DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all...

39

Transcript of DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all...

Page 1: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl
Page 2: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

53DNSThought

Everything you ever wanted to knowabout caching resolvers but were afraid to ask

Willem Toorop

13 October 2018Amsterdam

29

Page 3: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 3/39

Pariticpants:Andrea Barberio, Petros Gigis, Jerry Lundström, Teemu Rytilahti, Willem Toorop

Goal:Provide insight into caching resolver capabilities

mailto:[email protected]?subject=About%20DNSThought
Page 4: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 4/39

Capabilities & propertiesBasic : IPv6, TCP, TCP over IPv6Security: DNSSEC validation, Algorithm support,

TA’s Root KSK Sentinel, NXdomain rewritePrivacy : Qname minimization, EDNS Client Subnet

mailto:[email protected]?subject=About%20DNSThought
Page 5: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 5/39

Some msms need just a zoneIPv6, DNSSEC validation, NXdomain rewriting

Some need authoritative perspectiveTCP, Qname minimization, EDNS Client subnet

dnsthoughtd

mailto:[email protected]?subject=About%20DNSThought
https://github.com/DNS-OARC/ripe-hackathon-dns-caching/tree/master/dnsthoughtd
Page 6: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 6/39

dnsthoughtd

mailto:[email protected]?subject=About%20DNSThought
Page 7: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 7/39

Host Network

The RIPE Atlas perspective

NLnet LabsInternet

Host NetworkResolver

Public Resolver53

dnsthoughtd

mailto:[email protected]?subject=About%20DNSThought
Page 8: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 8/39

The RIPE Atlas perspective

ProbeASN

ResolverASN

AuthoritativeASN

Internal X = X

Forwarding X X Z

X Y Z

External X Z Z

mailto:[email protected]?subject=About%20DNSThought
Page 9: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 9/39

Qname minimization

mailto:[email protected]?subject=About%20DNSThought
Page 10: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 10/39

Measurements for all probes every hour

Thank you Emile Aben! ♥️

query msm ID<prb_id>.<time>.ripe-hackathon6.nlnetlabs.nl AAAA 8310366

<prb_id>.<time>.tc.ripe-hackathon4.nlnetlabs.nl A 8310360

<prb_id>.<time>.tc.ripe-hackathon6.nlnetlabs.nl AAAA 8310364

qnamemintest.internet.nl TXT 8310250

nxdomain.ripe-hackathon2.nlnetlabs.nl A 8311777

whoami.akamai.net A 8310245

o-o.myaddr.l.google.com TXT 8310237

secure.ripe-hackathon2.nlnetlabs.nl A 8311760

bogus.ripe-hackathon2.nlnetlabs.nl A 8311763

mailto:[email protected]?subject=About%20DNSThought
https://atlas.ripe.net/measurements/8310366/
Page 11: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 11/39

mailto:[email protected]?subject=About%20DNSThought
Page 12: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 12/39

Root Canary Project

● Participation with Roland van Rijswijk - Deij● Measurements started 20 June 2017

mailto:[email protected]?subject=About%20DNSThought
Page 13: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 13/39

More measurements● Moritz Muller joined too● Root KSK Sentinel msms

since 19 July 2018 query msm ID

root-key-sentinel-not-ta-19036.d2a8n3.rootcanary.net A 15283670

root-key-sentinel-not-ta-20326.d2a8n3.rootcanary.net A 15283671

With validating resolvers we have three situations: 1. Key 20326 has not been picked up (yet) 2. Key 20326 is a valid TA, and key 19036 is still a valid TA 3. Key 20326 is a valid TA, and key 19036 is removedFor these situations (1, 2,3), measurements for: - (not-ta-19036 is-ta-20326) results in 1: (S S), 2: (S A), 3: (A A) - ( is-ta-19036 is-ta-20326) results in 1: (A S), 2: (A A), 3: (S A) - (not-ta-19036 not-ta-20326) results in 1: (S A), 2: (S S), 3: (A S) - ( is-ta-19036 not-ta-20326) results in 1: (A A), 2: (A S), 3: (S S)

mailto:[email protected]?subject=About%20DNSThought
Page 14: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 14/39

1 years of measurements½Internal, Forwarding & External

with 19082 resolvers with 10155 probeshttps://dnsthought.nlnetlabs.nl/#int_fwd_ext

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/#int_fwd_ext
Page 15: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 15/39

1 years of measurements½Top 10 ASNs seen @ authoritative

with 19082 resolvershttps://dnsthought.nlnetlabs.nl/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/#top_auth_asns
Page 16: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 16/39

Internal

with 10490 resolvers with 6611 probes

have the same ASN as the probe (internal)https://dnsthought.nlnetlabs.nl/is_internal/#int_fwd_ext

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/is_internal/#int_fwd_ext
https://dnsthought.nlnetlabs.nl/is_internal/#int_fwd_ext
Page 17: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 17/39

InternalTop 10 ASNs seen @ authoritative

with 10490 resolvers

have the same ASN as the probe (internal)https://dnsthought.nlnetlabs.nl/is_internal/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/is_internal/#top_auth_asns
https://dnsthought.nlnetlabs.nl/is_internal/#top_auth_asns
Page 18: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 18/39

ForwardingTop 10 ASNs seen @ authoritative

with 3351 resolvers1st April 2018

16 November ‘17PCH = Quad9

forwarding to a resolver with a different ASNhttps://dnsthought.nlnetlabs.nl/is_forwarding/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/is_forwarding/#top_auth_asns
https://dnsthought.nlnetlabs.nl/is_forwarding/#top_auth_asns
Page 19: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 19/39

ExternalTop 10 ASNs seen @ authoritative

with 4266 resolvers

have a ASN different from the probe ASNhttps://dnsthought.nlnetlabs.nl/is_external/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/is_external/#top_auth_asns
https://dnsthought.nlnetlabs.nl/is_external/#top_auth_asns
Page 20: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 20/39

Internal, Forwarding, External

Diversity

mailto:[email protected]?subject=About%20DNSThought
Page 21: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 21/39

DNSSECRSA-SHA256 support

with 19135 resolvers with 10178 probeshttps://dnsthought.nlnetlabs.nl/#rsasha256

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/#rsasha256
Page 22: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 22/39

DNSSEC RSA-SHA256 support

with 9493 resolvers with 5508 probes

● 54.1% of probes has validating resolver● 16.7% of those have a non validating resolver too● So realistically only 45.1% of probes is protected

validate DNSKEY algorithm RSA-SHA256https://dnsthought.nlnetlabs.nl/can_rsasha256/#rsasha256

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/can_rsasha256/#rsasha256
https://dnsthought.nlnetlabs.nl/can_rsasha256/#rsasha256
Page 23: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 23/39

DNSSECRoot Key Trust Anchor Sentinel

validate DNSKEY algorithm RSA-SHA256https://dnsthought.nlnetlabs.nl/can_rsasha256/#ta_20326

with 9493 resolvers with 5508 probes

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/can_rsasha256/#ta_20326
https://dnsthought.nlnetlabs.nl/can_rsasha256/#ta_20326
Page 24: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 24/39

DNSSECRoot Key Trust Anchor Sentinel

root KSK sentinel supporthttps://dnsthought.nlnetlabs.nl/has_ta_19036/#ta_20326

with 902 resolvers with 709 probes

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/has_ta_19036/#ta_20326
https://dnsthought.nlnetlabs.nl/has_ta_19036/#ta_20326
Page 25: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 25/39

DNSSECRoot Key Trust Anchor Sentinel

with 902 resolversIn 709 probes

root KSK sentinel supporthttps://dnsthought.nlnetlabs.nl/has_ta_19036/#top_resolver_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/has_ta_19036/#top_resolver_asns
https://dnsthought.nlnetlabs.nl/has_ta_19036/#top_resolver_asns
Page 26: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 26/39

DNSSECStrange dent in August

with 9493 resolversIn 5508 probes

validate DNSKEY algorithm RSA-SHA256https://dnsthought.nlnetlabs.nl/can_rsasha256/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/can_rsasha256/#top_auth_asns
https://dnsthought.nlnetlabs.nl/can_rsasha256/#top_auth_asns
Page 27: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 27/39

DNSSECStrange dent in August

with 897 resolvers with 650 probes

coming from AS13335https://dnsthought.nlnetlabs.nl/auth_AS13335/#rsasha256

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/auth_AS13335/#rsasha256
https://dnsthought.nlnetlabs.nl/auth_AS13335/#rsasha256
Page 28: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 28/39

DNSSECStrange broken GOST DS in September

with 897 resolvers with 650 probes

coming from AS13335https://dnsthought.nlnetlabs.nl/auth_AS13335/#gost

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/auth_AS13335/#gost
https://dnsthought.nlnetlabs.nl/auth_AS13335/#gost
Page 29: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 29/39

DNSSECStrange broken GOST DS in September

with 231 resolversin 185 probes

broken DS algorithm GOST validation supporthttps://dnsthought.nlnetlabs.nl/broken_gost/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/broken_gost/#top_auth_asns
https://dnsthought.nlnetlabs.nl/broken_gost/#top_auth_asns
Page 30: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 30/39

DNSSECThe two incidents side by side

with 4304 resolversin 3025 probes

validate DNSKEY algorithm ED25519https://dnsthought.nlnetlabs.nl/can_ed25519/#gost

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/can_ed25519/#gost
https://dnsthought.nlnetlabs.nl/can_ed25519/#gost
Page 31: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 31/39

Privacy Send an EDNS Client Subnet option

With 4832 (25.3%) resolversin 3283 (32.3%) probes

send an EDNS Client Subnet optionhttps://dnsthought.nlnetlabs.nl/does_ecs/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_ecs/#top_auth_asns
https://dnsthought.nlnetlabs.nl/does_ecs/#top_auth_asns
Page 32: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 32/39

Privacy Send an EDNS Client Subnet option

With 498 resolversin 338 probes

coming from AS36692https://dnsthought.nlnetlabs.nl/auth_AS36692/#ecs_masks

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/auth_AS36692/#ecs_masks
https://dnsthought.nlnetlabs.nl/auth_AS36692/#ecs_masks
Page 33: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 33/39

Privacy Send an EDNS Client Subnet option

With 4129 resolversin 2963 probes

coming from AS15169https://dnsthought.nlnetlabs.nl/auth_AS15169/#ecs_masks

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/auth_AS15169/#ecs_masks
https://dnsthought.nlnetlabs.nl/auth_AS15169/#ecs_masks
Page 34: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 34/39

PrivacyQNAME Minimization

With 1624 (8.5%) resolversin 1140 (11.2%) probes

do QNAME Minimizationhttps://dnsthought.nlnetlabs.nl/does_qnamemin/#top_auth_asns

with 1140 probes

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_qnamemin/#top_auth_asns
https://dnsthought.nlnetlabs.nl/does_qnamemin/#top_auth_asns
Page 35: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 35/39

PrivacyQNAME Minimization

with 1624 resolvers

do QNAME Minimizationhttps://dnsthought.nlnetlabs.nl/does_qnamemin/#ecs_masks

with 1140 probes

● Also zero NX domain rewriting● Also high % DNSSEC validation:

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_qnamemin/#ecs_masks
https://dnsthought.nlnetlabs.nl/does_qnamemin/#ecs_masks
Page 36: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 36/39

Privacy/SecurityNX domain rewriting

With 279 (1.5%) resolvers

do NX domain rewritinghttps://dnsthought.nlnetlabs.nl/does_nxdomain/#int_fwd_ext

With 206 (2.0%) probes

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_nxdomain/#int_fwd_ext
https://dnsthought.nlnetlabs.nl/does_nxdomain/#int_fwd_ext
Page 37: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 37/39

Privacy/SecurityNX domain rewriting

do NX domain rewritinghttps://dnsthought.nlnetlabs.nl/does_nxdomain/#top_auth_asns

Top 10 Probe ASNs == Top 10 Resolver ASNs == Top 10 Authoritative ASNs

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_nxdomain/#top_auth_asns
https://dnsthought.nlnetlabs.nl/does_nxdomain/#top_auth_asns
Page 38: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 38/39

Privacy/SecurityNX domain rewriting

do NX domain rewritinghttps://dnsthought.nlnetlabs.nl/does_nxdomain/#top_nxhj_asns

with 279 resolvers with 206 probes

● Also only 4.3% DNSSEC validation:

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_nxdomain/#top_nxhj_asns
https://dnsthought.nlnetlabs.nl/does_nxdomain/#top_nxhj_asns
Page 39: DNSThought - indico.dns-oarc.net...Willem Toorop DNSThought @OARC29 10/39 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 39/39

DNSThought● Public, though rough, interface to data available

https://dnsthought.nlnetlabs.nl/● Raw processed data available too

https://dnsthought.nlnetlabs.nl/raw● Focus on development of properties over time

Per probe properties & capabilities with RIPE Atlas Probe Tagshttps://atlas.ripe.net/docs/probe-tags/

● Lots to improve– Dynamic (zoomable) plots– IPv4 & IPv6 ECS detection– Better DS algorithm detection– Fragment dropping / Path MTU

?QuestionsSuggestions

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/
https://dnsthought.nlnetlabs.nl/raw
https://atlas.ripe.net/docs/probe-tags/

Next Steps in DANE Adoption - indico.dns-oarc.net · Verisign Public Brief DNSSEC Deployment Status • DNS Root was signed in July 2010 • Top Level Domains: many are signed [1]:

Next Steps in DANE Adoption - indico.dns-oarc.net · Verisign Public Brief DNSSEC Deployment Status • DNS Root was signed in July 2010 • Top Level Domains: many are signed [1]:

DNSSEC Infrastructure Audit Framework - nlnetlabs.nl · This DNSSEC audit framework is intended to be applicable to, but not limited to, top-level type domain registry and name server

DNSSEC Infrastructure Audit Framework - nlnetlabs.nl · This DNSSEC audit framework is intended to be applicable to, but not limited to, top-level type domain registry and name server

Living on the Edge: (Re)focus DNS Efforts on the End-Points · Another possibility: DNS over TLS Validation Recursive resolver Authoritative net Authoritative. Authoritative dns-oarc.net

Living on the Edge: (Re)focus DNS Efforts on the End-Points · Another possibility: DNS over TLS Validation Recursive resolver Authoritative net Authoritative. Authoritative dns-oarc.net

DNSThought - NLnet Labs · Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

DNSThought - NLnet Labs · Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Measuring ATR - indico.dns-oarc.net · average resolution times and the overall DNS resolution failure rate will fall ... determine if they can accept the tested behavior by observing

Measuring ATR - indico.dns-oarc.net · average resolution times and the overall DNS resolution failure rate will fall ... determine if they can accept the tested behavior by observing

Multi-path routing: Impact on BGP - nlnetlabs.nl · 2.2 Multi-path routing methods ... ducting experiments that show their behavior and impact on BGP. We focused on three multi-path

Multi-path routing: Impact on BGP - nlnetlabs.nl · 2.2 Multi-path routing methods ... ducting experiments that show their behavior and impact on BGP. We focused on three multi-path

DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

KSK Sentinel - indico.dns-oarc.net€¦ · We need want to roll the DNSSEC trust-anchor (KSK) Users with a validating resolver that doesn't have the new KSK break; everything looks

KSK Sentinel - indico.dns-oarc.net€¦ · We need want to roll the DNSSEC trust-anchor (KSK) Users with a validating resolver that doesn't have the new KSK break; everything looks

ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman olaf@nlnetlabs.nl.

ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman [email protected].

Testing DNS Performance limits - indico.dns-oarc.net fileTesting DNS Performance limits the Final Chapter Research by ISC for CAIDA Funded by NSF David Boggs, lead investigator Brian

Testing DNS Performance limits - indico.dns-oarc.net fileTesting DNS Performance limits the Final Chapter Research by ISC for CAIDA Funded by NSF David Boggs, lead investigator Brian

Annual Report 2007 - nlnetlabs.nl · In collaboration with Alain Anain, and on invitation by MYNIC Berhad, the Malaysian TLD registry, Kolkman taught a 3 days course in Kuala Lumpur.

Annual Report 2007 - nlnetlabs.nl · In collaboration with Alain Anain, and on invitation by MYNIC Berhad, the Malaysian TLD registry, Kolkman taught a 3 days course in Kuala Lumpur.

Joint Techs, Albuquerque Feb 2006 © 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin olaf@nlnetlabs.nl.

Joint Techs, Albuquerque Feb 2006 © 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin [email protected].

DNS Poisoning: Recent Developments - dns-oarc.net · Note that 16-bit resolution is nearly 100% poisonable in ... (observing TTL). ... no poisoning would result in improved DNS service

DNS Poisoning: Recent Developments - dns-oarc.net · Note that 16-bit resolution is nearly 100% poisonable in ... (observing TTL). ... no poisoning would result in improved DNS service

Willem@NLnetLabs.nl NLnet Labs · 10/16/2013  · exceeding 1280 I Utilizing ICMPv6 PTB messages to send bigger unfragmented answers (in the 1232-1452 range) I Increase DNS responsiveness

[email protected] NLnet Labs · 10/16/2013  · exceeding 1280 I Utilizing ICMPv6 PTB messages to send bigger unfragmented answers (in the 1232-1452 range) I Increase DNS responsiveness

Unbound in C - NLnet Labs · © Stichting NLnet Labs Unbound in C San Diego - 2006 Wouter Wijngaards (wouter@NLnetLabs.nl)

Unbound in C - NLnet Labs · © Stichting NLnet Labs Unbound in C San Diego - 2006 Wouter Wijngaards ([email protected])

PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW

PowerPoint Presentation - An introduction to DNSSECnlnetlabs.nl. 3600 IN RRSIG A 5 2 3600 (20050611144523 20050511144523 3112 nlnetlabs.nl. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW

What if Everyone Did It? - indico.dns-oarc.net · DNS Resolution Time This measures just the DNS resolution part, collecting the elapsed time between the first and last queries for

What if Everyone Did It? - indico.dns-oarc.net · DNS Resolution Time This measures just the DNS resolution part, collecting the elapsed time between the first and last queries for

IETF an overview and a few work items · 2010. 12. 21. · IETF an overview and a few work items... Olaf M. Kolkman olaf@NLnetLabs.nl Contains material from Lars Eggers, Scott Bradner,

IETF an overview and a few work items · 2010. 12. 21. · IETF an overview and a few work items... Olaf M. Kolkman [email protected] Contains material from Lars Eggers, Scott Bradner,