root hints vs RFC 8806

An interesting discussion came up at a nerd dinner :-), where the argument was that a recursive resolver already knows where the root servers are (root hints), i.e. the IPv4 and IPv6 addresses, so what is the purpose of running a local copy of the root zone in the recursive resolver, aka RFC 8806?

What are the root hints?

The root hints are a list of the servers that are authoritative for the root domain “.”, along with their IPv4 and IPv6 addresses. In other words, this is a collection of NS, A, and AAAA records for the root nameservers.
Source

Coming back to the question, let's look at a few assumptions:

  1. The root servers are going to be available at all times
  2. Even if the DNS query is not for a fully qualified domain name (FQDN), send the query to the root, aka send junk to the root
  3. Because my recursive resolver knows the IPv4 and IPv6 addresses of the root servers, and there are local instances of the root servers in the country, the DNS query to the root will hit the local instance

All the above assumptions are the reason recursive resolvers must embrace RFC 8806. For now, let's focus on the third point, because just knowing the IP addresses of the root servers is not enough: packets still have to reach the right server.

Aye Aye BGP!

Even if there’s a local root server instance in your country and your recursive resolver knows its IP address (from the root.hints file), the actual query might still transit outside the country due to BGP path selection inefficiencies. Case in point.

All root servers use IP anycast, which means:

  • The same IP address (e.g., for F-root: 192.5.5.241) is announced by multiple physical servers worldwide.
  • BGP determines which instance your resolver talks to, based on routing.

So even if:

  • A root server instance is in your country,
  • Your resolver queries 192.5.5.241 (from root hints),

…it could still be routed to another country, depending on how BGP steers the traffic at that time.

RFC 8806 suggests keeping a local copy of the root zone, which allows the resolver to:

  • Provide the same referrals the root server would give, but from memory/disk instead of waiting for a network response.

A recursive resolver with a local copy of the root zone shaves off the round-trip time (RTT) to the root servers entirely, thereby eliminating any inefficiency in BGP routing. This may not mean much in low-traffic environments, but if you are an ISP/network operator, shaving even 20–50ms per resolution adds up.

Despite high TTLs on DNS A and AAAA records, a local root zone is especially beneficial during a cold start, when the resolver has no cached data.

Stop sending junk DNS queries to core Internet infrastructure

While it may not be possible to fix all software and ensure full RFC compliance, we can certainly put measures in place to mitigate abuse of core Internet infrastructure, whether intentional or unintentional.

An added benefit? It also eliminates junk traffic to the root servers. From a make-the-internet-better perspective, that’s a net win!
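To make the two benefits concrete, here is a toy model of what a resolver with a local root zone does: it answers the root's part of resolution (referrals to TLD servers, and NXDOMAIN for junk names such as "wpad") from memory, so neither the RTT nor the BGP path to the root matters. This is an added example, not code from the original post or from any resolver; the zone excerpt is constructed (a.root-servers.net is a real root server, the ".in" nameservers are placeholders).

```python
from collections import defaultdict

# Constructed excerpt in root-zone style. a.root-servers.net is a real root
# server; the ".in" nameservers below are placeholders, not the real ones.
ROOT_ZONE_EXCERPT = """\
.                       IN NS   a.root-servers.net.
a.root-servers.net.     IN A    198.41.0.4
in.                     IN NS   ns1.registry.example.
in.                     IN NS   ns2.registry.example.
ns1.registry.example.   IN A    192.0.2.10
ns2.registry.example.   IN AAAA 2001:db8::10
"""


def parse_zone(text):
    """Return {(owner, rrtype): [rdata, ...]} from a minimal zone-file excerpt."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _cls, rrtype, rdata = line.split(None, 3)
        rrsets[(owner.lower(), rrtype)].append(rdata.strip())
    return rrsets


def glue_for(names, rrsets):
    """Collect A/AAAA glue for a list of nameserver names."""
    return {ns: rrsets.get((ns, "A"), []) + rrsets.get((ns, "AAAA"), [])
            for ns in names}


def local_root_lookup(qname, rrsets):
    """Answer what the root would answer, but from the local copy.

    Returns ("REFERRAL", zone, {ns: [glue]}) when a TLD delegation encloses
    qname, ("ROOT", ".", {...}) for the apex itself, and ("NXDOMAIN", None,
    None) when no TLD matches: junk queries never leave the resolver."""
    qname = qname.lower()
    if not qname.endswith("."):
        qname += "."
    if qname == ".":
        ns = rrsets[(".", "NS")]
        return ("ROOT", ".", glue_for(ns, rrsets))
    labels = qname.rstrip(".").split(".")
    # Longest enclosing suffix first: "icici.bank.in." -> "bank.in." -> "in."
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if (zone, "NS") in rrsets:
            ns = rrsets[(zone, "NS")]
            return ("REFERRAL", zone, glue_for(ns, rrsets))
    return ("NXDOMAIN", None, None)
```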

If you found this blog post useful, you might find RBI Cyber Security policy .bank.in and .fin.in interesting.

APRICOT 2025 – DNS RPZ tutorial

I recently delivered a hands-on tutorial at APRICOT 2025 on Blocking Threats at the DNS Layer: Using Response Policy Zones (RPZ) for Threat Detection & Mitigation. Thanks to CISA, DNS RPZ is now widely recognized under the broader umbrella of Protective DNS.

The goal was to introduce the power of DNS RPZ and demonstrate practical ways to deploy a DNS Firewall for blocking and mitigating threats at the DNS layer.

Figure 1: Swapneel Patnekar delivering a tutorial

While network operators understand the critical nature of DNS infrastructure, few realize that DNS can also serve as a chokepoint—or sinkhole—to disrupt malicious communications.

Aside from the usefulness of DNS RPZ in an enterprise network, DNS RPZ has immense value for a network operator.

Why should network operators leverage DNS RPZ?

One of the persistent challenges for network operators is that IP addresses from their customer networks end up on blocklists. This typically occurs due to malicious traffic (e.g., spam, malware, botnet C2) originating from infected or compromised devices within their network.

The upstream impact of this can be severe:

  • The customer is unable to access a particular website/service on the Internet: Web Application Firewalls (WAF) use blocklists/threat intelligence to block access to the website/application.
  • The customer is unable to make a payment online: fraud detection algorithms on the payment side use blocklists/threat intelligence to block access.
  • An enterprise customer is unable to send and receive email: the IP address assigned to the customer is listed in a blocklist database/threat intelligence feed.

A network operator can choose to:

  1. Block DNS queries to known malicious domains, or
  2. Redirect them to a sinkhole for analysis or remediation

This helps contain abuse before it results in IP reputation damage. For large-scale operators, contacting individual customers is not scalable.

⚠️ Important Caveat: DNS RPZ is effective only when the communication uses domain names. It does not block direct IP-based malicious communication.
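The block-or-sinkhole choice above and the caveat can be shown with a small QNAME-trigger evaluator. This is an added example, not code from the original post or from any resolver; the policy zone and query names are constructed, and only QNAME triggers are modelled. Note what the caveat means here: a connection made directly to an IP address never produces a query, so nothing in this function ever runs for it.

```python
# Constructed RPZ zone (owner names relative to the policy zone). The CNAME
# rdata encodes the action:
#   CNAME .             -> NXDOMAIN (block)
#   CNAME *.            -> NODATA
#   CNAME rpz-passthru. -> exception, answer normally
#   CNAME <name>        -> local data: redirect to a sinkhole for analysis
RPZ_ZONE = """\
malware.example        CNAME .
*.malware.example      CNAME .
tracker.example        CNAME *.
c2.example             CNAME sinkhole.example.
*.c2.example           CNAME sinkhole.example.
updates.c2.example     CNAME rpz-passthru.
"""

SPECIAL = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}


def parse_rpz(text):
    """Return {owner: rdata} for the CNAME-encoded QNAME triggers."""
    policy = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, rrtype, rdata = line.split()
        if rrtype != "CNAME":
            raise ValueError("only CNAME-encoded actions are modelled")
        policy[owner.lower()] = rdata
    return policy


def match_qname(qname, policy):
    """Closest matching trigger: exact owner for the name itself, otherwise
    the nearest enclosing wildcard (*.parent). None if no rule applies."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if i == 0 and suffix in policy:
            return suffix
        if i > 0 and "*." + suffix in policy:
            return "*." + suffix
    return None


def apply_rpz(qname, policy):
    """Return (action, detail): ("PASSTHRU", None) when unpoliced, a
    SPECIAL action with its trigger, or ("REDIRECT", sinkhole_target)."""
    trigger = match_qname(qname, policy)
    if trigger is None:
        return ("PASSTHRU", None)      # not listed: resolve as usual
    rdata = policy[trigger]
    if rdata in SPECIAL:
        return (SPECIAL[rdata], trigger)
    return ("REDIRECT", rdata)         # local data: send client to sinkhole
```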

If you found this blog post useful, you might find APNIC 52 – Threat Hunting using DNS or RPZ Feed list: OSINT Threat Intelligence for DNS Security or Open resolvers in India interesting.

Media and AI workshop to journalists

I was invited by the Department of Information & Public Relations, Belagavi to deliver a workshop on Media and AI to print and new media journalists.

My objective was to demonstrate a few of the different ways I use various AI chatbots and to point out some of the issues one needs to be careful about.

Figure 1: Swapneel Patnekar presenting a workshop on Media and AI

Figure 2 – Agenda of the workshop

OpSec best practices

The first thing I spoke about was being cognizant of the information that is shared with the AI chatbot. From an operational security (OpSec) perspective, this is extremely important.

I’ve seen people putting in PII and other sensitive information into the AI chatbot without knowing the implications of it.

Media and AI – Biases, logical fallacies and misinformation

Then, I introduced the journalists to Spinscore. Using AI chatbots, creating and modifying content is extremely easy, so it's important to separate facts from misinformation.

Welcome to SpinScore – an advanced AI tool designed to analyze and score potential biases, logical fallacies, and misleading information in content. Our system uses a combination of state-of-the-art Large Language Models and sophisticated mathematical algorithms to deliver comprehensive insights into the content you explore.

I’ve personally used Spinscore in the past few months and I have found it quite useful to uncover potential biases and incorrect information. I also tend to use it lately with my own writing to find my blind spots, so that I can improve my writing.

I encourage anyone, not just journalists, to use this tool to optimize their reading/writing of news on the Internet.

A large part of my presentation was spent on using various chatbots to translate text from a link or a video from English to Kannada or Marathi. If you have used an AI chatbot for translation of text, you will know it's not a hundred percent perfect.

I also spent some time on prompt engineering, explaining the methodology and demonstrating a few use cases to generate content based on topics such as industrial waste, climate change etc.

Self-hosted AI chatbot

And lastly, I showed what a self-hosted LLM using Ollama and OpenWebUI looks like.

Figure 3: Self-hosted AI Chatbot

The benefits of self-hosting and running a local AI chatbot are many.

The workshop gave an exploratory tour of using AI chatbots for translation of text and video, and for generation of text using prompt engineering.

My gratitude to the Department of Information & Public Relations, Belagavi for having me.

If you enjoyed reading this blog post, you might find Why I’m rejoining social media interesting.

Cybersecurity awareness session at St. Joseph’s Canossian Convent Higher Secondary School

I was tasked with educating bright young minds at St. Joseph's Canossian Convent Higher Secondary School on the do's and don'ts of cyber security hygiene. As the saying goes, catch them young!

Teaching and explaining Cyber security concepts and best practices to different age groups is a challenging exercise.

From setting unique passwords and enabling 2FA to the dangers of sideloading apps on Android phones, I covered a lot of ground and had an engaging session with lots of interesting questions.

Photo of Cyber security awareness workshop at St Joseph's Convent School, Belagavi

I am grateful to Sr. Mary Abraham, Principal, St. Joseph's Canossian Convent Higher Secondary School, and the PTA members for inviting me and organizing this.

The event has been covered by The Hindu.

If you would like to organize my session at your school/college in Belgaum, please contact me.

RBI Cyber Security policy .bank.in and .fin.in

The Reserve Bank of India (RBI), in its latest cyber security policy released on 7th February 2025, has mandated all banks to use .bank.in and non-banks (other financial institutions) to use .fin.in. The goal of the measures is to curb phishing attacks against citizens of India.

Figure 1: Snippet of RBI’s Cybersecurity policy

Notably, the Institute for Development and Research in Banking Technology (IDRBT) will be the registrar for the parent domain names (.bank.in and .fin.in).

Technical details

In a DNS context, I am guessing IDRBT would control the parent zones .bank.in and .fin.in and delegate for example icici.bank.in to ICICI Bank authoritative nameservers.

Similarly, zerodha.fin.in would be delegated to Zerodha authoritative nameservers.

IDRBT would be able to control the namespace and delegate child zones to the respective bank or financial institution.

Figure 2: Diagrammatic representation of possible delegation of bank.in and fin.in domain namespace

Limitations of the cyber security policy

In my opinion, this is an excellent move at the policy level from a cybersecurity perspective. There will be operational challenges from the perspective of the banks or financial institutions. I will reserve them for another blog post.

However, this measure will not eliminate all types of phishing/impersonation, typo-squatting or domain shadowing attacks.

Despite this, the RBI Cyber Security Policy aims to build trust in the namespace by restricting domain names for banks and non-banks to .bank.in and .fin.in, respectively. From a consumer’s perspective, this simplifies decision-making. As I mentioned earlier, this won’t eliminate all threats, but it is a good start and certainly better than the common advice banks give—checking for the padlock to ensure a website uses HTTPS!

At the time of writing, the delegation from .in at NIXI to IDRBT was not yet operational.

Figure 3: Delegation of bank.in and fin.in not yet implemented at NIXI

Note that implementation of the RBI cyber security policy starts from April 2025 onwards.

If you liked this blog post, you might also enjoy reading Jio VoWiFi issue – It's always DNS! or The curious case of esic.in DNS.

RPZ Feed list: OSINT Threat Intelligence for DNS Security

This page lists OSINT DNS RPZ Feeds for recursive resolvers to enhance security by blocking malware, phishing, and C2 domains. Submit your RPZ feed if it’s not listed.

Response Policy Zones (RPZ), aka DNS Firewall or Protective DNS (thanks CISA), is a solid way to use the DNS protocol as a defense. For a primer on DNS RPZ, please see the blog post.

URLhaus Abuse.ch – Primarily malware domain names

CERT.pl – Phishing domain names targeting Polish citizens

YOYO – Advertisement domain names

StevenBlack hosts – Advertisement domain names & others (malware, gambling, porn)

If you enjoyed reading this blog post, you might find APRICOT 2025 – DNS RPZ tutorial interesting.

Why I’m rejoining social media

Hello again! Starting today, I am back on these platforms (Facebook, Twitter, Instagram) after quitting them a long time ago. Here, I am outlining why I am rejoining social media.

I quit these platforms for a number of reasons, and I will not get into that here. If you are interested, I urge you to read the book "The Age of Surveillance Capitalism."

In the past couple of years, aside from building a cyber security company, I have tried my best to educate folks in my network by conducting seminars and workshops about some of the cyber scams and cyber security best practices. Rejoining social media will help me reach a wider audience.

One piece of consistent feedback I have received from many is that awareness of these cyber scams and cyber threats does not spread enough.

Considering that fellow Indian citizens lost ₹11,333 crore to cyber scams in the past year (2024) alone, as per data from the Home Ministry's Indian Cyber Crime Coordination Centre (I4C) division, it's a no-brainer that awareness and education are the need of the hour, and rejoining social media platforms makes sense.

The figure could be more than ₹11,333 crore, considering the folks who haven't reported their cybercrime.

Considering that, to many, Facebook, Twitter, Instagram etc. are the Internet, it would be foolish not to use these platforms.

I am flipping the switch today by rejoining social media and will be using these social media platforms to share the latest cyber scams and best practices in safeguarding your accounts and data.

If you are following me on any of these platforms, and feel this is noise or spam, please feel free to mute/block me 🙂

If you believe these cyber scams and best practices to counter these need to be amplified and shared with others, please spread the word.

For the nerds reading this, irrespective of how futile this attempt is, I am following OpSec practice by compartmentalizing each website in its own VM 🙂

If you enjoyed reading this blog post, you might find Media and AI workshop to journalists interesting.

Little Snitch Blocklists

What is Little Snitch?

Little Snitch is a network monitor & application firewall for macOS. On 21st May 2024, with the release of Little Snitch 6.0, a notable Blocklists feature was made available.

While the ability to add a custom blocklist existed in prior versions, it was a manual step. Little Snitch 6.0 changes that. Little Snitch 6.0 now provides a prepopulated list of blocklists for blocking Advertising, Malware, Tracking, Gambling etc.

Considering that the StevenBlack hosts file is one of the premier lists for blocking adware, I was surprised not to find the StevenBlack blocklist in the list.

The other nice addition to the list is URLhaus. At the time of writing, there were 183 malicious domain names in the list.

And the lists auto-update.

What is the advantage of blocking using Little Snitch over a browser extension like uBlock Origin?

I use both methods. But the Little Snitch method is more powerful because it covers network connections (adware/malware etc.) from any process in the operating system, not just those made from within the browser.

For example, Skype making a connection to dns.google will be detected and can be blocked using Little Snitch.

It’s also important to note that this method of blocking network communication using an application firewall like Little Snitch might not scale if the blocklist is pretty large.

For example, the newly registered domain names dataset will most definitely cause the application to misbehave. In such cases, nothing beats having protection by using a DNS Firewall/DNS RPZ (Protective DNS).

Open Snitch for GNU/Linux

On similar lines to Little Snitch, Open Snitch is a GNU/Linux application firewall. Though I have to mention that I haven’t tried it yet.

Little Snitch can also be used to capture network traffic of a specific process.

If you enjoyed reading this blog post, you might find root hints vs RFC 8806 interesting.

Exploring Geopolitics, International Relations and Strategic Studies

A post here after a long time. I have been going down the rabbit hole and exploring Geopolitics, International Relations, and Strategic Studies.

I am stoked to share that I will be part of the Graduate Certificate in Public Policy (GCPP) Defence & Foreign Affairs cohort that the Takshashila Institution offers, starting tomorrow.

While I have been self-learning in some areas of interest, such as geopolitics, international relations and India's foreign policy, I am looking forward to the course to gain a deeper understanding and to network with peers from various backgrounds in the Indian armed forces, public policy etc.

The classes will be held online on Saturday, requiring 4-5 hours in addition to the assignments and class work. It will be interesting to juggle my $dayjob and manage the class work and the deadlines, but as the saying goes, there is no gain without pain. 😀

One of my objectives in applying for the course was to understand these topics more deeply, as geopolitics and international relations play an important role in dictating the flow of events in the cyber threat landscape.

Thanks to my good friend Karthik Bappanad for the encouragement.