Here are some DNS-OARC development highlights from the past couple of months. These updates are usually sent out on a bi-monthly basis, but it’s been a while since the last one in July because I’ve mostly been working on internal projects, OARC 29 and some needed holiday. Previous updates can be found on our Medium blog.
dnscap v1.10.0 + IP (pseudo-)anonymization
Thanks to funding from Verisign, there are now 5 new plugins for dnscap that do various kinds of IP anonymization/deanonymization, which we hope will help our members comply with privacy requirements. The methods for (pseudo-)anonymization have been taken from RSSAC040, “Major Proposals for Methods of Anonymizing IP Addresses”.
- anonaes128: Anonymize IP addresses by encrypting them with AES128 (RSSAC040 4.1/4.3).
Since AES128 works on 128-bit blocks, an IPv4 address (32 bits) is padded by repeating it four times to fill the 128 bits (IPv4*4), and the output is then truncated to 32 bits, which means that it can’t be deanonymized. No modifications are needed for IPv6 since the address already fills a block and the output length is the same.
Thanks to help from Jim Hague (Sinodun) we have successfully tested interoperability with anonymization features of compactor/inspector and this plugin.
- anonmask: Pseudo-anonymize IP addresses by masking them as you do with netmasks (RSSAC040 4.4).
The default is /24 for IPv4 and /48 for IPv6, but both can be changed with command line options to the plugin.
- cryptopan: Anonymize IP addresses using an extension to Crypto-PAn (College of Computing, Georgia Tech) made by David Stott (Lucent) (RSSAC040 4.2).
The extension was picked instead of the reference implementation because it provides a deanonymization function, handles endianness and hopefully gives better randomness in the resulting anonymized addresses.
- cryptopant: Anonymize IP addresses using the library cryptopANT, a different implementation of Crypto-PAn, made by the ANT project at USC/ISI (RSSAC040 4.2).
- ipcrypt: Anonymize IP addresses using ipcrypt, created by Jean-Philippe Aumasson (RSSAC040 4.3).
Although the method was designed for IPv4 addresses, the plugin can handle IPv6 addresses too. When enabled by a command line option, it treats an IPv6 address as four IPv4 addresses and encrypts/decrypts each of them separately.
All of this, plus the full list of changes and links to the tarball and packages, is now available in release v1.10.0.
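To make the two simplest schemes above concrete, here is an added example in Go (not dnscap’s own code, which is C) that mirrors the behaviour of the anonmask and anonaes128 plugins: prefix masking with the /24 and /48 defaults, and the IPv4*4 padding plus 32-bit truncation for AES128. The key and the addresses (from the 192.0.2.0/24 and 2001:db8::/32 documentation ranges) are constructed for the demo; the function names are my own and not the plugin option names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"net"
)

// exampleKey is a constructed 16-byte AES-128 key for this demo only.
// In deployment the key is a secret loaded from a protected file.
var exampleKey = []byte("0123456789abcdef")

// MaskIP keeps only the leading v4Bits (IPv4) or v6Bits (IPv6) of an
// address, the way the anonmask plugin does with its /24 and /48 defaults.
// It normalises to the 4-byte form first: net.ParseIP returns a 16-byte
// slice even for an IPv4 address, and applying a 128-bit /48 mask to that
// representation would silently keep the whole IPv4 address.
func MaskIP(ip net.IP, v4Bits, v6Bits int) net.IP {
	if v4 := ip.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(v4Bits, 32))
	}
	return ip.To16().Mask(net.CIDRMask(v6Bits, 128))
}

// NewAES128 returns an AES-128 block cipher; the key must be 16 bytes.
func NewAES128(key []byte) (cipher.Block, error) {
	if len(key) != 16 {
		return nil, errors.New("anonaes128 needs a 16-byte key")
	}
	return aes.NewCipher(key)
}

// AnonAES128 follows the anonaes128 scheme: an IPv4 address is repeated
// four times to fill one 128-bit block, encrypted, and the ciphertext is
// truncated to its first 32 bits; an IPv6 address already fills a block
// and is encrypted as-is.
func AnonAES128(block cipher.Block, ip net.IP) (net.IP, error) {
	var in, out [16]byte
	if v4 := ip.To4(); v4 != nil {
		for i := 0; i < 4; i++ {
			copy(in[i*4:], v4) // IPv4*4 padding
		}
		block.Encrypt(out[:], in[:])
		return net.IP(out[:4]), nil // truncate: the other 96 bits are discarded
	}
	v6 := ip.To16()
	if v6 == nil {
		return nil, fmt.Errorf("not an IP address: %q", ip.String())
	}
	copy(in[:], v6)
	block.Encrypt(out[:], in[:])
	return net.IP(out[:]), nil
}

// DeanonAES128 inverts AnonAES128. Only the IPv6 case is invertible: for
// IPv4 the truncation threw away 96 ciphertext bits, so there is nothing
// to decrypt, which is exactly the one-way property described above.
func DeanonAES128(block cipher.Block, anon net.IP) (net.IP, error) {
	if len(anon) != 16 {
		return nil, errors.New("truncated IPv4 output cannot be deanonymized")
	}
	var out [16]byte
	block.Decrypt(out[:], anon)
	return net.IP(out[:]), nil
}

func main() {
	block, err := NewAES128(exampleKey)
	if err != nil {
		panic(err)
	}
	for _, s := range []string{"192.0.2.45", "2001:db8:1234:5678::1"} {
		ip := net.ParseIP(s)
		anon, err := AnonAES128(block, ip)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s mask=%-16s aes=%s\n", s, MaskIP(ip, 24, 48), anon)
	}
}
```

Two points worth noting for anyone evaluating these schemes: masking is stable across runs and needs no key, but it only coarsens an address rather than hiding it, whereas the AES output depends entirely on the key. The truncated IPv4 output has no decryption function, but whoever holds the key can still recompute the mapping for any address, so the key needs the same protection as any other secret.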
clang scan-build and LGTM
I’ve begun incorporating additional static code analysis software into OARC’s development processes.
DSC query/response time statistics
The next development work I will start on will be new indexers for the DNS Statistics Collector (DSC) that will gather statistics around the response time for queries.
The statistics gathered will be counters per response time bucket (with configurable bucket sizes, e.g. 0–10ms, 10–20ms and so on), and also counters for queries seen without a response, responses seen without a query, and queries/responses dropped from tracking because of memory limitations or timeouts.
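Since this work has not started yet, the following is an added sketch in Go of the counters just described, not DSC’s code: a query/response matcher with configurable buckets, a timeout, and a cap on outstanding queries, so that the query-only, response-only and dropped-tracking cases all show up. The matching key (client address plus DNS message ID) and the sequence of messages fed through it are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// PairKey identifies a query and its response. DSC's real matching key is
// not described above; this (client, message ID) key is an assumption.
type PairKey struct {
	Client string
	ID     uint16
}

// Event is one observed DNS message, timed as an offset from capture start.
type Event struct {
	At         time.Duration
	Key        PairKey
	IsResponse bool
}

// Stats holds the counters the text describes.
type Stats struct {
	Buckets      []uint64 // Buckets[i] counts RTTs in [i*Width, (i+1)*Width)
	Overflow     uint64   // RTTs past the last bucket
	QueryOnly    uint64   // queries whose response never arrived (timeout)
	ResponseOnly uint64   // responses with no outstanding query
	Evicted      uint64   // queries dropped to respect the memory limit
}

// Tracker matches responses to outstanding queries under a memory cap.
type Tracker struct {
	Width, Timeout time.Duration
	MaxPending     int
	pending        map[PairKey]time.Duration
	order          []PairKey // oldest first; may still list already-matched keys
	Stats          Stats
}

func NewTracker(width, timeout time.Duration, nBuckets, maxPending int) *Tracker {
	return &Tracker{Width: width, Timeout: timeout, MaxPending: maxPending,
		pending: make(map[PairKey]time.Duration),
		Stats:   Stats{Buckets: make([]uint64, nBuckets)}}
}

// expire counts and drops outstanding queries older than Timeout.
func (t *Tracker) expire(now time.Duration) {
	for len(t.order) > 0 {
		k := t.order[0]
		sent, ok := t.pending[k]
		if ok && now-sent < t.Timeout {
			return // oldest live entry is still fresh, so later ones are too
		}
		t.order = t.order[1:]
		if ok {
			delete(t.pending, k)
			t.Stats.QueryOnly++
		}
	}
}

// Observe feeds one message into the tracker.
func (t *Tracker) Observe(e Event) {
	t.expire(e.At)
	if e.IsResponse {
		sent, ok := t.pending[e.Key]
		if !ok {
			t.Stats.ResponseOnly++
			return
		}
		delete(t.pending, e.Key)
		if i := int((e.At - sent) / t.Width); i < len(t.Stats.Buckets) {
			t.Stats.Buckets[i]++
		} else {
			t.Stats.Overflow++
		}
		return
	}
	if _, dup := t.pending[e.Key]; dup {
		return // retransmitted query: keep the first timestamp
	}
	for len(t.pending) >= t.MaxPending && len(t.order) > 0 {
		k := t.order[0] // evict the oldest live query to stay under the cap
		t.order = t.order[1:]
		if _, ok := t.pending[k]; ok {
			delete(t.pending, k)
			t.Stats.Evicted++
		}
	}
	t.pending[e.Key] = e.At
	t.order = append(t.order, e.Key)
}

// RunExample feeds a constructed message sequence (not capture data) through
// a tracker with 10ms buckets, a 100ms timeout and room for two outstanding
// queries, and returns the resulting counters.
func RunExample() Stats {
	ms := time.Millisecond
	t := NewTracker(10*ms, 100*ms, 5, 2)
	q := func(at time.Duration, c string, id uint16) Event { return Event{at, PairKey{c, id}, false} }
	r := func(at time.Duration, c string, id uint16) Event { return Event{at, PairKey{c, id}, true} }
	events := []Event{
		q(0*ms, "A", 1), r(5*ms, "A", 1), // answered in 5ms -> bucket 0
		q(10*ms, "B", 2), q(12*ms, "C", 3),
		q(14*ms, "D", 4),  // third outstanding query: B is evicted
		r(20*ms, "B", 2),  // B's answer has no query left -> response-only
		r(27*ms, "C", 3),  // 15ms -> bucket 1
		r(30*ms, "X", 9),  // query never seen -> response-only
		q(120*ms, "E", 5), // D has waited 106ms: timed out -> query-only
		r(180*ms, "E", 5), // 60ms, past the last bucket -> overflow
	}
	for _, e := range events {
		t.Observe(e)
	}
	t.expire(events[len(events)-1].At + t.Timeout) // flush at end of capture
	return t.Stats
}

func main() {
	fmt.Printf("%+v\n", RunExample())
}
```

The eviction and timeout counters matter as much as the buckets: a spike in Evicted or QueryOnly tells you the cap or timeout is set too low for the traffic (or that queries are genuinely going unanswered), which would otherwise silently skew the response time distribution.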
This work is funded by NIC.AT and aims to be completed in January 2019.
Happy holidays and have an awesome 2019!