Post AYBbDdhRmexziffxtw by paul_ipv6@infosec.exchange
 (DIR) Post #AYBbDclJGoSioMTXHc by b0rk@social.jvns.ca
       2023-07-28T15:56:28Z
       
       0 likes, 0 repeats
       
       why is DNS still hard to learn? https://jvns.ca/blog/2023/07/28/why-is-dns-still-hard-to-learn/
       
 (DIR) Post #AYBbDdhRmexziffxtw by paul_ipv6@infosec.exchange
       2023-07-28T21:13:30Z
       
       0 likes, 0 repeats
       
       @b0rk dnsviz.net is definitely more friendly than any of the command line DNS tools. the latter were really designed for folks already very familiar with the protocol to see all the detailed flags, codes and bits. they are really more like ascii dumps of pcaps, whereas dnsviz is more like wireshark.
       
 (DIR) Post #AYBbDejbw6I8vfhCue by bortzmeyer@mastodon.gougere.fr
       2023-07-29T12:12:59Z
       
       0 likes, 0 repeats
       
       @paul_ipv6 @b0rk Note that dnsviz *is* a command-line tool, too. So, people can choose what they want.
       
       % dnsviz probe jvns.ca | dnsviz print
       
 (DIR) Post #AYBbDf70X70U6EdtNg by paul_ipv6@infosec.exchange
       2023-07-28T21:17:39Z
       
       0 likes, 0 repeats
       
       @b0rk and as you point out, a major challenge is that even graphic tools like dnsviz give a view of what the authoritative servers have. that doesn't tell you what chain of DNS stub resolvers, recursive resolvers, forwarders, middleware boxes and even app mucking may be going on between the original query and the full answer coming back usefully. here's where good educational materials designed for non-experts are so helpful.
       
 (DIR) Post #AYBc1SnGbg3GNF9jKi by bortzmeyer@mastodon.gougere.fr
       2023-07-29T12:21:58Z
       
       0 likes, 0 repeats
       
       @b0rk "I feel like it would be extremely cool to extend DNS to include a “debugging information” section."
       
       EDE are exactly here for that, no?
       
       % dig bogus.bortzmeyer.fr
       ...
       ; EDE: 9 (DNSKEY Missing)
       
 (DIR) Post #AYBc9PFHgMnhgc33JI by bortzmeyer@mastodon.gougere.fr
       2023-07-29T12:23:27Z
       
       0 likes, 0 repeats
       
       @b0rk
       
       ADDITIONAL SECTION:  EDNS: version: 0, flags:; udp: 512
       
       I disagree with this idea. EDNS (OPT) records are in the additional section for historical reasons. This trick is irrelevant for debugging; current dig output seems clearer.
       
 (DIR) Post #AYBcYexMPGx9eVhqmu by b0rk@social.jvns.ca
       2023-07-29T12:26:08Z
       
       0 likes, 0 repeats
       
       @bortzmeyer I'd never heard of EDE, added that to the post
       
 (DIR) Post #AYBcpXpQA5iAT52nGy by bortzmeyer@mastodon.gougere.fr
       2023-07-29T12:31:03Z
       
       0 likes, 0 repeats
       
       @b0rk Oops, sorry, this is in RFC 8914 https://www.rfc-editor.org/info/rfc8914
       
       If you want to test them (needs a recent dig), with Unbound, it is not enabled by default (add "ede: yes"). Otherwise, use Google Public DNS, they send EDE.
       
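       The two posts above show dig printing an Extended DNS Error (EDE, RFC 8914) such as "EDE: 9 (DNSKEY Missing)". The following Python is an added example, not code from any of the posters or from dig, dnsviz or Unbound: it constructs a sample SERVFAIL response carrying an EDE option inside the EDNS OPT pseudo-record and parses it back out, which shows where the "debugging information" actually lives on the wire (option code 15 in the OPT RR of the additional section). The query name, text and message ID in the sample are made up.

```python
"""Build and parse RFC 8914 Extended DNS Error (EDE) options (added example).

The sample response is constructed here, not captured from a real resolver.
"""
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type (RFC 6891)
EDE_OPTION_CODE = 15   # EDNS option code assigned to EDE by RFC 8914

# INFO-CODE registry values from RFC 8914 section 4.
EDE_INFO_CODES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate",
    6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid",
    9: "DNSKEY Missing", 10: "RRSIGs Missing", 11: "No Zone Key Bit Set",
    12: "NSEC Missing", 13: "Cached Error", 14: "Not Ready", 15: "Blocked",
    16: "Censored", 17: "Filtered", 18: "Prohibited",
    19: "Stale NXDomain Answer", 20: "Not Authoritative", 21: "Not Supported",
    22: "No Reachable Authority", 23: "Network Error", 24: "Invalid Data",
}


def _read_name(msg, offset):
    """Return (dotted name, offset after the name), following compression pointers."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2                         # name ends after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def extract_ede(msg):
    """Return [(info_code, purpose, extra_text)] for every EDE option in msg."""
    _, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    offset = 12
    for _ in range(qd):                                  # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                                      # QTYPE + QCLASS
    found = []
    for _ in range(an + ns + ar):                        # walk every RR
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0                                          # OPT RDATA is a list of options
        while pos + 4 <= len(rdata):
            code, length = struct.unpack_from("!HH", rdata, pos)
            pos += 4
            body = rdata[pos:pos + length]
            pos += length
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack_from("!H", body, 0)[0]
                text = body[2:].decode("utf-8", errors="replace")
                found.append((info, EDE_INFO_CODES.get(info, "Unassigned"), text))
    return found


def format_like_dig(msg):
    """Render EDE options the way dig's comment line does, e.g. '; EDE: 9 (DNSKEY Missing)'."""
    lines = []
    for info, purpose, text in extract_ede(msg):
        line = f"; EDE: {info} ({purpose})"
        lines.append(line + (f": ({text})" if text else ""))
    return "\n".join(lines)


def build_sample_response(qname="bogus.example", info_code=9, text="no DNSKEY found", with_ede=True):
    """Construct a SERVFAIL response with one EDNS OPT RR (values are made up for the example)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)   # QR, RD, RA set; RCODE=2
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN
    options = b""
    if with_ede:
        extra = text.encode()
        options = struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(extra), info_code) + extra
    # OPT RR: root owner name, CLASS = UDP payload size, TTL = ext. RCODE/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(options)) + options
    return header + question + opt_rr


if __name__ == "__main__":
    print(format_like_dig(build_sample_response()))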
 (DIR) Post #AYBd6Prj1L4Mh8AP5M by b0rk@social.jvns.ca
       2023-07-29T12:32:58Z
       
       0 likes, 0 repeats
       
       @bortzmeyer yeah that's fair!
       
 (DIR) Post #AYCKOVtnch10eH0rNA by bortzmeyer@mastodon.gougere.fr
       2023-07-29T20:39:13Z
       
       0 likes, 0 repeats
       
       @b0rk On an OARC mailing list, someone noticed that one reason why #DNS is so hard to learn is, paradoxically, its robustness. You can make a lot of errors before DNS breaks. This is good for service continutiy but it does not help the learning process.
       
 (DIR) Post #AYCOH2c2ViqvbkOkdM by MattPounsett@fosstodon.org
       2023-07-29T21:22:40Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @b0rk This has always been my observation. It’s also one of the reasons that DNS is often given to the junior or the intern without any guidance or training… because it’s perceived as hard to screw up.