DNS Toys (2022) (dns.toys)
490 points by finallyy on Jan 7, 2024 | hide | past | favorite | 66 comments


This reminds me of a neat little trick I used back then to "reliably" compute IP address of my machines for a dynamic DNS utility I wrote for myself.

OpenDNS resolvers (such as resolver1.opendns.com) will resolve myip.opendns.com to your actual IP address. Whether you get A or AAAA records depends on your connection. Since the IP addresses for these resolvers tend to be anycast IPs, I also want to believe they are marginally faster than pinging some central HTTP service that can go down at any time. (Of course, OpenDNS can vanish at any time, too, but I find the risk of that more tolerable than the countless "what is my IP address?" HTTP services out there)

Anyway, I remember hearing before that DNS originally was intended to be used with a broader scope of data than just domain names (hence the existence of TXT records and the like). This website greatly demonstrates how much utility you can get out of DNS.


Google and Akamai also have a DNS service.

    dig @ns1-1.akamaitech.net ANY whoami.akamai.net +short


    dig @ns1.google.com TXT o-o.myaddr.l.google.com +short


On Windows:

    nslookup whoami.akamai.net ns1-1.akamaitech.net


What's more likely to go down, OpenDNS or YouTube?

    curl -4si0A "" https://www.youtube.com|sed -n '/ip=/{s/.*ip=//;s/\.*//p;};'|uniq
What's more likely to go down, OpenDNS or Cloudflare?

This will work with any Cloudflare IP address and it does not even require TLS.

    printf 'GET /cdn-cgi/trace HTTP/1.0\r\nHost: cloudflare.com\r\n\r\n' | nc -vvn 104.18.25.13 80 | sed -n /ip=/p
To get a list of Cloudflare IPs:

    curl -4si0A ""  https://api.cloudflare.com/client/v4/ips
There are many, many websites that print the client IP address in a webpage or in an HTTP header. Not necessarily "What is my IP" websites. No need to rely on just one source.

Websites that use Cloudflare to block certain requests are another option. For example, StackOverflow. Just send an HTTP request without a User-Agent header.

     curl -si40A "" http://stackoverflow.com|sed -n '/cf-footer-ip">/{s/.*">//;s/<.*//p;}'
The success of "What is my IP" websites is quite surprising given that one's IP address is displayed by hundreds of thousands of other websites.

Further reading on the utility of DNS:

https://www.netmeister.org/blog/dns-rrs.html


You have a good point that most of those HTTP services out there for getting your IP don't seem like they would be particularly reliable in terms of uptime.

Worth noting that Cloudflare run one though, and that seems more likely to be reliable:

https://icanhazip.com/

https://ipv4.icanhazip.com/

https://ipv6.icanhazip.com/


Very nice idea. Seems way simpler than the STUN protocol.


I worked on VoIP before RFC3489. We built our own ways to handle NAT and firewalls, but it always involved something like a directory server that would see both your private and public IPs and share information between clients at call time to connect calls.


I'm a big fan of Julia Evans[1] who's made a number of useful toys including ones for DNS here[2] and here[3].

- [1] https://jvns.ca/

- [2] https://dns-lookup.jvns.ca/

- [3] https://messwithdns.net/


Thanks for sharing these absolute gems!


You're welcome! I should have linked directly to the tool page: https://jvns.ca/categories/playgrounds/


Thanks! Julia does seem like an absolute baller.


Related:

DNS Toys - https://news.ycombinator.com/item?id=31704789 - June 2022 (104 comments)

DNS Toys: Useful utilities and services over DNS - https://news.ycombinator.com/item?id=31637226 - June 2022 (1 comment)


Here's a talk the author of the project gave recently, a fun story of how the project came into being:

https://youtu.be/ANmFZ8rbmnc?si=ndEWH4xY2oxJuEnB


Odd that

    dig A0.0,0.0/0.0,90.0.aerial @dns.toys

and

    dig A0.0,0.0/90.0,0.0.aerial @dns.toys

both produce TXT "aerial distance = 10007.06 KM"

The equatorial circumference is 40,075.017 km (24,901.461 mi), while the polar circumference is 40,007.863 km (24,859.734 mi).

I guess there's no great harm in assuming the earth is hypothetically cow-shaped, and it avoids that awkward series for shortest distance twixt points following an ellipsoid's surface.


Oh interesting - those circumferences are actually closer than I assumed they would be!


Yeah, it's pretty minor stuff of no real import to many ... unless someone had a background in geodesy and had to measure fields on an oblate spheroid with fragmented moving plates girt by sloshing fluids.


I like your funny words, magic man :D


Somewhat related, DNS lookup for (UK) business listings - same idea of 'abusing' the DNS service to provide non-DNS data.

https://www.num.uk/

Though going by their roadmap, it may be they're no longer maintaining the service.


Don't use the word "abuse" unless it's in the sense of "SOAP and XHR are an 'abuse' of HTTP".

The IN (internet) class is the evolutionary "towering cedar" of the moment, but there were the CH (chaos) and HS (hesiod) classes during the cambrian period; you might review those projects' purposes and goals.

Arguably the abuse today is in the form of things like ten millisecond windows for retransmission and qname minimization which optimize specifically for cloud-based web services ("happy eyeballs") at the expense of all else (and seemingly without awareness of e.g. buffer bloat). There's a whole world outside of A / AAAA resolution.

It's not unheard of to see two people with pocket protectors having a knife fight (or at least poking at each other with pencils) in the hallway at an Internet confab. "RFC" stands for "Request For Comments" and BCPs (Best Current Practice) are routinely ignored.


The dns toys author himself referred to it as "abusing dns" in the talk linked from another comment here, https://www.youtube.com/watch?v=ANmFZ8rbmnc.


I watched the video. He's trolling his hypothesized pearl clutchers. I'm sure I share the same critics. Actually most of the talk is open source intelligence basics and utilization of DNS for nonpublic purposes.

Good sell regarding hotel networks as adversaries. :-p

It's time. Start the long walk. We are migrating to meet the skexies, you're welcome to join us.

"Toy server" with 6 million queries and the talk is not about keeping the server up. We're done here; you can find the mike somewhere on the floor.

He has a fondness for finger.

That's my kindness.


Fetish for pearl clutchers; prove me wrong.


Fair point. Probably showing my lack of experience previous to the millennium, at most it was debugging res_mkquery for hours because of what I was passing as a class, iirc C_ANY rather than C_IN.


ANY is definitely a trap for the overconfident, as it is a qtype without a corresponding rdtype. Is there a wildcard for class? You got me there, I'd have to go look it up and I'm up to my armpits in something else at the moment.


I like it. I just wish that dig were installed on every platform. I'm always annoyed that it isn't available on Windows and when I checked Debian doesn't have it by default (though easily installable.) OpenBSD and Mac OS X have it though so that's good.


Dog is cross-platform and has some nice features, like JSON output.

https://dns.lookup.dog/


You don't need to use dig. nslookup or host work also.

Surely Windows has some kind of DNS lookup tool!


Yes, in Powershell:

   Resolve-DnsName


Can someone ELI5 for the idiot in the thread? I know it's for fun but I don't get it. Also, how is it working? I'm aware it's my ignorance.


You're essentially resolving non-existent domains through their custom DNS server. For example:

    dig 100USD-INR.fx @dns.toys
Translates into "resolve 100USD-INR.fx using dns.toys as a DNS server". They then return TXT records containing the actual answer. Since .fx is a non-existent domain, they're not impersonating anyone, and if you switch "@dns.toys" with say "@8.8.8.8", it wouldn't resolve to anything.


Imagine a site like news.ycombinator.com. The browser uses that name to look up the IP from a specialized server. So for the domain it might have this saved:

A IP = ...1

AAAA IP = ...2

Where 'a' is the type of record. But there are other types of records:

TXT gender = 'male'

So there's a few assumptions here about DNS that are normally true:

1. People are using DNS as a switch board to other services.

2. The values in the switchboard are normally static.

With this setup they're doing something completely different because they're serving back changing values based on the domain. To do this you would need to write a custom DNS server (though the DNS protocol is quite simple.) The reasons this is a clever hack though are as follows:

1. DNS is one of the most widely used and supported protocols. All mainstream programming libraries support it. This includes numerous command-line tools already in the operating system. By providing this as a service over DNS it provides an elegant way for command-line tools and libraries to access services with minimal dependencies.

2. It challenges the way the DNS system should be used by tipping the normal assumptions behind its use on its head (direct usage for information, dynamic content for values.) This makes it possible to use DNS directly as an application service rather than as a switch board operator for regular internet services.

3. DNS is so integral that a complex integration wouldn't be needed to add it to existing software. A DNS request is arguably more straightforward than a typical web API. Chances are this also has benefits for censorship resistance, too.

All in all a clever hack.


Sure, imagine a DNS server as a specialized type of web server, but it uses a different protocol over a different port. Just like you make requests to a web server using HTTP, you can interact with a DNS server using DNS protocols. Think of it like comparing how you might use telnet to simulate an HTTP or SMTP request; it's about communicating with a specific type of server over a specific set of rules. This server tends to do some computation before yielding its results, unlike most DNS records that you'd expect to be static.


The DNS protocol is just text over udp. When making a DNS request, your system will open a socket, write "google.com" in it and read for a response. The server, if it is properly configured as a DNS server, will reply with the appropriate DNS record, again as text. Google.com is a cname to some subdomain used for load balancing, so the server will simply reply "CNAME blabla.google.com" and may optionally also resolve blabla.google.com to save you the trouble of making another request.

The DNS protocol, defined in some RFC, says that I have to make a request a certain way, and that the server has to respond a certain way. One of these ways is that for top level domains that don't exist (for ex. .time is not a currently existing tld), the server is supposed to reply nxdomain, but in reality there is no technical measure stopping it from replying with anything it wants, such as the current time.

In fact, generally speaking, the expectation that the server operators will not fuck you over is the only thing preventing public (and indeed private) DNS operators from returning you bogus data. This is mitigated somewhat by HTTPS, but DNS records themselves are infinitely fakeable with no recourse.


DNS is not a text protocol, it's a binary protocol.


Your reply is riddled with errors and you don't seem to actually know how the DNS protocol works at all, on the wire or otherwise. It is, firstly, impossible for "google.com" to contain a CNAME record. This would violate standards, and it's simply not done. Query it yourself; there is no CNAME at that label.

Your description of how queries work is not how queries work at all. Your entire comment is a net negative and detracts from the overall knowledge at Hacker News.


> "It is, firstly, impossible for "google.com" to contain a CNAME record. This would violate standards, and it's simply not done."

It is possible for an apex domain to contain/be a CNAME, and it simply is done, by many companies: https://serverfault.com/questions/55528/set-root-domain-reco...


This is a disingenuous claim, because many of the comments at the linked thread indicate that it not only is a breach of the RFC requirements, but is also liable to malfunction, so any provider/software that permits it, is going to have trouble supporting it.

I stand by what I said: it's impossible, and is simply not done [by anyone who cares about adhering to standards or interoperability.]


I'm surprised that they aren't also available in some subdomain of dns.toys (so that they would resolve without using a special name server).


If you used default nameservers, you'd be introducing all the usual DNS complications, e.g. caching.


Those complications would be easily controllable using the TTL.


Many ISP caches do not respect TTLs.



The premise is kinda neat but it probably doesn’t need to do all this stuff just to provide the proof of concept that you can remotely execute a script somewhere via DNS.


I didn't know you could specify a DNS server with a name. So does dig first look up that name using whatever DNS server is normally configured to determine where the intended DNS server is?

NextDNS gives you a name that you can put in certain UIs (like "Private DNS" in Android) -- I always assumed there was just something special about those.


Almost. Every domain (or rather “zone”) has an authoritative name server that maintains the dns records for that zone. When you perform a lookup from your device, it will ask your configured name server (from your ISP or 8.8.8.8 and friends), which will then look up the authoritative server and contact it to resolve the answer and send back the result (which it caches).

You can tell dig to bypass the normal way of things and ask a specific name server instead. This can be useful to bypass caches and debug DNS issues.


Seems like we can just build lightweight APIs on top of this. And port 53 is always open too, just like 80 and 443.


DNS is designed for caching. You can use DNS for anything that is public, idempotent, and immutable (or at least, slow-changing).


Some DNS servers allow very low TTLs, so maybe not so slow-changing. Can we set it below 1 min? Or does that depend on some standards?


(Drawing from 1-semester CCNA course in uni) Since DNS operates over UDP, isn't the amount of data that can be safely transferred effectively bottlenecked by the smallest page size between the routers that reach your device? DNS is served in one chunk, right?


Usually if a response is greater than 512 bytes the DNS server will renegotiate on TCP 53. Note some DNS servers might not do this, but every normal implementation does that I’m aware of.


Historically musl libc didn't support TCP DNS, but even musl supports it now [1]

[1]: https://www.theregister.com/2023/05/16/alpine_linux_318/


DNS can switch to TCP for this reason.


How does this actually work? Finding it hard to believe someone bought domains for all combinations of those unit conversions


> How does this actually work? Finding it hard to believe someone bought domains for all combinations of those unit conversions

dns.toys runs a (custom) DNS resolver. The example dig commands are asking this resolver. They are not using your configured (public) resolver. The custom resolver can return whatever it wants depending on the request. You could also ask the resolver what the IP (A-record) of e.g. "google.com" is and it could answer with whatever it wants.

Therefore, they actually just use one domain: dns.toys.


It works by querying a specific DNS resolver (dns.toys):

  dig +short TXT mumbai.weather @dns.google
  # NXDOMAIN
 
  dig +short TXT mumbai.weather @dns.toys  
  "Mumbai (IN)" "30.90C (87.62F)" "45.90% hu." "clearsky_day" "15:30, Sun"
  "Mumbai (IN)" "28.10C (82.58F)" "56.00% hu." "fair_day" "17:30, Sun"
  ...
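The same mumbai.weather TXT lookup done without dig, as an added example that is not dns.toys code or anything posted in this thread: a standard-library client that builds the query, sends it to a server you name, and parses the TXT answer. It also shows the point made earlier about truncation: the UDP reply's TC bit triggers a retry over TCP. The embedded sample response is constructed to mirror the dig output above, not captured.

```python
# Added example (not dns.toys code, nor anything posted in this thread): a stdlib
# DNS client for TXT lookups showing the binary wire format and the UDP->TCP retry.
import socket
import struct

def build_query(name, qid=0x1234):
    """12-byte header (RD set) + length-prefixed labels + QTYPE TXT, QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 16, 1)

def _skip_name(msg, off):  # step past a name; a byte >= 0xC0 is a 2-byte pointer
    while msg[off] and msg[off] < 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_txt(msg):
    """Return (tc_flag, texts); TXT RDATA is a run of <len><bytes> strings."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, texts = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:
            parts, p = [], 0
            while p < len(rdata):
                parts.append(rdata[p + 1:p + 1 + rdata[p]].decode())
                p += 1 + rdata[p]
            texts.append(" ".join(parts))
    return bool(flags & 0x0200), texts

def lookup_txt(name, server, port=53, timeout=3.0):
    """UDP first; if TC is set, repeat over TCP, where messages carry a 2-byte length."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, port))
        truncated, texts = parse_txt(u.recv(512))
    if truncated:
        with socket.create_connection((server, port), timeout) as t:
            t.sendall(struct.pack("!H", len(q)) + q)
            f = t.makefile("rb")
            texts = parse_txt(f.read(struct.unpack("!H", f.read(2))[0]))[1]
    return texts

# Constructed sample answer (not a capture): id 0x1234, flags QR|RD|RA, one TXT RR.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x06mumbai\x07weather\x00\x00\x10\x00\x01\xc0\x0c\x00\x10\x00\x01"
                   b"\x00\x00\x00\x3c\x00\x1c\x0bMumbai (IN)\x0f30.90C (87.62F)")
```

Calling `lookup_txt("mumbai.weather", "<dns.toys address>")` performs the live query; `parse_txt(SAMPLE_RESPONSE)` exercises the decoder offline.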


I see - thanks for explaining


Nice, but why over DNS? Perhaps I simply didn't get the point.


DNS is everywhere. It offers massive caching potential. It is well-understood and there are multiple, interoperating, implementations. It is a data diode, which is to say read-only, which can simplify some risk assessments related to attack surface.

The README for this project may explain some of the general benefits (my project): https://github.com/m3047/rkvdns

HTTP is everywhere. I think SOAP sucks, but it's everywhere and it works well enough. (For that matter XHR sucks, but even I use it occasionally.)

(This is not the first time DNS Toys has shown up on Hacker News, there's a link in another comment.)


Often passed through firewalls or effectively proxied through resolvers


For fun.


Because it is fun.


DNS clients come preinstalled on virtually any OS.


What DNS clients does one have in Windows 8 or Windows 10?


`nslookup` for a command prompt utility, the `DnsClient` PowerShell module, and the DNS Client graphical utility.


`nslookup`


nslookup comes with the OS



