[HN Gopher] Mess with DNS
___________________________________________________________________
Mess with DNS
Author : im2nguyen
Score : 580 points
Date : 2021-12-15 16:55 UTC (6 hours ago)
(HTM) web link (jvns.ca)
(TXT) w3m dump (jvns.ca)
| dharmab wrote:
| This is a neat tool! FYI, make sure the domain is registered with
| Safe Browsing in advance. If one subdomain is cataloged as
| malicious by google the entire domain can be flagged. It can be a
| pain to deal with.
| kccqzy wrote:
| You need multiple subdomains to be flagged in order to cause
| the eTLD+1 domain to be flagged. But then since this is open
| for anyone to change, I imagine it's really easy to cross that
| threshold.
| AlexanderTheGr8 wrote:
| Hypothetically, what happens if a domain is catalogued as
| malicious? Also, who catalogues it? If you haven't bought the
| domain from Google, the only thing that Google can do is not
| show the domain on Google search results. Did I miss anything?
| dharmab wrote:
| Most major web browsers will display a scary red warning to
| visitors to your website. It can take days for a human at
| Google to fix the issue.
| tnorthcutt wrote:
| > If you haven't bought the domain from Google, the only
| thing that Google can do is not show the domain on google
| search results. Did I miss anything?
|
| I would imagine they might also show warnings in Chrome.
| iotku wrote:
| Pretty much all major browsers check against Google's safe
| browsing list so it's pretty much a death sentence to be on
| it.
| kccqzy wrote:
| Edge does not. Microsoft has their own thing.
| darau1 wrote:
| The tech is fantastic, and your writing skills also stood out to
| me. This is excellent work all around.
| lelandfe wrote:
| Julia's writing always feels breathable and fun.
|
| It's impressive to get technical stuff to be this friendly.
| nimbius wrote:
| "These tests are still a little flaky for reasons I don't quite
| understand"
|
| Jesus Christ, it's everything HN can do to just not pick up a book
| and do it yourself.
|
| If you want to understand DNS, stop expecting people to spoon-feed
| it to you from what little information they think they know
| wrapped in AWS microservices and start reading.
|
| O'Reilly's 'BIND DNS' book will teach you everything you ever
| wanted to know and more about DNS. You run your own DNS server on
| a laptop or wherever, and you read and practice to understand the
| technology.
| almostdeadguy wrote:
| Great job reading the article: she's talking about frontend E2E
| testing which literally has nothing to do w/ the mechanics of
| DNS. Every one of these frameworks I've used _is_ a bit flaky
| too, so this should be completely unsurprising to anyone who
| actually knows anything about this.
| xyzzy_plugh wrote:
| The tone of your comment is pretty inappropriate. The whole
| point of this is to _help_ people learn about DNS, including
| the author, who happens to be one of the most humble and
| helpful persons _on the internet_.
|
| No volume of books can be adequately substituted for _doing_
| something, which this project enables handily.
|
| I'm sure you'll be down voted to oblivion but maybe consider a
| more constructive approach, like opening a PR and helping the
| authors out.
| thomasballinger wrote:
| Note that this sentence was about browser-based integration
| tests. Browser automation has come a long way, but even on very
| frontend-fluent teams I've been on we had a few flaky tests,
| and browser-based integration tests are sometimes flaky in
| ways that are difficult and tedious to debug! Not understanding
| why doesn't necessarily indicate any lack of understanding of
| DNS.
|
| But maybe it increases the odds of a "Let's understand
| Playwright!" post in the future!
| krisrm wrote:
| I don't really agree with the tone of your comment, and why
| would you cite a section of the article where the author was
| talking about a front-end testing framework?
| warent wrote:
| Someone is missing knowledge, admits it, and this somehow
| inflames you? They created a free tool. Nowhere do they claim
| that this is a comprehensive replacement of a full O'Reilly
| book.
| [deleted]
| throwaway894345 wrote:
| Some of my fondest memories were learning programming and then
| infrastructure engineering in bits and pieces while so many
| "veterans" at the time pissed and moaned about how the One True
| Way to learn was reading O'Reilly books.
|
| A decade into my career, I'm pretty sure I out-earn nearly all
| of them despite them having a solid decade on me. Of course,
| income is a fallible indicator, and to the extent that it's
| accurate, I don't think the difference is "reading books vs
| Googling" but rather (if I had to guess) some handicap that
| correlates with bitching about how other people learn on the
| Internet.
| m1ckey wrote:
| Life is too short for that.
|
| It is incredibly valuable to have a basic understanding of many
| things. Julia just built a tool which will help me learn the
| basics of DNS in 20min.
| NelsonMinar wrote:
| This tool is so neat! One thing I've learned from it is my ISP
| (sonic.net) seems to be doing queries to _.example.com. For
| instance:
|
| $ dig @50.0.1.1 nelson.lily6.messwithdns.com a
|
| Results in two queries being answered by the messwithdns server.
| One for nelson.lily6.messwithdns.com as expected, but also one
| for _.lily6.messwithdns.com.
|
| Any guesses what that naked underscore query is for? Not every
| nameserver does it (Cloudflare, Google, Quad9, and Adguard all
| don't). But Sonic isn't the only one that does.
|
| I've asked on Twitter and the best guess right now is it has
| something to do with RFC2782 or RFC 8552. But those are about
| using _ to make unique tokens that aren't likely domain names,
| things like _tcp or _udp. What would a naked _ mean?
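The server behind the tool logs every query it receives, including ones like the `_.lily6.messwithdns.com` query above. As an added example (written for this page, not code from the post or from the messwithdns server), the block below builds a DNS query packet with nothing but the standard library and parses it back the way an authoritative server would, including the compression pointers that appear in responses. A label consisting of a single `_` is legal on the wire because labels are length-prefixed bytes, not hostname-checked strings. Transaction IDs and names are constructed.

```python
import struct
from typing import List, Tuple

# RR type codes used below (RFC 1035 / RFC 3596)
QTYPE = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label bytes,
    terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:          # RFC 1035: 1..63 bytes per label
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Build a standard query: 12-byte header + one question (class IN)."""
    # flags 0x0100: QR=0 (query), opcode 0, RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at `off`, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original byte stream)."""
    labels: List[str] = []
    jumped = False
    end = off
    hops = 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # two-byte pointer: 11xxxxxx xxxxxxxx
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            hops += 1
            if hops > 64:                    # refuse malicious pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end


def parse_question(pkt: bytes) -> dict:
    """Return id, RD flag and the question as the server would see them."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "rd": bool(flags & 0x0100), "qname": qname,
            "qtype": QTYPE_NAME.get(qtype, qtype), "qclass": qclass}


if __name__ == "__main__":
    # Constructed packets, not captures: the two names the comment above saw.
    for name in ("nelson.lily6.messwithdns.com", "_.lily6.messwithdns.com"):
        print(parse_question(build_query(name, "A")))
```

Sending `build_query(...)` over UDP to a resolver and feeding the reply to `decode_name` is all that is needed to walk the answer section; the hop counter matters because a hand-crafted reply can point a compression pointer at itself.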
| WakiMiko wrote:
| Very cool project!
|
| It's interesting to see how different DNS providers cap the
| maximum TTL.
|
| Google uses 21600s
|
| Quad9 uses 43200s
|
| Cloudflare does not cap at all!
|
| And my personal unbound uses 86400s (which is the default)
| blakesterz wrote:
| Julia Evans continues to do so many cool projects! The blog, the
| zines, now this, such great work! It always amazes me when one
| person can create so many useful things.
| luketheobscure wrote:
| I had a few tasks last month that
| https://nginx-playground.wizardzines.com/ really helped with.
| pknerd wrote:
| Because she loves it! She also covers her strategy here:
| https://jvns.ca/blog/2021/09/20/teaching-by-filling-in-knowl...
| beardyw wrote:
| Looks like hug of death. Nice when it was going.
| jvns wrote:
| Restarted the server and it should be back up for now :).
| Here's the culprit:
|
| > 2021/12/15 18:39:10 http: Accept error: accept tcp [::]:8080: accept4: too many open files; retrying in 1s
| 300bps wrote:
| _What's happening... when I set a long/short TTL?_
|
| Real answer: many ISP's DNS servers are set to ignore whatever
| you set and use a value they feel works best for themselves.
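The TTL caps WakiMiko measured and the "ISP resolvers use whatever value they like" point above are the same mechanism seen from two sides: a caching resolver clamps the authoritative TTL before storing the record, then serves the remaining lifetime, which is what `dig` shows counting down. The toy cache below is an added example written for this page, not code from the post or from any of the resolvers named; the cap and floor are parameters, so nothing here asserts what a particular resolver actually configures. The clock is injectable so the expiry path can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class CachedRecord:
    rdata: str
    original_ttl: int     # TTL exactly as the authoritative server sent it
    expires_at: float     # absolute time after which a fresh lookup is needed


class ClampingCache:
    """Caching-resolver view of TTLs: the authoritative TTL is clamped into
    [min_ttl, max_ttl] before the record is stored, and every later answer
    reports the seconds remaining until expiry, the way dig displays it."""

    def __init__(self, max_ttl: int, min_ttl: int = 0,
                 now: Callable[[], float] = time.monotonic):
        if min_ttl > max_ttl:
            raise ValueError("min_ttl must not exceed max_ttl")
        self.max_ttl = max_ttl
        self.min_ttl = min_ttl
        self.now = now
        self._store: Dict[Tuple[str, str], CachedRecord] = {}

    def effective_ttl(self, ttl: int) -> int:
        """A cap (max_ttl) shortens long TTLs; a floor (min_ttl) lengthens
        short ones. Both mean the zone owner's value is not what clients see."""
        return max(self.min_ttl, min(ttl, self.max_ttl))

    def put(self, qname: str, qtype: str, rdata: str, ttl: int) -> int:
        eff = self.effective_ttl(ttl)
        self._store[(qname.lower(), qtype)] = CachedRecord(
            rdata, ttl, self.now() + eff)
        return eff

    def get(self, qname: str, qtype: str) -> Optional[Tuple[str, int]]:
        """Return (rdata, remaining_ttl), or None if absent or expired."""
        key = (qname.lower(), qtype)
        rec = self._store.get(key)
        if rec is None:
            return None
        remaining = int(rec.expires_at - self.now())
        if remaining <= 0:
            del self._store[key]
            return None
        return rec.rdata, remaining

    def resolve(self, qname: str, qtype: str,
                upstream: Callable[[str, str], Tuple[str, int]]
                ) -> Tuple[str, int]:
        """Serve from cache; on a miss ask `upstream` (the authoritative
        side, stubbed by the caller) and store the clamped result."""
        hit = self.get(qname, qtype)
        if hit is not None:
            return hit
        rdata, ttl = upstream(qname, qtype)
        return rdata, self.put(qname, qtype, rdata, ttl)


if __name__ == "__main__":
    # Constructed authoritative answer: a one-day TTL behind a 6-hour cap.
    cache = ClampingCache(max_ttl=21600, min_ttl=60)
    print(cache.resolve("test.example", "A", lambda n, t: ("192.0.2.1", 86400)))
```

A practical consequence for the "change the record and wait" experiment: until the clamped lifetime runs out, a second `resolve` call never reaches `upstream`, no matter how small the zone's new TTL is.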
| rwbhn wrote:
| Relevant: https://jvns.ca/blog/2021/12/06/dns-doesn-t-propagate/
| m3047 wrote:
| Very cool. dig 'a test.hazel10.messwithdns.com'
| txt +short "test"
|
| If the owner of the site contacts me I'm happy to discuss...
| maartenh wrote:
| Nice!
|
| A month ago, I scripted
| https://github.com/moretea/browsers-with-fake-dns as an
| alternative to editing /etc/hosts. It's a Docker container with a
| BIND DNS server, and Chrome/Firefox reachable via webvnc.
| anonymousiam wrote:
| And then there's this too:
|
| https://blog.benjojo.co.uk/post/dns-filesystem-true-cloud-st...
| Kototama wrote:
| Very smart idea and great execution.
|
| Allowing people to experiment _quickly_ on infra/devops knowledge
| is the key, and tools like Ansible are useless for that.
| [deleted]
| who-shot-jr wrote:
| This looks great!
| jfrunyon wrote:
| > I needed to write an authoritative DNS server
|
| Why not just... use an authoritative DNS server?
|
| > I think I'm doing a pretty bad of following the DNS RFCs
|
| Yeah, probably, which makes this experiment much less worthwhile
| than just... doing the same thing on an _actual_ DNS host.
|
| BTW, experimentation is no replacement for
| training/education/experience. Just because an experiment results
| one way on the computer you're testing with, doesn't mean it will
| resolve the same way in another browser - or on another OS - or
| even just on a different ISP(/resolver).
|
| > finding out who owns IP addresses with an ASN database - When a
| DNS requests comes in, it comes from an IP address. I wanted to
| tell users who owns that IP address (Google? Cloudflare? their
| ISP?). The obvious way is to do a reverse DNS lookup. But what if
| that doesn't work?
|
| Or just use one of the many databases that exist for exactly
| this purpose (and are free, like MaxMind's GeoLite ASN). Except,
| oh wait, you did do that (although with some random, auto-scraped
| database). Not sure what the point of rDNS is.
|
| > I do a database write every time a DNS request comes in
|
| Why? There's no reason to store that info on disk. As you say, "I
| could easily clear out old requests every hour and it probably
| wouldn't make a difference"
|
| > let's talk about security
|
| Sure, except you skipped over the "huh, I'm sharing cookies
| across all these people because I'm not on the PSL". But at least
| "the website's domain" isn't sharing cookies with 'em too?
|
| Oh, and you also skipped over things like whether or not your
| roll-your-own DNS server is vulnerable to being used as an
| amplification vector (probably).
|
| > I have one main opinion about programming, which is that deeply
| understanding the underlying systems
|
| It's a shame she doesn't deeply understand the underlying systems
| she's using.
| rektide wrote:
| There's another AWS outage, & presently the top comment is
| talking about us as barbarians that have stumbled into fancy hot
| baths & are amazed but have no idea how to keep them running. And
| a wonderful follow-up reply[1] talking about living in an
| apartment in a storm versus living in a cave during a storm. It
| presents another severe image of how much drift there has been in
| the world, how much more built up, but how we ourselves are not
| necessarily more advanced, smarter, wiser.
|
| It's work like this (Mess with DNS). This is the stuff.
| Revealing, experimenting, inviting people in. Tech that
| illuminates & shows off, that is there to explain & help create
| understanding. This is the stuff, this is what keeps humanity
| powerful & competent & connected. Tech does a lot for us, but
| when it helps us become better wiser more creative people, when
| it reveals itself & the world: that holds a very dear place in my
| heart, is the light & heat in a vast cold and dark universe. I
| love this project. It's a capital example of revelatory
| technology, of enlightening technology.
|
| [1] https://news.ycombinator.com/item?id=29568078
| Karrot_Kream wrote:
| Julia Evans's cool stuff aside (and it is _very cool_, we need
| all the high quality didactic material we can get!), all this
| info _is_ on the net. I'm always surprised when I see engineers
| (like in that linked post) who don't understand how to do
| things like regional failovers, DNS load balancing, load
| balancing strategies, load shedding, circuit breaking, AZ
| balancing/failover, etc. These are pretty standard concepts in
| the world of high reliability net services, writing the code is
| the easiest part! I guess that says a lot about the problem
| domain I'm in and how different reliability guarantees tend to
| be in other problem domains.
| rektide wrote:
| I've never seen anything at all as interactive & playful as
| this. Nothing that comes close. All in one, designed to
| create the experience of DNS. It's in the name: Mess with
| DNS. That makes it far far far & away different
|
| And I think that makes all the difference. I tend to believe
| very strongly in hands on experience, think that seeing
| things happen yourself & getting to play is by far the best
| way to learn, just incredibly surpassing.
|
| There's a theory of education called Constructivism[1] that
| is broadly similar. Adherents include folks like Seymour
| Papert[2], creator of Logo, employee at One Laptop Per Child
| (which I think is the most interesting & innovative software
| environment we've ever created, vastly under-appreciated).
| Projects like Logo are supposed to create that hands on
| feedback, to make programming not just writing scripts &
| having programs run, but ways to see the code really execute,
| to create more interactive modes.
|
| With software eating the world, it is so so so important to
| me not just to create knowledge, to tell tales of what
| software is, but to let people have the experience
| themselves. To create playgrounds to meddle, to mess around.
| I wish so much that applications could actually show &
| explain what they are doing, what's inside of them, could
| reveal their workings, but we're so far away from that
| Enlightened world, we've fallen into such deep shadows imo.
|
| (Side note, I see things very differently, but I also am
| disappointed folks would downvote your perspective like this.
| As for the lack of knowledge/experience, I'd say that most
| engineers don't have familiarity because there's not a lot of
| opportunities to set up & learn systems work; most coders
| spend their time coding, not setting up bits of
| infrastructure to run code on. You yourself also say "writing
| the code is the easiest part", which underscores just how
| complex/inter-related/particular all the
| systems/infrastructure stuff is, how probable it is engineers
| might not feel fully competent or brave enough to engage.)
|
| [1] https://en.wikipedia.org/wiki/Constructivism_(philosophy_of_...
|
| [2] https://en.wikipedia.org/wiki/Seymour_Papert
| Karrot_Kream wrote:
| > I've never seen anything at all as interactive & playful
| as this. Nothing that comes close. All in one, designed to
| create the experience of DNS. It's in the name: Mess with
| DNS. That makes it far far far & away different
|
| Oh absolutely! I don't mean to diminish this. The ability
| to interact and play also works very well for my own
| learning.
|
| > There's a theory of education called Constructivism[1]
| that is broadly similar. Adherents include folks like
| Seymour Papert[2], creator of Logo, employee at One Laptop
| Per Child (which I think is the most interesting &
| innovative software environment we've ever created, vastly
| under-appreciated). Projects like Logo are supposed to
| create that hands on feedback, to make programming not just
| writing scripts & having programs run, but ways to see the
| code really execute, to create more interactive modes.
|
| +100
|
| > With software eating the world, it is so so so important
| to me not just to create knowledge, to tell tales of what
| software is, but to let people have the experience
| themselves. To create playgrounds to meddle, to mess
| around. I wish so much that applications could actually
| show & explain what they are doing, what's inside of them,
| could reveal their workings, but we're so far away from
| that Enlightened world, we've fallen into such deep shadows
| imo.
|
| You bring up a good point overall about the lack of
| interactive materials for engineers/students/interested
| folks. I also suggest opening up any cloud provider (cheap
| for playing around is probably better!) and trying these
| things with services like Traefik (which are easy to
| configure/play with). Try to do some multi-region failover
| stuff, observe what happens with different load balancing
| strategies, that sort of thing. It reminds me a lot of
| watching videos about setting up IP networks, stuff like
| Cisco certification material.
|
| You've given me some food for thought on educational
| materials for sure.
|
| > As for the lack of knowledge/experience, I'd say that
| most engineers don't have familiarity because there's not a
| lot of opportunities to set up & learn systems work; most
| coders spend their time coding, not setting up bits of
| infrastructure to run code on. You yourself also say
| "writing the code is the easiest part", which underscores
| just how complex/inter-related/particular all the
| systems/infrastructure stuff is, how probable it is
| engineers might not feel fully competent or brave enough to
| engage.
|
| Yeah this stuff isn't easy and operational work is often a
| different skillset than writing code.
| ASalazarMX wrote:
| Humans individually are pretty useless. Abandon a random human
| in a jungle and they will likely perish soon no matter how
| smart and well educated they are.
|
| The strength of humanity is teamwork, working together to build
| things other groups can build things upon. Abandon 100 random
| humans in the same jungle and they will build a town.
| robrorcroptrer wrote:
| How many would actually be able to build anything if it was
| purely random? How many tries of 100 people batches until
| they've built something?
|
| Not arguing, just questions that came into my mind.
| ASalazarMX wrote:
| Random people would have the most varied set of skills. A
| single person can have skills that are useless for
| surviving in the jungle, but if any of the 100 people has a
| good enough idea of what to do, the rest can help.
|
| Even non-random groups like your coworkers or immediate
| neighbors can have unexpected skills that will make you
| feel dumb.
| s_dev wrote:
| >Abandon 100 random humans in the same jungle and they will
| build a town.
|
| https://en.wikipedia.org/wiki/Lord_of_the_Flies
|
| I'm not sure -- but I do think it would be interesting how
| that would turn out. Australia was founded in this sort of
| fashion. I think there's a bit more nuance though.
| gruez wrote:
| except that's fiction, and this is non-fiction:
| https://en.wikipedia.org/wiki/Tongan_castaways
| Lammy wrote:
| > The strength of humanity is teamwork, working together to
| build things other groups can build things upon.
|
| This is why I don't trust anybody who tries to tell me that
| human population growth is an actual problem and not just our
| rulers' fear of irrelevance.
| harikb wrote:
| On the security aspect, I wonder how this site affects
| services that do domain ownership verification [1], where they
| assume that only a person who owns the domain can edit DNS
| records. I think Let's Encrypt's ACME protocol [2] does it for SSL
| certs too. This site does create a subdomain for every user, so
| maybe these issues don't apply.
|
| [1] https://support.google.com/a/answer/183895?hl=en
|
| [2] https://letsencrypt.org/docs/client-options/
| isclever wrote:
| At least for certificate issuance they can turn it off via a
| CAA record:
|
| https://en.wikipedia.org/wiki/DNS_Certification_Authority_Au...
| tialaramex wrote:
| One inconvenience is that although RFC8657 explains _how_ to
| tell a CA that it must use particular methods, the most
| obvious public CA (Let's Encrypt) has not shipped RFC8657
| support. So you can write a CAA record which says "Only Let's
| Encrypt may issue" or indeed say "Only Sectigo may issue" but
| you cannot write a record which says e.g. "Only Let's Encrypt
| may issue, and they must use the tls-alpn-01 method". Or
| rather, you can write that record but it won't work.
|
| Now, there are a bunch of things you could do about that, and
| I believe this cool toy does one of the obvious ones: Don't
| have any certificates for the problematic domain. The web
| site isn't in the domain you can mess with. But it would be
| nice if Let's Encrypt got to this. Periodically I check, and so
| far each time somebody has pestered them for RFC 8657
| recently, so I don't pile on since that's unhelpful.
| mlyle wrote:
| Generally a dot is used as a barrier for these, because
| otherwise you need to have an infinite (and changing) list
| where users are allowed to register subdomains. .ac.uk vs.
| .com, etc. Not to mention that there are some of these domains
| where the policy is _changing_ and there's both delegates and
| toplevel domains.
|
| If you don't trust across separator boundaries you're mostly
| safe. That is, mytxt.foo.com shouldn't be blindly trusted for
| my.subdomain.foo.com, and mytxt.subdomain.foo.com shouldn't be
| trusted for foo.com.
|
| IMO the biggest concern is with organizations that blacklist
| domains for various reasons, because they are not eager to just
| build very fine-grained blacklists.
| RKearney wrote:
| I would think it would fall on the zone operator to properly
| configure a CAA record to restrict issuance by an unauthorized
| CA.
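The CAA discussion above (harikb's question, isclever's and RKearney's answer, and tialaramex's caveat about RFC 8657) comes down to one lookup a CA performs before issuing. The block below is an added example written for this page, not code from the post, the messwithdns project, or any CA: it implements the RFC 8659 search (climb from the requested name toward the root and use the first name that has CAA records) and honours an RFC 8657 `validationmethods` parameter if one is present. Because the nearest CAA RRset wins, a record at `messwithdns.com` covers every user's subdomain until a user publishes their own CAA record, which this tool lets them do. The zone contents are constructed; the comment above notes Let's Encrypt had not shipped RFC 8657 enforcement at the time, so what a record says and what a given CA enforces are separate questions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAA:
    flags: int      # bit 7 (0x80) = issuer-critical
    tag: str        # "issue", "issuewild" or "iodef"
    value: str      # e.g. "letsencrypt.org; validationmethods=dns-01"


# owner name without trailing dot -> CAA RRset at that name
Zone = Dict[str, List[CAA]]

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def find_caa(zone: Zone, name: str) -> Tuple[Optional[str], List[CAA]]:
    """RFC 8659 section 3: the Relevant RRset is the first non-empty CAA
    RRset found walking from `name` up toward the root."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def parse_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'ca.example; k=v; k2=v2' into (issuer domain, parameters).
    An empty issuer (the value ';') authorises nobody."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return issuer, params


def may_issue(zone: Zone, name: str, ca_domain: str, method: str,
              wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether `ca_domain` may issue for `name` using ACME `method`
    (e.g. "dns-01", "http-01", "tls-alpn-01"). For wildcard requests the
    issuewild records govern if present, otherwise issue records do."""
    owner, rrset = find_caa(zone, name)
    if not rrset:
        return True, "no CAA records on the path to the root"
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrset):
        return False, f"{owner}: critical tag the CA does not understand"
    tags = ["issuewild", "issue"] if wildcard else ["issue"]
    for tag in tags:
        relevant = [r for r in rrset if r.tag == tag]
        if not relevant:
            continue
        for r in relevant:
            issuer, params = parse_value(r.value)
            if issuer != ca_domain.lower():
                continue
            allowed = params.get("validationmethods")           # RFC 8657
            if allowed and method not in [m.strip() for m in allowed.split(",")]:
                return False, f"{owner}: {ca_domain} limited to {allowed}"
            return True, f"{owner}: {tag} permits {ca_domain}"
        return False, f"{owner}: {tag} records do not name {ca_domain}"
    return False, f"{owner}: CAA present but no issue/issuewild record"


if __name__ == "__main__":
    # Constructed zone: the site-wide record plus one user who locked theirs.
    zone: Zone = {
        "messwithdns.com": [
            CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
            CAA(0, "iodef", "mailto:security@example.invalid"),
        ],
        "locked.messwithdns.com": [CAA(0, "issue", ";")],
    }
    print(may_issue(zone, "nelson.lily6.messwithdns.com", "letsencrypt.org", "dns-01"))
    print(may_issue(zone, "locked.messwithdns.com", "letsencrypt.org", "dns-01"))
```

Note that the subdomain lookup stops at the first name that has any CAA record, so `locked.messwithdns.com` never consults the parent's permissive record; conversely a user could publish a permissive record of their own below a restrictive parent.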
| xyzzy_plugh wrote:
| There's also the public suffix list:
| https://publicsuffix.org/list/
|
| It's probably a good idea for the author to add this project to
| the list.
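Adding the domain to the Public Suffix List, as suggested above, changes what browsers treat as the "registrable domain" (the eTLD+1 kccqzy mentions), which is the boundary for cookies' Domain attribute and for Safe Browsing-style per-site decisions. The block below is an added example, not code from the post or from publicsuffix.org: it implements the list's published matching algorithm (exception rules win, then the longest matching rule, with `*` as the fallback) against a small constructed excerpt in the real file's syntax, and shows that with `messwithdns.com` on the list each user's subdomain becomes its own cookie boundary, while without it a cookie set by one user's page could be scoped to all of them.

```python
from typing import List, Optional, Tuple

# Constructed excerpt in Public Suffix List syntax; not the real list.
PSL_EXCERPT = """
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
ac.uk
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
github.io
messwithdns.com
"""

Rule = Tuple[List[str], bool, bool]   # (labels, is_wildcard, is_exception)


def parse_psl(text: str) -> List[Rule]:
    """Parse rules; comments start with '//', only the first token counts."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip().split()[0] if raw.strip() else ""
        if not line or line.startswith("//"):
            continue
        exception = line.startswith("!")
        rule = line[1:] if exception else line
        labels = rule.lower().split(".")
        rules.append((labels, labels[0] == "*", exception))
    return rules


def _matches(rule_labels: List[str], labels: List[str]) -> bool:
    """A rule matches when, compared label by label from the right, every
    rule label equals the domain label or is '*'."""
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == l
               for r, l in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(rules: List[Rule], domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    best: Optional[List[str]] = None
    for rule_labels, _wild, exception in rules:
        if not _matches(rule_labels, labels):
            continue
        if exception:
            # an exception rule prevails; its suffix is the rule minus the first label
            return ".".join(rule_labels[1:])
        if best is None or len(rule_labels) > len(best):
            best = rule_labels
    if best is None:
        best = ["*"]                         # no rule matched: prevailing rule is '*'
    return ".".join(labels[-len(best):])


def registrable_domain(rules: List[Rule], domain: str) -> Optional[str]:
    """Public suffix plus one label; None when the domain is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(rules, domain).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def cookie_domain_allowed(rules: List[Rule], host: str, cookie_domain: str) -> bool:
    """Browser check (RFC 6265 plus PSL): the Domain attribute must be the host
    or one of its parents, and must not be a public suffix."""
    host = host.lower().rstrip(".")
    cd = cookie_domain.lower().lstrip(".").rstrip(".")
    if registrable_domain(rules, cd) is None:
        return False                         # cd is a public suffix: rejected
    return host == cd or host.endswith("." + cd)


if __name__ == "__main__":
    listed = parse_psl(PSL_EXCERPT)
    unlisted = parse_psl(PSL_EXCERPT.replace("messwithdns.com\n", ""))
    host = "nelson.lily6.messwithdns.com"
    for label, rules in (("listed", listed), ("unlisted", unlisted)):
        print(label, registrable_domain(rules, host),
              cookie_domain_allowed(rules, host, "messwithdns.com"))
```

With the excerpt as written, `Domain=messwithdns.com` is refused for a page on a user's subdomain; delete the `messwithdns.com` line and the same cookie is accepted and would be sent to every other user's subdomain, which is the sharing jfrunyon points at above.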
___________________________________________________________________
(page generated 2021-12-15 23:00 UTC)