[HN Gopher] DNS Toys
___________________________________________________________________
DNS Toys
Author : edent
Score : 520 points
Date : 2022-06-11 14:44 UTC (8 hours ago)
(HTM) web link (www.dns.toys)
(TXT) w3m dump (www.dns.toys)
| kazinator wrote:
| "Prior art" for this is DNS block lists (DNSBLs).
|
| Typically these are used like this: your mail server gets an SMTP
| connection from some address (let's use the familiar IPv4
| example): 10.20.30.40.
|
| You reverse these octets and do an "A" record dns query to some
| 40.30.10.10.dnsbl.example.com to look up that IP in example.com's
| list. If a match is returned, the address is listed. If you do a
| "TXT" record query, you can find out why it's listed.
|
| Block lists are typically blacklists, but they can be whitelists
| as well.
|
| DNSBLs are hammered with queries from vast numbers of mail
| servers; DNS keeps things efficient.
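Added example (my code, not kazinator's and not any DNSBL operator's): building the reversed-octet query name and interpreting the answer, with a constructed in-memory zone standing in for the real A/TXT lookup. The zone name `dnsbl.example.com`, the listing reasons and the function names are placeholders. It goes slightly beyond the comment by also handling IPv6 (hex nibbles reversed, as RFC 5782 specifies) and by including the RFC 5782 test-entry sanity check (127.0.0.2 listed, 127.0.0.1 not) that a mail admin would run before trusting a list.

```python
import ipaddress

# Hypothetical zone name, used only for illustration.
DNSBL_ZONE = "dnsbl.example.com"

# Constructed stand-in for what a DNSBL zone answers: query name -> (A record, TXT).
# Listed addresses answer from 127.0.0.0/8 (RFC 5782); an absent name means
# "not listed" (a real resolver would return NXDOMAIN for it).
CONSTRUCTED_ZONE = {
    "40.30.20.10.dnsbl.example.com": ("127.0.0.2", "constructed: reported spam source"),
    "2.0.0.127.dnsbl.example.com": ("127.0.0.2", "RFC 5782 test entry: always listed"),
}


def dnsbl_query_name(address, zone=DNSBL_ZONE):
    """Octets (IPv4) or hex nibbles (IPv6, as in ip6.arpa) reversed, then the zone."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        reversed_part = ".".join(reversed(str(ip).split(".")))
    else:
        # 32 nibbles, least significant first, one label each (RFC 5782 section 2.4)
        reversed_part = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def lookup_constructed(name):
    """Stand-in for the A/TXT lookup; a real deployment swaps in a resolver call."""
    return CONSTRUCTED_ZONE.get(name)


def check_listed(address, zone=DNSBL_ZONE, lookup=lookup_constructed):
    """Return (listed?, reason). Raises if the zone answers outside 127.0.0.0/8,
    which is how an expired zone name parked behind a wildcard A record shows up."""
    result = lookup(dnsbl_query_name(address, zone))
    if result is None:
        return False, None
    a_record, reason = result
    if ipaddress.ip_address(a_record) not in ipaddress.ip_network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSBL answer {a_record}; treat the list as broken")
    return True, reason


def zone_sanity_check(zone=DNSBL_ZONE, lookup=lookup_constructed):
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone that fails this is dead or lists everything, and must not be consulted."""
    listed_ok, _ = check_listed("127.0.0.2", zone, lookup)
    unlisted_ok = not check_listed("127.0.0.1", zone, lookup)[0]
    return listed_ok and unlisted_ok


if __name__ == "__main__":
    print(dnsbl_query_name("10.20.30.40"))
    print(dnsbl_query_name("2001:db8::1"))
    print(check_listed("10.20.30.40"))
    print(check_listed("192.0.2.1"))
    print(zone_sanity_check())
```

The sanity check matters in practice because a mail server keeps querying a list long after its operator has gone away; failing the 127.0.0.1 test or getting an answer outside 127.0.0.0/8 is the signal to drop the list rather than start rejecting all mail.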
| Yajirobe wrote:
| ELIFreshman, please
| Ayesh wrote:
| DNS servers _usually_ reply with information about a queried
| domain name or a host name. dig is a command-line tool that
| queries a given name server (or a preset one) for that
| information. For example `dig news.ycombinator.com` returns the
| IP address of HN, and `dig news.ycombinator.com @example.com`
| queries the example.com nameserver for that domain.
|
| dns.toys runs a DNS server that dynamically returns answers
| such as times, currency information, etc (instead of domain
| name information) if you format your query right.
|
| So for example, `dig mumbai.time @dns.toys` returns the time in
| Mumbai in a DNS TXT record instead of an IP address (or an
| NXDOMAIN response, saying the domain does not exist).
|
| Play around with the `dig` command, it is an intuitive tool
| that you will eventually use if you are a CS or a related
| Freshman.
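Added illustration (my code, not dns.toys' and not from this thread) of the exchange Ayesh describes, in dependency-free Python: the client encodes an A query for `mumbai.time`, a stand-in server answers with TXT strings and a 1-second TTL, and the client parses the answer; an NXDOMAIN reply for an unrecognised name is built the same way. The answer strings, the transaction ids and all function names are constructed for the example; real dns.toys output will differ. The `amplification_factor` helper is there because a TXT-answering UDP service returns more bytes than it receives, which is the quantity an abuse check watches.

```python
import struct

QTYPE_A, QTYPE_TXT = 1, 16
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + bytes), ending in a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid):
    """Client side: one question, RD (recursion desired) bit set, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def build_txt_response(query, ttl, strings):
    """Stand-in server: echo the question and answer it with TXT strings,
    whatever QTYPE was asked for (the behaviour the thread describes)."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]  # QNAME + QTYPE + QCLASS, copied back verbatim
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, NOERROR
    rdata = b""
    for s in strings:
        raw = s.encode("utf-8")
        if len(raw) > 255:  # each TXT <character-string> has a 1-byte length
            raise ValueError("TXT string longer than 255 bytes")
        rdata += bytes([len(raw)]) + raw
    # 0xC00C is a compression pointer to the QNAME at offset 12 of the message
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def build_nxdomain(query):
    """Stand-in server: NXDOMAIN for a name it does not understand."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0)
    return header + query[12:]


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: follow it, but resume after its 2 bytes
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Client side: return (rcode, [(name, rtype, ttl, data), ...]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:
            data, p = [], 0
            while p < len(rdata):
                n = rdata[p]
                data.append(rdata[p + 1:p + 1 + n].decode("utf-8"))
                p += 1 + n
        elif rtype == QTYPE_A:
            data = ".".join(str(b) for b in rdata)
        else:
            data = rdata
        answers.append((name, rtype, ttl, data))
    return flags & 0xF, answers


def amplification_factor(query, response):
    """Bytes sent back per byte received: the ratio an amplification-abuse check watches."""
    return len(response) / len(query)


if __name__ == "__main__":
    # Constructed sample answer in the style of the thread's `mumbai.time` output.
    q = build_query("mumbai.time", QTYPE_A, 0xBEEF)
    r = build_txt_response(q, 1, ["Mumbai (Asia/Kolkata, IN)", "Sat, 11 Jun 2022 20:30:00 +0530"])
    print(parse_response(r), round(amplification_factor(q, r), 2))
    print(parse_response(build_nxdomain(build_query("nonsense.time", QTYPE_A, 1))))
```

The TTL of 1 in the constructed answer is only honoured by something that caches, which is the point ylyn makes further down: talking to the server directly with `dig @dns.toys` bypasses any caching resolver, so the TTL has no effect on what you see.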
| CAPSLOCKSSTUCK wrote:
| Fun :). It would be interesting to see how accurate one could get
| the time records (I see a TTL of 1 second, but what if the
| algorithm for reporting the time could try to measure latency
| between DNS client and itself and . . . yadda yadda yadda). Wish
| we had more submissions like this one.
| ylyn wrote:
| The TTL doesn't really matter in this case because you query
| the dns.toys DNS server directly, rather than going through a
| remote recursive resolver (which would normally cache any
| results it gets based on the TTL).
| CAPSLOCKSSTUCK wrote:
| Will a local stub resolver respect the TTL, or are queries to
| authoritative name servers never cached? I know something
| like dnsproxy would care about the TTL, but not sure about,
| say, systemd-resolved. But good point nonetheless.
| [deleted]
| [deleted]
| mvuksano wrote:
| Love it!
| frogger8 wrote:
| pmoriarty wrote:
| I guess you could deliver web pages over DNS too, if you
| wanted... though I'm not sure why you'd want to.
|
| Instead of DoH it would be HoD.
| AdrianoKF wrote:
| You can also use iodine (https://github.com/yarrick/iodine/) to
| tunnel IPv4 data through DNS (useful e.g. when on a captive
| portal network that doesn't block DNS requests). Performance
| isn't great obviously, but the concept is fascinating
| nonetheless.
| chris_wot wrote:
| So you could tunnel ipv4 through DNS, and serve HTML via DNS,
| and use DNS over HTTPS?
| 3-cheese-sundae wrote:
| It's not DNS. There's no way it's DNS. It was DNS.
| bigoljim wrote:
| Example and more conversation on that here:
| https://news.ycombinator.com/item?id=28218406
| Klasiaster wrote:
| I think it would work to use "time" etc as subdomains instead of
| TLD to be able to use any DNS server for the query.
| SpaghettiCthulu wrote:
| But they'd still need a domain for those, and you'd still have
| to enter it.
| kureikain wrote:
| Is this configured to handle DNS amplification attacks out of
| the box?
| djbusby wrote:
| Neat! For unit conversions there is an older tool called 'unit'
| which can convert nearly anything.
| aftbit wrote:
| Fun fact: units can do math too! Try it:
| units -t '12 * 45 * 11'
|
| This can be combined with unit conversion of course:
| units -t '(8 lbf) / (9.8 m/s^2)' slug
|
| Be careful using it for temperature conversion. You need to use
| tempC and tempF functions, not degC and degF units, because of
| the linear offset from absolute zero.
|
| Correct way (absolute temperature): units -t 'tempF(71)' tempC
|
| Incorrect way (temperature difference): units -t '71 degF' degC
|
| I use units a ton, so I have the following in my .zshrc:
|
| # in-terminal calculator: e.g. `calc 60 * 60 * 4`
| _calc () { units -t "$*"; }
| alias calc='noglob _calc'
| # units convenience, use ( and * without quoting
| alias u='noglob units -t'
| jwilk wrote:
| Do you mean 'units'? https://www.gnu.org/software/units/
| joveian wrote:
| I used the BSD version of this (which seems the same AFAICT)
| a few times years ago and managed to misunderstand the output
| a few times and gave up. I doubt it was an actual error in
| the conversion but the UI is comically bad. The typical
| search engine UI is great, ask for a conversion using
| whatever abbreviations you want and it gives you a detailed
| explanation of what it thinks you asked for and the result
| (and not some other number you didn't ask for). I see GNU
| units at least has a -1 option to just give the result.
|
| Firefox has a hidden simple unit conversion tool that can be
| enabled by setting browser.urlbar.unitConversion.enabled to
| true. It only has a few conversions, though, and doesn't give
| much detail about what it thinks you asked for.
|
| It looks like there is a rust unit conversion utility called
| rink that seems better although, like many rust utilities, it
| lacks a man page or any local documentation besides a brief
| --help message (there is an online manual). Some units are a
| bit annoying; you can't just do c to f, only degC to degF
| (and not even degc to degf either). But much nicer than units
| and can also easily be used as an interactive calculator.
|
| https://rinkcalc.app/
|
| Edit: Playing around with rink a bit more it has some neat
| stuff. It gives info if you enter a unit (or constant or
| substance), usually defined in terms of the base unit of each
| type but if you give the base unit it has a brief text
| explaining how the base unit is defined. "c to f" not working
| is because it doesn't use context and c is the speed of
| light. You can use 'units for' to see available units for a
| particular type, although it doesn't look like you can show
| all available units other than checking the source (based on
| the GNU units definitions but with some differences, such as
| degC). It suggests a supported unit if you type one it
| doesn't understand.
| djbusby wrote:
| I did, now too late to edit
| 4oo4 wrote:
| This is awesome but I'm getting NXDOMAIN when I try to use it. Am
| I doing something wrong, perhaps something to do with EDNS?
| $ dig 42km-mi.unit @dns.toys
|
| ; <<>> DiG 9.16.27-Debian <<>> @dns.toys 42km-mi.unit
| ; (1 server found)
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2059
| ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 4096
| ; COOKIE: efe3c6f9e0b6e4da56aba44d62a4e63ba7a19bed262b0e1a (good)
| ;; QUESTION SECTION:
| ;42km-mi.unit. IN A
|
| ;; AUTHORITY SECTION:
| . 6959 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022061100 1800 900 604800 86400
|
| ;; Query time: 44 msec
| ;; SERVER: 138.197.68.199#53(138.197.68.199)
| ;; WHEN: Sat Jun 11 14:00:11 CDT 2022
| ;; MSG SIZE rcvd: 144
| itsmemattchung wrote:
| Awesome! Surprised to see the resolver correctly handle my typo:
|
| $ dig seat2222tle.time @dns.toys +short
| "Seattle (America/Los_Angeles, US)"
| "Sat, 11 Jun 2022 08:22:42 -0700"
| m00dy wrote:
| It is probably levenshtein distance
| ktpsns wrote:
| Picky overcorrect comment: Try dig +short
|
| instead of dig +noall +answer +additional
|
| i.e. dig +short mumbai.time @dns.toys
|
| gives you the short and brief answer you probably expect :-)
| jcims wrote:
| Awesome idea and already with the requests lol: Would it be
| possible to add the resource records as subdomain of dns.toys?
|
| Eg.
|
| dig newyork.time.dns.toys with a low ttl?
|
| This way folks operating in an environment where they can't
| egress on port 53 can still use the tools?
| fio_ini wrote:
| vivekv wrote:
| brilliant!
| awill wrote:
| This is great. It's especially useful if you're already in a
| terminal. No special tools needed.
| BuildTheRobots wrote:
| Really pleasing - though the most surprising thing was learning a
| forward slash is a valid character in a domain name. Are there
| any real world examples?
| neomantra wrote:
| Fun tool! I use `pi.neomantra.net` for unit testing:
|
| > dig pi.neomantra.net +short
| 3.141.59.26
| > dig pi.neomantra.net +short -t AAAA
| 3141:5926:5358:9793:2384:6264:3383:2795
|
| Just added pi support to it:
| https://github.com/knadh/dns.toys/pull/9
| sjnair96 wrote:
| Ha, no one has pointed out who the author is yet - a CTO of one
| of India's recent unicorns.
| bradrn wrote:
| In case anyone else is as unfamiliar as I was with the commands
| here: https://en.wikipedia.org/wiki/Dig_(command)
| schleck8 wrote:
| Interesting find on this site: The Norwegian Meteorological
| Institute has a free weather API
|
| https://developer.yr.no/featured-products/forecast/
| cbsks wrote:
| As does the National Weather Service:
| https://www.weather.gov/documentation/services-web-api
| corbet wrote:
| Hey cool somebody has reimplemented finger!
| WastedLife wrote:
| This is a fun tool, but it has some assumptions around IPv4.
|
| It appears to work by responding with TXT records when given a
| query for A records. I have a `.digrc` file set up to query for
| AAAA records by default (since I mostly deal with IPv6 only
| networks). So I have to set the query for either A or TXT.
| Unfortunately, AAAA doesn't get the special treatment that A
| gets.
| Waterluvian wrote:
| "Why? For fun."
|
| I love this. It doesn't need a reason to exist. It's interesting
| on its own.
|
| That being said, can anyone think of additional interesting
| reasons for why this would be useful rather than the same toys
| over HTTP?
| martinmunk wrote:
| I can see the IP echo command be useful to verify if DNS
| traffic is routed differently than other traffic on a corporate
| network. Assuming outbound port 53 is not blocked completely on
| the network that is.
| woevdbz wrote:
| Maybe less likely to be blocked by some firewall policy?
| 323 wrote:
| > During the last decade, several types of software and malware
| used the DNS protocol for data exchange.
|
| https://resources.infosecinstitute.com/topic/bypassing-secur...
| mbreese wrote:
| That doesn't mean the protocol isn't useful for other
| purposes. Part of why it's useful for the malware writers is
| that it's highly available and often ignored by firewall
| rules.
|
| That availability can also be used for good.
| inopinatus wrote:
| My default is the other way around, I'll question why something
| that is not a web page uses HTTP as an application-layer
| protocol when better fitted alternatives usually exist.
|
| Add a bonus withering stare for assuming JSON is the only data
| serialization/interchange format.
| pinato wrote:
| I came across "open" WiFis that required another form of login
| inside that filtered all HTTP traffic but let through DNS. But
| no, it's not really useful outside of special circumstances.
| midasuni wrote:
| I have WireGuard endpoints on UDP 53, 443 and a high random
| port - at least one of them tends to work (although not
| always -- one hotel recently only allowed tcp/80 and tcp/443).
| gpmcadam wrote:
| maybe on a wifi network before authentication when it may allow
| DNS resolution but not HTTP requests?
| haliskerbas wrote:
| Could you shuttle more data through this method to have a
| browser that works on unauthenticated captive portal wifi
| networks?
| sneak wrote:
| It's called dns tunnelling.
|
| https://github.com/yarrick/iodine
| slt2021 wrote:
| Looks like this can be used to get free wifi on an airplane.
| Diesel555 wrote:
| This may work on pay to use Wi-Fi. There was a previous
| interesting post here about tunneling through DNS on airplane
| or other pay to use Wi-Fi.
|
| https://news.ycombinator.com/item?id=511908
| swznd wrote:
| I used this trick when I was in high school.
|
| Just set up OpenVPN on UDP port 53 on a cheap VPS, then
| connect to it, and get unlimited internet access.
|
| Internet connections in my country were very limited and
| expensive in those days.
| QuadrupleA wrote:
| Simplicity / latency / efficiency - DNS typically just fires
| off one UDP packet (generally one IP packet & ethernet frame
| too) and then gets one back (hopefully) and it's done. HTTP
| requires the TCP 3-way connection handshake, then the out &
| back roundtrip for request/response, then the 4-way teardown
| handshake. If it's HTTPS you also need the 4-way TLS <= 1.2
| handshake and close notification alert. Although QUIC or TLS
| 1.3 improves that a bit.
|
| Anyway if you're using a 14.4 modem in a rusty bunker at the
| bottom of the sea you'll notice a substantial improvement :)
| solardev wrote:
| Why do you need to know the time in Paris while you're
| relaxing in a bunker at the bottom of the ocean? I know
| remote work is a thing now, but sheesh, some people just
| don't know how to disconnect ;)
| brian_cunnie wrote:
| This.
|
| I measured the difference using `tcpdump`, and this was my
| conclusion:
|
| > A big advantage of using DNS queries instead of HTTP
| queries is bandwidth: querying ns-aws.sslip.io requires a
| mere 592 bytes spread over 2 packets; Querying
| https://icanhazip.com/ requires 8692 bytes spread out over 34
| packets--over 14 times as much! Admittedly bandwidth usage is
| a bigger concern for the one hosting the service than the one
| using the service.
|
| (I had set up a service to determine your IP address via DNS,
| i.e. `dig @ns.sslip.io txt ip.sslip.io +short`, and measured
| why it was (marginally) better than using HTTP)
| lazide wrote:
| A couple decades ago I did SSH over DNS at the request of a
| client. It was pretty fun, worked surprisingly well. At the
| time, exactly zero firewalls stopped it.
| SahAssar wrote:
| > Although QUIC or TLS 1.3 improves that a bit.
|
| On a TLS1.3 QUIC connection with a session supporting 0-rtt
| would DNS still require less round trips?
| Dylan16807 wrote:
| Well it depends very strongly on what you're doing. Looking
| at these packet sizes, on a 14.4 modem I'd expect the extra
| traffic to take about a second. But also you're waiting 10-20
| seconds for HN to load or minutes for your average web page
| to load.
| [deleted]
| punnerud wrote:
| To others, yr.no is a free weather service with API:
| https://developer.yr.no
|
| I see that dns.toys use it.
| patrck wrote:
| Nice. Like a command-line version of Charlie Cheever's bunny1.
| https://github.com/ccheever/bunny1
| fossdd wrote:
| This is insanely cool. It's such an amazing creative idea. I hope
| people like them never stop having awesome ideas.
___________________________________________________________________
(page generated 2022-06-11 23:00 UTC)