DNS OARC's 24th Workshop
Our first presentation was at the DNS-OARC’s 24th Workshop, an event organized by the DNS Operations, Analysis, and Research Center (DNS-OARC). SIDN Labs contributed two presentations.
SIDN Labs' Maarten Wullink presented “ENTRADA: The Impact of a TTL Change at the TLD-level”. In his presentation, Maarten showed a measurement analysis of the DNS traffic changes we observed at our .nl authoritative servers after we reduced the TTL of the .nl zone from two hours to one hour.
By reducing our zone TTL, we are making any newly registered domains and updates to existing domains available more quickly. However, DNS resolvers (typically in ISP networks) querying our authoritative servers would, in turn, perform queries more often, since they use the TTL value as an indication of how long a DNS response should be kept in the cache.
One could assume that this would lead to twice as many DNS queries on our authoritative servers. As Maarten showed in his OARC presentation, the actual traffic increase was 59% in volume, since not every resolver queries the entire zone every hour. Maarten’s work may help other registries know what to expect when TTL values are changed. Parts of the datasets we used are publicly available. We used ENTRADA, our data streaming warehouse, to analyze our authoritative DNS traffic data.
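Why the increase stays below a factor of two can be seen in a simple cache model. The sketch below is an added example, not part of Maarten's analysis or of ENTRADA. It assumes that client queries for a name reach a single resolver as a Poisson process, that the resolver honours the TTL exactly, and that there is no prefetching; the sample client rates are constructed.

```python
"""Added illustration: authoritative query load versus TTL for one resolver cache.

Assumptions (not from the presentation): client queries for a name arrive at the
resolver as a Poisson process with rate lam (queries/second), the resolver keeps
the answer for exactly the TTL, and nothing is prefetched.
"""

OLD_TTL = 7200  # two hours, in seconds
NEW_TTL = 3600  # one hour, in seconds

# Constructed sample: client query rates (per second) for five names at one resolver.
SAMPLE_RATES = {
    "very-popular": 1.0,
    "once-a-minute": 1 / 60,
    "once-an-hour": 1 / 3600,
    "once-a-day": 1 / 86400,
    "once-a-week": 1 / 604800,
}


def upstream_rate(lam, ttl):
    """Cache misses per second that reach the authoritative servers.

    After a miss the answer is cached for ttl seconds; the next miss is the first
    client query after expiry, on average 1/lam seconds later. The mean time
    between two misses is therefore ttl + 1/lam.
    """
    return 1.0 / (ttl + 1.0 / lam)


def increase_factor(lam, old_ttl=OLD_TTL, new_ttl=NEW_TTL):
    """Ratio of authoritative load after and before the TTL change, for one name."""
    return upstream_rate(lam, new_ttl) / upstream_rate(lam, old_ttl)


def aggregate_increase(client_rates, old_ttl=OLD_TTL, new_ttl=NEW_TTL):
    """Same ratio, summed over a mix of names with different popularity."""
    rates = list(client_rates)
    old = sum(upstream_rate(lam, old_ttl) for lam in rates)
    new = sum(upstream_rate(lam, new_ttl) for lam in rates)
    return new / old


if __name__ == "__main__":
    for name, lam in SAMPLE_RATES.items():
        print(f"{name:15s} x{increase_factor(lam):.3f}")
    print(f"{'all names':15s} x{aggregate_increase(SAMPLE_RATES.values()):.3f}")
```

Only names that are requested far more often than once per TTL approach a doubling; names a resolver looks up rarely generate almost the same load at either TTL, which pulls the aggregate below two.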
CDAR (Continuous Data-driven Analysis of Root Stability)
The second presentation we were involved in was on CDAR (Continuous Data-driven Analysis of Root Stability), a joint project with NLnet Labs and TNO, commissioned by ICANN. Bart Gijsen from TNO presented CDAR at OARC24, covering our project description, approach, and preliminary results on the impact of the growth of the root zone files (related to ICANN’s new gTLD program) on the performance of the Root DNS system.
Giovane Moura presented CDAR as well, but to a different community: IEPG.
His presentation differed in content and focus from the one at OARC24, and focused on the measurement analysis of the CDAR project and preliminary results. It covers the analysis of RIPE Atlas measurement data towards all root server letters (A-M), and the impact on round-trip time whenever the root zone file size was increased. The preliminary results show that the impact is minimal.
The IETF is by far the largest of the three events. In this edition, we had two contributions:
DDoS Open Threat Signaling (dots) WG
Marco Davids and Giovane Moura, together with two colleagues from Nancy, France (Jérôme François and Abdelkader Lahmadi), submitted an Internet draft to the DOTS working group. The DOTS working group aims to “develop a standards based approach for the real-time signaling of DDoS related telemetry and threat handling requests and data between elements concerned with DDoS attack detection, classification, traceback, and mitigation”.
Our draft, draft-francois-ipv6-dots-signal-option-00, presents an opportunistic method to signal DDoS attacks by employing the IPv6 Hop-by-Hop options extension header. This draft was not discussed at the Buenos Aires meeting, but we expect it to be presented at the next meeting, IETF 96 in Berlin. DDoS is a major concern for us and any other Internet service operator, and recently even the Root DNS servers have been attacked.
Proposed Network Machine Learning Research Group (nmlrg)
This proposed IRTF research group focuses on “applying machine learning technologies in network control, network management, and supplying network data for upper-layer applications.”
Giovane’s presentation “Malicious domains: Automatic Detection with DNS traffic analysis” summarized both our data processing platform (ENTRADA) and our nDEWS system, which employs machine learning to detect newly registered malicious domains in the .nl zone, based on their query patterns. This presentation is also a summary of two research papers (1, 2), which we will present at the IFIP/IEEE NOMS 2016 conference at the end of April 2016.
We are very happy with our contributions in Buenos Aires. We received positive feedback on our presentations and several questions. For example, we were asked whether QNAME minimization would impact nDEWS (the answer is no, since we only look at second-level domains). We hope to present our DOTS draft at IETF 96 in Berlin, and other new things we’re currently working on at the next events.