[HN Gopher] DNS Toys (2022)
___________________________________________________________________
DNS Toys (2022)
Author : finallyy
Score : 422 points
Date : 2024-01-07 07:29 UTC (15 hours ago)
(HTM) web link (www.dns.toys)
(TXT) w3m dump (www.dns.toys)
| dang wrote:
| Related:
|
| _DNS Toys_ - https://news.ycombinator.com/item?id=31704789 -
| June 2022 (104 comments)
|
| _DNS Toys: Useful utilities and services over DNS_ -
| https://news.ycombinator.com/item?id=31637226 - June 2022 (1
| comment)
| shivam-dev wrote:
| Here's a talk the author of the project gave recently, fun story
| of how the project came into being
|
| https://youtu.be/ANmFZ8rbmnc?si=ndEWH4xY2oxJuEnB
| defrost wrote:
| Odd that
|
| dig A0.0,0.0/0.0,90.0.aerial @dns.toys
|
| and
|
| dig A0.0,0.0/90.0,0.0.aerial @dns.toys
|
| both produce TXT "aerial distance = 10007.06 KM"
|
| The equatorial circumference is 40,075.017 km (24,901.461 mi),
| while the polar circumference is 40,007.863 km (24,859.734 mi).
|
| I guess there's no great harm in assuming the earth is
| hypothetically cow shaped, and it avoids that awkward series for
| shortest distance twixt points following an ellipsoid's surface.
| aidos wrote:
| Oh interesting - those circumferences are actually closer than
| I assumed they would be!
| defrost wrote:
| Yeah, it's pretty minor stuff of no real import to many ...
| unless someone had a background in geodesy and had to measure
| fields on an oblate spheroid with fragmented moving plates
| girt by sloshing fluids.
| codetrotter wrote:
| I like your funny words, magic man :D
| koito17 wrote:
| This reminds me of a neat little trick I used back then to
| "reliably" compute IP address of my machines for a dynamic DNS
| utility I wrote for myself.
|
| OpenDNS resolvers (such as resolver1.opendns.com) will resolve
| myip.opendns.com to your actual IP address. Whether you get A or
| AAAA records depends on your connection. Since the IP addresses
| for these resolvers tend to be anycast IPs, I also want to
| believe they are marginally faster than pinging some central HTTP
| service that can go down at any time. (Of course, OpenDNS can
| vanish at any time, too, but I find the risk of that more
| tolerable than the countless "what is my IP address?" HTTP
| services out there)
|
| Anyway, I remember hearing before that DNS originally was
| intended to be used with a broader scope of data than just domain
| names (hence the existence of TXT records and the like). This
| website greatly demonstrates how much utility you can get out of
| DNS.
| Uptrenda wrote:
| Very nice idea. Seems way simpler than the STUN protocol.
| annoyingnoob wrote:
| I worked on VoIP before RFC3489. We built our own ways to
| handle NAT and firewalls, but it always involved something
| like a directory server that would see both your private and
| public IPs and share information between clients at call time
| to connect calls.
| kuon wrote:
| Google and akamai also have a DNS service.
|
| dig @ns1-1.akamaitech.net ANY whoami.akamai.net +short
|
| dig @ns1.google.com TXT o-o.myaddr.l.google.com +short
| masfuerte wrote:
| On Windows: nslookup whoami.akamai.net ns1-1.akamaitech.net
| sevg wrote:
| You have a good point that most of those HTTP services out
| there for getting your IP don't seem like they would be
| particularly reliable in terms of uptime.
|
| Worth noting that Cloudflare run one though, and that seems
| more likely to be reliable:
|
| https://icanhazip.com/
|
| https://ipv4.icanhazip.com/
|
| https://ipv6.icanhazip.com/
| Uptrenda wrote:
| I like it. I just wish that dig were installed on every platform.
| I'm always annoyed that it isn't available on Windows and when I
| checked Debian doesn't have it by default (though easily
| installable.) OpenBSD and Mac OS X have it though so that's good.
| emmanueloga_ wrote:
| Dog is cross platform and has some nice features, like json
| output.
|
| https://dns.lookup.dog/
| quesera wrote:
| You don't need to use dig. nslookup or host work also.
|
| Surely Windows has some kind of DNS lookup tool!
| jodrellblank wrote:
| Yes, in PowerShell: Resolve-DnsName
| ulrischa wrote:
| Nice, but why over DNS? Perhaps I simply didn't get the point.
| jenoer wrote:
| For fun.
| WanderPanda wrote:
| dns clients come preinstalled on virtually any os
| anjanb wrote:
| what dns clients does one have in windows 8 or windows 10 ?
| TheNorthman wrote:
| `nslookup`
| kemotep wrote:
| `nslookup` for a command prompt utility, the `DnsClient`
| PowerShell module, and the DNS Client graphical utility.
| n_plus_1_acc wrote:
| nslookup comes with the OS
| martyvis wrote:
| Often passed through firewalls or effectively proxied through
| resolvers
| m3047 wrote:
| DNS is everywhere. It offers massive caching potential. It is
| well-understood and there are multiple, interoperating,
| implementations. It is a data diode, which is to say read-only,
| which can simplify some risk assessments related to attack
| surface.
|
| The README for this project may explain some of the general
| benefits (my project): https://github.com/m3047/rkvdns
|
| HTTP is everywhere. I think SOAP sucks, but it's everywhere and
| it works well enough. (For that matter XHR sucks, but even I
| use it occasionally.)
|
| (This is not the first time DNS Toys has shown up on Hacker
| News, there's a link in another comment.)
| Havoc wrote:
| How does this actually work? Finding it hard to believe someone
| bought domains for all combinations of those unit conversions
| maxmouchet wrote:
| It works by querying a specific DNS resolver (dns.toys):
|
| dig +short TXT mumbai.weather @dns.toys # NXDOMAIN
|
| dig +short TXT mumbai.weather @dns.toys
| "Mumbai (IN)" "30.90C (87.62F)" "45.90% hu." "clearsky_day" "15:30, Sun"
| "Mumbai (IN)" "28.10C (82.58F)" "56.00% hu." "fair_day" "17:30, Sun"
| ...
| Havoc wrote:
| I see - thanks for explaining
| jfreax wrote:
| > How does this actually work? Finding it hard to believe
| someone bought domains for all combinations of those unit
| conversions
|
| dns.toys runs a (custom) DNS resolver. The example dig commands
| are asking this resolver. They are not using your configured
| (public) resolver. The custom resolver can return whatever it
| wants depending on the request. You could also ask the resolver
| what the IP (A-record) of e.g. "google.com" is and it could
| answer with whatever it wants.
|
| Therefore, they actually just use one domain: dns.toys.
| robryk wrote:
| I'm surprised that they aren't also available in some subdomain
| of dns.toys (so that they would resolve without using a special
| name server).
| quesera wrote:
| If you used default nameservers, you'd be introducing all the
| usual DNS complications, e.g. caching.
| avidiax wrote:
| Those complications would be easily controllable using the
| TTL.
| account-5 wrote:
| Can someone ELI5 for the idiot in the thread. I know it's for fun
| but I don't get it. Also, how's it working? I'm aware it's my
| ignorance.
| input_sh wrote:
| You're essentially resolving non-existent domains through their
| custom DNS server. For example:
|
| dig 100USD-INR.fx @dns.toys
|
| Translates into "resolve 100USD-INR.fx using dns.toys as a DNS
| server". They then return TXT records containing the actual
| answer. Since .fx is a non-existent domain, they're not
| impersonating anyone, and if you switch "@dns.toys" with say
| "@8.8.8.8", it wouldn't resolve to anything.
| themoonisachees wrote:
| The DNS protocol is just text over udp. When making a DNS
| request, your system will open a socket, write "google.com" in
| it and read for a response. The server, if it is properly
| configured as a DNS server, will reply with the appropriate DNS
| record, again as text. Google.com is a cname to some subdomain
| used for load balancing, so the server will simply reply "CNAME
| blabla.google.com" and may optionally also resolve
| blabla.google.com to save you the trouble of making another
| request.
|
| The DNS protocol, defined in some RFC, says that I have to make
| a request a certain way, and that the server has to respond a
| certain way. One of these ways is that for top level domains
| that don't exist (for ex. .time is not a currently existing
| tld), the server is supposed to reply nxdomain, but in reality
| there is no technical measure stopping it from replying with
| anything it wants, such as the current time.
|
| In fact, generally speaking, the expectation that the server
| operators will not fuck you over is the only thing preventing
| public (and indeed private) DNS operators from returning you
| bogus data. This is mitigated somewhat by HTTPS, but DNS
| records themselves are infinitely fakeable with no recourse.
| NoZebra120vClip wrote:
| Your reply is riddled with errors and you don't seem to
| actually know how the DNS protocol works at all, on the wire
| or otherwise. It is, firstly, impossible for "google.com" to
| contain a CNAME record. This would violate standards, and
| it's simply not done. Query for yourself; there is no CNAME at
| that label.
|
| Your description of how queries work is not how queries work
| at all. Your entire comment is a net negative and detracts
| from the overall knowledge at Hacker News.
| jodrellblank wrote:
| > " _It is, firstly, impossible for "google.com" to contain
| a CNAME record. This would violate standards, and it's
| simply not done._"
|
| It is possible for an apex domain to contain/be a CNAME,
| and it simply is done, by many companies:
| https://serverfault.com/questions/55528/set-root-domain-reco...
| NoZebra120vClip wrote:
| This is a disingenuous claim, because many of the
| comments at the linked thread indicate that it not only
| is a breach of the RFC requirements, but is also liable
| to malfunction, so any provider/software that permits it,
| is going to have trouble supporting it.
|
| I stand by what I said: it's impossible, and is simply
| not done [by anyone who cares about adhering to standards
| or interoperability.]
| denton-scratch wrote:
| DNS is not a text protocol, it's a binary protocol.
| sethammons wrote:
| Sure, imagine a DNS server as a specialized type of web server,
| but it uses a different protocol over a different port. Just
| like you make requests to a web server using HTTP, you can
| interact with a DNS server using DNS protocols. Think of it
| like comparing how you might use telnet to simulate an HTTP or
| SMTP request; it's about communicating with a specific type of
| server over a specific set of rules. This server tends to do
| some computation before yielding its results, unlike most DNS
| records that you'd expect to be static.
| Uptrenda wrote:
| Imagine a site like news.ycombinator.com. The browser uses that
| name to lookup the IP from a specialized server. So for the
| domain it might have this saved:
|
| A IP = ...1
|
| AAAA IP = ...2
|
| Where 'a' is the type of record. But there are other types of
| records:
|
| TXT gender = 'male'
|
| So there's a few assumptions here about DNS that are normally
| true:
|
| 1. People are using DNS as a switch board to other services.
|
| 2. The values in the switchboard are normally static.
|
| With this setup they're doing something completely different
| because they're serving back changing values based on the
| domain. To do this you would need to write a custom DNS server
| (though the DNS protocol is quite simple.) The reasons this is
| a clever hack though are as follows:
|
| 1. DNS is one of the most widely used and supported protocols.
| All mainstream programming libraries support it. This includes
| numerous command-line tools already in operating system. By
| providing this as a service over DNS it provides an elegant way
| for command-line tools and libraries to access services with
| minimal dependencies.
|
| 2. It challenges the way the DNS system should be used by
| tipping the normal assumptions behind its use on its head
| (direct usage for information, dynamic content for values.)
| This makes it possible to use DNS directly as an application
| service rather than as a switch board operator for regular
| internet services.
|
| 3. DNS is so integral that a complex integration wouldn't be
| needed to add it to existing software. A DNS request is
| arguably more straightforward than a typical web API. Chances
| are this also has benefits for censorship resistance, too.
|
| All in all a clever hack.
| ricardo81 wrote:
| Somewhat related, DNS lookup for (UK) business listings - same
| idea of 'abusing' the DNS service to provide non-DNS data.
|
| https://www.num.uk/
|
| Though going by their roadmap, it may be they're no longer
| maintaining the service.
| m3047 wrote:
| Don't use the word "abuse" unless it's in the sense of "SOAP
| and XHR are an 'abuse' of HTTP".
|
| The IN (internet) class is the evolutionary "towering cedar" of
| the moment, but there were the CH (chaos) and HS (hesiod)
| classes during the cambrian period; you might review those
| projects' purposes and goals.
|
| Arguably the abuse today is in the form of things like ten
| millisecond windows for retransmission and qname minimization
| which optimize specifically for cloud-based web services
| ("happy eyeballs") at the expense of all else (and seemingly
| without awareness of e.g. buffer bloat). There's a whole world
| outside of A / AAAA resolution.
|
| It's not unheard of to see two people with pocket protectors
| having a knife fight (or at least poking at each other with
| pencils) in the hallway at an Internet confab. "RFC" stands for
| "Request For Comments" and BCPs (Best Current Practice) are
| routinely ignored.
| motopost wrote:
| Seems like we can just build light weight APIs on top of this.
| And port 53 is always open too, just like 80 and 443.
| remram wrote:
| DNS is designed for caching. You can use DNS for anything that
| is public, idempotent, and immutable (or at least, slow-changing).
| drones wrote:
| (Drawing from 1-semester CCNA course in uni) Since DNS operates
| over UDP, isn't the amount of data that can be safely transferred
| effectively bottlenecked by the smallest page size between the
| routers that reach your device? DNS is served in one chunk,
| right?
| baby_souffle wrote:
| DNS can switch to tcp for this reason
| lowpro wrote:
| Usually if a response is greater than 512 bytes the DNS server
| will renegotiate on TCP 53. Note some DNS servers might not do
| this, but every normal implementation does that I'm aware of.
| piperswe wrote:
| Historically musl libc didn't support TCP DNS, but even musl
| supports it now [1]
|
| [1]: https://www.theregister.com/2023/05/16/alpine_linux_318/
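To make the "how does this actually work" replies concrete (a custom server that computes a TXT answer from the query name and returns NXDOMAIN for anything else), to show that DNS is a binary wire format rather than text, and to show the 512-byte UDP limit and the TC bit that sends a client to TCP, here is an added example; it is not dns.toys' code and it assumes its own toy names (an "ip" toy mirroring the myip trick) and a constructed client address.

```python
import struct

TXT, IN, NXDOMAIN, UDP_LIMIT = 16, 1, 3, 512  # 512 = classic UDP payload limit without EDNS0
# Toys keyed by the query's last label ("ip" for `dig ip @dns.toys`). Assumed names for
# this demo, not dns.toys' real list; "ip" is the myip trick: the answer depends on the caller.
HANDLERS = {"ip": lambda qname, client_ip: [client_ip]}

def encode_name(name):  # 'a.b.c' -> length-prefixed labels ending in a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(data, off):  # uncompressed labels at off -> (name, offset past terminator)
    labels = []
    while data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode())
        off += 1 + data[off]
    return ".".join(labels), off + 1

def build_query(qname, qtype=TXT, txid=0x1234):
    # header: id, flags (RD=1), QDCOUNT=1, AN/NS/ARCOUNT=0; then the single question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, IN)

def respond(query, client_ip, handlers=HANDLERS):
    """Answer one query: a computed TXT record for a known toy, otherwise NXDOMAIN."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    qtype, question = struct.unpack("!H", query[off:off + 2])[0], query[12:off + 4]
    toy, answer = handlers.get(qname.rsplit(".", 1)[-1]), b""
    rcode = 0 if toy else NXDOMAIN  # known name but non-TXT type: NOERROR with no answer
    if qtype == TXT and toy:
        # TXT rdata is a run of <len><bytes> strings, each at most 255 bytes
        rdata = b"".join(bytes([len(s)]) + s for s in (t.encode()[:255] for t in toy(qname, client_ip)))
        # 0xC00C: pointer to the question name at offset 12; TTL 0: never cache a computed answer
        answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 0, len(rdata)) + rdata
    flags = 0x8180 | rcode  # QR=1 (response), RD=1, RA=1
    packet = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0) + question + answer
    if len(packet) > UDP_LIMIT:  # too big for plain UDP: set TC so the client retries over TCP
        packet = struct.pack("!HHHHHH", txid, flags | 0x0200, 1, 0, 0, 0) + question
    return packet

def parse_response(packet):
    """Return (rcode, truncated, txt strings) for a response built by respond()."""
    flags, _, ancount = struct.unpack("!HHH", packet[2:8])
    off, strings = decode_name(packet, 12)[1] + 4, []  # skip question name, type, class
    for _ in range(ancount):  # answer = 2-byte name pointer, type, class, ttl, rdlength, rdata
        rdlen = struct.unpack("!H", packet[off + 10:off + 12])[0]
        rdata, off = packet[off + 12:off + 12 + rdlen], off + 12 + rdlen
        while rdata:  # split rdata back into its character-strings
            strings.append(rdata[1:1 + rdata[0]].decode())
            rdata = rdata[1 + rdata[0]:]
    return flags & 0x000F, bool(flags & 0x0200), strings
```

A real server would wrap respond() in a UDP socket on port 53 and answer the same query over TCP when the client comes back after seeing TC set.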
| johnhenry wrote:
| I'm a big fan of Julia Evans[1] who's made a number of useful
| toys including ones for DNS here[2] and here[3].
|
| - [1] https://jvns.ca/
|
| - [2] https://dns-lookup.jvns.ca/
|
| - [3] https://messwithdns.net/
| rochak wrote:
| Thanks for sharing these absolute gems!
| mejthemage wrote:
| I didn't know you could specify a DNS server with a name. So does
| dig first look up that name using whatever DNS server is normally
| configured to determine where the intended DNS server is?
|
| NextDNS gives you a name that you can put in certain UIs (like
| "Private DNS" in Android) -- I always assumed there was just
| something special about those.
| wutwutwat wrote:
| This is my goto these days https://addr.tools/
|
| https://dnscheck.tools/
|
| https://myip.addr.tools/help
| urbandw311er wrote:
| The premise is kinda neat but it probably doesn't need to do all
| this stuff just to provide the proof of concept that you can
| remotely execute a script somewhere via DNS.
___________________________________________________________________
(page generated 2024-01-07 23:01 UTC)