Mess with DNS(jvns.ca) |
Mess with DNS(jvns.ca) |
It's work like this (Mess with DNS). This is the stuff. Revealing, experimenting, inviting people in. Tech that illuminates & shows off, that is there to explain & help create understanding. This is the stuff, this is what keeps humanity powerful & competent & connected. Tech does a lot for us, but when it helps us become better wiser more creative people, when it reveals itself & the world: that holds a very dear place in my heart, is the light & heat in a vast cold and dark universe. I love this project. It's a capital example of revelatory technology, of enlightening technology.
The strength of humanity is teamwork, working together to build things other groups can build things upon. Abandon 100 random humans in the same jungle and they will build a town.
This is why I don't trust anybody who tries to tell me that human population growth is an actual problem and not just our rulers' fear of irrelevance.
Not arguing, just questions that came into my mind.
https://en.wikipedia.org/wiki/Lord_of_the_Flies
I'm not sure -- but I do think it would be interesting how that would turn out. Australia would founded in this sort of fashion. I think there's a bit more nuance though.
Teamwork is still the work of many individuals, and I think a person's upbringing & disposition & the capabilities they've developed are hugely influential on what kinds of teams are possible in the world. The world of computing today gives users interesting capabilities, but only shallowly, only on the surface; it denies us the view below, denies us the freedom to see, understand & explore, and humanity always being so yolked restrains human growth, restricts what I see as one of our key better nature from getting a chance to come out & thrive.
Sure, we are not going to all learn how to build apartment buildings; we will take much for granted. But many people do learn some home repair, or try their hand at fixing appliances. Sometimes just to save some money, but sometimes because it's interesting, & because there's videos showing them how to, because they can. But computer/information tech, in my view, has created a highly resistant unrepairable unviewable digitalia that is anathematic to this basic human engagement with the world about us. It is not just a built environment, but a built environment which resists real understanding, which prevents human empowerment.
Creating an accessible world, one where human's have a strong locus of control, where they have flexibility & options to experiment, to play, to try, to explore is absolutely capital to me. Humanity loses who humanity was when/if we view the world as prebuilt, as a creation of some wider us, that we are but tiny figures upon. Yes there are many things that we have to rely on groups for, but that ability to learn about the world, to understand it, to investigate & understand & experiment in the pieces of it we so choose- that spirit is the lifeblood of this planet, and it's that attitude & disposition that produces highly functional teams & groups. Which is something we will, best I can tell, always need.
To speak to technology & it's revelatory potential, to put it in scope here, I think it's important to review Ursala Franklin's dichotomy of technology. She divides tech into work & control related, work that helps individuals do things, control that regulates systems. Going further, she divides tech into holistic & prescriptive techologies- prescriptive technologies which break down work into fixed, predictable, deliberate steps & processes, and holistic technologies, which amplify the capabilities & prowess of the tool-bearer. There's a lot of tech on this planet, but even "creative" tech like a photo-sharing sight is mechanistic in nature, follows limited & fixed flows, & affords only superficial control to it's users. Where-as tech like Mess with DNS amplifiers human understanding, gives us the power to explore & test out what is possible, lets us set our own rules. This world is in need of techno-spiritual healing- computers are widely used but rebuff understanding, they have become overwhelming elements of control rather than empowerment. I look forward eagerly to a shift, to revelatory technology that abides different ends, that seeks a holism. Mess with DNS is "just" a little playground for some tech, hardly an attractive application on it's own, but I believe that individuals everywhere would be much better off- that teams would be much richer as a result- if tech worked to open up the engine-bay & allow some monkeying around.
And I think that makes all the difference. I tend to believe very strongly in hands on experience, think that seeing things happen yourself & getting to play is by far the best way to learn, just incredibly surpassing.
There's a theory of education called Constructivism[1] that is broadly similar. Adherents include folks like Seymore Papert[2], creator of Logo, employee at One Laptop Per Child (which I think is the most interesting & innovative software environment we've ever created, vastly under-appreciated). Projects like Logo are supposed to create that hands on feedback, to make programming not just writing scripts & having programs run, but ways to see the code really execute, to create more interactive modes.
With software eating the world, it is so so so important to me not just to create knowledge, to tell tales of what software is, but to let people have the experience themselves. To create playgrounds to meddle, to mess around. I wish so much that applications could actually show & explain what they are doing, what's inside of them, could reveal their workings, but we're so far away from that Enlightened world, we've fallen into such deep shadows imo.
(Side note, I see things very differently, but I also am disappointed folks would downvote your perspective like this. As for the lack of knowledge/experience, I'd say that most engineers don't have familiarity because there's not a lot of opportunities to set up & learn systems work; most coders spend their time coding, not setting up bits of infrastructure to run code on. You yourself also say "writing the code is the easiest part", which underscores just how complex/inter-related/particular all the systems/infrastructure stuff is, how probable it is engineers might not feel fully competent or brave enough to engage.)
[1] https://en.wikipedia.org/wiki/Constructivism_(philosophy_of_...
$ dig @50.0.1.1 nelson.lily6.messwithdns.com a
Results in two queries being answered by the messwithdns server. One for nelson.lily6.messwithdns.com as expected, but also one for _.lily6.messwithdns.com.
Any guesses what that naked underscore query is for? Not every nameserver does it (Cloudflare, Google, Quad9, and Adguard all don't). But Sonic isn't the only one that does.
I've asked on Twitter and the best guess right now is it has something to do with RFC2782 or RFC 8552. But those are about using _ to make unique tokens that aren't likely domain names, things like _tcp or _udp. What would a naked _ mean?
But I wish a service existed that made domain names easy enough to use that the average person could manage them. IMO you shouldn't have to learn DNS and TLS in order to securely use a domain name. If I want to sign up to have Fastmail host my email, why do I have to manually copy and paste a bunch of DNS records? Fastmail already knows exactly what records need to be set. I should be able to OAuth redirect over to my domain registrar and approve giving Fastmail control over a subdomain of my choosing, and Fastmail should be able to use a simple open protocol to update the records.
It's obviously not as hassle-free than something like your oauth example, but it's using the infrastructure that is already there.
This is a real risk. When people start adding CNAME's or A's that point to known phishing sites, it's very easy for Google to notice and block.
I would imagine they might also show warnings in Chrome.
Real answer: many ISP’s DNS servers are set to ignore whatever you set and use a value they feel works best for themselves.
https://blog.benjojo.co.uk/post/dns-filesystem-true-cloud-st...
dig 'a test.hazel10.messwithdns.com' txt +short
"test"
If the owner of the site contacts me I'm happy to discuss...It's interesting to see how different DNS providers cap the maximum TTL.
Google uses 21600s
Quad9 uses 43200s
Cloudflare does not cap at all!
And my personal unbound uses 86400s (which is the default)
Its out there on my GitHub if folk are interested. Ironically 53 comments just before I added this comment...
Maybe, just maybe, it is an omen? ;-)
A month ago, I scripted https://github.com/moretea/browsers-with-fake-dns as an alternative to editing /etc/hosts. It's a docker container with a BIND DNS server, and chrome/Firefox reachable via webvnc
I do hope the author has set some limits on the DNS configuration you can freely enter. One annoying trick DDoS spammers will use is that they will set up DNS records that are as large as possible to use for their botnet's amplification attack, so allowing them arbitrarily large requests on your domain may be problematic and may cause nasty complaints against your domain. I'd recommend anyone running a free subdomain service (or something super cool like this!) to consider this in their configuration. We can't have nice things because of these bad people :(
I've seen jvns take a similar path to me in engineering over the years, almost uncannily. The difference mostly is that I stored it all in my head, and they take the time to write it up for everyone.
Same with DNS. DNS is such a freakin black box, mostly because outside of RFCs, it's some good ol boys club of 'consultants' that don't want to share information. You should see the mailing lists, it's a giant pissing contest.
Back on point, I always wanted to distill this information down to make it for everyone, but always hit some small hurdle like... making a website about it.
That Julia takes the time to do this and share this is invaluable. It's like a better version of me exists out there, and I'm happy for it.
It's impressive to get technical stuff to be this friendly.
Allowing to experiment quickly on infras/devops knowledge is the key and tools like Ansible are useless for that.
I wrote the draft algorithm that appears in appendix A of the first experimental RFC describing qname minimization https://datatracker.ietf.org/doc/html/rfc7816#appendix-A
I wrote it because I wanted more specific advice about how qname minimization should work, and I deliberately aimed it at an ideal world, ignoring obvious interoperability problems. I hoped that this would provoke discussion and get people working towards a more realistic algorithm. But that did not happen until years later.
So the early implementations of qname minimization had to invent their own ways of working around the inevitable interop problems, and some of those solutions were quite creative.
I think the bare _ version is trying to avoid querying delegation points directly, so that it still gets a referral as it would have done using the full qname. And the _ also avoids problems with negative responses, which are often implemented very badly - it is common to make a mess of the distinction between NXDOMAIN and NODATA.
Does QNAME minimization try to prevent the scenario where a malicious party has setup a DNS tracker that responds with the same A/AAAA entries for a specific subdomain in the sense that e.g. "session-id.actualserver.company.tld" results in the same entries as "actualserver.company.tld"?
How would a client detect this before actually resolving it? I mean, if TTL is 0, no client will cache the results and therefore the minimization aspects are kind of irrelevant because the client has to resolve all over again, right?
I think I am having questions about the logical conditions "when" a client tries to resolve "_" before resolving the actual domain, which I am assuming is what the draft proposed...because to me this scenario would have the requirement that the very same party also has ownership of the HTML/actual links in the code, so I don't understand what it's trying to prevent because the same party could just read their apache logs to gain better datasets.
Maybe I'm missing something here?
https://www.isc.org/blogs/qname-minimization-and-privacy/
https://bind9.readthedocs.io/en/latest/reference.html (look for qname)
(I work at Sonic)
In DNS, the recursive resolver sends the entire FQDN each time to every step.
Now realize, like every company, DNS operators want to collect and sell your data.
So imagine a 'bigsite.com' that does a lot of things. And you like, say porn.bigsite.com. Without this minimization, everyone from the root to verisign to bigsite knows what you queried for.
It's probably a good idea for the author to add this project to the list.
If you don't trust across separator boundaries you're mostly safe. That is, mytxt.foo.com shouldn't be blindly trusted for my.subdomain.foo.com nor mytxt.subdomain.foo.com shouldn't be trusted for foo.com.
IMO the biggest concern is with organizations that blacklist domains for various reasons, because they are not eager to just build very fine-grained blacklists.
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Au...
Now, there are a bunch of things you could do about that, and I believe this cool toy does one of the obvious ones: Don't have any certificates for the problematic domain. The web site isn't in the domain you can mess with. But it would be nice if Let's Encrypt got to this, periodically I check so far each time somebody has pestered them for RFC 8657 recently, so I don't pile on since that's unhelpful.
Even non-random groups like your coworkers or immediate neighbors can have unexpected skills that will make you feel dumb.
Oh absolutely! I don't mean to diminish this. The ability to interact and play also works very well for my own learning.
> There's a theory of education called Constructivism[1] that is broadly similar. Adherents include folks like Seymore Papert[2], creator of Logo, employee at One Laptop Per Child (which I think is the most interesting & innovative software environment we've ever created, vastly under-appreciated). Projects like Logo are supposed to create that hands on feedback, to make programming not just writing scripts & having programs run, but ways to see the code really execute, to create more interactive modes.
+100
> With software eating the world, it is so so so important to me not just to create knowledge, to tell tales of what software is, but to let people have the experience themselves. To create playgrounds to meddle, to mess around. I wish so much that applications could actually show & explain what they are doing, what's inside of them, could reveal their workings, but we're so far away from that Enlightened world, we've fallen into such deep shadows imo.
You bring up a good point overall about the lack of interactive materials for engineers/students/interested folks. I also suggest opening up any cloud provider (cheap for playing around is probably better!) and trying these things with services like Traefik (which are easy to configure/play with). Try to do some multi-region failover stuff, observe what happens with different load balancing strategies, that sort of thing. It reminds me a lot of watching videos about setting up IP networks, stuff like Cisco certification material.
You've given me some food for thought on educational materials for sure.
> As for the lack of knowledge/experience, I'd say that most engineers don't have familiarity because there's not a lot of opportunities to set up & learn systems work; most coders spend their time coding, not setting up bits of infrastructure to run code on. You yourself also say "writing the code is the easiest part", which underscores just how complex/inter-related/particular all the systems/infrastructure stuff is, how probable it is engineers might not feel fully competent or brave enough to engage.
Yeah this stuff isn't easy and operational work is often a different skillset than writing code.
* the ability of collaborating groups of humans to achieve/produce scales super-linearly with the number of humans[1]
* the growth of human population is causing problems, and is likely to cause more problems in the future
One reason is the scarcity of resources[2]; another is that "humanity" as a whole is not collaborating with all of itself.
[1] actually, I don't even think this is true, beyond some limit - but it's true for small groups
[2] which could be mitigated somewhat by fairer allocation of resources, or by process changes to focus more on fundamental needs; but, still the fact remains that the resources that we have access to on Planet Earth are limited, and access to extraterrestrial resources are extremely expensive
Seems to me any other system is open to being gamed. Sure there are people born into generational wealth. But those are like one in a million and generational wealth doesn't typically last more than a handful of generations as the number of descendants grows exponentially.
https://www.domainconnect.org/
Don't you hate it when you have a good idea and someone already did it, but also love it because it's validation of your good idea?
[1] https://www.godaddy.com/engineering/2019/04/25/domain-connec...
[2] https://dash.cloudflare.com/domainconnect/v2/domainTemplates...
And yeah I hear what you're saying about ideas haha.
You can switch it off, but you probably shouldn't, even if you're sure you would spot a phishing scam, actually maybe even especially if you're sure you would spot the scam.
The service is capable of being quite nuanced since it works on (hashes of) HTTP path segments, so e.g. it can say OK this site https://some.example/ seems fine except the /cgi-bin/crapscript.php/fake-bank/ pages are clearly a fake bank, and so if your browser tries to visit those pages it gets flagged. But equally it can say OK, everything in bogus.example is bogus, fakebank.bogus.example, harrods.bogus.example, www.news.bogus.examples, it's all bogus, warn for all of it.
You can't get the actual list, because if you could of course that mostly helps bad guys. Your browser does a bunch of hash lookups, and it has a fancy tree structure, so it can rule out e.g. OK everything starting FE43 is fine, everything in FD9 is fine etc. If that tree can't rule out a hash it calls Google, who have much finer grained hash data that wouldn't fit in your browser. Also periodically the browser fetches delta updates to the tree from Google.
You really should disable it because Google cannot be allowed to be the gatekeeper of the internet. The list contains tons of non-malicious URLs [0] and Google has absolutely no incentive to remove them. And even if you haunt them enough to do so the same broken process that added it in the first place will just add it again. Any browser that enables this list by default is actively making the web a worse place an engaging in mass-defamation.
[0] Example: dgVoodoo2 downloads from http://dege.freeweb.hu/dgVoodoo2/
> It does NOT contain any malware. Use a browser that is free of Google Shit Browsing security service crap (which is based on tons of noname antivirus "engines", look at VirusTotal if interested).
The scenario is that you want to resolve alice.example.com but you don't want the root servers or the .com servers to know any more information than they need to.
Historically you would send the whole query to all servers. Even the root servers would see the entire fully-qualified domain name (alice.example.com) even though all they're going to do is refer you to the .com servers. With QNAME minimization the root servers only know that you want something under .com and the .com servers only know you want something under .example.com and so on.
Now suppose the root servers don't do any kind of encryption but example.com supports DNSCurve or some other opportunistic encryption and so do you. Your ISP used to see the query going to the root servers or the .com servers and know the FQDN even if the query to example.com was encrypted. Now they don't.
Likewise, if someone is sitting on the root servers watching all the queries from everyone, they used to see FQDNs, now they only see top level domains.
I didn't have in mind that an ISP could have their own map of all zones where they simply map observed specific DNS traffic to the zones themselves because they know which server is responsible as well.
Thanks for the explanation! :)
In practice your recursive resolver either is your ISP (in which case this helps nothing) or is outside of your ISP (and your ISP can't see its queries). The only realistic privacy leaks that is addresses is leaking subdomains to the root servers and other delegating servers higher up the chain an their network operators.