Introduction to DNS-OARC

The DNS Operations, Analysis, and Research Center (DNS-OARC) brings together key operators, implementors, and researchers on a trusted platform so they can coordinate responses to attacks and other concerns, share information and learn together.

DNS-OARC has five key functions:

  • Information Sharing. DNS-OARC provides a trusted, shared platform to allow the DNS operations community to share information and data. Stringent confidentiality requirements and secure communications mean that proprietary information can be shared on a bilateral basis.
  • Operational Characterization. As Internet traffic levels continue to grow, the demand on root and other key nameservers will outgrow the current infrastructure: this year's DDoS attack traffic levels will become next year's steady state load. DNS-OARC measures the performance and load of key nameservers and publishes statistics on both traffic load and traffic type (including error types).
  • Workshops. DNS-OARC organizes semi-annual workshops where members and the public are invited to give presentations on timely topics relevant to both DNS operations and research.
  • Analysis. Leading researchers and developers provide long-term analysis of DNS performance and post-mortems of attacks so that institutional learning occurs. A well-provisioned system allows members to upload traces and logs, and to perform their own analysis.
  • Tools and Services. As vulnerabilities and DNS problems come to light, DNS-OARC develops publicly available tools and services to assist with highlighting, diagnosing, and remedying such problems.

DNS-OARC participants fall into one or more of the following categories:

  • Operators of root, TLD, or large commercial nameservers who consume DNS technology and produce DNS services.
  • Implementers who produce DNS technology including software, appliances, and network elements such as load balancing hardware.
  • Researchers whose work has a strong DNS emphasis and who need access to trace and log data about the global DNS under both "normal" and "abnormal" conditions.
  • Security Providers whose companies offer products and services that utilize DNS information to improve the security of their customers.

To inquire about membership, or for any other questions, please contact the OARC Admin.

Submitted by wessels on Thu, 2008-07-03 22:40

2016 OARC Elections and AGM

The DNS-OARC 2016 Annual General Meeting will take place on the 15th of October at the start of the OARC25 Workshop, in Dallas, Texas, USA.

We are looking for nominations for candidates willing to serve a two-year term on the Board and contribute to the continued growth of OARC. The Board meets monthly, by teleconference, and several times a year face-to-face, to review DNS-OARC operations. We expect our directors to actively contribute to the various ongoing, email-based discussions and provide oversight & feedback as needed.

Submitted by keith on Thu, 2016-08-11 15:57

Mitigating DNS Denial of Service Attacks

The DNS protocol is, unfortunately, an effective Denial-of-Service attack vector for a few reasons:
  • DNS generally uses the connectionless User Datagram Protocol (UDP) as its transport.
  • Many autonomous systems allow source-spoofed packets to enter their network.
  • There is no shortage of Open Resolvers on the Internet.

These three factors mean that attackers can create large amounts of unwanted response packets by reflecting DNS queries off open resolvers. In such an attack, a DNS query is generated with spoofed source IP addresses belonging to the victim.

You can help reduce the effectiveness of these attacks by following the recommendations described below:

Submitted by wessels@dns-oarc.net on Wed, 2016-07-27 16:53

Root Zone Archive

With the assistance of its members and friends (especially AFNIC, RIPE, Paul Vixie, Duane Wessels, Peter Koch and Paul Hoffman) DNS-OARC has assembled a historical archive of the DNS root zone dating back to June 1999. This Root Zone Archive is a part of our larger project, the Zone File Repository.

Root Zone Trends

The following graph shows trends in the contents of the root zone:

Submitted by admin on Tue, 2016-07-19 14:28

DNS-OARC facility relocation, 14th-18th May 2016

Please be advised that DNS-OARC will be relocating its equipment and services to a new facility during next week starting this Saturday, May 14th through Wednesday the 18th. There will be multiple sporadic outages during this time affecting ALL services and ALL systems as a result.

The main public and OARC Member-facing services, including websites, email, mailing lists, indico and jabber are planned to be re-located on Sunday 15th, and we hope to keep the total outage down to a few hours. Our dataset and analysis servers will be taken out of service on Saturday 14th, and are planned to be back in service late Monday 16th or early Tuesday 17th. All work is planned to be performed during daytime hours Pacific time (UTC-8).

Submitted by keith on Mon, 2016-05-09 22:16

DITL Data Collection

A Day in the Life of the Internet is a large-scale data collection project initially undertaken by CAIDA and subsequently by OARC every year since 2006. This year, the DITL collection will take place in April. If you would like to participate by collecting and contributing DNS packet captures, please subscribe to the DITL mailing list.

Participation Requirements

Submitted by Anonymous on Sun, 2016-03-06 15:27

RSSAC 002

ICANN's Root Server System Advisory Committee has recently defined two standards, including RSSAC 002, designed to obtain a baseline of the metrics for the Root Zone, specifically so that root operators can detect and mitigate any abnormalities in the performance of the DNS Root Server System as it continues to grow and develop.

Submitted by admin on Fri, 2016-02-26 18:17

OARC's DNS Reply Size Test Server

Recent increases in DNSSEC deployment are exposing problems with DNS resolvers that cannot receive large responses.

The maximum reply size between a DNS server and resolver may be limited by a number of factors:

  • If a resolver does not support the Extension Mechanisms for DNS (EDNS), replies are limited to 512 bytes.
  • The resolver may be behind a firewall that blocks IP fragments.
  • Some DNS-aware firewalls block responses larger than 512 bytes.

The BIND resolver, since version 9.5.0, includes a feature to decrease its advertised EDNS receive buffer size (down to 512) when its queries time out. We've seen this lead to significant increases in TCP for DNSSEC-signed zones.

Submitted by admin on Thu, 2016-02-18 12:03

OARC 2015 AGM Board Election Results

The following candidates were re/elected to the OARC Board for 2-year terms:

  • Paul Ebersman (Comcast)
  • David Knight (Dyn)
  • Duane Wessels (Verisign)

OARC welcomes Paul Ebersman to the Board and congratulates him and the re-elected Board members on their successful election.

Our sincere thanks to Jim Galvin for his service and support to OARC over the past year.

Submitted by keith on Wed, 2015-10-14 13:46

OARC's TLDmon Service

OARC's TLDmon uses Nagios to monitor operational characteristics of authoritative nameservers for the Root Zone and all Top Level Domains. TLDmon checks for authoritative answers, EDNS support, lame delegations, consistent NS RR sets, open resolvers, expired RRSIGs, matching serial numbers, and TCP support. As the Domain Name System continues its evolution, it becomes increasingly important that these critical nameservers are configured correctly.

Submitted by admin on Wed, 2015-10-07 10:23