Public Stories, etc

2016 OARC Elections and AGM

The DNS-OARC 2016 Annual General Meeting will take place on the 15th of October at the start of the OARC25 Workshop, in Dallas, Texas, USA.

We are looking for nominations for candidates willing to serve a two-year term on the Board and contribute to the continued growth of OARC. The Board meets monthly by teleconference, and several times a year face-to-face, to review DNS-OARC operations. We expect our directors to actively contribute to the various ongoing email-based discussions and provide oversight & feedback as needed.

Submitted by keith on Thu, 2016-08-11 15:57

Root Zone Archive

With the assistance of its members and friends (especially AFNIC, RIPE, Paul Vixie, Duane Wessels, Peter Koch and Paul Hoffman) DNS-OARC has assembled a historical archive of the DNS root zone dating back to June 1999. This Root Zone Archive is a part of our larger project, the Zone File Repository.

Root Zone Trends

The following graph shows trends in the contents of the root zone:

Submitted by admin on Tue, 2016-07-19 14:28

OARC's Open DNS Privacy Resolver Testbed

How To Use OARC's DNS Privacy Resolver Testbed

OARC is pleased to offer dual-stack (IPv4 and IPv6), open DNS Privacy resolvers that anyone can use to experiment with secured DNS over TLS services (see RFC 7858). These listen for DNS queries over TLS on TCP port 853.

Two instances are available. One uses the ISI ANT T-DNS server proxy, with a back-end hooked into OARC's BIND ODVR server, which provides packet capture as well as some modicum of logging. The second uses Unbound as the front-end, which then forwards queries to the Unbound version of the ODVR service.

Submitted by keith on Mon, 2016-07-18 14:13

OARC General FAQ

What is DNS-OARC?

DNS-OARC is an Operations, Analysis, and Research Center focused on the global Domain Name System. DNS-OARC brings together researchers, operators, and vendors to provide continued analysis of DNS security and performance, to coordinate response to crisis situations, and generally to help make DNS safer and better.

How was DNS-OARC created?

DNS-OARC was created in 2003 by Internet Systems Consortium (ISC), a not-for-profit corporation based in Redwood City, California, and the Cooperative Association for Internet Data Analysis (CAIDA) based at the University of California San Diego. The National Science Foundation (NSF) provided initial sponsorship through a research grant (SCI-0427144).

Submitted by Anonymous on Tue, 2016-06-21 17:53

OARC's Open DNSSEC Validating Resolver

20 May 2016 UPDATE: ODVR DNS servers have renumbered! This page has been updated to reflect changes as appropriate.

7 June 2011 UPDATE: The .de zone is now fully signed and the corresponding DS Resource Record has been added to the root zone, so the testbed redirection has been removed from both resolvers.

4 October 2010 UPDATE: We have now added the .de DNSSEC Testbed to both resolvers.

How To Use ODVR

OARC is pleased to offer dual-stack (as in IPv4 and IPv6), open DNSSEC-validating resolvers ("ODVR") that anyone can use to experiment with DNSSEC. The IP addresses for ODVR nameservers are:

Instance   IPv4   IPv6
BIND 9   2620:ff:c000:0:1::64:20
Unbound   2620:ff:c000:0:1::64:21

You might like to manually query the ODVR nameservers with a tool such as dig. Be sure to add the +dnssec option:

$ dig +dnssec @

The AD bit in the response flags tells you that the reply data has been validated:

;; flags: qr rd ra ad; ...
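As an added illustration (not OARC's code), the Python sketch below builds the kind of query that dig +dnssec sends, with the EDNS0 DO bit set, and decodes the header flags of a response to check the AD bit. The response bytes are constructed for the example, and the function names are assumptions.

```python
import struct

# Header flag masks (RFC 1035, RFC 4035), in the order dig prints them.
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

def build_query(name, qtype=1, txid=0x1234, do=True):
    """Wire-format query with RD set and one EDNS0 OPT record.
    do=True sets the DO bit, which is what dig's +dnssec option requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE | version | DO + Z bits, RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if do else 0, 0)
    return header + question + opt

def flags_line(msg):
    """Render the header flags the way dig's ';; flags:' line does."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    (flags,) = struct.unpack("!H", msg[2:4])
    return " ".join(n for n, bit in FLAG_BITS.items() if flags & bit)

def is_validated(msg):
    """True when a response carries AD. This reflects validation done by
    the resolver only; as the page's FAQ notes, the channel between the
    resolver and the client is not protected by it."""
    shown = flags_line(msg).split()
    return "qr" in shown and "ad" in shown

def sample_response(query, flags):
    """Constructed sample: echo the query with a response flags word
    (no answer records), enough to exercise the header decoding."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

if __name__ == "__main__":
    q = build_query("example.com")
    for flags in (0x81A0, 0x8180):  # with AD, without AD
        r = sample_response(q, flags)
        print(";; flags:", flags_line(r), "-> validated:", is_validated(r))
```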

Another way to use ODVR is to place the following lines in your Unix /etc/resolv.conf file:


Windows users can manually set DNS servers in the Internet Protocol Properties dialog of a network connection.

Finally, the client you use to test against ODVR (such as dig) should let you select IPv4 or IPv6 through its options.

Trust Anchors

ODVR has been configured with the following list of trust anchors:

Zone   Key Verified   PGP Sig Verified

ODVR also validates against ISC's DLV registry.

Data Collection

OARC collects data from the ODVR nameservers and makes this data available to our members for research purposes.

Traffic Graphs

These graphs, updated nightly, show the number of queries received with and without the "DO" bit set, and the number of responses sent with and without the "AD" bit set.

Configuration Files


Frequently Anticipated Questions

Q: Does it mean all my DNS lookups are secure if I use OARC's validating resolvers?

A: No, probably not, for the following reasons:

  1. Most zones are not yet signed. Chances are that, for most of your DNS queries, there will not be any DNSSEC signatures. However, we expect this to improve over time as more and more zones take advantage of DNSSEC.
  2. Most end-user applications (think Web browser) and stub resolvers (a part of your computer's operating system) do not yet perform DNSSEC validation. This means that the channel between you and the OARC nameserver is still vulnerable to attack. In other words, security of the DNSSEC transaction is only guaranteed up to the point where the validation has been performed.

Q: Then why are you doing this?

A: A few reasons:

  1. So that you can play with DNSSEC without changing the configuration of your own nameserver.
  2. To convince you that a DNSSEC-validating resolver works almost exactly like a non-validating resolver and that you should go ahead and enable DNSSEC on your own resolvers.
  3. To collect and publish data on adoption of DNSSEC over time.

Q: Can I use ODVR nameservers to provide protection from Kaminsky-style spoofing attacks?

A: The answer is complicated and depends on a number of other factors. Generally, this should not be your motivation for using ODVR. If you are stuck using a DNS resolver with poor source port randomization then ODVR may make you more secure. However, a determined attacker could probably spoof answers that appear to come from the ODVR nameservers and give you bad answers.

Q: What is OARC's Privacy Policy for use of ODVR nameservers?

A: In line with OARC's mission, query data from our various testbed resolvers is logged and stored for non-commercial, public benefit research purposes. Users of the service should be aware this may include personally identifiable information. OARC has strict policies and processes in place, set out in the DNS-OARC Data Sharing Agreement, to limit access to this data to bona-fide OARC Members and researcher Participants.

Q: I thought open resolvers were a bad thing?

A: It's true that open resolvers are usually considered to be a problem and have been used — in combination with source address spoofing — to conduct large-scale DDoS attacks. Such attacks are made possible because (1) there are hundreds of thousands, if not millions, of open resolvers, and (2) their owners/operators are unaware of the openness. The ODVR nameservers are rate-limited and closely monitored. If we have reason to suspect abuse of the ODVR nameservers, we will act quickly to stop it. Please contact the OARC Admin if you have abuse concerns.

Q: Can DNS-OARC members have non-rate-limited access?

A: Absolutely. Write to the OARC Admin to find out how.

Submitted by admin on Mon, 2016-05-30 00:46

DNS-OARC facility relocation, 14th-18th May 2016

Please be advised that DNS-OARC will be relocating its equipment and services to a new facility during next week starting this Saturday, May 14th through Wednesday the 18th. There will be multiple sporadic outages during this time affecting ALL services and ALL systems as a result.

The main public and OARC Member-facing services, including websites, email, mailing lists, indico and jabber are planned to be re-located on Sunday 15th, and we hope to keep the total outage down to a few hours. Our dataset and analysis servers will be taken out of service on Saturday 14th, and are planned to be back in service late Monday 16th or early Tuesday 17th. All work is planned to be performed during daytime hours Pacific time (UTC-8).

Submitted by keith on Mon, 2016-05-09 22:16

OARC Data Catalog

One of OARC's functions is to collect and archive DNS-related data from its members. This data is available to members for research and operational use. Some of OARC's data is available through the secure member's portal. Other data is available via shell access from a read-only file server.

Members that require access to data must adhere to the guidelines outlined in the OARC Membership and Data Access Agreement.

Real-Time DSC Data

Submitted by admin on Mon, 2016-02-29 14:35

DSC - DNS Stats Collector

DSC (originally developed by The Measurement Factory and now developed by DNS-OARC) is a system for collecting and exploring statistics from busy DNS servers. It uses a distributed architecture with collectors running on or near nameservers sending their data to one or more central presenters for display and archiving. Collectors use pcap to sniff network traffic. They transmit aggregated data to the presenter as XML data.

dsc is configurable to allow the administrator to capture any kind of data that he or she chooses. A sample configuration is included that captures the following data:

  • Query types
  • Response codes
  • Opcodes
  • Source addresses or subnets
  • Query name TLD
  • EDNS parameters
  • Known types of DNS "pollution"

Submitted by admin on Wed, 2016-02-03 15:35

DNS Statistics Collector (DSC) - FAQ - What It Is, and Why You Should Run It!

What is DSC?

DSC is an application for collecting and analyzing statistics from busy DNS servers. The application may be run directly on a DNS node or may be run on a standalone system that is configured to "capture" bi-directional traffic for a DNS node. DSC captures statistics such as: query types, response codes, most-queried TLDs, popular names, IPv6 root abusers, query name lengths, reply lengths, and much more. These statistics can aid operators in tracking or analyzing a wide range of problems including: excessive queriers, misconfigured systems, DNS software bugs, traffic count (packets/bytes), and possibly routing problems.

Submitted by admin on Sun, 2015-11-15 12:41

OARC's TLDmon Service

OARC's TLDmon uses Nagios to monitor operational characteristics of authoritative nameservers for the Root Zone and all Top Level Domains. TLDmon checks for authoritative answers, EDNS support, lame delegations, consistent NS RR sets, open resolvers, expired RRSIGs, matching serial numbers, and TCP support. As the Domain Name System continues its evolution, it becomes increasingly important that these critical nameservers are configured correctly.

Submitted by admin on Wed, 2015-10-07 10:23