#dns

Replied in thread

@drscriptt granted, we all want 203.0.113.1¹ to have #SSL / #TLS (even if it's just @letsencrypt ) work rather than not work or have no #encryption.

  • That is not up for debate!

I just think that this will reward previously standards-violating behaviours when e.g. Xavier Sample Solutions don't get nudged to use e.g. api.solutions.example² but can just use their IP addresses.

¹ Example as per RFC5737
² Example as per RFC2606

Replied in thread

@drscriptt Naive question: WHEN does the average #Internet #user ever open up a webpage with an #IP address instead of a #domain or even #FQDN?

  • Seriously, the only cases I saw were either some old, non-public-facing server in some B2B/API setting, or a test that #httpd / #nginx / #ssh / … function properly on, like, a #VPS where the #DNS hasn't been updated (yet!) to include said host / FQDN in the records. And even then it's bad, cuz you'd rather want to use its FQDN instead: with #IPv4 shortages on one hand and tools like #Portainer on the other, one should not use an #IPaddress as the addressing method, because #WAF / #Proxies used to "#MUX" / "#NAT" services under one IP address or #IPv6 block may need that distinction by being queried for a specific FQDN...

The idea of #SSL / #TLS for #IPaddresses makes me feel like Jeff Goldblum!

DNS Esoterica - Why you can't dig Switzerland

shkspr.mobi/blog/2022/07/dns-e

As part of my new job, I'm learning a lot more about the mysteries of the Domain Name System than I thought possible.

The humble unix dig command allows you to query all sorts of DNS information. For example, to see the name server records for the BBC website, you can run:

dig bbc.co.uk NS

Which will get you:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35614
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 17

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 097db2ee4c92b84982083ecf62b5b5f2007906e616035113 (good)
;; QUESTION SECTION:
;bbc.co.uk.         IN  NS

;; ANSWER SECTION:
bbc.co.uk.      900 IN  NS  ddns1.bbc.com.
bbc.co.uk.      900 IN  NS  dns0.bbc.co.uk.
bbc.co.uk.      900 IN  NS  ddns1.bbc.co.uk.
...

And a whole lot more. But you can go further down the DNS tree. What are the nameservers for .co.uk?

dig co.uk NS

And you'll get your answer. You can go one further and see the nameservers for the Top Level Domain:

dig uk NS

Which replies with:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54061
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 17

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 880427eda8ff71de2ab4f43862b5b65f95e317d29cc10a8e (good)
;; QUESTION SECTION:
;uk.                IN  NS

;; ANSWER SECTION:
uk.         159692  IN  NS  nsc.nic.uk.
uk.         159692  IN  NS  dns1.nic.uk.
uk.         159692  IN  NS  nsd.nic.uk.
...

And that works with every TLD. Countries like de, generic names like museum, and internationalised domains like 在线. All of them work!

Except Switzerland.

Switzerland's country code is ch - after the name Confoederatio Helvetica. Let's run the dig on it:

dig ch NS

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 31910
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

We have been refused and warned. But why does this only happen with Switzerland?

The blame - as with most modern ills - lies in the mid-1970s. The Bee Gees were storming the charts with "Jive Talkin'", the Rocky Horror Picture Show was gathering a cult following, and MIT scientists were causing chaos. Literally.

Chaosnet was an early network protocol designed for local networks. It was technically very clever but, sadly, never really took off.

However, it found its way into DNS records. Let's go back to the answer to dig bbc.co.uk NS:

;; ANSWER SECTION:
bbc.co.uk.      900 IN  NS  ddns1.bbc.com.

OK, the first part is the domain name. The number is the TTL. The IN is the class. The NS says this is a nameserver record. And, finally, we get the domain of the nameserver.

But, in the class, what does IN stand for?

"Internet", obviously. Wait... Isn't the DNS on the Internet? Why do we need to specify that these DNS records are for the Internet?

Well, isn't it obvious? Because you might want records of a different network. Like, for example, Chaosnet.

And if Internet is abbreviated to IN, what is Chaosnet shortened to? That's right! CH.

So, dig sees you enter ch for Switzerland, but thinks you're asking about CH for Chaosnet. And so it fails.

In order to query the records for ch we need to provide an absolutely fully-qualified domain name. It's as simple as sticking a dot at the end of the domain name:

dig ch. NS

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64932
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e19b9c23cdfa0f7bcf82750462b5c16b47744386c7974ffb (good)
;; QUESTION SECTION:
;ch.                IN  NS

;; ANSWER SECTION:
ch.         164894  IN  NS  e.nic.ch.
ch.         164894  IN  NS  a.nic.ch.
ch.         164894  IN  NS  f.nic.ch.

And there we go. A failed 1970s experiment like bell-bottoms and Betamax videos - but with much longer lasting consequences.

You can see some real CH class records by running something like:

dig ch txt @f.root-servers.net version.bind

That will get you something like:

;; ANSWER SECTION:
version.bind.       86400   CH  TXT "cloudflare-f-root-20190930"

Of course, DNS doesn't only have IN and CH class records.

There's also Hesiod - HS. But you already knew that, right...?
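To make the "ch versus CH" mix-up concrete, here is an added example (my code, not Terence Eden's or ISC's): a simplified model of how dig sorts its arguments into server, class, type and name, and how the chosen class then lands in the QCLASS field of the DNS question on the wire. The class and type tables are a constructed subset of the RFC 1035 mnemonics, and the argument ordering (type tried before class, anything else a name) is an assumption that reproduces the behaviour the post describes; real dig accepts far more options.

```python
"""Added example, not from the blog post: model dig's argument classification
and the wire encoding of the resulting DNS question (QNAME, QTYPE, QCLASS)."""
import struct

# Wire codes from RFC 1035 (constructed subset for this example).
CLASSES = {"IN": 1, "CH": 3, "HS": 4, "ANY": 255}
TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12,
         "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}


def classify_args(args):
    """Return (server, name, rtype, rclass) for a dig-style argument list.

    Assumed rule: a token is tried as a type mnemonic first, then as a class
    mnemonic, and only then taken as a query name. That is why a bare "ch"
    becomes the Chaosnet class rather than the Swiss TLD, while "ch." matches
    no mnemonic (none contains a dot) and is treated as a domain name.
    """
    server = name = rtype = rclass = None
    for tok in args:
        if tok.startswith("@"):          # @server selects the resolver to ask
            server = tok[1:]
            continue
        upper = tok.upper()
        if upper in TYPES and rtype is None:
            rtype = upper
        elif upper in CLASSES and rclass is None:
            rclass = upper
        else:                            # everything else is the query name
            name = tok
    # dig's defaults: the root name, type A, class IN
    return server, name or ".", rtype or "A", rclass or "IN"


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_question(name, rtype, rclass):
    """Build the QNAME/QTYPE/QCLASS bytes of a DNS question section."""
    return encode_name(name) + struct.pack("!HH", TYPES[rtype], CLASSES[rclass])


def explain(args):
    """Show what a command line resolves to and the question it would send."""
    server, name, rtype, rclass = classify_args(args)
    question = build_question(name, rtype, rclass)
    return {"server": server, "name": name, "type": rtype,
            "class": rclass, "question_hex": question.hex()}


if __name__ == "__main__":
    # The three command lines from the post: refused, working, and a real CH query.
    for argv in (["ch", "NS"], ["ch.", "NS"],
                 ["ch", "txt", "@f.root-servers.net", "version.bind"]):
        print("dig " + " ".join(argv), "->", explain(argv))
```

Running it shows that `dig ch NS` ends up asking for the root name (`.`) with QCLASS 3, which is the Chaosnet query a normal recursive resolver refuses, whereas `dig ch. NS` asks for the name `ch` with QCLASS 1 (IN) and `dig ch txt @f.root-servers.net version.bind` asks for `version.bind` with type TXT in class CH, exactly the record the post prints.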


My mother's #Windows 10 PC has the #problem that only about 50% of all #DNS resolutions succeed.

It doesn't matter which application makes the request.
Whether it's Windows itself, a browser or "nslookup" in cmd.

No matter which DNS server I configure: the FritzBox via DHCP, set by hand, or an alternative internal or external DNS server.

The system check via dism.exe finds no errors.

What is going on?!

I'm completely at a loss.

Ideas?

Is upgrading to Win11 an option?

Could it be that the "alternative" #DNS server that can be configured in #Windows is not actually an alternative (i.e. only used when the primary fails), but that both are queried in a more or less random fashion?

I currently have a case here that suggests exactly that...

Is Windows really like that?

#PiHole #DNS #Filter blocks #Discord email verification - what the heck, man!?!

What else do they use clickDOTdiscordDOTcom for?

edit: well, technically that'd be on ME (not on PiHole); i've chosen the filter lists. I mightn't've chosen wisely enough. Over-blocking is totally a thing to be aware of! 😅

edit2: sometimes, other people know more than me - i'll un-whitelist this subdomain - it didn't benefit me

🛰️ Tired of Google knowing even when you visit your ex's website?

Try RocksDNS, the public DNS that doesn't sell your data or judge you for your late-night searches.

Zero logs (promised)
Encrypted to the hilt (DoH, DoT, DoQ)
Servers in Spain and Germany
Faster than your Monday excuse
99.99% uptime (better than my motivation)
Approved by demanding raccoons :Racoon_Fingerguns_cool:

rocksdns.ovh

Because your privacy shouldn't be the product.


this #PerfektBlue thing is pretty wild:

and you know i get super excited when #DNS is involved:

> "Establishing a command-and-control (C2) channel over DNS allowed us to maintain a covert, persistent link with the vehicle, enabling full remote control. By compromising an independent communication CPU, we could interface directly with the CAN bus, which governs critical body elements, including mirrors, wipers, door locks, and even the steering."

thehackernews.com/2025/07/perf

The Hacker News: PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution. Researchers uncover PerfektBlue flaws in OpenSynergy’s BlueSDK, exposing millions of vehicles to remote code execution.