SlideShare a Scribd company logo

NANOG 84: DNS Openness

APNIC
APNIC

APNIC Chief Scientist Geoff Huston presents on whether the Internet is truly open at NANOG 84, held from 14 to 16 February 2022 in Austin, Texas.

Internet
1 of 60
Download to read offline
DNS “Openness” Geoff Huston AM APNIC Labs
Openness? When speaking about openness, we do not mean open in a competitive sense, but rather open as in everyone can access the service: “Can users access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of the user’s or provider’s location or the location, origin or destination of the information, content, application or service?” 2
But that was the entire POINT of the DNS! The DNS was engineered to deliver the same answer to the same query, irrespective of the querier • The answer did not depend on who was asking, where they were asking from, what platform they were using to generate the query, the resolvers they used to handle the query • The answer did not depend on the origin of the information used to form the response, the platform used to serve this information, nor the location of information servers 3
Openness? When speaking about openness, we do not mean open in a competitive sense, but rather open as in everyone can access the service:: “Can users access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of the user’s or provider’s location or the location, origin or destination of the information, content, application or service?” The answer is ”Yes!” 4
Really? • Is that really true? Do we all see the same DNS? • Really? 5
Really? • Is that really true? Do we all see the same DNS? • Really? 6 No!
DNS: Not Fully Open! Why not? • Government regulatory requirements to block the “correct” resolution of certain DNS names • It happens in China, UK, America, Australia, India, Russia, Syria, Iran, Vietnam, France, Turkey,….. • Its VERY widespread, for all kinds of national motives 7
DNS: Not Fully Open! Why not? • Government regulatory requirements to block the “correct” resolution of certain DNS names • Occasional ISP desires to monetise the DNS • NXDOMAIN substitution to direct traffic from named destinations or services that do not exist to other destinations or services of their choosing 8
DNS: Not Fully Open! Why not? • Government regulatory requirements to block the “correct” resolution of certain DNS names • Occasional ISP desires to monetise the DNS • Threat mitigation where the DNS names associated with malware are blocked • Such as Quad9 threat intelligence informed DNS resolution 9
Is this a ”problem”? Generally not: • Nation states have a sovereign right to make such rules and bind their citizens to such rules • Threat mitigation is typically regarded as a Good Thing rather than an incursion against the utility of a single DNS 10
Is this a ”problem”? It’s a problem when it gets used as a lever in a different fight • Such as the Australian rule to force Australian ISPs to block the DNS resolution of “thepiratebay.org” • It only pushes determined users to alternate name resolution strategies and ultimately is a comprehensive waste of everyone’s time! But even this is a relative sideshow to the larger DNS 11
Another interpretation of “Openness”? When speaking about openness we might not mean open in a sense of consistency across providers and across client transactions, but rather: Is the DNS an “open” system? 12 This is an echo of the 1980’s move by this industry to embrace “open” technology, as in Open Systems Interconnect (OSI) for networking, open computer architectures, open operating systems. “Open” is being used here in the sense that it is intentionally positioned as the opposite of a vendor-proprietary “Closed” technology.
Is the DNS “Open”? Yes! • The DNS name resolution protocol is openly specified without any IPR encumbrance • Fully functional implementations of the DNS protocol are available as open source • DNS name servers are configured as open “promiscuous” responders and will provide the same response to a query irrespective of the identity of the querier • DNS information is openly available • There is some subtle qualification here in that the collection of a zone file may not be openly available, but the individual records in a zone can be queried • DNS queries and responses are “open” 13
Is the DNS “Open”? Yes! • The DNS name resolution protocol is openly specified without any IPR encumbrance • Fully functional implementations of the DNS protocol are available as open source • DNS name servers are configured as open “promiscuous” responders and will provide the same response to a query irrespective of the identity of the querier • DNS information is openly available • There is some subtle qualification here in that the collection of a zone file may not be openly available, but the individual records in a zone can be queried • DNS queries and responses are “open” 14 Which is a massive problem!
When “openness” is a weakness The DNS is used by everyone and everything • Because pretty much everything you do on the net starts with a call to the DNS • If we could see your stream of DNS queries in real time we could easily assemble a detailed profile of you and your interests and activities - as it happens! • If we could edit your DNS responses we could make services disappear from your Internet! 15
https://xkcd.com/1361/ 16
Lets look into this further The DNS is mapping system which takes human-use labels that name services and maps these labels to IP addresses 17
Lets look into this further The DNS is mapping system which takes human-use labels that name services and maps these labels to IP addresses 18 1. Connect to www.google.com DNS: What’s an IP address for www.google.com? DNS System 142.250.204.4 2. Send a TCP SYN packet to destination 142.250.204.4
What’s in that DNS “cloud”? 19 DNS System queries responses
The Hidden parts of “Open” • For an open technology the infrastructure and process of name resolution in the DNS is incredibly opaque • Once queries are passed to the DNS resolution infrastructure they are impossible to trace. Each element does not simply forward a query, but casts an entirely new query using its own identity • There is no query tracing and no clear way to probe into the DNS infrastructure • There could be query chains circling in the DNS infrastructure in a hidden loop and no one would be any the wiser! • It is challenging to gauge the level of hidden interdependency in the DNS, nor the level of ongoing centralisation of infrastructure functions in the DNS 20
The Hidden parts of “Open” • For an open technology the infrastructure and process of name resolution in the DNS is incredibly opaque • Once queries are passed to the DNS resolution infrastructure they are impossible to trace. Each element does not simply forward a query, but casts an entirely new query using its own identity • There is no query tracing and no clear way to probe into the DNS infrastructure • There could be query chains circling in the DNS infrastructure in a hidden loop and no one would be any the wiser! • It is challenging to gauge the level of hidden interdependency in the DNS, nor the level of ongoing centralisation of infrastructure functions in the DNS 21 The fact that the DNS works at all is amazing. The fact that it works at speed and volume is a modern miracle!
But all that is still not all of “the DNS” • The DNS is more than its mapping role, and more than its infrastructure elements of resolvers and servers • So what is the DNS? 22
What is “the DNS”? Multiple Choice – tick all that apply: qA name space: A collection of word-strings that are organised into a hierarchy of labels qA distributed name registration framework that assigns a unique “license to use” to human-centric word-strings to entities (for money) qA distributed database that maps human-centric word-strings into IP addresses qA protocol used by DNS protocol speakers to “resolve” a word-string into a defined attribute (usually an IP address) qA signalling medium that is universally supported across all of the Internet 23
Orchestration of the DNS • If the DNS is a set of functions and a set of various actors in this space then how are their individual actions orchestrated to provide a cohesive outcome? • How can client use the functions of “the DNS” if there is no one orchestrating all these elements of the name infrastructure? • Why does all this work in a completely deregulated space? • The answers lie in Markets and Market Signalling 24
What are DNS “Markets”? The DNS is not a single market – it is a highly devolved framework and there are a number of discrete markets that are at best loosely coupled Some of these markets are: • The market for new “top level” labels (gTLDs) operated by ICANN. This market is open to ICANN-qualified registry operators. A registry has an exclusive license to operate a TLD. • The market for “registrars”, who act as retailers of DNS names and deal with clients (registrants) and register the client’s DNS names into the appropriate registry • The market for clients to register a DNS name with a registry • The market for DNS name certification, which is a third party that attests that an entity has control of a domain name • The market for DNS name resolution where users direct their queries to a resolver and the resolver provides DNS “answers” • The market for hosting authoritative name services, where “bigger is better” has driven a highly aggregated market • The market for DNS query logs 25
Maybe it’s more than markets • Perhaps this is best viewed as a collection of market needs, or requirements • Some are well established • Some are emergent requirements • Perhaps the question could be rephrased as one that asks to what extent are conventional open markets a good fit for these various DNS requirements • And to what extent these market-based mechanisms are failing to respond to these needs? 26
So, what should we talk about? If we want to talk about the DNS as a deregulated activity orchestrated through the operation of open markets then there are a few more things to bear in mind: • The DNS is not a single market place, or even a collection of inter-dependent and tightly coupled market place • The DNS is constructed of many elements, some of which appear to behave as tightly regulated markets, some of which are openly competitive markets, some of which are comprehensive market failures! 27
So, what should we talk about? Maybe we should think of the DNS using a number of themes to give some focus to this consideration of market effectiveness 28
Current DNS Themes There are so many themes in the DNS, and here are just a few: • DNS as a control element • DNS and privacy • DNS and trust • DNS and name space fragmentation • DNS as a rendezvous tool • DNS as a collection of markets • DNS and market aggregation • DNS and abuse and cyber attacks • DNS as an economic failure • DNS as the last remaining definition of a coherent Internet 29
This is now a very big agenda • Far bigger than we have time for here! • So I’ll just take a couple of themes and develop them further 30
I. The Open Market for Trust 31
DNS and Trust Can you trust what you learn from the DNS? 32
DNS and Trust Can you trust what you learn from the DNS? NO! 33
DNS and Trust Can you trust what you learn from the DNS? NO! • DNS responses can be altered in various ways that are challenging to detect • We know how to improve this situation by using digital cryptography to protect the integrity, accuracy and currency of DNS responses • But does this capability for an improvement in the trust of the DNS correlate to a visible consumer preference? • Is security in the DNS a market failure? 34
DNSSEC • A framework to attach digital signatures to DNS responses that attest to the accuracy and currency of the DNS response • The method of attachment does not alter the behaviour of the DNS protocol, nor does it require any changes to DNS servers • A procedure for clients to follow to validate the DNS response through the processing of this digital signature Changes: • Zone management – add DNSSEC digital signature records through ”zone signing” • Registry management – add DS records alongside NS records for delegated zones • Client behaviour – perform additional DNS queries to perform digital signature validation 35
Is DNSSEC being used? You might think that a change to the DNS that improved the trust in the DNS would prove to be highly popular in the DNS space • DNS name “owners” would like their name to be trustworthy • DNS users would like the names they use to be “genuine” and trustable So every part of the DNS would want to use DNSSEC! Right? Let’s see if this requirement has been translated by the DNS service market into a service offering by looking at the current metrics of the use of DNSSEC 36
Is DNSSEC being used? 37 Who validates DNS responses?
Is DNSSEC being used? 38 Who validates DNS responses?
Is DNSSEC being used? 39 Validation Rate of Signed DNS responses 2014 2016 2018 2020 28% of users are behind DNSSEC- validating resolvers who will not resolve a badly signed DNS name
Quarter Full, or Three Quarters Empty?? 40 Validation Rate of Signed DNS responses 2014 2016 2018 2020 Three quarters of the Internet’s user base can’t or won’t check if a DNS response is genuine
Problems with DNSSEC 41 • Large DNS responses cause robustness issues for DNS • Getting large responses through the network has reliability issues with UDP packet fragmentation and timing issues with signalled cut-over to TCP • The validator has to perform a full backtrace query sequence to assemble the full DNSSEC signature chain • So the problem is that DNSSEC validation may entail a sequence of queries where each of the responses may require encounter UDP fragmentation packet loss All this adds to the time to resolve a signed name And nobody is tolerant of delays in today’s Internet
Some More Problems with DNSSEC 42 • Cryptographically “stronger” keys tend to be bigger keys over time, so the issue of cramming more data into DNS transactions is not going away! • The stub-to-recursive hop is generally not using validation, so the user ends up trusting the validating recursive resolver in any case The current DNSSEC framework represents a lot of effort for only a a tiny marginal gain
DNSSEC is a Market Failure! • Users don’t pay for queries • Users have no leverage with recursive resolvers in terms of expressing their preference for authenticity in DNS responses • Users don’t have a choice in what they query for • Users have no ability to express a preference for only using domain names that are signed • The benefits of a signed DNS zone and validating resolvers are indirect • Cost and benefit are totally mis-aligned in this space! 43
DNS Trust is a Market Failure! • If it wasn’t for the lead taken by Google and their adoption of DNSSEC validation in their Public DNS Service then its likely that DNSSEC would still be a complete failure • And only was possible because of the significant level of market share in the use of Google’s Public DNS Service • So perhaps we should look at the market for DNS resolvers to see if others are taking up this lead 44
II. The Open Market for DNS Resolution 45
Who Resolves My Names? 46 My ISP Google Same country, different network (likely to still be my ISP) Everyone else
Who Resolves My Names? If this is a market then it appears to be highly skewed: • Google has a market share of just under 30% of all users • The next largest open resolvers are Cloudflare (4%), OpenDNS (2%) and Quad9 (0.5%) • Everything else is just the default of the local ISP performing the name resolution service for their customers Why has this happened? How has Google succeeded and other open DNS resolver services appear to struggle to get significant adoption by clients? 47
The DNS Name Resolution Economy • In the public Internet, end clients don’t normally pay directly for DNS name resolution services • Which implies that outside of the domain of the local ISP, DNS resolvers are essentially unfunded by the resolver’s clients • And efforts to monetise the DNS with various forms of funded misdirection (such as NXDOMAIN substitution) are generally viewed with extreme disfavour • Open Resolver efforts run the risk of success-disaster • The more they are used, the greater the funding problem to run them at scale • The greater the funding problem the greater the temptation to monetise the DNS resolver function in more subtle ways 48
Google is Special • Search is a critical asset for GOOGLE • Search drives eyeballs and profiles • Eyeballs and profiles drive advertising • Advertising drives revenue • If we could use the DNS as a defacto search engine then Google has a problem • But that’s what is happening when DNS resolvers don’t pass back NXDOMAIN but instead pass back a reference to a search engine, or even better use a search engine to pass back the resolution response that a hidden search engine result obtained when it processed the queried DNS name • So it’s in Google’s interests to have a fast, accurate and unaltered DNS resolution service • And Google’s real target market for this service is not individual users, but ISPs • Because the real threat model for Google is NXDOMAIN substitution and other forms of DNS response manipulation by ISPs as a local revenue source • No other Open DNS resolver service shares Google’s motivation 49
III. Open Market Fragmentation 50
The DNS Name Resolution Economy • The default option is that the ISP funds and operate the recursive DNS service, funded by the ISP’s client base >70% of all end clients use their ISPs’ DNS resolvers • However the fact that it works today does not mean that you can double the input costs and expect it to just keep on working tomorrow • For ISPs the DNS is a cost department, not a revenue source • We should expect strong resistance from ISPs to increase their costs in DNS service provision 51
The resistance to change in the DNS • The quality of an ISP’s DNS service does not appear to be a significant competitive discriminatory factor in the consumer market • So the ISP does not generally devote many resources to tuning their DNS infrastructure for high performance, resiliency and innovation • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist • So current innovations such as improved DNS privacy (DNS over TLS, DNS over HTTPS) are looking like being another mainstream market failure in the DNS space 52
The resistance to change in the DNS • The quality of an ISP’s DNS service does not appear to be a significant competitive discriminatory factor in the consumer market • So the ISP does not generally devote many resources to tuning their DNS infrastructure for high performance, resiliency and innovation • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist • So current innovations such as improved DNS privacy (DNS over TLS, DNS over HTTPS) are looking like being another mainstream market failure in the DNS space 53 But maybe this is not the full story …
Fragmenting the DNS • Is appears more likely that applications who want to tailor their DNS use to adopt a more private profile will hive off to use DNS over HTTPS to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP-provided recursive DNS resolver • That way the application ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves • The prospect of application-specific naming services is a very real prospect in this scenario 54
Fragmenting the DNS • Is appears more likely that applications who want to tailor their DNS use to adopt a more private profile will hive off to use DNS over HTTPS to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP-provided recursive DNS resolver • That way the application ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves • The prospect of application-specific naming services is a very real prospect in this scenario Those parts of the Internet space with sufficient motivation and resources will simply stop waiting for everyone else to move. They will just do what they feel they need to do! 55
All the Money is in Content • And this means that applications are driving the Internet market these days • Applications are increasingly drawing in platform and infrastructure services directly into the application • QUIC • DNS over HTTPS • That way they avoid paying the costs of upgrading legacy infrastructure and waiting for platform upgrades • And applications no longer have to sustain a single name space, or even sustain uniform protocol interoperability • Apart from UDP! • So they just won’t pay 56
It’s life Jim, but not as we know it!* • The overall progression here is an evolution from network-centric services to platform-centric services to today’s world of application- centric services • It’s clear that the DNS is being swept up in this shift, and the DNS is changing in almost every respect • The future prospects of a single unified coherent name space as embodied in the DNS, as we currently know it, for the entire internet service domain are looking pretty poor right now! * With apologies to the Trekkies! 57
Is the DNS “Open”? • Yes, today, its sort of open 58 Although the cracks are clearly evident with the use of various DNS customizations to tailor each DNS response to the querier, the interest in lifting the DNS into the application space as an application service and not a common infrastructure, the strong levels of centralisation and the destruction of open competition in this space, the continuing erosion of trust and the strong commercial impetus to use the DNS as a profiling tool in the surveillance economy.
Will it continue to be “open”? • Probably not! 59 It’s just getting too hard to keep it together and keep it open and the market-based pressures continue to tear the DNS apart and haul it away from a unified open space into a set of close and opaque markets with a fragmented name space. And the common benefit of a single, cohesive open name space for the Internet looks like being a victim of the Tragedy of the Commons
Picture Credit: Fred Davis, Flickr, Creative COMMONS: Attribution-NonCommercial-NoDerivs 2.0 Generic (CC BY-NC-ND 2.0) https://bit.ly/31qpYGA 60

Recommended

PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
APNIC
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
APNIC
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
APNIC
 
Experience Using RIR Whois
Experience Using RIR WhoisExperience Using RIR Whois
Experience Using RIR Whois
APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
APNIC
 
IETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingIETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routing
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
APNIC
 

Recommended

PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
APNIC
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
APNIC
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
APNIC
 
Experience Using RIR Whois
Experience Using RIR WhoisExperience Using RIR Whois
Experience Using RIR Whois
APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
APNIC
 
IETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routingIETF 112: Internet centrality and its impact on routing
IETF 112: Internet centrality and its impact on routing
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73
APNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
APNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
APNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
APNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
APNIC
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring Project
APNIC
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
SolarWinds
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
APNIC
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
MyNOG
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
APNIC
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC
 
Traffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsTraffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield Systems
MyNOG
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
Lancope, Inc.
 
APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking
Siena Perry
 
Campus networking
Campus networkingCampus networking
Campus networking
Jisc
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and Security
APNIC
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
Bangladesh Network Operators Group
 
Building and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast networkBuilding and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast network
APNIC
 
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlowAuditor
 
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
SolarWinds
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
pm123008
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
APNIC
 

More Related Content

What's hot

Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
APNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
APNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
APNIC
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
APNIC
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring Project
APNIC
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
SolarWinds
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
APNIC
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
MyNOG
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
APNIC
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC
 
Traffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsTraffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield Systems
MyNOG
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
Lancope, Inc.
 
APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking
Siena Perry
 
Campus networking
Campus networkingCampus networking
Campus networking
Jisc
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and Security
APNIC
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
Bangladesh Network Operators Group
 
Building and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast networkBuilding and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast network
APNIC
 
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlowAuditor
 
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
SolarWinds
 

What's hot (20)

Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 WorldHKNOG 1.0 - DDoS attacks in an IPv6 World
HKNOG 1.0 - DDoS attacks in an IPv6 World
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
 
DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring Project
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
 
Traffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsTraffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield Systems
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
 
APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking APNIC Hackathon CDN Ranking
APNIC Hackathon CDN Ranking
 
Campus networking
Campus networkingCampus networking
Campus networking
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and Security
 
RPKI Tutorial
RPKI Tutorial RPKI Tutorial
RPKI Tutorial
 
Building and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast networkBuilding and operating a global DNS content delivery anycast network
Building and operating a global DNS content delivery anycast network
 
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
NetFlow Auditor Anomaly Detection Plus Forensics February 2010 08
 
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
NetFlow Deep Dive: NetFlow Tips and Tricks to get the Most Out of Your Networ...
 

Similar to NANOG 84: DNS Openness

DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
pm123008
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
APNIC
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
APNIC
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
yasithbagya1
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
John Bambenek
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
APNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
Measuring the centralization of DNS resolution' presentation by Geoff Huston...Measuring the centralization of DNS resolution' presentation by Geoff Huston...
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
APNIC
 
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff HustonResolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
APNIC
 
DNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we useDNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we use
APNIC
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
APNIC
 
DNS privacy
DNS privacyDNS privacy
DNS privacy
APNIC
 
mnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHmnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOH
APNIC
 
What Is DNS ?
What Is DNS ?What Is DNS ?
What Is DNS ?
GTCSYS
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
Bangladesh Network Operators Group
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
Commonwealth Telecommunications Organisation
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
APNIC
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name System
WhoisXML API
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
Christopher Grayson
 

Similar to NANOG 84: DNS Openness (20)

DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
 
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
Measuring the centralization of DNS resolution' presentation by Geoff Huston...Measuring the centralization of DNS resolution' presentation by Geoff Huston...
Measuring the centralization of DNS resolution' presentation by Geoff Huston...
 
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff HustonResolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
Resolver concentration presentation for OARC 40 by Joao Damas and Geoff Huston
 
DNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we useDNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we use
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
DNS privacy
DNS privacyDNS privacy
DNS privacy
 
mnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHmnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOH
 
What Is DNS ?
What Is DNS ?What Is DNS ?
What Is DNS ?
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 

More from APNIC

IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
APNIC
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
APNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
 

More from APNIC (20)

IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
IPv6: Unlocking the Potential, presented by Paul Wilson at CommunicAsia 2024
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 

Recently uploaded

10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
Web Inspire
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
narwatsonia7
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
Federico Ast
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
rajesh344555
 
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. ITNetwork Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Sarthak Sobti
 
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENTUnlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
rajesh344555
 
DocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptxDocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptx
AmitTuteja9
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
Emre Gündoğdu
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
Febless Hernane
 

Recently uploaded (13)

10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
10 Conversion Rate Optimization (CRO) Techniques to Boost Your Website’s Perf...
 
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call GirlsBangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
Bangalore Call Girls 9079923931 With -Cuties' Hot Call Girls
 
Decentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and EsportsDecentralized Justice in Gaming and Esports
Decentralized Justice in Gaming and Esports
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENTUnlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
Unlimited Short Call Girls Navi Mumbai ✅ 9967824496 FULL CASH PAYMENT
 
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. ITNetwork Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
Network Security and Cyber Laws (Complete Notes) for B.Tech/BCA/BSc. IT
 
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENTUnlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
Unlimited Short Call Girls Mumbai ✅ 9833363713 FULL CASH PAYMENT
 
DocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptxDocSplit Subsequent Implementation Activation.pptx
DocSplit Subsequent Implementation Activation.pptx
 
KubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial IntelligentKubeCon & CloudNative Con 2024 Artificial Intelligent
KubeCon & CloudNative Con 2024 Artificial Intelligent
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
EASY TUTORIAL OF HOW TO USE CiCi AI BY: FEBLESS HERNANE
 

NANOG 84: DNS Openness

  • 2. Openness? When speaking about openness, we do not mean open in a competitive sense, but rather open as in everyone can access the service: “Can users access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of the user’s or provider’s location or the location, origin or destination of the information, content, application or service?” 2
  • 3. But that was the entire POINT of the DNS! The DNS was engineered to deliver the same answer to the same query, irrespective of the querier • The answer did not depend on who was asking, where they were asking from, what platform they were using to generate the query, the resolvers they used to handle the query • The answer did not depend on the origin of the information used to form the response, the platform used to serve this information, nor the location of information servers 3
  • 4. Openness? When speaking about openness, we do not mean open in a competitive sense, but rather open as in everyone can access the service:: “Can users access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of the user’s or provider’s location or the location, origin or destination of the information, content, application or service?” The answer is ”Yes!” 4
  • 5. Really? • Is that really true? Do we all see the same DNS? • Really? 5
  • 6. Really? • Is that really true? Do we all see the same DNS? • Really? 6 No!
  • 7. DNS: Not Fully Open! Why not? • Government regulatory requirements to block the “correct” resolution of certain DNS names • It happens in China, UK, America, Australia, India, Russia, Syria, Iran, Vietnam, France, Turkey,….. • Its VERY widespread, for all kinds of national motives 7
  • 8. DNS: Not Fully Open! Why not? • Government regulatory requirements to block the “correct” resolution of certain DNS names • Occasional ISP desires to monetise the DNS • NXDOMAIN substitution to direct traffic from named destinations or services that do not exist to other destinations or services of their choosing 8
  • 9. DNS: Not Fully Open! Why not? • Government regulatory requirements to block the “correct” resolution of certain DNS names • Occasional ISP desires to monetise the DNS • Threat mitigation where the DNS names associated with malware are blocked • Such as Quad9 threat intelligence informed DNS resolution 9
  • 10. Is this a ”problem”? Generally not: • Nation states have a sovereign right to make such rules and bind their citizens to such rules • Threat mitigation is typically regarded as a Good Thing rather than an incursion against the utility of a single DNS 10
  • 11. Is this a ”problem”? It’s a problem when it gets used as a lever in a different fight • Such as the Australian rule to force Australian ISPs to block the DNS resolution of “thepiratebay.org” • It only pushes determined users to alternate name resolution strategies and ultimately is a comprehensive waste of everyone’s time! But even this is a relative sideshow to the larger DNS 11
  • 12. Another interpretation of “Openness”? When speaking about openness we might not mean open in a sense of consistency across providers and across client transactions, but rather: Is the DNS an “open” system? 12 This is an echo of the 1980’s move by this industry to embrace “open” technology, as in Open Systems Interconnect (OSI) for networking, open computer architectures, open operating systems. “Open” is being used here in the sense that it is intentionally positioned as the opposite of a vendor-proprietary “Closed” technology.
  • 13. Is the DNS “Open”? Yes! • The DNS name resolution protocol is openly specified without any IPR encumbrance • Fully functional implementations of the DNS protocol are available as open source • DNS name servers are configured as open “promiscuous” responders and will provide the same response to a query irrespective of the identity of the querier • DNS information is openly available • There is some subtle qualification here in that the collection of a zone file may not be openly available, but the individual records in a zone can be queried • DNS queries and responses are “open” 13
  • 14. Is the DNS “Open”? Yes! • The DNS name resolution protocol is openly specified without any IPR encumbrance • Fully functional implementations of the DNS protocol are available as open source • DNS name servers are configured as open “promiscuous” responders and will provide the same response to a query irrespective of the identity of the querier • DNS information is openly available • There is some subtle qualification here in that the collection of a zone file may not be openly available, but the individual records in a zone can be queried • DNS queries and responses are “open” 14 Which is a massive problem!
  • 15. When “openness” is a weakness The DNS is used by everyone and everything • Because pretty much everything you do on the net starts with a call to the DNS • If we could see your stream of DNS queries in real time we could easily assemble a detailed profile of you and your interests and activities - as it happens! • If we could edit your DNS responses we could make services disappear from your Internet! 15
  • 17. Lets look into this further The DNS is mapping system which takes human-use labels that name services and maps these labels to IP addresses 17
  • 18. Lets look into this further The DNS is mapping system which takes human-use labels that name services and maps these labels to IP addresses 18 1. Connect to www.google.com DNS: What’s an IP address for www.google.com? DNS System 142.250.204.4 2. Send a TCP SYN packet to destination 142.250.204.4
  • 19. What’s in that DNS “cloud”? 19 DNS System queries responses
  • 20. The Hidden parts of “Open” • For an open technology the infrastructure and process of name resolution in the DNS is incredibly opaque • Once queries are passed to the DNS resolution infrastructure they are impossible to trace. Each element does not simply forward a query, but casts an entirely new query using its own identity • There is no query tracing and no clear way to probe into the DNS infrastructure • There could be query chains circling in the DNS infrastructure in a hidden loop and no one would be any the wiser! • It is challenging to gauge the level of hidden interdependency in the DNS, nor the level of ongoing centralisation of infrastructure functions in the DNS 20
  • 21. The Hidden parts of “Open” • For an open technology the infrastructure and process of name resolution in the DNS is incredibly opaque • Once queries are passed to the DNS resolution infrastructure they are impossible to trace. Each element does not simply forward a query, but casts an entirely new query using its own identity • There is no query tracing and no clear way to probe into the DNS infrastructure • There could be query chains circling in the DNS infrastructure in a hidden loop and no one would be any the wiser! • It is challenging to gauge the level of hidden interdependency in the DNS, nor the level of ongoing centralisation of infrastructure functions in the DNS 21 The fact that the DNS works at all is amazing. The fact that it works at speed and volume is a modern miracle!
  • 22. But all that is still not all of “the DNS” • The DNS is more than its mapping role, and more than its infrastructure elements of resolvers and servers • So what is the DNS? 22
  • 23. What is “the DNS”? Multiple Choice – tick all that apply: qA name space: A collection of word-strings that are organised into a hierarchy of labels qA distributed name registration framework that assigns a unique “license to use” to human-centric word-strings to entities (for money) qA distributed database that maps human-centric word-strings into IP addresses qA protocol used by DNS protocol speakers to “resolve” a word-string into a defined attribute (usually an IP address) qA signalling medium that is universally supported across all of the Internet 23
  • 24. Orchestration of the DNS • If the DNS is a set of functions and a set of various actors in this space then how are their individual actions orchestrated to provide a cohesive outcome? • How can client use the functions of “the DNS” if there is no one orchestrating all these elements of the name infrastructure? • Why does all this work in a completely deregulated space? • The answers lie in Markets and Market Signalling 24
  • 25. What are DNS “Markets”? The DNS is not a single market – it is a highly devolved framework and there are a number of discrete markets that are at best loosely coupled Some of these markets are: • The market for new “top level” labels (gTLDs) operated by ICANN. This market is open to ICANN-qualified registry operators. A registry has an exclusive license to operate a TLD. • The market for “registrars”, who act as retailers of DNS names and deal with clients (registrants) and register the client’s DNS names into the appropriate registry • The market for clients to register a DNS name with a registry • The market for DNS name certification, which is a third party that attests that an entity has control of a domain name • The market for DNS name resolution where users direct their queries to a resolver and the resolver provides DNS “answers” • The market for hosting authoritative name services, where “bigger is better” has driven a highly aggregated market • The market for DNS query logs 25
  • 26. Maybe it’s more than markets • Perhaps this is best viewed as a collection of market needs, or requirements • Some are well established • Some are emergent requirements • Perhaps the question could be rephrased as one that asks to what extent are conventional open markets a good fit for these various DNS requirements • And to what extent these market-based mechanisms are failing to respond to these needs? 26
  • 27. So, what should we talk about? If we want to talk about the DNS as a deregulated activity orchestrated through the operation of open markets then there are a few more things to bear in mind: • The DNS is not a single market place, or even a collection of inter-dependent and tightly coupled market place • The DNS is constructed of many elements, some of which appear to behave as tightly regulated markets, some of which are openly competitive markets, some of which are comprehensive market failures! 27
  • 28. So, what should we talk about? Maybe we should think of the DNS using a number of themes to give some focus to this consideration of market effectiveness 28
  • 29. Current DNS Themes There are so many themes in the DNS, and here are just a few: • DNS as a control element • DNS and privacy • DNS and trust • DNS and name space fragmentation • DNS as a rendezvous tool • DNS as a collection of markets • DNS and market aggregation • DNS and abuse and cyber attacks • DNS as an economic failure • DNS as the last remaining definition of a coherent Internet 29
  • 30. This is now a very big agenda • Far bigger than we have time for here! • So I’ll just take a couple of themes and develop them further 30
  • 31. I. The Open Market for Trust 31
  • 32. DNS and Trust Can you trust what you learn from the DNS? 32
  • 33. DNS and Trust Can you trust what you learn from the DNS? NO! 33
  • 34. DNS and Trust Can you trust what you learn from the DNS? NO! • DNS responses can be altered in various ways that are challenging to detect • We know how to improve this situation by using digital cryptography to protect the integrity, accuracy and currency of DNS responses • But does this capability for an improvement in the trust of the DNS correlate to a visible consumer preference? • Is security in the DNS a market failure? 34
  • 35. DNSSEC • A framework to attach digital signatures to DNS responses that attest to the accuracy and currency of the DNS response • The method of attachment does not alter the behaviour of the DNS protocol, nor does it require any changes to DNS servers • A procedure for clients to follow to validate the DNS response through the processing of this digital signature Changes: • Zone management – add DNSSEC digital signature records through ”zone signing” • Registry management – add DS records alongside NS records for delegated zones • Client behaviour – perform additional DNS queries to perform digital signature validation 35
  • 36. Is DNSSEC being used? You might think that a change to the DNS that improved the trust in the DNS would prove to be highly popular in the DNS space • DNS name “owners” would like their name to be trustworthy • DNS users would like the names they use to be “genuine” and trustable So every part of the DNS would want to use DNSSEC! Right? Let’s see if this requirement has been translated by the DNS service market into a service offering by looking at the current metrics of the use of DNSSEC 36
  • 37. Is DNSSEC being used? 37 Who validates DNS responses?
  • 38. Is DNSSEC being used? 38 Who validates DNS responses?
  • 39. Is DNSSEC being used? 39 Validation Rate of Signed DNS responses 2014 2016 2018 2020 28% of users are behind DNSSEC- validating resolvers who will not resolve a badly signed DNS name
  • 40. Quarter Full, or Three Quarters Empty?? 40 Validation Rate of Signed DNS responses 2014 2016 2018 2020 Three quarters of the Internet’s user base can’t or won’t check if a DNS response is genuine
  • 41. Problems with DNSSEC 41 • Large DNS responses cause robustness issues for DNS • Getting large responses through the network has reliability issues with UDP packet fragmentation and timing issues with signalled cut-over to TCP • The validator has to perform a full backtrace query sequence to assemble the full DNSSEC signature chain • So the problem is that DNSSEC validation may entail a sequence of queries where each of the responses may require encounter UDP fragmentation packet loss All this adds to the time to resolve a signed name And nobody is tolerant of delays in today’s Internet
  • 42. Some More Problems with DNSSEC 42 • Cryptographically “stronger” keys tend to be bigger keys over time, so the issue of cramming more data into DNS transactions is not going away! • The stub-to-recursive hop is generally not using validation, so the user ends up trusting the validating recursive resolver in any case The current DNSSEC framework represents a lot of effort for only a a tiny marginal gain
  • 43. DNSSEC is a Market Failure! • Users don’t pay for queries • Users have no leverage with recursive resolvers in terms of expressing their preference for authenticity in DNS responses • Users don’t have a choice in what they query for • Users have no ability to express a preference for only using domain names that are signed • The benefits of a signed DNS zone and validating resolvers are indirect • Cost and benefit are totally mis-aligned in this space! 43
  • 44. DNS Trust is a Market Failure! • If it wasn’t for the lead taken by Google and their adoption of DNSSEC validation in their Public DNS Service then its likely that DNSSEC would still be a complete failure • And only was possible because of the significant level of market share in the use of Google’s Public DNS Service • So perhaps we should look at the market for DNS resolvers to see if others are taking up this lead 44
  • 45. II. The Open Market for DNS Resolution 45
  • 46. Who Resolves My Names? 46 My ISP Google Same country, different network (likely to still be my ISP) Everyone else
  • 47. Who Resolves My Names? If this is a market then it appears to be highly skewed: • Google has a market share of just under 30% of all users • The next largest open resolvers are Cloudflare (4%), OpenDNS (2%) and Quad9 (0.5%) • Everything else is just the default of the local ISP performing the name resolution service for their customers Why has this happened? How has Google succeeded and other open DNS resolver services appear to struggle to get significant adoption by clients? 47
  • 48. The DNS Name Resolution Economy • In the public Internet, end clients don’t normally pay directly for DNS name resolution services • Which implies that outside of the domain of the local ISP, DNS resolvers are essentially unfunded by the resolver’s clients • And efforts to monetise the DNS with various forms of funded misdirection (such as NXDOMAIN substitution) are generally viewed with extreme disfavour • Open Resolver efforts run the risk of success-disaster • The more they are used, the greater the funding problem to run them at scale • The greater the funding problem the greater the temptation to monetise the DNS resolver function in more subtle ways 48
  • 49. Google is Special • Search is a critical asset for GOOGLE • Search drives eyeballs and profiles • Eyeballs and profiles drive advertising • Advertising drives revenue • If we could use the DNS as a defacto search engine then Google has a problem • But that’s what is happening when DNS resolvers don’t pass back NXDOMAIN but instead pass back a reference to a search engine, or even better use a search engine to pass back the resolution response that a hidden search engine result obtained when it processed the queried DNS name • So it’s in Google’s interests to have a fast, accurate and unaltered DNS resolution service • And Google’s real target market for this service is not individual users, but ISPs • Because the real threat model for Google is NXDOMAIN substitution and other forms of DNS response manipulation by ISPs as a local revenue source • No other Open DNS resolver service shares Google’s motivation 49
  • 50. III. Open Market Fragmentation 50
  • 51. The DNS Name Resolution Economy • The default option is that the ISP funds and operate the recursive DNS service, funded by the ISP’s client base >70% of all end clients use their ISPs’ DNS resolvers • However the fact that it works today does not mean that you can double the input costs and expect it to just keep on working tomorrow • For ISPs the DNS is a cost department, not a revenue source • We should expect strong resistance from ISPs to increase their costs in DNS service provision 51
  • 52. The resistance to change in the DNS • The quality of an ISP’s DNS service does not appear to be a significant competitive discriminatory factor in the consumer market • So the ISP does not generally devote many resources to tuning their DNS infrastructure for high performance, resiliency and innovation • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist • So current innovations such as improved DNS privacy (DNS over TLS, DNS over HTTPS) are looking like being another mainstream market failure in the DNS space 52
  • 53. The resistance to change in the DNS • The quality of an ISP’s DNS service does not appear to be a significant competitive discriminatory factor in the consumer market • So the ISP does not generally devote many resources to tuning their DNS infrastructure for high performance, resiliency and innovation • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist • So current innovations such as improved DNS privacy (DNS over TLS, DNS over HTTPS) are looking like being another mainstream market failure in the DNS space 53 But maybe this is not the full story …
  • 54. Fragmenting the DNS • Is appears more likely that applications who want to tailor their DNS use to adopt a more private profile will hive off to use DNS over HTTPS to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP-provided recursive DNS resolver • That way the application ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves • The prospect of application-specific naming services is a very real prospect in this scenario 54
  • 55. Fragmenting the DNS • Is appears more likely that applications who want to tailor their DNS use to adopt a more private profile will hive off to use DNS over HTTPS to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP-provided recursive DNS resolver • That way the application ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves • The prospect of application-specific naming services is a very real prospect in this scenario Those parts of the Internet space with sufficient motivation and resources will simply stop waiting for everyone else to move. They will just do what they feel they need to do! 55
  • 56. All the Money is in Content • And this means that applications are driving the Internet market these days • Applications are increasingly drawing in platform and infrastructure services directly into the application • QUIC • DNS over HTTPS • That way they avoid paying the costs of upgrading legacy infrastructure and waiting for platform upgrades • And applications no longer have to sustain a single name space, or even sustain uniform protocol interoperability • Apart from UDP! • So they just won’t pay 56
  • 57. It’s life Jim, but not as we know it!* • The overall progression here is an evolution from network-centric services to platform-centric services to today’s world of application- centric services • It’s clear that the DNS is being swept up in this shift, and the DNS is changing in almost every respect • The future prospects of a single unified coherent name space as embodied in the DNS, as we currently know it, for the entire internet service domain are looking pretty poor right now! * With apologies to the Trekkies! 57
  • 58. Is the DNS “Open”? • Yes, today, its sort of open 58 Although the cracks are clearly evident with the use of various DNS customizations to tailor each DNS response to the querier, the interest in lifting the DNS into the application space as an application service and not a common infrastructure, the strong levels of centralisation and the destruction of open competition in this space, the continuing erosion of trust and the strong commercial impetus to use the DNS as a profiling tool in the surveillance economy.
  • 59. Will it continue to be “open”? • Probably not! 59 It’s just getting too hard to keep it together and keep it open and the market-based pressures continue to tear the DNS apart and haul it away from a unified open space into a set of close and opaque markets with a fragmented name space. And the common benefit of a single, cohesive open name space for the Internet looks like being a victim of the Tragedy of the Commons
  • 60. Picture Credit: Fred Davis, Flickr, Creative COMMONS: Attribution-NonCommercial-NoDerivs 2.0 Generic (CC BY-NC-ND 2.0) https://bit.ly/31qpYGA 60