[HN Gopher] Mess with DNS
___________________________________________________________________
Mess with DNS
Author : im2nguyen
Score : 580 points
Date : 2021-12-15 16:55 UTC (6 hours ago)
web link (jvns.ca)

| dharmab wrote:
| This is a neat tool! FYI, make sure the domain is registered with Safe Browsing in advance. If one subdomain is cataloged as malicious by Google the entire domain can be flagged. It can be a pain to deal with.
| kccqzy wrote:
| You need multiple subdomains to be flagged in order to cause the eTLD+1 domain to be flagged. But then since this is open for anyone to change, I imagine it's really easy to cross that threshold.
| AlexanderTheGr8 wrote:
| Hypothetically, what happens if a domain is catalogued as malicious? Also who catalogues it? If you haven't bought the domain from Google, the only thing that Google can do is not show the domain on google search results. Did I miss anything?
| dharmab wrote:
| Most major web browsers will display a scary red warning to visitors to your website. It can take days for a human at Google to fix the issue.
| tnorthcutt wrote:
| > If you haven't bought the domain from Google, the only thing that Google can do is not show the domain on google search results. Did I miss anything?
|
| I would imagine they might also show warnings in Chrome.
| iotku wrote:
| Pretty much all major browsers check against Google's safe browsing list so it's pretty much a death sentence to be on it.
| kccqzy wrote:
| Edge does not. Microsoft has their own thing.
| darau1 wrote:
| The tech is fantastic, and your writing skills also stood out to me. This is excellent work all around.
| lelandfe wrote:
| Julia's writing always feels breathable and fun.
|
| It's impressive to get technical stuff to be this friendly.
| nimbius wrote:
| "These tests are still a little flaky for reasons I don't quite understand"
|
| Jesus Christ, it's everything HN can do to just not pick up a book and do it yourself.
|
| If you want to understand DNS stop expecting people to spoon feed it to you from what little information they think they know wrapped in AWS microservices and start reading.
|
| O'Reilly books ('bind DNS') will teach you everything you ever wanted to know and more about DNS. You run your own DNS server on a laptop or wherever, and you read and practice to understand the technology.
| almostdeadguy wrote:
| Great job reading the article: she's talking about frontend E2E testing which literally has nothing to do w/ the mechanics of DNS. Every one of these frameworks I've used _is_ a bit flaky too, so this should be completely unsurprising to anyone who actually knows anything about this.
| xyzzy_plugh wrote:
| The tone of your comment is pretty inappropriate. The whole point of this is to _help_ people learn about DNS, including the author, who happens to be one of the most humble and helpful persons _on the internet_.
|
| No volume of books can be adequately substituted for _doing_ something, which this project enables handily.
|
| I'm sure you'll be downvoted to oblivion but maybe consider a more constructive approach, like opening a PR and helping the authors out.
| thomasballinger wrote:
| Note that this sentence was about browser-based integration tests. Browser automation has come a long way, but even on very frontend-fluent teams I've been on we had a few flakey tests, and browser-based integration tests are sometimes flakey in ways that are difficult and tedious to debug! Not understanding why doesn't necessarily indicate any lack of understanding of DNS.
|
| But maybe it increases the odds of a "Let's understand Playwright!" post in the future!
| krisrm wrote:
| I don't really agree with the tone of your comment, and why would you cite a section of the article where the author was talking about a front-end testing framework?
| warent wrote:
| Someone is missing knowledge, admits it, and this somehow inflames you? They created a free tool. Nowhere do they claim that this is a comprehensive replacement of a full O'Reilly book.
| [deleted]
| throwaway894345 wrote:
| Some of my fondest memories were learning programming and then infrastructure engineering in bits and pieces while so many "veterans" at the time pissed and moaned about how the One True Way to learn was reading O'Reilly books.
|
| A decade into my career, I'm pretty sure I out-earn nearly all of them despite them having a solid decade on me. Of course, income is a fallible indicator, and to the extent that it's accurate, I don't think the difference is "reading books vs Googling" but rather (if I had to guess) some handicap that correlates with bitching about how other people learn on the Internet.
| m1ckey wrote:
| Life is too short for that.
|
| It is incredibly valuable to have a basic understanding of many things. Julia just built a tool which will help me learn the basics of DNS in 20min.
| NelsonMinar wrote:
| This tool is so neat! One thing I've learned from it is my ISP (sonic.net) seems to be doing queries to _.example.com. For instance:
|
| $ dig @50.0.1.1 nelson.lily6.messwithdns.com a
|
| Results in two queries being answered by the messwithdns server. One for nelson.lily6.messwithdns.com as expected, but also one for _.lily6.messwithdns.com.
|
| Any guesses what that naked underscore query is for? Not every nameserver does it (Cloudflare, Google, Quad9, and Adguard all don't). But Sonic isn't the only one that does.
|
| I've asked on Twitter and the best guess right now is it has something to do with RFC2782 or RFC 8552. But those are about using _ to make unique tokens that aren't likely domain names, things like _tcp or _udp. What would a naked _ mean?
| WakiMiko wrote:
| Very cool project!
|
| It's interesting to see how different DNS providers cap the maximum TTL.
|
| Google uses 21600s
|
| Quad9 uses 43200s
|
| Cloudflare does not cap at all!
|
| And my personal unbound uses 86400s (which is the default)
| blakesterz wrote:
| Julia Evans continues to do so many cool projects! The blog, the zines, now this, such great work! It always amazes me when one person can create so many useful things.
| luketheobscure wrote:
| I had a few tasks last month that https://nginx-playground.wizardzines.com/ really helped with.
| pknerd wrote:
| Because she loves it! She also covers her strategy here (https://jvns.ca/blog/2021/09/20/teaching-by-filling-in-knowl...)
| beardyw wrote:
| Looks like hug of death. Nice when it was going.
| jvns wrote:
| Restarted the server and it should be back up for now :). Here's the culprit:
|
| > 2021/12/15 18:39:10 http: Accept error: accept tcp [::]:8080: accept4: too many open files; retrying in 1s
| 300bps wrote:
| _What's happening... when I set a long/short TTL?_
|
| Real answer: many ISPs' DNS servers are set to ignore whatever you set and use a value they feel works best for themselves.
| rwbhn wrote:
| Relevant: https://jvns.ca/blog/2021/12/06/dns-doesn-t-propagate/
| m3047 wrote:
| Very cool.
|
| dig 'a test.hazel10.messwithdns.com' txt +short
| "test"
|
| If the owner of the site contacts me I'm happy to discuss...
| maartenh wrote:
| Nice!
|
| A month ago, I scripted https://github.com/moretea/browsers-with-fake-dns as an alternative to editing /etc/hosts. It's a docker container with a BIND DNS server, and chrome/Firefox reachable via webvnc
| anonymousiam wrote:
| And then there's this too:
|
| https://blog.benjojo.co.uk/post/dns-filesystem-true-cloud-st...
| Kototama wrote:
| Very smart idea and great execution.
|
| Allowing to experiment _quickly_ on infra/devops knowledge is the key and tools like Ansible are useless for that.
| [deleted]
| who-shot-jr wrote:
| This looks great!
| jfrunyon wrote:
| > I needed to write an authoritative DNS server
|
| Why not just... use an authoritative DNS server?
|
| > I think I'm doing a pretty bad of following the DNS RFCs
|
| Yeah, probably, which makes this experiment much less worthwhile than just... doing the same thing on an _actual_ DNS host.
|
| BTW, experimentation is no replacement for training/education/experience. Just because an experiment results one way on the computer you're testing with, doesn't mean it will resolve the same way in another browser - or on another OS - or even just on a different ISP(/resolver).
|
| > finding out who owns IP addresses with an ASN database - When a DNS requests comes in, it comes from an IP address. I wanted to tell users who owns that IP address (Google? Cloudflare? their ISP?). The obvious way is to do a reverse DNS lookup. But what if that doesn't work?
|
| Or just use one of the many databases that exists for exactly this purpose (and are free, like MaxMind's GeoLite ASN). Except, oh wait, you did do that (although with some random, auto-scraped database). Not sure what the point of rDNS is.
|
| > I do a database write every time a DNS request comes in
|
| Why? There's no reason to store that info on disk. As you say, "I could easily clear out old requests every hour and it probably wouldn't make a difference"
|
| > let's talk about security
|
| Sure, except you skipped over the "huh, I'm sharing cookies across all these people because I'm not on the PSL". But at least "the website's domain" isn't sharing cookies with 'em too?
|
| Oh, and you also skipped over things like whether or not your roll-your-own DNS server is vulnerable to being used as an amplification vector (probably).
|
| > I have one main opinion about programming, which is that deeply understanding the underlying systems
|
| It's a shame she doesn't deeply understand the underlying systems she's using.
| rektide wrote:
| There's another AWS outage, & presently the top comment is talking about us as barbarians that have stumbled into fancy hot baths & are amazed but have no idea how to keep them running. And a wonderful follow-up reply[1] talking about living in an apartment in a storm versus living in a cave during a storm. It presents another severe image of how much drift there has been in the world, how much more built up, but how we ourselves are not necessarily more advanced, smarter, wiser.
|
| It's work like this (Mess with DNS). This is the stuff. Revealing, experimenting, inviting people in. Tech that illuminates & shows off, that is there to explain & help create understanding. This is the stuff, this is what keeps humanity powerful & competent & connected. Tech does a lot for us, but when it helps us become better wiser more creative people, when it reveals itself & the world: that holds a very dear place in my heart, is the light & heat in a vast cold and dark universe. I love this project. It's a capital example of revelatory technology, of enlightening technology.
|
| [1] https://news.ycombinator.com/item?id=29568078
| Karrot_Kream wrote:
| Julia Evans's cool stuff aside (and it is _very cool_, we need all the high quality didactic material we can get!), all this info _is_ on the net. I'm always surprised when I see engineers (like in that linked post) who don't understand how to do things like regional failovers, DNS load balancing, load balancing strategies, load shedding, circuit breaking, AZ balancing/failover, etc. These are pretty standard concepts in the world of high reliability net services, writing the code is the easiest part!
| I guess that says a lot about the problem domain I'm in and how different reliability guarantees tend to be in other problem domains.
| rektide wrote:
| I've never seen anything at all as interactive & playful as this. Nothing that comes close. All in one, designed to create the experience of DNS. It's in the name: Mess with DNS. That makes it far far far & away different
|
| And I think that makes all the difference. I tend to believe very strongly in hands on experience, think that seeing things happen yourself & getting to play is by far the best way to learn, just incredibly surpassing.
|
| There's a theory of education called Constructivism[1] that is broadly similar. Adherents include folks like Seymour Papert[2], creator of Logo, employee at One Laptop Per Child (which I think is the most interesting & innovative software environment we've ever created, vastly under-appreciated). Projects like Logo are supposed to create that hands on feedback, to make programming not just writing scripts & having programs run, but ways to see the code really execute, to create more interactive modes.
|
| With software eating the world, it is so so so important to me not just to create knowledge, to tell tales of what software is, but to let people have the experience themselves. To create playgrounds to meddle, to mess around. I wish so much that applications could actually show & explain what they are doing, what's inside of them, could reveal their workings, but we're so far away from that Enlightened world, we've fallen into such deep shadows imo.
|
| (Side note, I see things very differently, but I also am disappointed folks would downvote your perspective like this. As for the lack of knowledge/experience, I'd say that most engineers don't have familiarity because there's not a lot of opportunities to set up & learn systems work; most coders spend their time coding, not setting up bits of infrastructure to run code on. You yourself also say "writing the code is the easiest part", which underscores just how complex/inter-related/particular all the systems/infrastructure stuff is, how probable it is engineers might not feel fully competent or brave enough to engage.)
|
| [1] https://en.wikipedia.org/wiki/Constructivism_(philosophy_of_...
|
| [2] https://en.wikipedia.org/wiki/Seymour_Papert
| Karrot_Kream wrote:
| > I've never seen anything at all as interactive & playful as this. Nothing that comes close. All in one, designed to create the experience of DNS. It's in the name: Mess with DNS. That makes it far far far & away different
|
| Oh absolutely! I don't mean to diminish this. The ability to interact and play also works very well for my own learning.
|
| > There's a theory of education called Constructivism[1] that is broadly similar. Adherents include folks like Seymour Papert[2], creator of Logo, employee at One Laptop Per Child (which I think is the most interesting & innovative software environment we've ever created, vastly under-appreciated). Projects like Logo are supposed to create that hands on feedback, to make programming not just writing scripts & having programs run, but ways to see the code really execute, to create more interactive modes.
|
| +100
|
| > With software eating the world, it is so so so important to me not just to create knowledge, to tell tales of what software is, but to let people have the experience themselves. To create playgrounds to meddle, to mess around. I wish so much that applications could actually show & explain what they are doing, what's inside of them, could reveal their workings, but we're so far away from that Enlightened world, we've fallen into such deep shadows imo.
|
| You bring up a good point overall about the lack of interactive materials for engineers/students/interested folks. I also suggest opening up any cloud provider (cheap for playing around is probably better!) and trying these things with services like Traefik (which are easy to configure/play with). Try to do some multi-region failover stuff, observe what happens with different load balancing strategies, that sort of thing. It reminds me a lot of watching videos about setting up IP networks, stuff like Cisco certification material.
|
| You've given me some food for thought on educational materials for sure.
|
| > As for the lack of knowledge/experience, I'd say that most engineers don't have familiarity because there's not a lot of opportunities to set up & learn systems work; most coders spend their time coding, not setting up bits of infrastructure to run code on. You yourself also say "writing the code is the easiest part", which underscores just how complex/inter-related/particular all the systems/infrastructure stuff is, how probable it is engineers might not feel fully competent or brave enough to engage.
|
| Yeah this stuff isn't easy and operational work is often a different skillset than writing code.
| ASalazarMX wrote:
| Humans individually are pretty useless. Abandon a random human in a jungle and they will likely perish soon no matter how smart and well educated they are.
|
| The strength of humanity is teamwork, working together to build things other groups can build things upon. Abandon 100 random humans in the same jungle and they will build a town.
| robrorcroptrer wrote:
| How many would actually be able to build anything if it was purely random? How many tries of 100 people batches until they've built something?
|
| Not arguing, just questions that came into my mind.
| ASalazarMX wrote:
| Random people would have the most varied set of skills. A single person can have skills that are useless for surviving in the jungle, but if any of the 100 people has a good enough idea of what to do, the rest can help.
|
| Even non-random groups like your coworkers or immediate neighbors can have unexpected skills that will make you feel dumb.
| s_dev wrote:
| > Abandon 100 random humans in the same jungle and they will build a town.
|
| https://en.wikipedia.org/wiki/Lord_of_the_Flies
|
| I'm not sure -- but I do think it would be interesting how that would turn out. Australia was founded in this sort of fashion. I think there's a bit more nuance though.
| gruez wrote:
| except that's fiction, and this is non-fiction: https://en.wikipedia.org/wiki/Tongan_castaways
| Lammy wrote:
| > The strength of humanity is teamwork, working together to build things other groups can build things upon.
|
| This is why I don't trust anybody who tries to tell me that human population growth is an actual problem and not just our rulers' fear of irrelevance.
| harikb wrote:
| On the security aspect, I wonder how this site affects services that do domain ownership verification [1] where they assume that only a person who owns the domain can edit DNS records. I think the letsencrypt ACME protocol [2] does it for SSL certs too. This site does create a subdomain for every user, so maybe these issues don't apply.
|
| [1] https://support.google.com/a/answer/183895?hl=en
|
| [2] https://letsencrypt.org/docs/client-options/
| isclever wrote:
| At least for certificate issuance they can turn it off via a CAA record:
|
| https://en.wikipedia.org/wiki/DNS_Certification_Authority_Au...
| tialaramex wrote:
| One inconvenience is that although RFC8657 explains _how_ to tell a CA that it must use particular methods, the most obvious public CA (Let's Encrypt) has not shipped RFC8657 support. So you can write a CAA record which says "Only Let's Encrypt may issue" or indeed say "Only Sectigo may issue" but you cannot write a record which says e.g. "Only Let's Encrypt may issue, and they must use the tls-alpn-01 method". Or rather, you can write that record but it won't work.
|
| Now, there are a bunch of things you could do about that, and I believe this cool toy does one of the obvious ones: Don't have any certificates for the problematic domain. The web site isn't in the domain you can mess with. But it would be nice if Let's Encrypt got to this; periodically I check, and so far each time somebody has pestered them for RFC 8657 recently, so I don't pile on since that's unhelpful.
| mlyle wrote:
| Generally a dot is used as a barrier for these, because otherwise you need to have an infinite (and changing) list where users are allowed to register subdomains. .ac.uk vs. .com, etc. Not to mention that there are some of these domains where the policy is _changing_ and there are both delegates and toplevel domains.
|
| If you don't trust across separator boundaries you're mostly safe. That is, mytxt.foo.com shouldn't be blindly trusted for my.subdomain.foo.com, nor should mytxt.subdomain.foo.com be trusted for foo.com.
|
| IMO the biggest concern is with organizations that blacklist domains for various reasons, because they are not eager to just build very fine-grained blacklists.
| RKearney wrote:
| I would think it would fall on the zone operator to properly configure a CAA record to restrict issuance by an unauthorized CA.
| xyzzy_plugh wrote:
| There's also the public suffix list: https://publicsuffix.org/list/
|
| It's probably a good idea for the author to add this project to the list.
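Editor's note. WakiMiko's TTL-cap figures and 300bps's point that ISP resolvers substitute their own TTL are easy to reproduce once you control a record with a long TTL (which is exactly what Mess with DNS hands you). The script below is an added example, not code from Mess with DNS or from anyone in the thread: it builds a raw DNS query, parses the wire-format reply (including RFC 1035 name compression) and reports the smallest TTL each resolver returned. The resolver addresses 8.8.8.8, 9.9.9.9 and 1.1.1.1 are Google, Quad9 and Cloudflare; the transaction ID 0x1234 and the sample packets are constructed by hand for the offline check and are not captured traffic. Query each resolver once and read the first answer: a cached answer counts down on repeat queries, so only the first value shows the cap.

```python
"""Measure the TTL a recursive resolver returns for a record you control.

Added example, not code from Mess with DNS. Publish a record with a long
TTL (say 604800), then run:  python3 ttlcap.py <name> [resolver-ip ...]
Resolver list and the 0x1234 ID used below are assumptions.
"""
import secrets
import socket
import struct
import sys
from typing import List, Optional, Tuple

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'test.example.com' -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: Optional[int] = None) -> bytes:
    """Standard query, RD=1, one question, no EDNS."""
    if txid is None:
        txid = secrets.randbits(16)  # unpredictable ID: harder to blind-spoof a reply
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels: List[str] = []
    end: Optional[int] = None  # end position in the original (unjumped) stream
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 4.1.4
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            hops += 1
            if hops > 64 or ptr >= off:  # pointers must point backwards; no loops
                raise ValueError("bad compression pointer")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answers(msg: bytes, expect_id: Optional[int] = None):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expect_id is not None and txid != expect_id:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0xF, answers


def query_ttl(resolver: str, name: str, timeout: float = 3.0) -> Optional[int]:
    """Ask `resolver` for name/A over UDP; return the smallest answer TTL or None."""
    q = build_query(name)
    txid = struct.unpack("!H", q[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    rcode, answers = parse_answers(resp, txid)
    if rcode != 0 or not answers:
        return None
    return min(ttl for _, _, ttl, _ in answers)


# Constructed offline sample: query 0x1234 for test.example.com/A and a reply
# whose answer name is a pointer (0xC00C) back to the question, TTL 86400.
SAMPLE_QUERY = build_query("test.example.com", txid=0x1234)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("test.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 86400, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    target = sys.argv[1]
    resolvers = sys.argv[2:] or ["8.8.8.8", "9.9.9.9", "1.1.1.1"]  # Google, Quad9, Cloudflare
    for r in resolvers:
        print(r, query_ttl(r, target))
```

A returned TTL below the one you published is the resolver's cap (or its own policy, as 300bps says); 86400 back from a record published at 604800 is the unbound default WakiMiko mentions. The parser also illustrates why the ID check matters: a reply with the wrong transaction ID is discarded rather than trusted.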
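Editor's note on the CAA subthread (harikb, isclever, tialaramex, RKearney). A CAA record does restrict issuance, but it is worth seeing exactly how a CA evaluates it, because the rule has a consequence for a domain whose subdomains strangers can edit. The code below is an added example, not code from Mess with DNS or from any CA: it implements the RFC 8659 lookup (climb from the requested name towards the root and use the first CAA RRset found) together with the RFC 8657 validationmethods parameter that tialaramex notes Let's Encrypt had not shipped. ZONE is constructed sample data; the messwithdns.com records in it are invented to make the point and are not what the site publishes, and it assumes the tool lets a user publish CAA records under their label. The point the sample shows: because the closest RRset wins, an "issue ;" record at the apex does not bind a label whose records someone else can write, since they can publish their own CAA record there. That is why keeping the website outside the messable domain, as tialaramex describes, is the robust option.

```python
"""CAA issuance check per RFC 8659, with the RFC 8657 validationmethods parameter.

Added example, not code from Mess with DNS or from any CA. ZONE is constructed
sample data, not real DNS; the messwithdns.com entries are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 0x80  # "issuer critical" flag bit, RFC 8659 section 4.1
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


ZONE: Dict[str, List[CAA]] = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAA(0, "issuewild", ";"),  # no wildcard certificates at all
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "messwithdns.com": [CAA(0, "issue", ";")],  # apex says: nobody may issue
    "hazel10.messwithdns.com": [CAA(0, "issue", "sectigo.com")],  # a user's own label
    "critical.test": [CAA(CRITICAL, "futuretag", "x")],  # unknown tag marked critical
}


def parse_issue_value(value: str) -> Tuple[str, Dict[str, str]]:
    """'issuer-domain; k=v; ...' -> (issuer, params). An empty issuer means 'no CA'."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter {p!r}")
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def relevant_caa_set(zone: Dict[str, List[CAA]], name: str) -> Tuple[str, List[CAA]]:
    """RFC 8659 section 3: the RRset of the closest ancestor-or-self that has CAA records."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        owner = ".".join(labels)
        if zone.get(owner):
            return owner, zone[owner]
        labels.pop(0)
    return "", []


def may_issue(zone: Dict[str, List[CAA]], name: str, ca: str,
              method: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether `ca` may issue for `name` (prefix '*.' for a wildcard request)."""
    wildcard = name.startswith("*.")
    owner, rrset = relevant_caa_set(zone, name[2:] if wildcard else name)
    if not rrset:
        return True, "no CAA records anywhere in the tree"
    for rr in rrset:  # an unrecognised critical property forbids issuance
        if rr.tag.lower() not in KNOWN_TAGS and rr.flags & CRITICAL:
            return False, f"{owner}: unrecognised critical tag {rr.tag!r}"
    tag = "issue"
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrset):
        tag = "issuewild"  # when present, issuewild replaces issue for wildcards
    records = [rr for rr in rrset if rr.tag.lower() == tag]
    if not records:
        return True, f"{owner}: no {tag} property, issuance unrestricted"
    for rr in records:
        issuer, params = parse_issue_value(rr.value)
        if issuer != ca.lower():
            continue
        allowed = params.get("validationmethods")  # RFC 8657
        if allowed and method not in {m.strip() for m in allowed.split(",")}:
            return False, f"{owner}: {ca} may issue only via {allowed}, not {method}"
        return True, f"{owner}: {tag} record authorises {ca}"
    return False, f"{owner}: no {tag} record names {ca}"


if __name__ == "__main__":
    for args in [("www.example.com", "letsencrypt.org", "dns-01"),
                 ("www.example.com", "letsencrypt.org", "http-01"),
                 ("*.example.com", "letsencrypt.org", "dns-01"),
                 ("api.messwithdns.com", "sectigo.com", None),
                 ("test.hazel10.messwithdns.com", "sectigo.com", None)]:
        print(args, may_issue(ZONE, *args))
```

The last two cases are the ones that matter for this thread: api.messwithdns.com is refused by the apex record, but test.hazel10.messwithdns.com is authorised, because the lookup stops at hazel10.messwithdns.com and never consults the apex. RKearney's "zone operator configures CAA" therefore holds only for names whose whole path the operator controls; mlyle's separator-boundary rule and the public suffix list are the complementary controls for the delegated part.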
___________________________________________________________________ (page generated 2021-12-15 23:00 UTC)