SlideShare a Scribd company logo

Presentation on 'The Path to Resolverless DNS' by Geoff Huston

APNIC
APNIC

Presentation on 'The Path to Resolverless DNS' by Geoff Huston for OARC 39 and 47th CENTR technical workshop, held in Belgrade on 22 and 23 October 2022

Internet
1 of 30
Download to read offline
The Path to Resolverless DNS Geoff Huston AM Chief Scientist, APNIC
DNS System Architecture Authoritative Servers Recursive Resolver Stub Resolver Cache Application
DNS System Architecture Authoritative Servers Recursive Resolver Stub Resolver Cache Application ISP Client Internet
Issues • Speed – the DNS can be exceptionally slow, and the interaction with resolver caches makes resolution unpredictable • Filtering – the DNS is a convenient control point for content management • MetaData collection – the DNS is a real time window on user behaviour • This can be performed at the recursive resolver, or by a third party on the path between the stub resolver and the recursive resolver • Search – NXDOMAIN rewriting into active search
Background • Browser vendors were simplifying the UI and combined the navigation and search input boxes to a single input pane • This resulted in a significant level of cross leakage between DNS and Search • Some DNS resolver operators saw an opportunity to gather revenue by re- directing NXDOMAIN to search • Google responded quickly with a large scale open DNS service that provided absolute integrity of responses, and supported DNSSEC validation to back this up • Google’s DNS service rapidly gathered momentum, particularly in the enterprise sector
DNS System Architecture Authoritative Servers Open Recursive Resolver Stub Resolver Cache Application ISP Client Internet Internet !!
Use of Resolvers in the Internet 66% of users direct their DNS queries to the ISP-operated recursive resolvers 17% of users direct their DNS queries to in-country DNS resolvers 17% of users direct their DNS queries to Google’s DNS service https://stats.labs.apnic.net/rvrs
But… • DNS queries use unencrypted UDP by default • Which itself is a huge DOS issue • Combining this with a transit across the public Internet between the stub and open recursive resolver exposes further issues: • The potential for third party monitoring, interception and substitution • Loss of locational accuracy if the DNS is used to perform content steering for CDNs
DNS Privacy The response to the issues of DNS over UDP has been the development of DNS stub-to-recursive connections over encrypted transport sessions • DNS over TLS (DoT) uses DNS over TCP over a persistent TLS session • DNS over QUIC (DoQ) uses DNS over an encrypted QUIC transport session over UDP • DNS over HTTPS (DoH) uses DNS over HTTP/3 (over QUIC) where supported, and DNS over HTTP/2 (over TLS) otherwise
DoT/DoQ/DoH properties • The stub resolver can authenticate the recursive resolver server identity • Which mitigates various forms of session interception • Session encryption • Which mitigates various forms of payload tampering • No Head of Line Blocking (in DNS over HTTPS/3, and DoQ) • No UDP fragmentation and TCP failover issues • Long-held stub/recursive sessions and TCPFO can amortise the encryption and session overheads over many queries • Which means it’s not much different to UDP in terms of per query overheads
DOH/DOT Use Query Data from Cloudflare’s 1.1.1.1 open resolver 75% of queries use UDP 19% of queries use DOH 5% of queries use DOT
Why DoH in particular? • DoH is simply DNS queries and responses packaged with an HTTP header, so why bother? Why not just use DoT or DoQ? One view: Paul Vixie, DNS Wars: Episode IV, NANOG 85, 2019
Why DoH? • Maybe its more than a political project: • Because DoH sits alongside all other HTTPS traffic on TCP port 443 (HTTP/2) and UDP port 443 (HTTP/3) and is harder for network level isolation of DNS traffic • Because generic HTTP caching controls can be used to enable or disable the use of HTTP caching • Because HTTP/2 and HTTP/3 includes support for reordering, parallelism, priority and header compression • Because applications need not use the local stub DNS resolver and can direct DoH queries to a recursive resolver of its own choice • Because HTTP/2 and HTTP/3 includes “Server Push”
“Server Push”? • RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2) 8.2. Server Push HTTP/2 allows a server to pre-emptively send (or "push") responses (along with corresponding "promised" requests) to a client in association with a previous client-initiated request. This can be useful when the server knows the client will need to have those responses available in order to fully process the response to the original request.
But in DoH this means… 8.2. Server Push HTTP/2 allows a server to pre-emptively send (or "push") responses (along with corresponding "promised" requests) to a client in association with a previous client-initiated request. This can be useful when the server knows the client will need to have those responses available in order to fully process the response to the original request. DNS DNS DNS
What about HTTP/3? • Yes – draft-ietf-quic-http 4.4. Server Push Server push is an interaction mode that permits a server to push a request-response exchange to a client in anticipation of the client making the indicated request. This trades off network usage against a potential latency gain. HTTP/3 server push is similar to what is described in Section 8.2 of [HTTP2], but uses different mechanisms. Each server push is assigned a unique Push ID by the server. The Push ID is used to refer to the push in various contexts throughout the lifetime of the HTTP/3 connection.
Which means… • When a server sends a response to an HTTP request it can also push unrequested DNS responses • This allows the user application to use these DNS resolution outcomes immediately and bypass DNS resolution delays • It’s faster • The user is not making these resolution queries, and is not generating meta data within the DNS • It has privacy benefits
For Example: Potential Server Push DNS objects
But … • How do you know that the server is pushing the “truth” when it provides these DNS answers? • The secure transport means that tampering is challenging, but the user should still validate these responses (assuming that they are DNSSEC- signed in the DNS) • Which would mean that the user still has to chase down the DNSSEC validation chain, and most of the the original speedup advantages are lost • Or maybe not… • The server could also push the collection of DNSSEC validation responses to the client • The server could also repackage these responses into a RFC 7901 EDNS0 Chain Response, attached to the original response
DNSSEC-Validated DNS data • DNSSEC validation provides the user with assurance that the data is: • Authentic • Current • Complete (for each RRType) • If that’s the case then why does it matter how the stub learned the data? • It could be a DNS query / response transaction • It could be via a server push over DoH • DNSSEC validation is providing the assurance that the data is usable
What if the pushed DNS response is unsigned? • Er, um, er… • It’s probably best to discard it! • You have no idea how the server obtained the DNS data in the first place • You don’t know how current the data is • You really don’t know if the server is trying to deceive you • And you have no idea who you are implicitly trusting if you use the data
What can we say about Resolverless DNS? • It gives HTTP-based applications and services far more control over the quality of the user experience • It allows the server to pre-provision the client with DNS data that is likely to be useful in the context of the application • It allows the client side application to perform rapid DNSSEC validation without relying on stub resolver capabilities and settings • It can replace UDP-based timers, query retries, fragmentation and TCP switching with server-to-client provision • It operates over a secured connection with an authenticated server • It does not leak metadata through DNS query streams • As long as the DNS data is DNSSEC-signed
What about unsigned DNS data? • Forget it! • Resolverless DNS responses of unsigned DNS data just opens up more potential vulnerabilities with little in the way of reasonable mitigation
Where is this leading? The changing economics of the Internet • The shift to advertiser-funded content and service has sucked the revenue base from access and common infrastructure • Internet infrastructure is a commodity-based activity which resists innovation • The incentives to innovate lie in the application and service layers • Infrastructure is under continued pressure to achieve further efficiencies and there is a consequent pressure to scale up and centralise The DNS is caught up in this, and innovation in the DNS is extremely challenging to get adoption these days Does Resolverless DNS have a chance?
Is there a role for Resolverless DNS? Perhaps… • But I would suggest it necessarily assumes DNSSEC • Which, at present, is a tough assumption • Because few zones are signed • Because DNSSEC signatures tend to create larger responses, which is a problem in UDP DNS • Because advanced zone signing a zone is infeasible for very large zones • And signing on the fly can be fragile • In summary, few zones are DNSSEC are signed is because its unreliable and expensive and the benefits do not seem to offset against the additional risks • And few resolvers validate • Because it takes time • And stresses out UDP DNS
What about RFC 7901? • What is a pushed DNS response was framed as if the client had set the EDNS0 CHAIN option with the root zone as the closest trust point? • That way the client is provided with the DNS response and the chain of signatures that permit the client to perform local validation of the response in a single pushed DNS object • And if the zone is unsigned - then no DNS response is pushed
Why is this interesting? • The DNS is: • A massive time penalty • A significant privacy leak • A consistent source of failure • Resolverless DNS won’t fix all the DNS all at once • But it can hand a significant amount of control over application and service quality back to these HTTPS-based applications and services • And it’s a whole lot faster! • And is hides the client from the DNS resolution infrastructure • And for those reasons it’s a very interesting step in the possible evolution of the DNS
Why is this interesting? We have spent a huge amount of effort over the last decade trying to make the Internet faster: • We’ve been deploying CDNs to replicate content and services and bring them closer to users • We’ve been deploying non-blocking transport protocols (such as QUIC) to exploit parallelism • We’ve been tuning TCP and network behaviour to create more efficient and faster network transactions • We’ve been packing more information in the DNS to make service startup faster (SVC and HTTPS records) And much of this innovation is happening at the application levels of the protocol stack where there is ample money and an impatient agenda, avoiding incurring any further dependencies on the lower layers of common infrastructure where there is neither money nor impatience!
DIscuss!

Recommended

RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
APNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
APNIC
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
APNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
APNIC
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
APNIC
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptx
UsmanAhmed269749
 
DNS
DNSDNS
DNS
HogrGoran
 

Recommended

RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
APNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
APNIC
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
APNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
APNIC
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
APNIC
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptx
UsmanAhmed269749
 
DNS
DNSDNS
DNS
HogrGoran
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy ArendsCommonwealth Telecommunications Organisation
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
Nihal Pasham, CISSP
 
Domain name system
Domain name systemDomain name system
Domain name system
mahakant sharma
 
Network latency - measurement and improvement
Network latency - measurement and improvementNetwork latency - measurement and improvement
Network latency - measurement and improvement
Matt Willsher
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
APNIC
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
yasithbagya1
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
APNIC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
APNIC
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Netgate
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
DNS Entrepreneurship Center
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
Daniel Toomey
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
Daniel Toomey
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
Miroslav Stampar
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
SPC Adriatics
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 

More Related Content

Similar to Presentation on 'The Path to Resolverless DNS' by Geoff Huston

Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
AFRINIC
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
Nihal Pasham, CISSP
 
Domain name system
Domain name systemDomain name system
Domain name system
mahakant sharma
 
Network latency - measurement and improvement
Network latency - measurement and improvementNetwork latency - measurement and improvement
Network latency - measurement and improvement
Matt Willsher
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
APNIC
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
yasithbagya1
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
APNIC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
APNIC
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Netgate
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
DNS Entrepreneurship Center
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
Daniel Toomey
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
Daniel Toomey
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
Miroslav Stampar
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
SPC Adriatics
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 

Similar to Presentation on 'The Path to Resolverless DNS' by Geoff Huston (20)

Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
Domain name system
Domain name systemDomain name system
Domain name system
 
Network latency - measurement and improvement
Network latency - measurement and improvementNetwork latency - measurement and improvement
Network latency - measurement and improvement
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 

More from APNIC

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
APNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
APNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
APNIC
 

More from APNIC (20)

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 

Recently uploaded

Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
JeyaPerumal1
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 

Recently uploaded (20)

Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 

Presentation on 'The Path to Resolverless DNS' by Geoff Huston

  • 1. The Path to Resolverless DNS Geoff Huston AM Chief Scientist, APNIC
  • 2. DNS System Architecture Authoritative Servers Recursive Resolver Stub Resolver Cache Application
  • 3. DNS System Architecture Authoritative Servers Recursive Resolver Stub Resolver Cache Application ISP Client Internet
  • 4. Issues • Speed – the DNS can be exceptionally slow, and the interaction with resolver caches makes resolution unpredictable • Filtering – the DNS is a convenient control point for content management • MetaData collection – the DNS is a real time window on user behaviour • This can be performed at the recursive resolver, or by a third party on the path between the stub resolver and the recursive resolver • Search – NXDOMAIN rewriting into active search
  • 5.
  • 6. Background • Browser vendors were simplifying the UI and combined the navigation and search input boxes to a single input pane • This resulted in a significant level of cross leakage between DNS and Search • Some DNS resolver operators saw an opportunity to gather revenue by re- directing NXDOMAIN to search • Google responded quickly with a large scale open DNS service that provided absolute integrity of responses, and supported DNSSEC validation to back this up • Google’s DNS service rapidly gathered momentum, particularly in the enterprise sector
  • 7. DNS System Architecture Authoritative Servers Open Recursive Resolver Stub Resolver Cache Application ISP Client Internet Internet !!
  • 8. Use of Resolvers in the Internet 66% of users direct their DNS queries to the ISP-operated recursive resolvers 17% of users direct their DNS queries to in-country DNS resolvers 17% of users direct their DNS queries to Google’s DNS service https://stats.labs.apnic.net/rvrs
  • 9. But… • DNS queries use unencrypted UDP by default • Which itself is a huge DOS issue • Combining this with a transit across the public Internet between the stub and open recursive resolver exposes further issues: • The potential for third party monitoring, interception and substitution • Loss of locational accuracy if the DNS is used to perform content steering for CDNs
  • 10. DNS Privacy The response to the issues of DNS over UDP has been the development of DNS stub-to-recursive connections over encrypted transport sessions • DNS over TLS (DoT) uses DNS over TCP over a persistent TLS session • DNS over QUIC (DoQ) uses DNS over an encrypted QUIC transport session over UDP • DNS over HTTPS (DoH) uses DNS over HTTP/3 (over QUIC) where supported, and DNS over HTTP/2 (over TLS) otherwise
  • 11. DoT/DoQ/DoH properties • The stub resolver can authenticate the recursive resolver server identity • Which mitigates various forms of session interception • Session encryption • Which mitigates various forms of payload tampering • No Head of Line Blocking (in DNS over HTTPS/3, and DoQ) • No UDP fragmentation and TCP failover issues • Long-held stub/recursive sessions and TCPFO can amortise the encryption and session overheads over many queries • Which means it’s not much different to UDP in terms of per query overheads
  • 12. DOH/DOT Use Query Data from Cloudflare’s 1.1.1.1 open resolver 75% of queries use UDP 19% of queries use DOH 5% of queries use DOT
  • 13. Why DoH in particular? • DoH is simply DNS queries and responses packaged with an HTTP header, so why bother? Why not just use DoT or DoQ? One view: Paul Vixie, DNS Wars: Episode IV, NANOG 85, 2019
  • 14. Why DoH? • Maybe its more than a political project: • Because DoH sits alongside all other HTTPS traffic on TCP port 443 (HTTP/2) and UDP port 443 (HTTP/3) and is harder for network level isolation of DNS traffic • Because generic HTTP caching controls can be used to enable or disable the use of HTTP caching • Because HTTP/2 and HTTP/3 includes support for reordering, parallelism, priority and header compression • Because applications need not use the local stub DNS resolver and can direct DoH queries to a recursive resolver of its own choice • Because HTTP/2 and HTTP/3 includes “Server Push”
  • 15. “Server Push”? • RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2) 8.2. Server Push HTTP/2 allows a server to pre-emptively send (or "push") responses (along with corresponding "promised" requests) to a client in association with a previous client-initiated request. This can be useful when the server knows the client will need to have those responses available in order to fully process the response to the original request.
  • 16. But in DoH this means… 8.2. Server Push HTTP/2 allows a server to pre-emptively send (or "push") responses (along with corresponding "promised" requests) to a client in association with a previous client-initiated request. This can be useful when the server knows the client will need to have those responses available in order to fully process the response to the original request. DNS DNS DNS
  • 17. What about HTTP/3? • Yes – draft-ietf-quic-http 4.4. Server Push Server push is an interaction mode that permits a server to push a request-response exchange to a client in anticipation of the client making the indicated request. This trades off network usage against a potential latency gain. HTTP/3 server push is similar to what is described in Section 8.2 of [HTTP2], but uses different mechanisms. Each server push is assigned a unique Push ID by the server. The Push ID is used to refer to the push in various contexts throughout the lifetime of the HTTP/3 connection.
  • 18. Which means… • When a server sends a response to an HTTP request it can also push unrequested DNS responses • This allows the user application to use these DNS resolution outcomes immediately and bypass DNS resolution delays • It’s faster • The user is not making these resolution queries, and is not generating meta data within the DNS • It has privacy benefits
  • 19. For Example: Potential Server Push DNS objects
  • 20. But … • How do you know that the server is pushing the “truth” when it provides these DNS answers? • The secure transport means that tampering is challenging, but the user should still validate these responses (assuming that they are DNSSEC- signed in the DNS) • Which would mean that the user still has to chase down the DNSSEC validation chain, and most of the the original speedup advantages are lost • Or maybe not… • The server could also push the collection of DNSSEC validation responses to the client • The server could also repackage these responses into a RFC 7901 EDNS0 Chain Response, attached to the original response
  • 21. DNSSEC-Validated DNS data • DNSSEC validation provides the user with assurance that the data is: • Authentic • Current • Complete (for each RRType) • If that’s the case then why does it matter how the stub learned the data? • It could be a DNS query / response transaction • It could be via a server push over DoH • DNSSEC validation is providing the assurance that the data is usable
  • 22. What if the pushed DNS response is unsigned? • Er, um, er… • It’s probably best to discard it! • You have no idea how the server obtained the DNS data in the first place • You don’t know how current the data is • You really don’t know if the server is trying to deceive you • And you have no idea who you are implicitly trusting if you use the data
  • 23. What can we say about Resolverless DNS? • It gives HTTP-based applications and services far more control over the quality of the user experience • It allows the server to pre-provision the client with DNS data that is likely to be useful in the context of the application • It allows the client side application to perform rapid DNSSEC validation without relying on stub resolver capabilities and settings • It can replace UDP-based timers, query retries, fragmentation and TCP switching with server-to-client provision • It operates over a secured connection with an authenticated server • It does not leak metadata through DNS query streams • As long as the DNS data is DNSSEC-signed
  • 24. What about unsigned DNS data? • Forget it! • Resolverless DNS responses of unsigned DNS data just opens up more potential vulnerabilities with little in the way of reasonable mitigation
  • 25. Where is this leading? The changing economics of the Internet • The shift to advertiser-funded content and service has sucked the revenue base from access and common infrastructure • Internet infrastructure is a commodity-based activity which resists innovation • The incentives to innovate lie in the application and service layers • Infrastructure is under continued pressure to achieve further efficiencies and there is a consequent pressure to scale up and centralise The DNS is caught up in this, and innovation in the DNS is extremely challenging to get adoption these days Does Resolverless DNS have a chance?
  • 26. Is there a role for Resolverless DNS? Perhaps… • But I would suggest it necessarily assumes DNSSEC • Which, at present, is a tough assumption • Because few zones are signed • Because DNSSEC signatures tend to create larger responses, which is a problem in UDP DNS • Because advanced zone signing a zone is infeasible for very large zones • And signing on the fly can be fragile • In summary, few zones are DNSSEC are signed is because its unreliable and expensive and the benefits do not seem to offset against the additional risks • And few resolvers validate • Because it takes time • And stresses out UDP DNS
  • 27. What about RFC 7901? • What is a pushed DNS response was framed as if the client had set the EDNS0 CHAIN option with the root zone as the closest trust point? • That way the client is provided with the DNS response and the chain of signatures that permit the client to perform local validation of the response in a single pushed DNS object • And if the zone is unsigned - then no DNS response is pushed
  • 28. Why is this interesting? • The DNS is: • A massive time penalty • A significant privacy leak • A consistent source of failure • Resolverless DNS won’t fix all the DNS all at once • But it can hand a significant amount of control over application and service quality back to these HTTPS-based applications and services • And it’s a whole lot faster! • And is hides the client from the DNS resolution infrastructure • And for those reasons it’s a very interesting step in the possible evolution of the DNS
  • 29. Why is this interesting? We have spent a huge amount of effort over the last decade trying to make the Internet faster: • We’ve been deploying CDNs to replicate content and services and bring them closer to users • We’ve been deploying non-blocking transport protocols (such as QUIC) to exploit parallelism • We’ve been tuning TCP and network behaviour to create more efficient and faster network transactions • We’ve been packing more information in the DNS to make service startup faster (SVC and HTTPS records) And much of this innovation is happening at the application levels of the protocol stack where there is ample money and an impatient agenda, avoiding incurring any further dependencies on the lower layers of common infrastructure where there is neither money nor impatience!