resolver 1.1.1.1 from Cloudflare
DNS resolver 1.1.1.1 from CloudflareDNS resolver 1.1.1.1 from Cloudflare
DNS resolver 1.1.1.1 from Cloudflare
APNIC
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
Men and Mice
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
Men and Mice
 
Hadoop Meetup Jan 2019 - Overview of Ozone
Hadoop Meetup Jan 2019 - Overview of OzoneHadoop Meetup Jan 2019 - Overview of Ozone
Hadoop Meetup Jan 2019 - Overview of Ozone
Erik Krogen
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
Positive Hack Days
 
Understanding i pv6 2
Understanding i pv6 2Understanding i pv6 2
Understanding i pv6 2srmanjuskp
 
APNIC Update
APNIC Update APNIC Update
APNIC Update
APNIC
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
Deploy360 Programme (Internet Society)
 
IBM Aspera overview
IBM Aspera overview IBM Aspera overview
IBM Aspera overview
Carlos Martin Hernandez
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
APNIC
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
APNIC
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
Qrator Labs
 
BlackStor - World's fastest & most reliable Cloud Native Software Defined Sto...
BlackStor - World's fastest & most reliable Cloud Native Software Defined Sto...BlackStor - World's fastest & most reliable Cloud Native Software Defined Sto...
BlackStor - World's fastest & most reliable Cloud Native Software Defined Sto...
Michal Němec
 
Big data in the energy sector
Big data in the energy sectorBig data in the energy sector
Big data in the energy sector
FileCatalyst
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
AFRINIC
 
Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0
Fred Bovy
 
Yeti DNS Project
Yeti DNS ProjectYeti DNS Project
Yeti DNS Project
APNIC
 
Roadmap to Next Generation IP Networks: A Review of the Fundamentals
Roadmap to Next Generation IP Networks: A Review of the FundamentalsRoadmap to Next Generation IP Networks: A Review of the Fundamentals
Roadmap to Next Generation IP Networks: A Review of the FundamentalsNetwork Utility Force
 

Similar to Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches (20)

DNS resolver 1.1.1.1 from Cloudflare
DNS resolver 1.1.1.1 from CloudflareDNS resolver 1.1.1.1 from Cloudflare
DNS resolver 1.1.1.1 from Cloudflare
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
How to send DNS over anything encrypted
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
 
Hadoop Meetup Jan 2019 - Overview of Ozone
Hadoop Meetup Jan 2019 - Overview of OzoneHadoop Meetup Jan 2019 - Overview of Ozone
Hadoop Meetup Jan 2019 - Overview of Ozone
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
Understanding i pv6 2
Understanding i pv6 2Understanding i pv6 2
Understanding i pv6 2
 
APNIC Update
APNIC Update APNIC Update
APNIC Update
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
IBM Aspera overview
IBM Aspera overview IBM Aspera overview
IBM Aspera overview
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
BlackStor - World's fastest & most reliable Cloud Native Software Defined Sto...
BlackStor - World's fastest & most reliable Cloud Native Software Defined Sto...BlackStor - World's fastest & most reliable Cloud Native Software Defined Sto...
BlackStor - World's fastest & most reliable Cloud Native Software Defined Sto...
 
Big data in the energy sector
Big data in the energy sectorBig data in the energy sector
Big data in the energy sector
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
 
Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0
 
Yeti DNS Project
Yeti DNS ProjectYeti DNS Project
Yeti DNS Project
 
Roadmap to Next Generation IP Networks: A Review of the Fundamentals
Roadmap to Next Generation IP Networks: A Review of the FundamentalsRoadmap to Next Generation IP Networks: A Review of the Fundamentals
Roadmap to Next Generation IP Networks: A Review of the Fundamentals
 

More from APNIC

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
APNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APNIC
 

More from APNIC (20)

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 

Recently uploaded

1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
VivekSinghShekhawat2
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 

Recently uploaded (20)

1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 

Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches

  • 1. 1.1.1.0/24 A report from the (anycast) trenches ggm@apnic.net With thanks to {martin,olafur}@cloudflare.com
  • 2. Overview • Background “we knew this was coming” • Final /8 process • Tainted blocks testing: AARNet and Google • Failed APNIC policy attempt: reserved to labs • The cloudflare proposal • How is it going (cloudflare material) • Where to from here?
  • 3. We were going to run out in 2006 We definitely changed pace People got a bit keen PANIC ? The dregs …. Address policy Probably bought 10 years. We didn’t succeed In using the 10 years To deploy IPv6. Address policy in five lines (and one curve)
  • 4. We knew this was coming.. • BGP the movie • Rundown prediction models from APNIC & others • 2008-2010 emerging final /8 policy proposals in all RIR. • Forseeable sometime between 2010 and 2012, we’d need to plan for end of supply in IPv4 from IANA • “Awkward” /8 assignments: Leo Vegoda (IANA) September 2007 • Mentions 1.0.0.0/8 5.0.0.0/8 and 42.0.0.0/8 (APNIC got 1 and 42. Ripe got 5) • https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table- contents-37/103-awkward.html • https://www.icann.org/news/blog/selecting-which-8-to-allocate-to-an-rir • Avoid pain for AfriNIC and LacNIC: give them preferential access to untainted blocks • Random assignment of tainted blocks to APNIC, ARIN & RIPE NCC (otherwise in line with address policy, rundown planning)
  • 5. Lets talk about 1.0.0.0/8 specifically • 1.0.0.0/8 (1/8) reserved by IANA, since 1981. • used unofficially as example addresses, default configuration parameters or pseudo-private address space. • 1.1.1.0/24 is used by Intel bladecenters internally for communication with its blades. • Used by MacDonalds for free WiFi, Swisshotels and others, in documentation for configuration examples of products • And see later for what CloudFlare have uncovered for continuing uses • Status changed in IANA from ”reserved” to “unallocated” in 2008 • Predictions about runout were within foreseeable timeframe
  • 6. 1.0.0.0/8 Assigned to APNIC January 2010 • Tested by APNIC across 2010 with a range of partners • RIPE NCC announcing more specifics • see 50 mbit/second, floods IX links • https://labs.ripe.net/Members/franz/content-pollution-18 • MERIT peak burst 860 Mbps • Audio data, traffic levels unlike other tested netblocks in the ‘awkward’ set • https://www.merit.edu/wp-content/uploads/2018/01/1.0.0.08.pdf • Google/YouTube • traffic levels of around 150 Mbps mainly comprising UDP (cannot easily be constrained) 80Mbps in 1.1.0.0/16 • Peaks over 800Mbps • AARNet • Five sub-ranges identified for hold-back: • 1.0.0.0/24 10+ Mbps • 1.1.1.0/24 80+ Mbps • 1.2.3.0/24 10+ Mbps • 1.4.0.0/24 10+ Mbps • 1.10.10.0/24 3+ Mbps • http://www.potaroo.net/studies/1slash8/1slash8.pdf
  • 7. Final /8 policy implications • IANA exhausted its IPv4 free pool (3 February 2011) • From apnic’s web pages: • https://www.apnic.net/community/ipv4-exhaustion/graphical-information/ On 15 April 2011, the APNIC pool reached the last /8 of available IPv4 addresses, triggering the Final /8 policy. : : Quarantined blocks will be released to the Available pool when their routability and usability problems are minimized. • Pre-exhaustion testing implemented by labs, 2009-2011 • Tainted ranges identified and held back • Too much traffic inbound, to make acceptable for routine distribution
  • 8. What to do with 1.1.1.0/24 and 1.0.0.0/24 • Many competing requests: CNNIC, Microsoft • Rejected at OPM on the floor (or failed to reach consensus on the ML) • 26 January 2014 Labs (GIH) proposes retain for research • 30 April 2014 endorsed by APNIC EC. • 7 May 2014 implemented as policy. Blocks marked in WHOIS to Labs. • Labs holds the block, continues assessments with Google, AARNet. • Provide strong signal of “background traffic” levels. Remain infeasibly tainted for routine use • Enter Cloudflare..
  • 9. August 2017 request from Cloudflare • Cloudflare contacted us asking to enter a research relationship with these ranges • Can they explore sinking this load in their global anycast, and offering public DNS? • No implied right to assignment • Blocks remain in the control of Labs, under address policy • Future/continuing use has to be understood to be bound by address policy • Strong privacy drivers for service (from Cloudflare) • No sharing of endpoint IP, queried domains, No data taken from core DNS system • Simple APIs for bulk data information: volumes, origin-AS type information • March 2018, Registry records updated, LOA published • April 1 2018 Cloudflare announce services in BGP
  • 11. DNS resolver, 1.1.1.1, is served by Cloudflare’s Global Anycast Network. Announced April 1st 2018 Our mission: to help build a better Internet. We use 1.1.1.1 and 1.0.0.1 (easy to remember) for our resolver. Addresses provided to Cloudflare by APNIC for both joint research and this service. We focused on privacy! We knew we would spend a lot of time cleaning up the global Internet to make 1.1.1.1 work! https://blog.cloudflare.com/announcing-1111/ https://blog.cloudflare.com/dns-resolver-1-1-1-1/
  • 12. APNIC Labs and Cloudflare APNIC is allocated 1.0.0.0/8 by IANA in January 2010 https://blog.apnic.net/2018/04/02/apnic-labs-enters-into-a-research-agreement-with-cloudflare/
  • 13. 151+ Data centers globally The Cloudflare network (DNS, DDoS, CDN, WAF, more) 151+ DNS resolver locations 151+ DNS authoritative locations
  • 15. DNS and privacy! DNS itself is a 35-year-old protocol (and it's showing its age). It was never designed with privacy or security in mind. DNS inherently is unencrypted so it leaks data to anyone who's monitoring your network connection. We focused on privacy: ● Query Minimization RFC7816 ● Aggressive negative answers RFC8198 ● No Client Subnet on queries ● DNS-over-TLS (Transport Layer Security) RFC7858 ● DNS-over-HTTPS protocol DoH (draft-ietf-doh-dns-over-https) In 2014, we decided to enable https encryption for free for all our customers (we doubled the size of the encrypted web). In 2017, we made DDoS mitigation free & unmetered across all our plans.
  • 16. ● DNS is chatty, very chatty! ● Resolver can reduce the information leaked to intermediary DNS servers ○ The root, TLDs, and secondary zones ● Resolver only sends just enough of the name for the authority to tell the resolver where to ask the next question. DNS Query Minimization QNAME contains too much information. . COM CLOUDFLARE.COM RESOLVER www.cloudflare.co mwww.cloudflare.co mwww.cloudflare.co m . COM CLOUDFLARE.COM RESOLVER com cloudflare www With Query Minimization:
  • 17. DNS Aggressive Negative Answer ● Fewer lookups to authorities (in particular the root zone) ● Use the existing resolvers negative cache ○ Negative (or non-existent) information kept around for a period of time ● For zones signed with DNSSEC with the NSEC records in cache: ○ Resolver can figure out if the requested name does NOT exist without doing any further queries ○ If you type wwwwwww dot something and then wwww dot something, the second query could well be answered with a very quick “no” (NXDOMAIN in the DNS world) ● Aggressive negative caching works only with DNSSEC signed zones, which includes both the root and ~1,400 out of 1,544 TLDs QNAME contains too much information.
  • 18. Client Subnet == Bad privacy Client Subnet: RFC7871/Experimental ● Used for traffic engineering when queries come from open resolvers or large resolver clusters ○ addr/netmask ⇒ fine grain “location” /24 commonly used ○ Bad for resolvers as it kills cache hit ratio ○ Resolver cache implementations got more complex ● Suggestions to use it to track devices behind a NAT Not using ECS degrades performance in some cases Fine grain steering vs course steering Where should traffic steering actually happen? ● DNS ● Applications via referrals ? What is acceptable scope for NetMask ? CS option frequently included on all queries ⇒ Massive data leak How to find the right balance?
  • 19. TLS (Transport Layer Security) is the basis of https encryption. ● DNS-over-TLS (RFC7858) is simply a DNS request(s) wrapped by TLS. ● DNS-over-HTTPS (draft-ietf-doh-dns-over-http) is DNS queries via an HTTPS request. ** Resolver, 1.1.1.1 now provides both - at scale! ● Mozilla Trusted Recursive Resolver ○ Cloudflare listed DNS-over-TLS / DNS-over-HTTPS DNSSEC ensures integrity of data between resolver and authoritative server, it doesn’t protect privacy of that data! Specifically, DNSSEC doesn’t protect the privacy of the “last mile”. ** https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
  • 20. ● We don’t store client IP addresses never, ever! ● We only use query names for things that improve DNS resolver performance. ● After obfuscation, APNIC research gets access to data (under our joint agreement). ● Cloudflare never stores any information in logs that identifies end user. ○ All log records are deleted within 24 hours. ● We will continue to abide by our privacy policy and ensure that no user data is sold to advertisers or used to target consumers. Data Policy All log records deleted within 24 hours
  • 23. 1.1.1.1 polluted space A major hardware vendor Polluted for many many years
  • 24. Sadly, user “Samsonite801” will never be able to use 1.1.1.1 DNS resolver! 1.1.1.1 polluted space Hard to explain “assigned” vs “private” https://www.linuxquestions.org/questions/linux-networking-3/why-doesn%27t-everyone-use-1-1-1-x-or-1-1-x-x-or- 1-x-x-x-addresses-in-their-lans-4175563056/
  • 25. 1.1.1.1 polluted space (the edge) Many CPE routers use 1.1.1.1 for captive portals or configuration screens ● Pace (Arris) 5268 ● D-Link DMG-6661 ● Technicolor C2100T ● Calix GigaCenter ---- fixed 2018/Jun/12 thanks to a USER ● Nomadix (model(s) unknown) ● Xerox Phaser MFP Deployed in the millions globally Millions of CPE boxes globally
  • 26. 1.1.1.1 polluted space (backbones) Many backbones seem to have 1.1.1.1 backholed or used - for no real reason We committed to fixing this by using our measurements to track down, contact and correct these inconsistencies. Here’s a partial list of successfully cleaned backbones! ● Airtel, BHTelecom, Beirut-IX, Comcast, Fastweb, ITC, Kazakhtelecom, LG Telecom, Level(3), Liquid Telecom, MTN, Omantel, Rostelecom, SFR, SKBB, Sonatel, STC, Tata, Telecom Italia, Telenor, Telus, Turk Telekom, Turkcell, Voo, XS4ALL, Ziggo ● Many more ... Thank you backbones. You have helped the Internet improve. Why do backbones use this route? Good question!
  • 27. ● 1.1.1.1 (1.1.1.0/30) was in use internally within Sonatel ○ This isn’t unusual - (see previous slides) ○ Prevents end-users from accessing resolver at 1.1.1.1 ○ However, 1.0.0.1 is available - hence resolver always worked ● This is repeated in many countries and telcos 1.1.1.1 fixed in Senegal Fixed! Fixing 1.1.1.1, one network at a time!
  • 28. ● Thanks to the RIPE Atlas probes and thousands of tests ○ Tested ISPs globally for access to 1.1.1.1 (and 1.0.0.1) ○ Sent many emails to many NOCs ** Measuring availability RIPE Atlas to the rescue! Null-routes CPE installed in ISP … Suddenly an open FTP server ** https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/
  • 29. 1.0.0.0/24 & 1.1.1.0/24 background noise
  • 30. 1.1.1.0/24 routing history 10+ Gbps of noise! RIPE, Merit https://labs.ripe.net/Members/franz/content-pollution-18 - Franz Schwarzinger http://www.potaroo.net/studies/1slash8/1slash8.html - Geoff Huston Google, YouTube AS13335 Cloudflare
  • 31. 1.1.1.0/24 background traffic 10+ Gbps of noise! 1.0.0.0/24 gets about 1% ● Previous studies: ○ 2010: Greater than 100 Mbps on 1.1.1.0/24 ○ 2014: 100 Mbps → 1 Gbps on 1.0.0.0/8 ** ● Cloudflare routing: ○ 2018: 8 Gbps → 13 Gbps (with 1 Gbps solely on 1.1.1.1) ** https://conference.apnic.net/data/37/2014-02-27-prop-109_1393397866.pdf - Geoff Huston
  • 32. 1.1.1.0/24 background traffic 10+ Gbps of noise! ● TCP traffic (mostly HTTP proxy, services). ○ Ports 80, 443, 8000, 8080, 8090, 8765 ● UDP traffic (some DNS, syslogs). ○ Ports 53, 514, 8000, 80, 8090 ● TP-Link DNS 1.0.0.19 ** ** https://serverfault.com/questions/365613/ tp-link-routers-send-dns-queries-to-1-0-0-19-what-is-that/365630
  • 33. 1.1.1.0/24 background traffic 10+ Gbps of noise! ● Traffic source ○ Mostly China ○ US ○ countries in Asia ○ some Europe
  • 34. 1.1.1.0/24 bursts and patterns 10+ Gbps of noise! ● Two increases: ○ 5 Gbps → 8 Gbps between 16:00 → 17:15 UTC ○ 8 Gbps → 12.5 Gbps between 17:15 → 23:00 UTC ○ Mostly on 1.1.1.7, 1.1.1.8, 1.1.1.9, and 1.1.1.10 ■ Destination port 80 ■ Increase from China ■ No particular difference on source IP/net ● Short bursts: ○ Only on 1.1.1.1 between 01:00 → 02:00 UTC for a few minutes ○ 1 Gbps → 10 Gbps ○ UDP traffic source port 123 (NTP) and port 11211 (memcached) ■ Misconfigured network devices?
  • 35. 1.1.1.0/24 bursts and patterns 10+ Gbps of noise! ● Also DHCP spikes from Macau ○ Bursts to 40 Mbps ● How many packets per second on UDP 53 (before launching)
  • 36. 1.1.1.0/24 what changed? 10+ Gbps of noise! ● Presentation from 10 years ago at NANOG49 ** ○ “iperf traffic to 1.2.3.4 is roughly 10 Mbps of traffic from less than a 100 unique sources” ● 2018: we still see iperf traffic (port 5000/5001) ○ Around 10-20 times the traffic ** https://www.nanog.org/meetings/nanog49/presentations/Monday/karir-1slash8.pdf Merit, APNIC, University of Michigan We estimate legitimate traffic to be around 7-13%
  • 37. 1.0.0.0/24, 1.1.1.0/24 traffic 10+ Gbps of noise! 1.1.1.1 @ ~ 600 Mbps 1.0.0.1 @ ~ 70 Mbps 1.1.1.0/24 noise somewhat down 1.0.0.0/24 noise significantly down 1.1.1.1resolver traffic! Alltrafficto 1.1.1.0/24 1.0.0.1 resolver traffic!
  • 38. 1.0.0.0/24, 1.1.1.0/24 traffic 1.1.1.0/24 noise 1.1.1.1 traffic! 1.1.1.7 1.1.1.8 1.1.1.9 1.1.1.10 traffic!
  • 40. Traffic goes where ? Measured from Ripe Atlas probes Old Tunnels never die Date 1.0.0.1 1.1.1.1 Test # Mar/28 8.3% 14.7% 4.8% 16.7% May/16 0.4% 3.0% 0.2% 3.4% Jun/21 1.2% 4.2% 1.5% 5.0% Not all go to same location Reachability issues persist
  • 41. Measuring availability (via pings) Resolver reachability Green - All working Red = 1.1.1.1 fails Pink = 1.0.0.1 fails Purple = both fail Early August/2018 Hilbert curves are cool!
  • 42. Captive Portals are the worst MIT Guest network at 22/6/2018 10:14
  • 44. Adoption of 1.1.1.1 has been great! NOERRORNXDOMAIN SERVFAIL NOTIMP Announcement
  • 46. 1.1.1.0/24 leaks happen ● The heavy use of 1.1.1.1 in networks (running BGP) trigger route leaks ● Cloudflare has a signed RPKI ROA for both 1.0.0.0/24 & 1.1.1.0/24 ○ RPKI signed - but doesn’t (yet) stop route leaks ● The 29 May 2018 leak was ~60 seconds in length ○ It lasted longer on twitter ● This must stop; not just for this route, but on all routes! Prefix: 1.1.1.0/24 Country code: AU Origin AS: 13335 Origin AS Name: Cloudflare Inc RPKI status: ROA validation successful Route leaks need to stop!
  • 47. Speed
  • 48. Speed (prefill) We prefill all caches based on popular domains in a region ● Why: To improve perceived speed and availability ● Popular domains should always be cached ● What is popular? rsdns- writer QS rsdns- poller Alexa 1M Umbrella 1M Majestic 1M Resolve r Resolve r
  • 49. Speed (backend multicast) Multicasted cache data across machines within the same data center ● Why: Cache hit ratio goes down with the network size ● Cache hit ratio is everything ● Basically a pub-sub ● Consistent latency Resolve r Resolve r Resolve r Resolve r Resolve r Resolve r
  • 51. Speed (in APNIC region) DNSPerf measurements
  • 53. Summary ● Easy to remember IP addresses ● Support for DOH (DNS over HTTPS) and DNS over TLS ● Cleaning up routing and CPE devices ● Did I mention it’s fast? Setting up the resolver: https://1.1.1.1/
  • 54. Where to from here? • The blocks are clearly still very tainted • Cloudflare continue to sink huge amounts of unrequested, unquenchable traffic • Remediation is more than theoretically possible, but its not free • Labour costs to help ISPs • Those code dependencies embedded in systems in the CPE.. • We’re talking two /24. Impact on overall IPv4 availability is low • Public DNS services are now quite popular • Google pDNS • IBM/PCH 9.9.9.9 “cleanfeed” • CloudFlare 1.1.1.1 has high adoption rate • Continuance with renewal unless clear policy drivers dictate otherwise • APNIC Labs does not propose a change at this time