• Home

  • Documents

  • DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes...
38
53 DNSThought Everything you ever wanted to know about caching resolvers but were afraid to ask Willem Toorop 13 October 2018 Amsterdam 29

DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

  • Upload
    others

  • View
    10

  • Download
    0

Embed Size (px)

Citation preview

Page 1: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

53DNSThought

Everything you ever wanted to knowabout caching resolvers but were afraid to ask

Willem Toorop

13 October 2018Amsterdam

29

Page 2: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 2/38

Pariticpants:Andrea Barberio, Petros Gigis, Jerry Lundström, Teemu Rytilahti, Willem Toorop

Goal:Provide insight into caching resolver capabilities

mailto:[email protected]?subject=About%20DNSThought
Page 3: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 3/38

Capabilities & propertiesBasic : IPv6, TCP, TCP over IPv6Security: DNSSEC validation, Algorithm support,

TA’s Root KSK Sentinel, NXdomain rewritePrivacy : Qname minimization, EDNS Client Subnet

mailto:[email protected]?subject=About%20DNSThought
Page 4: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 4/38

Some msms need just a zoneIPv6, DNSSEC validation, NXdomain rewriting

Some need authoritative perspectiveTCP, Qname minimization, EDNS Client subnet

dnsthoughtd

mailto:[email protected]?subject=About%20DNSThought
https://github.com/DNS-OARC/ripe-hackathon-dns-caching/tree/master/dnsthoughtd
Page 5: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 5/38

dnsthoughtd

mailto:[email protected]?subject=About%20DNSThought
Page 6: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 6/38

Host Network

The RIPE Atlas perspective

NLnet LabsInternet

Host NetworkResolver

Public Resolver53

dnsthoughtd

mailto:[email protected]?subject=About%20DNSThought
Page 7: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 7/38

The RIPE Atlas perspective

ProbeASN

ResolverASN

AuthoritativeASN

Internal X = X

Forwarding X X Z

X Y Z

External X Z Z

mailto:[email protected]?subject=About%20DNSThought
Page 8: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 8/38

Qname minimization

mailto:[email protected]?subject=About%20DNSThought
Page 9: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 9/38

Measurements for all probes every hour

Thank you Emile Aben! ♥️

query msm ID<prb_id>.<time>.ripe-hackathon6.nlnetlabs.nl AAAA 8310366

<prb_id>.<time>.tc.ripe-hackathon4.nlnetlabs.nl A 8310360

<prb_id>.<time>.tc.ripe-hackathon6.nlnetlabs.nl AAAA 8310364

qnamemintest.internet.nl TXT 8310250

nxdomain.ripe-hackathon2.nlnetlabs.nl A 8311777

whoami.akamai.net A 8310245

o-o.myaddr.l.google.com TXT 8310237

secure.ripe-hackathon2.nlnetlabs.nl A 8311760

bogus.ripe-hackathon2.nlnetlabs.nl A 8311763

mailto:[email protected]?subject=About%20DNSThought
https://atlas.ripe.net/measurements/8310366/
Page 10: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 10/38

mailto:[email protected]?subject=About%20DNSThought
Page 11: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 11/38

Root Canary Project

● Participation with Roland van Rijswijk - Deij● Measurements started 20 June 2017

mailto:[email protected]?subject=About%20DNSThought
Page 12: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 12/38

More measurements● Moritz Muller joined too● Root KSK Sentinel msms

since 19 July 2018 query msm ID

root-key-sentinel-not-ta-19036.d2a8n3.rootcanary.net A 15283670

root-key-sentinel-not-ta-20326.d2a8n3.rootcanary.net A 15283671

With validating resolvers we have three situations: 1. Key 20326 has not been picked up (yet) 2. Key 20326 is a valid TA, and key 19036 is still a valid TA 3. Key 20326 is a valid TA, and key 19036 is removedFor these situations (1, 2,3), measurements for: - (not-ta-19036 is-ta-20326) results in 1: (S S), 2: (S A), 3: (A A) - ( is-ta-19036 is-ta-20326) results in 1: (A S), 2: (A A), 3: (S A) - (not-ta-19036 not-ta-20326) results in 1: (S A), 2: (S S), 3: (A S) - ( is-ta-19036 not-ta-20326) results in 1: (A A), 2: (A S), 3: (S S)

mailto:[email protected]?subject=About%20DNSThought
Page 13: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 13/38

1 years of measurements½Internal, Forwarding & External

with 19082 resolvers with 10155 probeshttps://dnsthought.nlnetlabs.nl/#int_fwd_ext

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/#int_fwd_ext
Page 14: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 14/38

1 years of measurements½Top 10 ASNs seen @ authoritative

with 19082 resolvershttps://dnsthought.nlnetlabs.nl/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/#top_auth_asns
Page 15: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 15/38

Internal

with 10490 resolvers with 6611 probes

have the same ASN as the probe (internal)https://dnsthought.nlnetlabs.nl/is_internal/#int_fwd_ext

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/is_internal/#int_fwd_ext
https://dnsthought.nlnetlabs.nl/is_internal/#int_fwd_ext
Page 16: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 16/38

InternalTop 10 ASNs seen @ authoritative

with 10490 resolvers

have the same ASN as the probe (internal)https://dnsthought.nlnetlabs.nl/is_internal/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/is_internal/#top_auth_asns
https://dnsthought.nlnetlabs.nl/is_internal/#top_auth_asns
Page 17: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 17/38

ForwardingTop 10 ASNs seen @ authoritative

with 3351 resolvers1st April 2018

16 November ‘17PCH = Quad9

forwarding to a resolver with a different ASNhttps://dnsthought.nlnetlabs.nl/is_forwarding/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/is_forwarding/#top_auth_asns
https://dnsthought.nlnetlabs.nl/is_forwarding/#top_auth_asns
Page 18: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 18/38

ExternalTop 10 ASNs seen @ authoritative

with 4266 resolvers

have a ASN different from the probe ASNhttps://dnsthought.nlnetlabs.nl/is_external/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/is_external/#top_auth_asns
https://dnsthought.nlnetlabs.nl/is_external/#top_auth_asns
Page 19: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 19/38

Internal, Forwarding, External

Diversity

mailto:[email protected]?subject=About%20DNSThought
Page 20: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 20/38

DNSSECRSA-SHA256 support

with 19135 resolvers with 10178 probeshttps://dnsthought.nlnetlabs.nl/#rsasha256

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/#rsasha256
Page 21: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 21/38

DNSSEC RSA-SHA256 support

with 9493 resolvers with 5508 probes

● 54.1% of probes has validating resolver● 16.7% of those have a non validating resolver too● So realistically only 45.1% of probes is protected

validate DNSKEY algorithm RSA-SHA256https://dnsthought.nlnetlabs.nl/can_rsasha256/#rsasha256

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/can_rsasha256/#rsasha256
https://dnsthought.nlnetlabs.nl/can_rsasha256/#rsasha256
Page 22: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 22/38

DNSSECRoot Key Trust Anchor Sentinel

validate DNSKEY algorithm RSA-SHA256https://dnsthought.nlnetlabs.nl/can_rsasha256/#ta_20326

with 9493 resolvers with 5508 probes

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/can_rsasha256/#ta_20326
https://dnsthought.nlnetlabs.nl/can_rsasha256/#ta_20326
Page 23: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 23/38

DNSSECRoot Key Trust Anchor Sentinel

root KSK sentinel supporthttps://dnsthought.nlnetlabs.nl/has_ta_19036/#ta_20326

with 902 resolvers with 709 probes

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/has_ta_19036/#ta_20326
https://dnsthought.nlnetlabs.nl/has_ta_19036/#ta_20326
Page 24: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 24/38

DNSSECRoot Key Trust Anchor Sentinel

with 902 resolversIn 709 probes

root KSK sentinel supporthttps://dnsthought.nlnetlabs.nl/has_ta_19036/#top_resolver_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/has_ta_19036/#top_resolver_asns
https://dnsthought.nlnetlabs.nl/has_ta_19036/#top_resolver_asns
Page 25: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 25/38

DNSSECStrange dent in August

with 9493 resolversIn 5508 probes

validate DNSKEY algorithm RSA-SHA256https://dnsthought.nlnetlabs.nl/can_rsasha256/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/can_rsasha256/#top_auth_asns
https://dnsthought.nlnetlabs.nl/can_rsasha256/#top_auth_asns
Page 26: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 26/38

DNSSECStrange dent in August

with 897 resolvers with 650 probes

coming from AS13335https://dnsthought.nlnetlabs.nl/auth_AS13335/#rsasha256

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/auth_AS13335/#rsasha256
https://dnsthought.nlnetlabs.nl/auth_AS13335/#rsasha256
Page 27: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 27/38

DNSSECStrange broken GOST DS in September

with 897 resolvers with 650 probes

coming from AS13335https://dnsthought.nlnetlabs.nl/auth_AS13335/#gost

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/auth_AS13335/#gost
https://dnsthought.nlnetlabs.nl/auth_AS13335/#gost
Page 28: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 28/38

DNSSECStrange broken GOST DS in September

with 231 resolversin 185 probes

broken DS algorithm GOST validation supporthttps://dnsthought.nlnetlabs.nl/broken_gost/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/broken_gost/#top_auth_asns
https://dnsthought.nlnetlabs.nl/broken_gost/#top_auth_asns
Page 29: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 29/38

DNSSECThe two incidents side by side

with 4304 resolversin 3025 probes

validate DNSKEY algorithm ED25519https://dnsthought.nlnetlabs.nl/can_ed25519/#gost

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/can_ed25519/#gost
https://dnsthought.nlnetlabs.nl/can_ed25519/#gost
Page 30: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 30/38

Privacy Send an EDNS Client Subnet option

With 4832 (25.3%) resolversin 3283 (32.3%) probes

send an EDNS Client Subnet optionhttps://dnsthought.nlnetlabs.nl/does_ecs/#top_auth_asns

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_ecs/#top_auth_asns
https://dnsthought.nlnetlabs.nl/does_ecs/#top_auth_asns
Page 31: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 31/38

Privacy Send an EDNS Client Subnet option

With 498 resolversin 338 probes

coming from AS36692https://dnsthought.nlnetlabs.nl/auth_AS36692/#ecs_masks

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/auth_AS36692/#ecs_masks
https://dnsthought.nlnetlabs.nl/auth_AS36692/#ecs_masks
Page 32: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 32/38

Privacy Send an EDNS Client Subnet option

With 4129 resolversin 2963 probes

coming from AS15169https://dnsthought.nlnetlabs.nl/auth_AS15169/#ecs_masks

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/auth_AS15169/#ecs_masks
https://dnsthought.nlnetlabs.nl/auth_AS15169/#ecs_masks
Page 33: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 33/38

PrivacyQNAME Minimization

With 1624 (8.5%) resolversin 1140 (11.2%) probes

do QNAME Minimizationhttps://dnsthought.nlnetlabs.nl/does_qnamemin/#top_auth_asns

with 1140 probes

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_qnamemin/#top_auth_asns
https://dnsthought.nlnetlabs.nl/does_qnamemin/#top_auth_asns
Page 34: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 34/38

PrivacyQNAME Minimization

with 1624 resolvers

do QNAME Minimizationhttps://dnsthought.nlnetlabs.nl/does_qnamemin/#ecs_masks

with 1140 probes

● Also zero NX domain rewriting● Also high % DNSSEC validation:

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_qnamemin/#ecs_masks
https://dnsthought.nlnetlabs.nl/does_qnamemin/#ecs_masks
Page 35: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 35/38

Privacy/SecurityNX domain rewriting

With 279 (1.5%) resolvers

do NX domain rewritinghttps://dnsthought.nlnetlabs.nl/does_nxdomain/#int_fwd_ext

With 206 (2.0%) probes

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_nxdomain/#int_fwd_ext
https://dnsthought.nlnetlabs.nl/does_nxdomain/#int_fwd_ext
Page 36: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 36/38

Privacy/SecurityNX domain rewriting

do NX domain rewritinghttps://dnsthought.nlnetlabs.nl/does_nxdomain/#top_auth_asns

Top 10 Probe ASNs == Top 10 Resolver ASNs == Top 10 Authoritative ASNs

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_nxdomain/#top_auth_asns
https://dnsthought.nlnetlabs.nl/does_nxdomain/#top_auth_asns
Page 37: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 37/38

Privacy/SecurityNX domain rewriting

do NX domain rewritinghttps://dnsthought.nlnetlabs.nl/does_nxdomain/#top_nxhj_asns

with 279 resolvers with 206 probes

● Also only 4.3% DNSSEC validation:

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/does_nxdomain/#top_nxhj_asns
https://dnsthought.nlnetlabs.nl/does_nxdomain/#top_nxhj_asns
Page 38: DNSThought - DNS-OARC (Indico)...Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Willem Toorop

DNSThought @OARC29 38/38

DNSThought● Public, though rough, interface to data available

https://dnsthought.nlnetlabs.nl/● Raw processed data available too

https://dnsthought.nlnetlabs.nl/raw● Focus on development of properties over time

Per probe properties & capabilities with RIPE Atlas Probe Tagshttps://atlas.ripe.net/docs/probe-tags/

● Lots to improve– Dynamic (zoomable) plots– IPv4 & IPv6 ECS detection– Better DS algorithm detection– Fragment dropping / Path MTU

?QuestionsSuggestions

mailto:[email protected]?subject=About%20DNSThought
https://dnsthought.nlnetlabs.nl/
https://dnsthought.nlnetlabs.nl/raw
https://atlas.ripe.net/docs/probe-tags/

Oarc slides c02 assessment workshop

Oarc slides c02 assessment workshop

Business
OARC 27 DNS Privacy clients · DNS Privacy Clients @ OARC 27 Sep 2017, San Jose Command line tools 9 Features getdns_query kdig delv (dig) (dig) drill DNS ECS privacy 9.12 (drill)

OARC 27 DNS Privacy clients · DNS Privacy Clients @ OARC 27 Sep 2017, San Jose Command line tools 9 Features getdns_query kdig delv (dig) (dig) drill DNS ECS privacy 9.12 (drill)

Documents
Reinier de Adelhart Toorop (Nikhef) MPI Heidelberg 12-03-2012

Reinier de Adelhart Toorop (Nikhef) MPI Heidelberg 12-03-2012

Documents
U.S.-Oman Trade Bulletin - State Aluminum Rolling Company LLC (OARC) Inauguration On December 15, the Omani Aluminum Rolling Company LLC (OARC) hosted U.S. Ambassador Greta C. Holtz

U.S.-Oman Trade Bulletin - State Aluminum Rolling Company LLC (OARC) Inauguration On December 15, the Omani Aluminum Rolling Company LLC (OARC) hosted U.S. Ambassador Greta C. Holtz

Documents
11/29/2015David Conn VE3KL1 OARC Microcontroller Club Project 2009 Picaxe PIC16F886

11/29/2015David Conn VE3KL1 OARC Microcontroller Club Project 2009 Picaxe PIC16F886

Documents
Welcome to the OARC e-Magazine - ogdenarc.org News April 2006.pdfWelcome to the OARC e-Magazine ... Tuna Tin 40m QRP Transmitter Kit ... ICOM-718 HF QRP Transceiver Tuna Tin QRP Transmitter

Welcome to the OARC e-Magazine - ogdenarc.org News April 2006.pdfWelcome to the OARC e-Magazine ... Tuna Tin 40m QRP Transmitter Kit ... ICOM-718 HF QRP Transceiver Tuna Tin QRP Transmitter

Documents
ATLAS MUON COSMIC RAY TESTSTATION Martijn van PottelbergheReinier de Adelhart Toorop

ATLAS MUON COSMIC RAY TESTSTATION Martijn van PottelbergheReinier de Adelhart Toorop

Documents
Welcome to the OARC e-Magazine - ogdenarc.org News August 2007.pdf · Welcome to the OARC e-Magazine ... It has been just over a year ago since Maggi, N7HCP, and I, K7HCP, ... This

Welcome to the OARC e-Magazine - ogdenarc.org News August 2007.pdf · Welcome to the OARC e-Magazine ... It has been just over a year ago since Maggi, N7HCP, and I, K7HCP, ... This

Documents
The Listening Post - OARCThe Listening Post is the OARC newsletter for OARC members. The LP will be distributed electronically via E-mail and the OARC web site (). Co-Editors: Thomas

The Listening Post - OARCThe Listening Post is the OARC newsletter for OARC members. The LP will be distributed electronically via E-mail and the OARC web site (). Co-Editors: Thomas

Documents
Multi-Signer DNSSEC Models - DNS-OARC

Multi-Signer DNSSEC Models - DNS-OARC

Documents
OARC Status Keith Mitchell OARC Programme Manager Internet Systems Consortium OARC Workshop Seattle, 16 th Nov 2006

OARC Status Keith Mitchell OARC Programme Manager Internet Systems Consortium OARC Workshop Seattle, 16 th Nov 2006

Documents
Jan Toorop (1858-1928) - London Art Week

Jan Toorop (1858-1928) - London Art Week

Documents
Welcome to the OARC e-Magazine - ogdenarc.org News August... · 2019-08-08 · Welcome to the OARC e-Magazine AUGUST 2012 Next Club Meeting/Activity 3rd Saturday 18 August 2012 Topic:

Welcome to the OARC e-Magazine - ogdenarc.org News August... · 2019-08-08 · Welcome to the OARC e-Magazine AUGUST 2012 Next Club Meeting/Activity 3rd Saturday 18 August 2012 Topic:

Documents
DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008

Documents
State of the DNS - RIPE 79Measurements for all probes every hour query msm ID ..ripe-hackathon6.nlnetlabs.nl AAAA 8310366 ..tc.ripe-hackathon4.nlnetlabs.nl

State of the DNS - RIPE 79Measurements for all probes every hour query msm ID ..ripe-hackathon6.nlnetlabs.nl AAAA 8310366 ..tc.ripe-hackathon4.nlnetlabs.nl

Documents
OARC 2014 Delegate Package

OARC 2014 Delegate Package

Documents
Jan Toorop and the year 1892 by Robert Siebelhoff, page 72

Jan Toorop and the year 1892 by Robert Siebelhoff, page 72

Documents
What we did last OARC - RIPE 77 · 2018. 10. 17. · 7 OARC Workshops Sharing of latest operational and research knowledge, experiences, data analysis, best practices & insights like

What we did last OARC - RIPE 77 · 2018. 10. 17. · 7 OARC Workshops Sharing of latest operational and research knowledge, experiences, data analysis, best practices & insights like

Documents
AIESEC OARC 2011 PARTNERSHIP PROPOSAL

AIESEC OARC 2011 PARTNERSHIP PROPOSAL

Documents
Welcome to the OARC e-Magazine - ogdenarc.orgogdenarc.org/newsletter_archive/Watts News May 2010.pdfWelcome to the OARC e-Magazine MAY 2010 Next Club Meeting 3rd Saturday 15 May 2010

Welcome to the OARC e-Magazine - ogdenarc.orgogdenarc.org/newsletter_archive/Watts News May 2010.pdfWelcome to the OARC e-Magazine MAY 2010 Next Club Meeting 3rd Saturday 15 May 2010

Documents
The Importance of Being an Earnest stub - NLnet LabsWillem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 3/45 From the ground-up security DNSSEC protects

The Importance of Being an Earnest stub - NLnet LabsWillem Toorop (NLnet Labs) The Importance of Being an Earnest stub – OARC 26 3/45 From the ground-up security DNSSEC protects

Documents
Welcome to the OARC e-Magazine - ogdenarc.orgogdenarc.org/newsletter_archive/Watts News September 2006... · 2019-08-08 · Welcome to the OARC e-Magazine SEPTEMBER 2006 Next Club

Welcome to the OARC e-Magazine - ogdenarc.orgogdenarc.org/newsletter_archive/Watts News September 2006... · 2019-08-08 · Welcome to the OARC e-Magazine SEPTEMBER 2006 Next Club

Documents
Ohio Area Repeater Directory 2016-2017 - OARC homepage · 2016-07-06 · THE OHIO AREA REPEATER COUNCIL, INC. THE OHIO COORDINATION PROCESS 1. An OARC application for coordination

Ohio Area Repeater Directory 2016-2017 - OARC homepage · 2016-07-06 · THE OHIO AREA REPEATER COUNCIL, INC. THE OHIO COORDINATION PROCESS 1. An OARC application for coordination

Documents
Celebrang the Seasons of Life - OARContarc.com/assets_newsletter/OARC_Seasons_Spring2016.pdf · Celebrang the Seasons of Life OARC Connecting in New Ways Across Ontario OARC has realized

Celebrang the Seasons of Life - OARContarc.com/assets_newsletter/OARC_Seasons_Spring2016.pdf · Celebrang the Seasons of Life OARC Connecting in New Ways Across Ontario OARC has realized

Documents
DNS-OARC 2014 AGM President's Report › event › 20 › contributions › ... · DNS-OARC Staff Resources President, Secretary (Keith Mitchell) 0.75 FTE Systems Engineer (William

DNS-OARC 2014 AGM President's Report › event › 20 › contributions › ... · DNS-OARC Staff Resources President, Secretary (Keith Mitchell) 0.75 FTE Systems Engineer (William

Documents
Welcome to the OARC e-Magazine - ogdenarc.org News May 2007.pdf · Welcome to the OARC e-Magazine www ... Thanks to Kent Gardner WA7AHY for arranging this very interesting ... searched

Welcome to the OARC e-Magazine - ogdenarc.org News May 2007.pdf · Welcome to the OARC e-Magazine www ... Thanks to Kent Gardner WA7AHY for arranging this very interesting ... searched

Documents
Welcome to the OARC e-Magazine - ogdenarc.orgogdenarc.org/newsletter_archive/Watts News May 2012.pdf · Welcome to the OARC e-Magazine MAY 2012 Next Club Meeting/Activity 3rd Saturday

Welcome to the OARC e-Magazine - ogdenarc.orgogdenarc.org/newsletter_archive/Watts News May 2012.pdf · Welcome to the OARC e-Magazine MAY 2012 Next Club Meeting/Activity 3rd Saturday

Documents
Welcome to the OARC e-Magazine - OARC - Ogden Amateur

Welcome to the OARC e-Magazine - OARC - Ogden Amateur

Documents
ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman olaf@nlnetlabs.nl

ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman [email protected]

Documents
DNSThought - NLnet Labs · Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

DNSThought - NLnet Labs · Willem Toorop DNSThought @OARC29 9/38 Measurements for all probes every hour Thank you Emile Aben! ♥️ query msm ID ..ripe-hackathon6.nlnetlabs.nl

Documents