Domain Name System

Video in TIB AV-Portal: Domain Name System

Formal Metadata

Title: Domain Name System
Subtitle: Hierarchical decentralized naming system used since 30 years
License: CC Attribution 4.0 International. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date: 2018
Language: English

Content Metadata

Abstract: Whenever you enter a name into your computer, it resolves it to a numerical IP address. This resolution uses the Domain Name System (DNS), which is a hierarchical, decentralised naming system used on the Internet. DNS is organised in such a way that top-level domains (e.g. .com, .org) are delegated to registrars, which delegate subdomains (e.g. foo.com). This delegation is itself done via the DNS protocol, using nameserver (NS) records. Since different types of data are kept in DNS, it can also be seen as a distributed (and cached!) key-value store, which is fault-tolerant. I will explain the basic usage of DNS, including stub and recursive resolvers, servers, various protocol extensions (zone transfer, dynamic updates, authentication, notifications, ...), privacy extensions (query path minimisation, DNS-over-TLS), and provisioning Let's Encrypt certificates. I will talk about attacks (poisoning, amplification, ...) and implementation pitfalls (not getting stuck in the recursive resolver). I have implemented DNS with the above-mentioned extensions as minimized MirageOS unikernels over the past years.
Keywords: Security

[Music] because I'll talk is about to begin it will be domain name system the hierarchical decentralized naming system used since 30 years it will be by highness Mia not Mirage OS hacker who's been developing security protocols TLS OTR and others and is a coffee nerd please give him a round a warm round of applause welcome
thank you as Karen was mentioning I'm Hannes and I will talk about the domain name system this is a part of the foundations track at this conference so if you already know a lot of details about Dean as I don't expect you to learn anything new and if you don't know anything about DNS I hope to explain it to you so what is DNS all about well its purpose is to resolve human readable and
human memories able host names to IP addresses that is the only purpose of the Amandla Ness so it's basically very similar to a phonebook you may know it
from the old days it's a piece of paper or real book where you can look up a human name and find their phone number in a specific City but DNS it's actually not as static as a phonebook but this D centrally managed so we can push updates much more frequently and we have a the central and hierarchical delegation system so that people who own domain name they can update their records and DNS is used in a lot of applications and all around be in the Internet so there's a command-line utility called host on Linux and other UNIX operating systems and if you type in a host of events dot cccd or de which is the main website and so on you get a reply from this program and this program uses DNS so the protocol I'm talking here about in the background and requests record for it
obviously a host then can also fail if the name doesn't exist at all but here a host of events that CCC dot de returns an IP address which is 195 44 54 164 dot 66 what if Dean as well well dienes is specified by the IETF which is the internet Engineering Task Force as a collection of RFC's it started in November 1987 so more than 30 years ago with RFC 1034 and 1035 which specified the basics of the fundamental protocol on how to resolve those names into IP addresses and tina's has evolved over the time as you might be able to see here and DNS is nowadays maybe 20 30 or
40 different RFC so it's a quite complex protocol but the same basics and the same fundamentals are still used and since then as Dinah's is used since 30 years I expected to be used for another 50 years or so so I believe that we found out lift that we weren't out left in s so that Dinah's will be around when I die that's why I care about Dena's DNS
in other terms is a distributed key-value store which has been standardized and specified 30 years ago
it uses a hierarchical name system and it uses delegations to get some decentralization aspect in there it is it has a built-in redundancy and
built-in caching into the protocol itself so let's look how the names look in DNS so we saw as an as a first example even stats ECC da de and the name system as I mentioned is hierarchical so it is a tree like structure we have the root at the top the root is empty here and then below the root we have for example the top level domain de and the top level domain org and other top level domains then below the de we have also some second-level domains like CCC and various others here and then below CCC we have for example the events name so it's a tree like that respect each domain name so domain name is evinced on cccd consists of sequence of labels which are separated by the dot character so if you actually type even stop CCC da te the DNS protocol itself knows it is the top-level domain name is de then you have the second-level domain name which is CCC Nadi and the third level domain name is even start CCC dirty each label now may contain only alphanumeric characters which is a to z lower and uppercase and 0 to 9 and dashes but this may not be the first character the label length may be only between 1 and 63 characters and the textual representations of the representation using the dot format which is even stop CCC dirty for example has a maximum length of 253 characters the main names are case incentive insensitive so in any case in whichever
casing you ask a name the nest server for you will always get the same answer the data format the data format on the
wire is in respect to some requests so you your client or your resolver asks requests to some servers and the request is triple of a name which we just saw then a record type and the class the reply contains the very same information so a name type and a class but additionally it includes a time to live in length and data field and the data field is interpreted differently depending on the type the time-to-live field specifies an amount of seconds for how long this resource record may be cached so we have built in caching and cache timeout what are potential types or resource record types there's one which is the address which we just saw it's also called a record then we have other types like name server record which is also named NS instead of authority which is the WA the classes which we saw up here so it's a triple where we not discussed the name and the type and the class is usually used internet that is basically the only one used in today's networks but there are others as well as DNS was developed back then there's also a chaos net which is not really used these days how does the DNS packet look like so we have a request a request is this triple and the reply is set or a list of these triples together with had time to live vent some data a DNS packet has a header of 12 bytes that the first two bytes are some transaction ID so some identifier which is just a code from the echoed from the client to the server then we have the next 16 bits which are which contain flex the operation code and the return code and then we have four fields which are each two byte in length and they contain the amount of questions answers the amount of authorities and the amount of additionals and then after this twelve byte header we have arbitrary length of these things so an arbitrary number of questions well a number of questions are specified in the question count then answers then Authority and then an additional each of the questions as mentioned earlier is this triple and 
all the other fields are this whole structure so how does we've seen a host command now there's a different command called dick which is used for debugging and for looking into the as packets if I type into my laptop be the dick of the record type ace so I want to resolve the host name even start CCC de da de with an a record so I want to get the address record off of that and I'm asking now not my default resolver but a specific name server which is this NS dot c c cv da de which is an authoritative name server for that domain i get back as a textural representation year so dick also uses the DNS protocol in the backend and i get here as an answer back first I get the question repeated so I get even stats ECC's da te then I'm in the class internet and then I am using the resource record type a e so I'm interested in address records I also get an answer which is even stop CCC da te the time to live is 600 which is five minutes then also the class is in the record type as a and then the actual content the actual data is now the IP address we've seen it earlier then I get some additional information in the authority section I get which name servers are responsible for this domain so for even start si si si la de I also get time to live and then name server entries one is NS dot C CC dot dot C CC v dot the e and the other one is a nested si si si da de and then I get some additional information namely that an S dot c c cv v da de is has also an IP address down here so how does this whole delegation we have now seen names and the query how does the delegation system work together well first of all you need to set up your name service for the specific domain or subdomain so you need to insert into your name server some name server records and some sort of authority record and then for the subdomain you want to surf you need to insert into the super domain 7 - for example CCC da de you need to include the delegation that now my name servers are responsible for this 
subdomain what is this start of authority resource record type well it consists so if you you can also use dick to request other resource record types for example the start of authority as done here and then you get as an answer and I only copied the answer section here you get events at CCC da-te then a time to live again and
then you get the start of authority record that one contains first of all which name server this information originated from then an email address where the first ad is replaced by a dot character which is the responsible email address for that zone then a serial number which is here pretty high and then some timers when you should refresh things in the zone and what is the minimum time to live in that zone then if you ask for the name servers of events that CC 3 we just saw that as a part of the austerity section but if you specifically asked for the names of a records you get those two names of records back and you get as in the difficult section again an IP address in s works that you have now a service and servers have some delegation and the root of the system is part of the root servers so there they are organized or deployed by iana and every resolver or every client has information about which are the root name service and you can ask to do resolutions so how does the resolver work so on the other side we have a resolver and there are two kinds of resources one is an iterative one and forwarding one and I will go into detail of an iterative resolver so my UNIX my laptop for example asks by using the get host by name um API asks for the record for events that cccd and that one sends a query out to the local configured resolver which tasks for the resource record type a and then for the domain name even stats Ecco te what does the resolver do let's consider the resolver doesn't know anything apart from the root name service then it queries Oh what is the name server who was responsible for the de domain to the root name servers they reply with oh here's a list of name servers which are responsible for that the resolver then asks that name server one of these name service what is his name server for cccd that one replies with those name service then it asks oh who is responsible for events that CC da de and that one replies with the IP address this IP 
addresses then answered but the resolver to the get host by name unix function that's how an iterative resolution step works so you have noticed there are multiple packets in from the resolver sent to various other hosts and now here the host only have names but no IP addresses so how does the resolve actually know whose Zednik da de that is a problem which is also called glue so Deena's answer as we have seen earlier needs to include some IP address if the name servers inside of the domain of the responsible server so since even start CCC dot de since the names of a for CC v dot de is also responsible for CC v dot EE whenever you ask it for a name server and it says oh it's an S dot C C V da de it also needs to reply oh by the way Anniston c cv v dot ee has the following IP address because otherwise you wouldn't be able to find out which name server of which IP to ask the iterative resolution I just showed in the earlier slides um uses Korean name minimization to improve privacy that was a concept that you don't ask the top level so that you don't ask the root name server for the entire address for the entire domain name so you don't ask the root name server for who is even thought CCC da de and this is a privacy feature which has been standardized in 2016 and is nowadays deployed by at least some resources but not by all otherwise it is a privacy feature because otherwise you leak the information at the to the root server which host you are interested in what about caching well every resolver since there's a time to live for every resource record set every resolver can as well cache all the data and all the records and then used we use the cache in the cache data for new replies usually a set up looks like I have my laptop over here and then I have on my router likely DNS resolver forwarding resolver which doesn't do a turret of queries but which just various all the time another resolver run for example by my ISP and that we solve a run by my ISP is then asking 
the authoritative nameservers that is a common set up another set up another possible set up is that you just don't ask the ISP name server but you just ask you about her and the does interative queries the result record types I just showed to you with the three ones or not that is not a complete list there are many more some useful ones which I use quite a lot is for example a way to introduce aliases so if food or eggs
but come should always redirect to bar.example.com we can use a so-called cname or canonical name resource record that one will just reply to every query for foo.example.com independent of the resource record type which is requested with oh look at spot on example.com another resource record type is MX records or mail exchanges which contain a priority and the name of the mail server which is responsible for this domain then similar to the address records we also have what a records which are used for IP version 6 addresses so f4 IP version 4 and quad-a for IP version 6 tick C is a record which just contains some text data and it's used by a variety of protocols Adina's is an extension mechanism and the extension mechanism is also done just by using DNS and resource records types so they have an intro tackle extension mechanism which is pretty interesting and pretty nice so I mean DNS since it's 30 years old it has to be developed over time and you need to whenever you want to extend that you have to be sure to be backwards compatible because you have a huge deployed server and resolver base out there so you don't want to end up in interoperability problems with earlier versions Adina's has been developed a long time ago but there's next year Aflac day to say oh now it is actually required and service should behave well if there are eating as records requested by the client what transport does DNS use usually it uses UDP because it has a very low overhead only 8 bytes of header and a very low delay but you can also use DNS over TCP and that was actually
done if the reply is too big for UDP frame and then if the reply is too big it is just truncated at the point that let's say 512 bytes and a flag in the DNS header said that oh by the way this answer is now truncated and then the requester has to read request or can request the same request using TCP TCP then requires it to set up a whole TCP session TCP if you used in as over TCP it uses a very same packet format as we have seen earlier but it's prefixed by its by the length of the content in the e dienes resource record we just saw that contains or carries the Datagram size of the UDP of the maximum UDP packet what more about DNS well first of all if you want to register a second-level domain you are forced to run at least two or three of DNS servers which are in this row and IP networks in order to have some fault tolerance because some one IP network may be offline or the routing may be broken at any given time and in order to resolve your hostname you need to have another one so that clients will always be able to resolve that you can now since you are running multiple instances of the same data you need a way to synchronize that DNS has a methodology called zone transfer to do that within the protocol itself and this zone transfer used the serial numbers in order to compare with the zone transfers actually needed and also some timers which are part of the start of authority resource record that's all very much in the protocol encoded how you can do synchronization and for Thorens and Dunsey dns has also extensions in order to do dynamic updates the seven instead of having to restart your server whenever you reconfigured you have a in protocol update where you can say oh now let's add this domain name with this IP address or let's remove this domain name since now we have Dean as updates and only this time as for the secondary for the synchronization there's also a notification mechanism specified so the primary server when you do the updates where you do the 
dynamic updates that one then tells or notifies the secondary name servers to say oh by the way the serial number of my start of authority has increased please update yourselves and since sometimes if you want to do update you don't want to allow it to everybody and only filtering by IP addresses might be a bit weak there's an authentication mechanism called T SiC which usually uses hmx secret so she had secrets if you need to free share across the different servers but you can also use some taffy Hellman key exchange in that layer you can use DNS to do load balancing so if you encode multiple address records for the same name the server will reply with all of them in a random order to all of the clients so to all of the requesters and the requester
will pick the first one or again one it'll run at random and so if you have to read to address records for the same domain name the probability that roughly half of the clients will use one of the address records and the other half will use the other address is very high so we can actually do some sort of load balancing via DNS this is also called DNS round robin modernist features well there's some security mechanism which is which has been specified and standardized but it's not yet Nitori to use and it only protects valid mainly protects the iterative resolver the communication between the relative resolver and the authoritative nameservers there's DNS is also used for in a multicast setting for service discovery something like one of you or zeroconf that is all based on Dina's DNS can also use internationalized top-level domains and domain names by using some
Unicode encoding for them what are Dina's threats this on the one side censorship so any one who runs the
DNS server can filter domain name or if you use it in s resolver like the one from Google or the one from AT&T or the one from cloud fair they can at the central points filter domain names in there and don't give you any reply for example for domain names they don't like like liptint the library genesis dot orc
is in such a problematic situation in some countries there are people or some governments want to filter certain
websites and they do that by requiring all the ISPs to have filters for specific domain names cache poisoning is another threat so since tina's by default doesn't use any authentication and every request has a very low entropy so it's very aesthetic and attacker for example in the local network can can just reply with a huge amount of replies and will be will may be faster than the other one so the low entropy is because we only have the sixteen bits in the header as a transaction ID and apart from that we can only do some entropy by modifying the casing of the domain name and that's it basically we can also play with the UDP source port to get some more entropy what else is a threat is definitely user tracking so if you run a central resolver which is used by a lot of people you see a lot of information from from all of those people and you can track those people so you know about which domain names are around which the main demands are asks ask for and so on another issue which has been discovered in the yeah in DNS was amplification attacks so called amplification attacks and the issue here is that your request your DNS breakfast is usually very small so it has a 12-part header and then only contains the domain name type and class whereas the reply the response to it might be very very huge especially if
you used in DNSSEC and use a cryptographic signature on that, so the ratio between the bytes you requested versus the bytes which were replied with is very small. So as an attacker you can fake your IP address and ask a resolver, with your faked IP address, with a lot of very small packets, and that DNS server will then reply to that faked IP address with a lot of large packets. So you can amplify your attack: instead of putting all the packets to your victim directly you put them first to a DNS resolver, and the DNS resolver will amplify it and put that all on to the victim. DNS over TLS is
another privacy enhancement. It's specified in RFC 7858, and that's a connection between the caching resolver and the iterative resolver. So between your router and the iterative resolver you have to verify the certificate of the iterative resolver, and the iterative resolver needs to be trusted to avoid any man in the middle, and it protects against eavesdropping and modifications. So if you are in a country where DNS is censored you can use DNS over TLS in order to connect to some remote server in some other country where DNS may not be filtered, and you might happen to know some people who run such iterative resolvers and who are more trusted than your ISP servers. I think I'm now basically near the end of my talk. I will talk a bit about MirageOS, which is an operating system with a very tiny attack surface and fewer attack vectors than a UNIX system, and it's developed in a functional language called OCaml. And DNS and MirageOS, how does that fit together? Well, I implemented over the last years the DNS server and resolver, including dynamic updates, authentication using HMAC secrets. Let's Encrypt was also implemented by other people and I also integrated it there. We have persistent storage in a git repository and we can provision those Let's Encrypt certificates using the DNS challenge, so you can get a certificate from Let's Encrypt. How does that work? Well, the idea is you start a virtual machine, or a MirageOS unikernel, a so-called unikernel, with a static seed just
for a private key and an HMAC secret, and that one then generates a private key from the static seed and a certificate signing request. Now it requests the certificate from a DNS server, which uses another resource record type called TLSA, which is specified in the DANE project, and then if that certificate is found and the private key matches and the certificate is still valid then we continue and can serve some web server or some mail server. If it is not found then the certificate signing request is uploaded to the DNS server, and the DNS server is then periodically queried for a certificate. In the meantime another unikernel, which is a DNS server, is notified and communicates with Let's Encrypt and tries to provision that certificate. So that's how I do my deployments of DNS and self-signed and Let's Encrypt signed certificates. So I'm now at the end of the talk. To conclude, DNS is widely deployed and has been around for thirty years. I believe it will be around for at least another 50 years. It's a redundant and federated distributed key-value store and it already includes in-protocol caching and dynamic updates and authentication, so it's a pretty complete protocol. That's it for me, do you have any questions?
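Added example, not from the talk and not the speaker's MirageOS code: it builds a minimal DNS query with an EDNS0 OPT record using only Python's standard library, so the request/response size ratio behind the amplification attack described above can be measured, and then shows the two resolver-side mitigations an operator applies: answering recursive queries only for clients in allowed networks, and response rate limiting. The 3000-byte response size and the 192.0.2.0/24 network are constructed sample values.

```python
import ipaddress
import struct
from collections import defaultdict

def build_query(name: str, qtype: int = 255, edns_bufsize: int = 4096) -> bytes:
    """Wire-format DNS query carrying an EDNS0 OPT record (RFC 6891).
    qtype 255 (ANY) with a large advertised UDP buffer is the small request
    that invites a large answer; built here only so its size can be measured."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt

def amplification_factor(request: bytes, response_len: int) -> float:
    """Bytes the resolver sends to the spoofed victim per byte the attacker sent."""
    return response_len / len(request)

def recursion_allowed(client_ip: str, allowed_nets: list) -> bool:
    """Amplification needs an open resolver: serve recursion only to own clients."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed_nets)

class ResponseRateLimiter:
    """Simplified response rate limiting (RRL): cap identical answers to one
    client per time window, so a spoofed victim receives a bounded flood."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.seen = defaultdict(list)  # (client, qname, qtype) -> timestamps

    def allow(self, client_ip: str, qname: str, qtype: int, now: float) -> bool:
        key = (client_ip, qname.lower().rstrip("."), qtype)
        recent = [t for t in self.seen[key] if now - t < self.window]
        recent.append(now)
        self.seen[key] = recent
        return len(recent) <= self.limit

if __name__ == "__main__":
    q = build_query("example.com")
    # constructed: an ANY answer for a DNSSEC-signed zone can run to about 3000 bytes
    print(len(q), "byte query ->", amplification_factor(q, 3000), "x amplification")
```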
And the questions work as follows: you
stand up behind the microphones and then you are allowed a question, not a comment, and those of you leaving please leave quietly so that we can do the Q&A. We have a question from microphone number one. Yeah, I got a question regarding your
choice: what are your plans for 2019? Like, I think we have a new release of almond coming up, but what do you guys have in store for next year in general? I think
that's a bit out of scope for this talk, but we are organizing hacker retreats in Marrakesh again next year, and we have some plans for a next major version of MirageOS and also of integration with the DNS and automated Let's Encrypt things. I also want to integrate some DHCP stuff in there. We have some questions from microphone number two. What would
be, like, the pros and cons of using DNS for load balancing versus running a different, like a load balancer like HAProxy? Well, with a proxy you have at the
end a single point which needs to handle all the load, so which needs to handle all the connections. Whereas with the DNS-based load balancing you can just set up a set of servers which all get distributed load, but with a load balancer or with a proxy in front of that you have the advantage that you have a single point where all the connections are flowing, so you have a central instance. In some setups DNS round-robin is not very suitable but in others it is. So if you need some common shared state between all of the connections you better use a proxy and have the shared state somewhere, whereas if you don't have shared state, like if you have a static website or a static server, then you can use DNS round-robin and you don't lose anything. A next question from microphone number
two. Hi, in the last time I heard about techniques like DoH, DNS over HTTP, what are the pros and cons? Well, DNS over
HTTP is now an extension where you can, but you don't have to, use UDP or TCP, but you can transport DNS directly over HTTP, which is an advantage if you already speak HTTP and you are happy with Drazen and so on, but it also adds some, I mean some more work, some more data, because we need to do an HTTP request for getting that data. So there are some pros and cons in various setups, and the DNS working group at the IETF is currently discussing the whole DNS over HTTP in detail. So one disadvantage is that usually with DNS you use UDP and you have a very low delay, whereas if you use TCP you have to first do the connection establishment and you lose quite some round trips until you get to the point where you can send and receive data. I can see from the
signal angel we have a question from the internet: is there any extension useful for ham radio, like callsign
to domain name or vice versa? I didn't understand the question, can you repeat please? Is there any extension useful for ham radio? I unfortunately don't know that, but IANA, the Internet Authority for names and numbers, they have assigned all the resource record types and that is a central list and you can browse it, so you can maybe find it in there. There is still time for
more questions, so please get out of your seat if you have a question, there will be time for your question as well. Question from microphone number two please. Hey, my question is about GeoDNS,
and so for example if I want to connect to wikipedia.org from Singapore or from Europe, so I would connect to a different data center, how is that being handled by DNS? Well, DNS, it depends. So you can set up for example your DNS servers as anycast nodes, and anycast is this routing extension or routing mechanism where you have the same IP address at different geo locations and then the closest one is used. So using that mechanism you can have your data center in Singapore and your data center in Europe both sharing the same IP address for the name server, and then hand out in your Singaporean data center an IP address which is also hosted in Singapore and in your European data center one which is in Europe. You can also use, well, the one motivation for the DNS Flag Day for next year is to be able to deploy that, and to deploy having the ability as a client to add some information into the request about its own IP address. If you know at the server side that your client is hosted in Europe you can reply with an IP address that is also in Europe. So there are various mechanisms and you have to find out and choose which one is suitable for you. One more
question from microphone number two. Could you elaborate on DNS tunneling
attacks as a means to transport information, exfiltrate information out of an organization, like in order... Yes, exfiltration. Unfortunately I didn't talk too much about exfiltration, but certainly since DNS uses these domain names you can in a request already impose or include some information, like using the domain name and using an automatically generated domain name, or encode some information in the domain name, and then if you are in control over the server you can exfiltrate some data from the client or the client network to the server, which is very useful if you are in scenarios where your client shouldn't be able to connect to the outside but DNS is fine and DNS works. DNS also works via the proxies, so you can exfiltrate information using DNS and domain names, and then as well there are even implementations that you can talk IP over DNS. So if you are in some setup where, for example, a wireless network hotspot where all internet access is forbidden and you have to pay money for it but DNS is still open, then if you are in control over the server and over your client then you can actually communicate via DNS over that not-paid-for wireless hotspot. We're nearly out of time, we have two more questions, first from microphone number one. How useful do you judge DNS to ship certificates for other protocols like SMTP or for the web? I think that is very useful if we would have a trust chain in DNS, so for example using DNSSEC. If we have DNSSEC, we have a trust anchor, then we could ship any other certificates just via DNS. There's the DANE protocol, there's the DANE working group working on that extension, and I think the weakest point at the
moment is that DNSSEC deployment is not so huge, or is not widely deployed. So
the last question is from the internet: what do you think about using DNS services from big enterprises like Google, Cloudflare and so on concerning privacy? Yeah, you shouldn't use that. There are independent DNS resolvers run by nonprofit organizations which also have some data privacy laws and they don't log anything. So I would recommend to not use those 1.1.1.1 or 8.8.8.8, 9.9.9.9, do not use those centrally organized DNS resolvers, because there you don't pay anything but the company nevertheless gets all your data. What you should do though is thank Hannes for his talk.