home.social

#domainnamesystem — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #domainnamesystem, aggregated by home.social.

  1. @cks @lanodan

    Missing from @drscriptt 's list are AAAA, HTTPS, and SVCB records.

    AAAA has plenty of obvious choices.

    You'll know the . convention for SRV, SVCB, and MX resource record sets, of course.

    I shall just drop in my personal experience from earlier this year that an accidentally supplied HTTPS resource record can *definitely* break WWW traffic; because browsers in practice do not obey RFC9460 §2.4.2.

    #djbdns
    #DomainNameSystem
    #SplitHorizon
    #ReservedSuperDomains #DNS #HTTPS #SVCB

  2. @cks @lanodan

    Missing from @drscriptt 's list are AAAA, HTTPS, and SVCB records.

    AAAA has plenty of obvious choices.

    You'll know the . convention for SRV, SVCB, and MX resource record sets, of course.

    I shall just drop in my personal experience from earlier this year that an accidentally supplied HTTPS resource record can *definitely* break WWW traffic; because browsers in practice do not obey RFC9460 §2.4.2.

    #djbdns
    #DomainNameSystem
    #SplitHorizon
    #ReservedSuperDomains #DNS #HTTPS #SVCB

  3. @cks @lanodan

    Missing from @drscriptt 's list are AAAA, HTTPS, and SVCB records.

    AAAA has plenty of obvious choices.

    You'll know the . convention for SRV, SVCB, and MX resource record sets, of course.

    I shall just drop in my personal experience from earlier this year that an accidentally supplied HTTPS resource record can *definitely* break WWW traffic; because browsers in practice do not obey RFC9460 §2.4.2.

    #djbdns
    #DomainNameSystem
    #SplitHorizon
    #ReservedSuperDomains #DNS #HTTPS #SVCB

  4. @cks @lanodan

    Missing from @drscriptt 's list are AAAA, HTTPS, and SVCB records.

    AAAA has plenty of obvious choices.

    You'll know the . convention for SRV, SVCB, and MX resource record sets, of course.

    I shall just drop in my personal experience from earlier this year that an accidentally supplied HTTPS resource record can *definitely* break WWW traffic; because browsers in practice do not obey RFC9460 §2.4.2.

    #djbdns
    #DomainNameSystem
    #SplitHorizon
    #ReservedSuperDomains #DNS #HTTPS #SVCB

  5. @cks @lanodan @drscriptt

    There are actually quite a few, nowadays. See RFCs 6762, 7686, and 8375.

    example. is not the worst choice, although you could have gone with test. or internal. or intranet. .

    Given your objective, any of the further ones that imply a residence or a corporation seem less well suited.

    Although home.arpa.'s public delegation to the blackhole-{1,2}.iana.org. names is re-used.

    github.com/jdebp/nosh/blob/tru

    #djbdns #DomainNameSystem #SplitHorizon #ReservedSuperDomains #DNS

  6. @pmevzek

    Thank you. But it actually tells me less than I already knew from cranking up developer tools and the server logs, and using direct observation. Which is, as I said, that the browsers continued to communicate with the origin domain's IP addresses, and did not switch to the target domain's.

    #HTTPS alias-mode resource records that nominally upgrade from HTTP to HTTPS actually instead locked the browsers on a Windows machine out of my own WWW site for half a day.

    #DomainNameSystem

  7. Today's top tip:

    Don't use HTTPS resource records.

    I set some alias-mode ones up pointing from one domain to another domain. WWW browsers were supposed, per RFC9460 §2.4.2, to talk to the target domain.

    All of my WWW browsers that picked up the records continued to send their requests to the IP address for *original* domain, and simply acted as if HSTS was turned on for that domain.

    The example scenario in RFC9460 does not actually do what is stated in practice.

    #HTTPS #DomainNameSystem

  8. @ermo

    There are a much smaller number of people doing SVCB lookups, too. But, interestingly, they are doing them wrongly.

    And with a direct correlation to some other abuses.

    Which does make me think that, in an ironic twist, it is the bad actors running robot vulnerability probes and scrapers that are the early adopters of SVCB, here.

    #djbwares #DomainNameSystem #svcb

  9. @ermo

    There are a much smaller number of people doing SVCB lookups, too. But, interestingly, they are doing them wrongly.

    And with a direct correlation to some other abuses.

    Which does make me think that, in an ironic twist, it is the bad actors running robot vulnerability probes and scrapers that are the early adopters of SVCB, here.

    #djbwares #DomainNameSystem #svcb

  10. @ermo

    There are a much smaller number of people doing SVCB lookups, too. But, interestingly, they are doing them wrongly.

    And with a direct correlation to some other abuses.

    Which does make me think that, in an ironic twist, it is the bad actors running robot vulnerability probes and scrapers that are the early adopters of SVCB, here.

    #djbwares #DomainNameSystem #svcb

  11. @ermo

    This does make you the second person in the world (if you picked up the source after I put it in yesterday) who can run

    dnsqr https google.com

    or even

    dnsqr https jdebp.info

    I didn't think that people were using this, it only having been accepted in November 2023, but I discovered a few lookups in my logs.

    #djbwares #DomainNameSystem #https

  12. Have something to whet your appetites for #djbwares version 11.

    If you don't know #djbdns, you probably won't notice what will make people who do know djbdns take interest. (-:

    It's also going to contain the FreeBSD 13 build fixes that @ermo helped with.

    #DomainNameSystem
    #DomainNameSystem

  13. Looking up www.bing.com. nowadays involves dnscache looking up intermediate domain names in org., com., net., and info.; the cross-dependencies of which regularly exceed dnscache's nested gluelessness limit above which it switches to a slower resolution algorithm.

    Some quick tests indicate that raising this limit from 2 to 3 improves matters.

    So this will be in #djbwares 11.

    #djbdns #dnscache #DomainNameSystem

  14. @robpumphrey

    I should probably mention this flaw on the #nslookup flaws page. The BIND DNS client library doesn't continue on to the next server if it receives a response without the "RA" flag; but nslookup does.

    A flaw going back to at least 2009, from a quick look at the people asking questions about it, but introduced since I last touched that page in 2004; as I believe I included all of the known major gotchas of the time. (-:

    jdebp.uk/FGA/nslookup-flaws.ht

    #DomainNameSystem

  15. @robpumphrey

    If it's (intentionally) not providing proxy DNS service (which is what "recursion not available" translates to), then you had best just take it out of resolv.conf completely. That's not the sort of DNS server that belongs in resolv.conf.

    The resource record set type is actually immaterial here. The C library expects complete answers from things in /etc/resolv.conf, not partial answers, which is what it will be getting from that DNS server.

    #DomainNameSystem

  16. Safcomms Limited DNS now comes with secure masking. We help mask your IP Address by providing you with ours to hide yourself without using a VPN. To purchase our DNS Service, contact me right away. Evidence as shown in the picture from the WiFi Analyzer Software.

    #DNS #DomainName #DomainNameSystem #InternetService #Internet #InternetServiceProvider #Networking #ComputerNetworking #ComputerNetwork #Network #Cybersecurity #CyberSec #InformationSecurity #InfoSec #Masking #HidingYourIP #HideYourIP #NoVPN #NoIP #IPSec

  17. Safcomms Limited DNS now comes with secure masking. We help mask your IP Address by providing you with ours to hide yourself without using a VPN. To purchase our DNS Service, contact me right away. Evidence as shown in the picture from the WiFi Analyzer Software.

    #DNS #DomainName #DomainNameSystem #InternetService #Internet #InternetServiceProvider #Networking #ComputerNetworking #ComputerNetwork #Network #Cybersecurity #CyberSec #InformationSecurity #InfoSec #Masking #HidingYourIP #HideYourIP #NoVPN #NoIP #IPSec

  18. Safcomms Limited DNS now comes with secure masking. We help mask your IP Address by providing you with ours to hide yourself without using a VPN. To purchase our DNS Service, contact me right away. Evidence as shown in the picture from the WiFi Analyzer Software.

    #DNS #DomainName #DomainNameSystem #InternetService #Internet #InternetServiceProvider #Networking #ComputerNetworking #ComputerNetwork #Network #Cybersecurity #CyberSec #InformationSecurity #InfoSec #Masking #HidingYourIP #HideYourIP #NoVPN #NoIP #IPSec

  19. Hacked ISP infects users receiving unsecure software updates - Enlarge (credit: Marco Verch Professional Photographer and Speaker)

    ... - arstechnica.com/?p=2041175 #domainnamesystem #dnspoisoning #infections #security #malware #biz&it

  20. DNS glitch that threatened Internet stability fixed; cause remains unclear - Enlarge

    For more than four days, a server at the very core of... - arstechnica.com/?p=2026566 #domainnamesystem #rootservers #security #biz#dnssec #dns

  21. DNS glitch that threatened Internet stability fixed; cause remains unclear - Enlarge

    For more than four days, a server at the very core of... - arstechnica.com/?p=2026566 #domainnamesystem #rootservers #security #biz#dnssec #dns

  22. DNS glitch that threatened Internet stability fixed; cause remains unclear - Enlarge

    For more than four days, a server at the very core of... - arstechnica.com/?p=2026566 #domainnamesystem #rootservers #security #biz#dnssec #dns

  23. DNS glitch that threatened Internet stability fixed; cause remains unclear - Enlarge

    For more than four days, a server at the very core of... - arstechnica.com/?p=2026566 #domainnamesystem #rootservers #security #biz#dnssec #dns

  24. DNS glitch that threatened Internet stability fixed; cause remains unclear - Enlarge

    For more than four days, a server at the very core of... - arstechnica.com/?p=2026566 #domainnamesystem #rootservers #security #biz#dnssec #dns

  25. Microsoft plans to lock down Windows DNS like never before. Here’s how. - Enlarge (credit: Getty Images)

    Translating human-readable doma... - arstechnica.com/?p=2021987 #domainnamesystem #microsoft #security #windows #biz#ztdns

  26. Doing DNS and DHCP for your LAN the old way—the way that works - Enlarge / All shall tremble before your fully functional forward and re... - arstechnica.com/?p=2001156 #domainnamesystem #weekendprojects #itprojects #features #projects #feature #homelab #biz#bind9 #dhcpd #bind #dns

  27. Doing DNS and DHCP for your LAN the old way—the way that works - Enlarge / All shall tremble before your fully functional forward and re... - arstechnica.com/?p=2001156 #domainnamesystem #weekendprojects #itprojects #features #projects #feature #homelab #biz#bind9 #dhcpd #bind #dns

  28. Doing DNS and DHCP for your LAN the old way—the way that works - Enlarge / All shall tremble before your fully functional forward and re... - arstechnica.com/?p=2001156 #domainnamesystem #weekendprojects #itprojects #features #projects #feature #homelab #biz#bind9 #dhcpd #bind #dns

  29. Doing DNS and DHCP for your LAN the old way—the way that works - Enlarge / All shall tremble before your fully functional forward and re... - arstechnica.com/?p=2001156 #domainnamesystem #weekendprojects #itprojects #features #projects #feature #homelab #biz#bind9 #dhcpd #bind #dns

  30. Doing DNS and DHCP for your LAN the old way—the way that works - Enlarge / All shall tremble before your fully functional forward and re... - arstechnica.com/?p=2001156 #domainnamesystem #weekendprojects #itprojects #features #projects #feature #homelab #biz#bind9 #dhcpd #bind #dns

  31. Hidden in the mostly-forgotten 2010 Digital Economy Act were powers to regulate the UK's domain name system. On July 20, 2023, DCIT published a consultation - which closes August 31 - on implementing these: gov.uk/government/news/new-con #UKInternet #DomainNameSystem #Nominet

  32. Hidden in the mostly-forgotten 2010 Digital Economy Act were powers to regulate the UK's domain name system. On July 20, 2023, DCIT published a consultation - which closes August 31 - on implementing these: gov.uk/government/news/new-con #UKInternet #DomainNameSystem #Nominet

  33. Hidden in the mostly-forgotten 2010 Digital Economy Act were powers to regulate the UK's domain name system. On July 20, 2023, DCIT published a consultation - which closes August 31 - on implementing these: gov.uk/government/news/new-con #UKInternet #DomainNameSystem #Nominet

  34. Hidden in the mostly-forgotten 2010 Digital Economy Act were powers to regulate the UK's domain name system. On July 20, 2023, DCIT published a consultation - which closes August 31 - on implementing these: gov.uk/government/news/new-con #UKInternet #DomainNameSystem #Nominet

  35. Hidden in the mostly-forgotten 2010 Digital Economy Act were powers to regulate the UK's domain name system. On July 20, 2023, DCIT published a consultation - which closes August 31 - on implementing these: gov.uk/government/news/new-con #UKInternet #DomainNameSystem #Nominet

  36. Attackers find new ways to deliver DDoSes with “alarming” sophistication - Enlarge (credit: Aurich Lawson / Getty)

    The protracted arms ra... - arstechnica.com/?p=1955118 #distributeddenialofserviceattack #domainnamesystem #security #biz#ddos #dns

  37. Cool just found out @zeek is on Mastodon too! One of my favorite #NetworkTools #DomainNameSystem #Parsing #HTTPS

    Give it a feed of network packets, and you get valuable data from the default configuration, which contain more than 10.000 lines of scripting code, which you can expand. Output in column format text or JSON

    Very efficient and soooo much NOT like messing about in C structs trying to parse something network related :-D

    Now I just need Suricata here! suricata.io/