SlideShare a Scribd company logo

2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion

APNIC
APNIC

APNIC Chief Scientist Geoff Huston gives an overview of the complex many-layered model of DNS security, and a new emerging world of choices for protecting traffic, hiding queries, and the future trends in ISP provided, and independent third-party DNS services at the 2nd ICANN APAC-TWNIC Engagement Forum, held from 15 to 16 April 2021.

Internet
1 of 41
Download to read offline
DNS Oblivion Geoff Huston AM Chief Scientist APNIC Labs
Why pick on the DNS? The DNS is very easy to tap and tamper • DNS queries are open and unencrypted • DNS payloads are not secured and tampering cannot be detected • DNS responses are predictable and false answers can be readily inserted
Why pick on the DNS? The DNS is hard for users to trace • Noone knows exactly where their queries go • Noone can know precisely where their answers come from
Why pick on the DNS? The DNS is you! • Because pretty much everything you do on the net starts with a call to the DNS • If we could see your stream of DNS queries in real time we could easily assemble a detailed profile of you and your interests and activities as it happens! • And in the Internet Surveillance Economy this profile information is highly valuable to all kinds of actors
Countering DNS Surveillance • Can we stop DNS surveillance completely? • Probably not! • Can we make it harder to collect individual profiles of activity? • Well, yes • And that’s what I want to talk about today
What’s the problem here? • Is the DNS label being queried a secret? • Well, not normally * ✵ Although there are DNS versions of steganography that can conceal data in the query string
What’s the problem here? • Is the DNS label being queried a secret? • Well, not normally • Is the DNS response to a query a secret? • Again, not normally * ✵ Although there are DNS versions of steganography that can conceal data in the response value
What’s the problem here? • Is the DNS label being queried a secret? • Well, not normally • Is the DNS response to a query a secret? • Again, not normally • So what is the issue here? • It’s the combination of query and the meta-data around a query that creates a problem: • The end user identity, from the IP packet header • The DNS label (or sequence of labels) being queried, from the payload • The date and time
Let’s take a step back… Client DNS Resolver DNS Server How the idealised model of the DNS works
What we suspect the DNS is like Client DNS Server DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver
What we suspect the DNS is like Client DNS Resolver DNS Server DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver Corrupted host platforms Wireline and middleware Inspection and interception Resolvers that leak queries Servers that leak queries
Second-hand DNS queries are a business opportunity these days
How can we improve DNS Privacy? Let’s look at a few behaviours of the DNS and see what we are doing to try and improve its privacy properties
QNAME Minimisation • A resolver technique intended to improve DNS privacy where a DNS resolver no longer sends the entire original query name to the upstream name server • Described in RFC 7816
Yes, but… It’s a technique to minimise the information leak between a recursive resolver and authoritative servers, as stub resolvers pass the full query label to the recursive resolver So while it sounds good, its actually not a major improvement
DNSSEC pixie dust • A DNSSEC-signed zone can be used to allow clients to verify that the DNS answer they that receive about an entry in that zone is authentic • A DNS response that has been modified will fail to validate under DNSSEC when: • a client asks a security-aware resolver to resolve a name, and • sets the EDNS(0) DNSSEC OK bit, and • the zone is DNSSEC-signed • A DNSSEC-validating recursive resolver will only return a RRset for the query if it can validate the response using the associated digital signature, and It will set the AD bit in the resolver response to indicate validation success Otherwise it will return SERVFAIL
Yes, but… • The zone (and all its parent zones) must be DNSSEC-signed • If the recursive resolver performs DNSSEC validation (using the recursive resolver to validate is the most prevalent deployment model) then the all- important stub-to-recursive link is still vulnerable to interception and re- writing • And if your recursive resolver is performing the re-writing of the response then the stub is none the wiser if the stub does not perform DNSSEC validation • Stub resolvers don’t generally perform DNSSEC validation • It’s too slow!
Middleware and WireTapping • If we want to make DNS surveillance harder we should look at encrypting the transport used by DNS queries and responses between stub and recursive resolvers • Today’s standard tool is Transport Layer Security, which uses a dynamically generated session key to encrypt all traffic between two parties
DoT - DNS over TLS • TLS is a TCP ‘overlay’ that adds server authentication and session encryption to TCP • DoT uses a persistent stub-to-recursive relationship to amortize the setup costs of TCP and TLS over many subsequent queries • Which works efficiently in a stub-to-recursive scenario, but its not even a little bit efficient for recursive-to-authoritatives! • If the initial server name certificate is validated by the client then • The client can be assured (to some extent) of who it is talking to by name • No third parties can observe or intrude in the DNS queries and responses in this DoT session
Yes, but… • The TCP session state is on port 853 • DNS over TLS can be readily blocked by CPE and middleware • DoT will generate a higher recursive resolver memory load as each client may have a held state with one or more recursive resolvers • The privacy is relative, as the recursive resolver still knows all about you and your DNS queries • And until ECH* in TLS 1.3 is widely supported, the identity of the TLS server is still in the clear, which also facilitates blocking even if the DoT session jumps over to use TCP port 443 * Encrypting the Server Name in the Client Hello message of TLS setup
DoH - DNS over HTTPS • DNS over HTTPS • Uses an HTTPS session for the stub-to-recursive link • Similar to DNS over TLS, but with HTTP object semantics interposed between the DNS and TLS • Uses TCP port 443, so can be masked within other HTTPS traffic • Uses DNS wire format
Why prefer DoH over DoT? • To bypass middleware blocking of TCP port 853 (DoT) • DoH allows the stub resolver function to be merged into the application at the client end and DNS resolver to be multiplexed at the server side (browsers and web servers) • HTTP object semantics allow for HTTP object caching in the client • This enables server-side HTTP push of DNS responses • Resolver-less DNS! • Can speed up transactions through pre-provisioning of DNS responses • Applications can switch to use DoH without waiting for the OS platform or the ISP service infrastructure to also support DoH
Yes, but… • Aside from changing the TCP port to 443 there is little difference between DoH and DoT from a conventional DNS perspective • Most of the DNS issues with DoH are about the use of resolver-less DNS and content-based DoH-server switching using the HTTP framing shim, which are still largely speculative matters these days • Application-level DoH can be readily hidden from the platform and from the local network – this can be seen as a good or bad thing!
DNS over QUIC • QUIC is a transport protocol originally developed by Google and passed over to the IETF for standardised profile development • QUIC uses a thin UDP shim and an encrypted payload • The payload is divided into a TCP-like transport header and a payload • QUIC allows for multiple DNS queries without TCP Head Of Line blocking DNS TLS TCP IP DNS QUIC UDP IP DOT DOQ
Yes, but… • QUIC on UDP port 443 has issues with port blocking in middleware • There is little difference between DoQ, DoH and DoT from a conventional DNS perspective • The remote end recursive resolver still is privy to all your DNS queries and your identity
Hiding in the Crowd • What if you use a DoT or DoH session to a very busy open resolver? • No third party can see you queries to the open resolver • Noone else can see the responses from the open resolver • The open resolver asks the authoritative servers which makes it challenging to map the query back to the end user • So if you you are prepared to trust Google, Open DNS, Cloudflare, Quad9, etc with your DNS, and you use DoH or DoT on the stub-to-recursive hop then its far harder for any third party to associate your identity with your queries
I’m still uncomfortable • It the intention of all of these measures is to prevent a third party from known who I am and what DNS queries I make, then none of these approaches really work! • Is sharing my identity and all my DNS with Google* really a step forward in protecting my privacy? • I don’t pay Google • I don’t have a contract with Google • It’s not even clear if Google obey the laws of the country where I reside • So how am I “protected” here? * Or any other third party DNS resolution service provider
Can we improve this? • A big part of the problem is being able to associate my identity with DNS queries • So can we break this association?
Oblivious DNS (oDNS) • Uses the QUERY name to disassociate stub identity from query • Stub resolver encrypts the DNS query name into a new query name • Encryption uses the public key of a known oDNS server, and appends the name of the oDNS server to the encrypted query name • Stub resolver queries a ‘normal’ recursive resolver with this encrypted query name • Recursive resolver queries an oDNS server with this encrypted query name • oDNS server strips out its own name and decrypts the query name, and resolves this name • oDNS server encrypts the DNS response to send back to the stub via the recursive resolver
Oblivious DNS This is “you” Knows your identity, but not what DNS name you are asking for Knows what DNS name you are asking for, but not your identity
Yes, but… • The DNS is still DNS over UDP port 53 • But nothing prevents a oDNS stub using Do[THQ] to a recursive resolver. The recursive resolver has no knowledge of oDNS and process the DNS query like any other • The encryption is limited due to limited size and alphabet of the query name field
Oblivious DoH Use double TLS wrapper on a DoH transport to dissociate query name from stub identity This is “you” Knows your identity, but not what DNS name you are asking for Knows what DNS name you are asking for, but not your identity
Oblivious DoH • An outer TLS wrapper is used for the stub-to-oDoH Proxy hop and a different TLS wrapper is used for the oDoH Proxy-to-oDoH Target hop • The inner TLS wrapper is used to encrypt the DNS query, encrypted using the public key of the target • The response is encrypted using a session key generated by the client
Yes, but… • This requires a modified DNS stub resolver that can send and receive oDoH messages, an ODoH Proxy and an ODoH Target • Oh, and the ODoH Proxy and the ODoH Target must not collude! • But we can’t ensure that no collusion happens!
Where is this heading? • Will any of these DNS Privacy approaches becomes mainstream in the public Internet?
The DNS Economy • In the public Internet, end clients don’t normally pay directly for DNS recursive resolution services • Which implies that outside of the domain of the local ISP, DNS resolvers are essentially unfunded by the resolver’s clients • And efforts to monetise the DNS with various forms of funded misdirection (such as NXDOMAIN substitution) are generally viewed with extreme disfavour • Open Resolver efforts run the risk of success-disaster • They more they are used, the greater the funding problem • The greater the funding problem the greater the temptation to monetise the DNS resolver function in more subtle ways
The DNS Economy • The default option is that the ISP funds and operate the recursive DNS service, funded by the ISP’s client base • 70% of all end clients use same-AS recursive resolvers * • However the fact that is works today does not mean that you can double the input costs and expect it to just keep on working tomorrow • For ISPs the DNS is a cost department, not a revenue source • We should expect strong resistance from ISPs to increase their costs in DNS service provision • The DNS is also highly resistant to changes in the edge infrastructure 37 * https://stats.labs.apnic.net/rvrs
My Opinion • ISP-based provisioning of DNS servers without channel encryption will continue to be the mainstream of the public DNS infrastructure • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist • But that’s not the full story...
“Fragmented” DNS • Is appears more likely that applications who want to tailor their DNS use to adopt a more private profile will hive off to use DoH to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP- provided recursive DNS resolver • That way the application ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves • The prospect of application-specific naming services is a very real prospect in such a scenario
It’s life Jim, but not as we know it! • The progression here is an evolution from network-centric services to platform-centric services to today’s world of application-centric services • It’s clear that the DNS is being swept up in this shift, and the DNS is changing in almost every respect • The future prospects of a single unified coherent name space as embodied in the DNS, as we currently know it, for the entire Internet service domain are looking pretty poor right now! * Apologies to Trekkies! *
Thanks!

Recommended

2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
RIPE 82: An Update on Fragmentation Loss Rates in IPv6
RIPE 82: An Update on Fragmentation Loss Rates in IPv6RIPE 82: An Update on Fragmentation Loss Rates in IPv6
RIPE 82: An Update on Fragmentation Loss Rates in IPv6APNIC
 
RIPE 82: Measuring Recursive Resolver Centrality
RIPE 82: Measuring Recursive Resolver CentralityRIPE 82: Measuring Recursive Resolver Centrality
RIPE 82: Measuring Recursive Resolver CentralityAPNIC
 
ICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality
ICANN DNS Symposium 2021: Measuring Recursive Resolver CentralityICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality
ICANN DNS Symposium 2021: Measuring Recursive Resolver CentralityAPNIC
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoSAPNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 

Recommended

2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
RIPE 82: An Update on Fragmentation Loss Rates in IPv6
RIPE 82: An Update on Fragmentation Loss Rates in IPv6RIPE 82: An Update on Fragmentation Loss Rates in IPv6
RIPE 82: An Update on Fragmentation Loss Rates in IPv6APNIC
 
RIPE 82: Measuring Recursive Resolver Centrality
RIPE 82: Measuring Recursive Resolver CentralityRIPE 82: Measuring Recursive Resolver Centrality
RIPE 82: Measuring Recursive Resolver CentralityAPNIC
 
ICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality
ICANN DNS Symposium 2021: Measuring Recursive Resolver CentralityICANN DNS Symposium 2021: Measuring Recursive Resolver Centrality
ICANN DNS Symposium 2021: Measuring Recursive Resolver CentralityAPNIC
 
Thoughts about DNS for DDoS
Thoughts about DNS for DDoSThoughts about DNS for DDoS
Thoughts about DNS for DDoSAPNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
Experience Using RIR Whois
Experience Using RIR WhoisExperience Using RIR Whois
Experience Using RIR WhoisAPNIC
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersChika Yoshimura
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSAPNIC
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache PoisoningChristiaan Ottow
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
IETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSIETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSAPNIC
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOHAPNIC
 
DNS Openness
DNS OpennessDNS Openness
DNS OpennessAPNIC
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's askingAPNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPROIDEA
 
DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White PaperRyan Ellingson
 
Are we really ready to turn off IPv4?
Are we really ready to turn off IPv4?Are we really ready to turn off IPv4?
Are we really ready to turn off IPv4?APNIC
 
6421 b Module-04
6421 b Module-046421 b Module-04
6421 b Module-04Bibekananada Jena
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreOlle E Johansson
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 

More Related Content

What's hot

DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
Experience Using RIR Whois
Experience Using RIR WhoisExperience Using RIR Whois
Experience Using RIR WhoisAPNIC
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersChika Yoshimura
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSAPNIC
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timeAPNIC
 
IETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSIETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSAPNIC
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOHAPNIC
 
DNS Openness
DNS OpennessDNS Openness
DNS OpennessAPNIC
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's askingAPNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPROIDEA
 
Are we really ready to turn off IPv4?
Are we really ready to turn off IPv4?Are we really ready to turn off IPv4?
Are we really ready to turn off IPv4?APNIC
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreOlle E Johansson
 

What's hot (20)

DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
 
Experience Using RIR Whois
Experience Using RIR WhoisExperience Using RIR Whois
Experience Using RIR Whois
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache Poisoning
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
IETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSIETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNS
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's asking
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
 
DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White Paper
 
Are we really ready to turn off IPv4?
Are we really ready to turn off IPv4?Are we really ready to turn off IPv4?
Are we really ready to turn off IPv4?
 
6421 b Module-04
6421 b Module-046421 b Module-04
6421 b Module-04
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and more
 

Similar to 2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion

IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonPresentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonAPNIC
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Responsepm123008
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentAPNIC
 
DNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we useDNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we useAPNIC
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECCarlos Martinez Cagnazzo
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introductionyasithbagya1
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxUsmanAhmed269749
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
mnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHmnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHAPNIC
 

Similar to 2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion (20)

IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonPresentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC Deployment
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
DNS
DNSDNS
DNS
 
DNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we useDNS-OARC 38: The resolvers we use
DNS-OARC 38: The resolvers we use
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
 
How DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An IntroductionHow DNS works and How to secure it: An Introduction
How DNS works and How to secure it: An Introduction
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptx
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
mnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOHmnNOG 1: DNS privacy over DOH
mnNOG 1: DNS privacy over DOH
 

More from APNIC

APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 

More from APNIC (20)

APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 

Recently uploaded

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)Delhi Call girls
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 

Recently uploaded (20)

WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
@9999965857 🫦 Sexy Desi Call Girls Laxmi Nagar 💓 High Profile Escorts Delhi 🫶
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 

2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion

  • 1. DNS Oblivion Geoff Huston AM Chief Scientist APNIC Labs
  • 2. Why pick on the DNS? The DNS is very easy to tap and tamper • DNS queries are open and unencrypted • DNS payloads are not secured and tampering cannot be detected • DNS responses are predictable and false answers can be readily inserted
  • 3. Why pick on the DNS? The DNS is hard for users to trace • Noone knows exactly where their queries go • Noone can know precisely where their answers come from
  • 4. Why pick on the DNS? The DNS is you! • Because pretty much everything you do on the net starts with a call to the DNS • If we could see your stream of DNS queries in real time we could easily assemble a detailed profile of you and your interests and activities as it happens! • And in the Internet Surveillance Economy this profile information is highly valuable to all kinds of actors
  • 5. Countering DNS Surveillance • Can we stop DNS surveillance completely? • Probably not! • Can we make it harder to collect individual profiles of activity? • Well, yes • And that’s what I want to talk about today
  • 6. What’s the problem here? • Is the DNS label being queried a secret? • Well, not normally * ✵ Although there are DNS versions of steganography that can conceal data in the query string
  • 7. What’s the problem here? • Is the DNS label being queried a secret? • Well, not normally • Is the DNS response to a query a secret? • Again, not normally * ✵ Although there are DNS versions of steganography that can conceal data in the response value
  • 8. What’s the problem here? • Is the DNS label being queried a secret? • Well, not normally • Is the DNS response to a query a secret? • Again, not normally • So what is the issue here? • It’s the combination of query and the meta-data around a query that creates a problem: • The end user identity, from the IP packet header • The DNS label (or sequence of labels) being queried, from the payload • The date and time
  • 9. Let’s take a step back… Client DNS Resolver DNS Server How the idealised model of the DNS works
  • 10. What we suspect the DNS is like Client DNS Server DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver
  • 11. What we suspect the DNS is like Client DNS Resolver DNS Server DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver Corrupted host platforms Wireline and middleware Inspection and interception Resolvers that leak queries Servers that leak queries
  • 12. Second-hand DNS queries are a business opportunity these days
  • 13. How can we improve DNS Privacy? Let’s look at a few behaviours of the DNS and see what we are doing to try and improve its privacy properties
  • 14. QNAME Minimisation • A resolver technique intended to improve DNS privacy where a DNS resolver no longer sends the entire original query name to the upstream name server • Described in RFC 7816
  • 15. Yes, but… It’s a technique to minimise the information leak between a recursive resolver and authoritative servers, as stub resolvers pass the full query label to the recursive resolver So while it sounds good, its actually not a major improvement
  • 16. DNSSEC pixie dust • A DNSSEC-signed zone can be used to allow clients to verify that the DNS answer they that receive about an entry in that zone is authentic • A DNS response that has been modified will fail to validate under DNSSEC when: • a client asks a security-aware resolver to resolve a name, and • sets the EDNS(0) DNSSEC OK bit, and • the zone is DNSSEC-signed • A DNSSEC-validating recursive resolver will only return a RRset for the query if it can validate the response using the associated digital signature, and It will set the AD bit in the resolver response to indicate validation success Otherwise it will return SERVFAIL
  • 17. Yes, but… • The zone (and all its parent zones) must be DNSSEC-signed • If the recursive resolver performs DNSSEC validation (using the recursive resolver to validate is the most prevalent deployment model) then the all- important stub-to-recursive link is still vulnerable to interception and re- writing • And if your recursive resolver is performing the re-writing of the response then the stub is none the wiser if the stub does not perform DNSSEC validation • Stub resolvers don’t generally perform DNSSEC validation • It’s too slow!
  • 18. Middleware and WireTapping • If we want to make DNS surveillance harder we should look at encrypting the transport used by DNS queries and responses between stub and recursive resolvers • Today’s standard tool is Transport Layer Security, which uses a dynamically generated session key to encrypt all traffic between two parties
  • 19. DoT - DNS over TLS • TLS is a TCP ‘overlay’ that adds server authentication and session encryption to TCP • DoT uses a persistent stub-to-recursive relationship to amortize the setup costs of TCP and TLS over many subsequent queries • Which works efficiently in a stub-to-recursive scenario, but its not even a little bit efficient for recursive-to-authoritatives! • If the initial server name certificate is validated by the client then • The client can be assured (to some extent) of who it is talking to by name • No third parties can observe or intrude in the DNS queries and responses in this DoT session
  • 20. Yes, but… • The TCP session state is on port 853 • DNS over TLS can be readily blocked by CPE and middleware • DoT will generate a higher recursive resolver memory load as each client may have a held state with one or more recursive resolvers • The privacy is relative, as the recursive resolver still knows all about you and your DNS queries • And until ECH* in TLS 1.3 is widely supported, the identity of the TLS server is still in the clear, which also facilitates blocking even if the DoT session jumps over to use TCP port 443 * Encrypting the Server Name in the Client Hello message of TLS setup
  • 21. DoH - DNS over HTTPS • DNS over HTTPS • Uses an HTTPS session for the stub-to-recursive link • Similar to DNS over TLS, but with HTTP object semantics interposed between the DNS and TLS • Uses TCP port 443, so can be masked within other HTTPS traffic • Uses DNS wire format
  • 22. Why prefer DoH over DoT? • To bypass middleware blocking of TCP port 853 (DoT) • DoH allows the stub resolver function to be merged into the application at the client end and DNS resolver to be multiplexed at the server side (browsers and web servers) • HTTP object semantics allow for HTTP object caching in the client • This enables server-side HTTP push of DNS responses • Resolver-less DNS! • Can speed up transactions through pre-provisioning of DNS responses • Applications can switch to use DoH without waiting for the OS platform or the ISP service infrastructure to also support DoH
  • 23. Yes, but… • Aside from changing the TCP port to 443 there is little difference between DoH and DoT from a conventional DNS perspective • Most of the DNS issues with DoH are about the use of resolver-less DNS and content-based DoH-server switching using the HTTP framing shim, which are still largely speculative matters these days • Application-level DoH can be readily hidden from the platform and from the local network – this can be seen as a good or bad thing!
  • 24. DNS over QUIC • QUIC is a transport protocol originally developed by Google and passed over to the IETF for standardised profile development • QUIC uses a thin UDP shim and an encrypted payload • The payload is divided into a TCP-like transport header and a payload • QUIC allows for multiple DNS queries without TCP Head Of Line blocking DNS TLS TCP IP DNS QUIC UDP IP DOT DOQ
  • 25. Yes, but… • QUIC on UDP port 443 has issues with port blocking in middleware • There is little difference between DoQ, DoH and DoT from a conventional DNS perspective • The remote end recursive resolver still is privy to all your DNS queries and your identity
  • 26. Hiding in the Crowd • What if you use a DoT or DoH session to a very busy open resolver? • No third party can see you queries to the open resolver • Noone else can see the responses from the open resolver • The open resolver asks the authoritative servers which makes it challenging to map the query back to the end user • So if you you are prepared to trust Google, Open DNS, Cloudflare, Quad9, etc with your DNS, and you use DoH or DoT on the stub-to-recursive hop then its far harder for any third party to associate your identity with your queries
  • 27. I’m still uncomfortable • It the intention of all of these measures is to prevent a third party from known who I am and what DNS queries I make, then none of these approaches really work! • Is sharing my identity and all my DNS with Google* really a step forward in protecting my privacy? • I don’t pay Google • I don’t have a contract with Google • It’s not even clear if Google obey the laws of the country where I reside • So how am I “protected” here? * Or any other third party DNS resolution service provider
  • 28. Can we improve this? • A big part of the problem is being able to associate my identity with DNS queries • So can we break this association?
  • 29. Oblivious DNS (oDNS) • Uses the QUERY name to disassociate stub identity from query • Stub resolver encrypts the DNS query name into a new query name • Encryption uses the public key of a known oDNS server, and appends the name of the oDNS server to the encrypted query name • Stub resolver queries a ‘normal’ recursive resolver with this encrypted query name • Recursive resolver queries an oDNS server with this encrypted query name • oDNS server strips out its own name and decrypts the query name, and resolves this name • oDNS server encrypts the DNS response to send back to the stub via the recursive resolver
  • 30. Oblivious DNS This is “you” Knows your identity, but not what DNS name you are asking for Knows what DNS name you are asking for, but not your identity
  • 31. Yes, but… • The DNS is still DNS over UDP port 53 • But nothing prevents a oDNS stub using Do[THQ] to a recursive resolver. The recursive resolver has no knowledge of oDNS and process the DNS query like any other • The encryption is limited due to limited size and alphabet of the query name field
  • 32. Oblivious DoH Use double TLS wrapper on a DoH transport to dissociate query name from stub identity This is “you” Knows your identity, but not what DNS name you are asking for Knows what DNS name you are asking for, but not your identity
  • 33. Oblivious DoH • An outer TLS wrapper is used for the stub-to-oDoH Proxy hop and a different TLS wrapper is used for the oDoH Proxy-to-oDoH Target hop • The inner TLS wrapper is used to encrypt the DNS query, encrypted using the public key of the target • The response is encrypted using a session key generated by the client
  • 34. Yes, but… • This requires a modified DNS stub resolver that can send and receive oDoH messages, an ODoH Proxy and an ODoH Target • Oh, and the ODoH Proxy and the ODoH Target must not collude! • But we can’t ensure that no collusion happens!
  • 35. Where is this heading? • Will any of these DNS Privacy approaches becomes mainstream in the public Internet?
  • 36. The DNS Economy • In the public Internet, end clients don’t normally pay directly for DNS recursive resolution services • Which implies that outside of the domain of the local ISP, DNS resolvers are essentially unfunded by the resolver’s clients • And efforts to monetise the DNS with various forms of funded misdirection (such as NXDOMAIN substitution) are generally viewed with extreme disfavour • Open Resolver efforts run the risk of success-disaster • They more they are used, the greater the funding problem • The greater the funding problem the greater the temptation to monetise the DNS resolver function in more subtle ways
  • 37. The DNS Economy • The default option is that the ISP funds and operate the recursive DNS service, funded by the ISP’s client base • 70% of all end clients use same-AS recursive resolvers * • However the fact that is works today does not mean that you can double the input costs and expect it to just keep on working tomorrow • For ISPs the DNS is a cost department, not a revenue source • We should expect strong resistance from ISPs to increase their costs in DNS service provision • The DNS is also highly resistant to changes in the edge infrastructure 37 * https://stats.labs.apnic.net/rvrs
  • 38. My Opinion • ISP-based provisioning of DNS servers without channel encryption will continue to be the mainstream of the public DNS infrastructure • Most users don’t change their platform settings from the defaults and CPE based service provisioning in the wired networks and direct provisioning in mobile networks will persist • But that’s not the full story...
  • 39. “Fragmented” DNS • Is appears more likely that applications who want to tailor their DNS use to adopt a more private profile will hive off to use DoH to an application-selected DNS service, while the platform itself will continue to use libraries that will default to DNS over UDP to the ISP- provided recursive DNS resolver • That way the application ecosystem can fund its own DNS privacy infrastructure and avoid waiting for everyone else to make the necessary infrastructure and service investments before they can adopt DNS privacy themselves • The prospect of application-specific naming services is a very real prospect in such a scenario
  • 40. It’s life Jim, but not as we know it! • The progression here is an evolution from network-centric services to platform-centric services to today’s world of application-centric services • It’s clear that the DNS is being swept up in this shift, and the DNS is changing in almost every respect • The future prospects of a single unified coherent name space as embodied in the DNS, as we currently know it, for the entire Internet service domain are looking pretty poor right now! * Apologies to Trekkies! *