We're excited to release NSD 4.8.0. Our authoritative #DNS server now features the PROXY protocol, which was graciously sponsored by the Swedish NREN, Sunet. 🙌🇸🇪 https://nlnetlabs.nl/news/2023/Dec/06/nsd-4.8.0-released/
PowerDNS Recursor 5.0.0-rc1 Released
https://blog.powerdns.com/2023/12/06/powerdns-recursor-5-0-0-rc1-released #dns #dnssec
Sharing an interesting message from our QA Manager about a site deployment erroneously flagged as malicious and how to fix it
#devops #deployment #dns #webdev
after spending a good week moving my #freebsd cloud install over to a more modern #linux cloud install, with all my services and web hosting, naturally today I decided my cloud host sucks and moved over to #hetzner
because I haven't fucked with #DNS enough in the last two weeks, obviously
at least I'm saving some money
I've successfully set up [Mox](https://github.com/mjl-/mox) by Mechiel Lukkien as my new mail server. It handles SMTP, IMAP, SPF, DKIM, and DMARC. It has a built-in spam filter, a web interface, webmail, autoconfiguration and it can show a checklist of whether your DNS is set up correctly or not. All in a single binary! Pretty cool stuff. I'm planning to test various other solutions and document it on my blog soon.
#Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit the amount of data exchanged with authoritative servers. These standards do not only improve privacy but also help making the DNS more robust. The most important are Query Name Minimisation, the Aggressive Use of DNSSEC-Validated Cache and support for authority zones, which can be used to load a copy of the root zone.
Automation is key!
There's a saying that IT professionals tend to be lazier than others - and maybe there's some truth to it. But is it really a bad character trait? Not necessarily.
Lazy developers and admins automate. They don't repeat the same set of tasks over and over again, but instead come up with an idea to make their lives easier and more convenient ;-)
As even ZERO GmbH is not safe from lazy developers, we have automated some processes in our IT - including the setup of various software components for our #AMPS nodes and the associated IT infrastructure, such as #VPN and #DNS setup.
This saves us a huge amount of time. A quarter of an hour of manual labour can become a few seconds of waiting time and we have time for more interesting tasks :-)
We mainly use the Ansible configuration tool, which we like because it works without an additional daemon on the target and via a simple SSH interface.
We've set up an internal DNS server that resolves their serial number-based FQDN and returns the corresponding VPN IP address. Thus it's easy to find the correct VPN and IP address to start maintenance or troubleshooting :-)
Our requirements on a DNS server are quite low. We could have picked THE ONE, the only, the almighty Bind DNS server - but instead we tried something different:
Yadifa is a less-known DNS server implementation by EURid - the nonprofit organization that powers the .eu top level domain!
We were surprised by the simplicity of Yadifa and had our DNS server up and running in minutes! If you're looking for an easy-to-configure DNS server, check it out.
The .ing and .meme #domains have their sunrise registration phase ending in about 90 minutes and enter general availability. Get 'em while they're hot!
Configuring CoreDNS is easy, but managing more than one or two zones quickly becomes cumbersome 😓. DNSimple’s CoreDNS integration makes managing zones simple 💪. Once the CoreDNS plugin is installed and connected 🔌 to DNSimple, zone managers can use the DNSimple UI or API to add, edit, and remove #DNS records, including custom DNS records and functionalities, like regional, #ALIAS, #POOL, and #URL records from their #CoreDNS zones. Learn more 👉 👉 https://blog.dnsimple.com/2023/08/coredns-integrated-provider/?utm_source=mastodon&utm_medium=social&utm_campaign=coredns
Cloudflare Applauds Court for Rejecting DNS Piracy Blocking Order
New little test service for fans of #RFC 9460 (#DNS SVCB and HTTPS RRs): Go to https://svcbtest.amsuess.com/ to see whether your browser uses the ports indicated in DNS.
So far it seems like Firefox only uses it when DoH is enabled (no matter whether the network.dns.force_use_https_rr flag is set in about:config or not); I didn't get Chromium to use it yet.
… but for probably 99.9% of Internet users, this is serious “eyes glaze over” territory. 😃
Some of our folks are giving a technical webinar December 13th on SMS Cybercrime -- a DNS perspective. They will cover the malicious link shortener Prolific Puma and how we discovered it, what we see from an MFA phishing perspective, and look at what DNS actors doing all that USPS phishing look like. #dns #cybersecurity #infosec #phishing #prolificpuma #sms #malware #cybercrime #infoblox https://www.infoblox.com/registration-sms-cybercrime-a-dns-perspective/
At ARN, we like @lacontrevoie, who have produced lots of great things:
- an open #DNS resolver that supports #DoH https://lacontrevoie.fr/services/doh/
- #conferences https://lacontrevoie.fr/activites/conferences/
- technical documentation for the other @ChatonsOrg https://docs.lacontrevoie.fr
Today, this association has just published its roadmap and is only waiting for your donations to help it stay on course.
I'm making a donation and placing my star in the constellation:
* DNS at IETF 118 https://www.potaroo.net/ispcol/2023-11/dns-ietf118.html
* Renaming the DNS root https://www.sidnlabs.nl/en/news-and-blogs/renaming-the-dns-root-opportunities-pitfalls-and-a-testbed
* Linux hardening guide https://madaidans-insecurities.github.io/guides/linux-hardening.html
* NAT side-channel threats https://arxiv.org/abs/2311.17392
* F-ROOT Southeast Asia performance https://arxiv.org/abs/2311.16545
Thanks to @feistyduck Bulletproof TLS Newsletter I learned the `.et` #ccTLD publishes #CAA records in the #DNS, alone among all TLDs. With at least one error (using the `wildcard` property for one instead of `issuewild`) and 0 TTL values. Because of "climb to the root", it impacts transitively any domains under `.et`. I kept this for posterity at https://dnsviz.net/d/et/ZWqfLg/dnssec/ as it should be a fluke that will disappear (seems APNIC in May searched and found 0 TLDs doing that: https://blog.apnic.net/2023/06/28/whose-certificate-is-it-anyway/)
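As an added illustration (not code from the post or from dnsviz), here is the RFC 8659 "climb to the root" CAA lookup run over constructed zone data that mirrors the situation described: the TLD's records govern every name beneath it, the misspelled property is reported together with the effect its critical flag would have on a CA, and the TTL 0 records are flagged. `example-ca.test` is a placeholder issuer.

```python
# Constructed sample zone data: owner -> [(flags, tag, value, ttl)]. It mirrors the post:
# the TLD publishes CAA (with a misspelled property and TTL 0), names below it do not.
CAA_DB = {
    "et.": [(0, "issue", "example-ca.test", 0), (0, "wildcard", "example-ca.test", 0)],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # property tags defined by RFC 8659
CRITICAL = 128                                  # issuer-critical flag bit

def parents(fqdn):
    """Yield fqdn, then each ancestor up to the TLD (the root zone carries no CAA)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."

def relevant_caa(fqdn, db):
    """RFC 8659 section 3: the first non-empty CAA RRset found while climbing to the root."""
    for owner in parents(fqdn):
        if db.get(owner):
            return owner, db[owner]
    return None, []          # no CAA anywhere in the chain: any CA may issue

def effective_policy(rrset):
    """Issuers permitted for ordinary and for wildcard certificates."""
    issue = [v for _, t, v, _ in rrset if t == "issue"]
    issuewild = [v for _, t, v, _ in rrset if t == "issuewild"]
    return {"issue": issue, "issuewild": issuewild or issue}   # issuewild falls back to issue

def audit(fqdn, db):
    """Report the CAA RRset that governs fqdn and anything its zone operator should fix."""
    owner, rrset = relevant_caa(fqdn, db)
    findings = []
    for flags, tag, _, ttl in rrset:
        if tag not in KNOWN_TAGS:
            effect = "CA must refuse to issue" if flags & CRITICAL else "CA silently ignores it"
            findings.append(f"{owner}: unknown property '{tag}' ({effect})")
        if ttl == 0:
            findings.append(f"{owner}: TTL 0 on '{tag}' record, resolvers will not cache it")
    return {"owner": owner, "policy": effective_policy(rrset), "findings": findings}
```

Because the misspelled `wildcard` property carries flag 0, a CA ignores it and wildcard issuance silently falls back to the `issue` set; had the critical bit been set, issuance for every `.et` name would have been refused instead.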
I've updated my @nlnetlabs #unbound #docker image and build environments to #alpine #linux 3.18.5 and optimized the #openssl and image #dockerfiles a bit. The size got reduced, too. The version is 1.19.0-2 now.
It's almost the image's second anniversary, btw! 🥳
Google wants you to bring the laughs with its new .meme domain | TechRadar
> The new top-level #Google .meme domain is here to support lol-worthy content.
Managing multiple AWS accounts? Experiencing DNS or domain sprawl? 😓 Get a clean, simple overview of all your domains and DNS in one place 😉. Manage your Route53 zones in DNSimple with our Domain Control Plane 👉 https://blog.dnsimple.com/2023/06/manage-aws-routes-in-dnsimple/ #aws #route53 #domains #dns
#15yrsago Neil Gaiman explains why he opposes laws banning speech he disagrees with https://journal.neilgaiman.com/2008/12/why-defend-freedom-of-icky-speech.html
#15yrsago Vietnam’s amazing phone-unlockers https://www.cnet.com/culture/unlocking-iphone-3gs-the-vietnamese-way/
#15yrsago UK to punish “publishing police info” with 10 years in jail https://www.indymedia.org.uk/en/2008/11/413023.html
I'm leaving work late, but I saw an email go by where people were scratching their heads because there was a weird domain name starting with "xn--" in one of our apps.
Today, I FINALLY got fed up with the subtle bugs that come with `lvh.me` being such a short domain name; such as Rails' `domains: :all` not working by default (it's documented behavior! This sucks! https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html)
So I registered `local-loopback-wildcard.com`. No matter what you throw at it, it always resolves to `127.0.0.1`. So you can test against subdomains without TLD hacks. Your testing environment matches production; as it should be.
After a review of suggested companies’ histories, websites, and pricing, I’ve started transferring my domains to #Porkbun. #Google has made it fast to transfer domains out of Google Domains. The transfer was done in an hour, unlike the 7+ days that register.com put me through in 2021.
Great responses! This is what I love about #Mastodon.
I should’ve known Google would kill a decent product.
Fun with #DNS TXT Records
I installed Portmaster on Windows 10 (VM) and blocked Adobe Lightroom Classic. That made the whole application freeze and become non-responsive.
319 connections so far, 0% blocked. The software talks to some subdomains for adobe.io (photos, lcs-cops, ic, lcs-robs, and a few more) and photoshop.com.
Oh how I wish darktable were just like Lightroom: automated and easy to use.
There's now a mailing list for those interested in the new Registry System Testing system that #ICANN is building for the next round of gTLDs: https://mm.icann.org/mailman/listinfo/subpro-irt-rst
I'll be talking about the new system (fully automated, API driven, machine readable test plans and open source code) on an upcoming call of the SubPro IRT: https://mm.icann.org/pipermail/subpro-irt-rst/2023-November/000000.html
Today on the #blog: how I moved the #WriteFreelyPolska instance (https://writefreely.pl) from a #VPS at #Oracle to @ftdl, and how I switched my #DNS provider from #Cloudflare to #FreeDNS42 (https://freedns.42.pl). Actually it's more about the latter 😉 A post about Cloudflare being bad, and showing a nice alternative 😉
I'm not enough of a protocol or encryption wonk to have a firm opinion on the newly published RFC for this alternative to #DNS named #GNS but I sparkleheart the design goals. From a cursory reading, it seems like it isn't a boil-the-ocean solution (unlike so many other GNU initiatives) so perhaps it can gain momentum in niches and work its way out from there.
🐃 #RFC9498: The #GNU Name System
congratulations and thank you to all involved. urn:ietf:rfc:9498
#DNS #NLnet https://nlnet.nl/project/GNS/ @nlnetlabs @NGIZero @EC_NGI #@djb #@Stallman
The three most popular DNS protocols with transit encryption are DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ). This should help you choose what to use:
1. Do you actually need to override OS DNS support? If not, or if you’re unsure, go to 6.
2. Are you ready to implement DNS protocols correctly, or add a dependency that does so? If you’re not, go to 5.
3. Does the network filter DNS traffic? If it does, go to 5.
4. Do you already have QUIC support? If not, use DoT. If you do, use DoQ.
5. Do you have an HTTPS stack? If you do, use DoH.
6. Give up and delegate to the OS.
Let your HTTPS stack handle HTTP/1.1 vs. HTTP/2 vs. HTTP/3 support; don’t treat DNS-over-HTTP/3 as a separate protocol. I don’t know enough about DNSCrypt to make an informed recommendation about it, but DoQ and DoH meet my needs well enough.
Originally posted on https://seirdy.one/notes/2023/11/18/choosing-an-encrypted-dns-proto/ (POSSE).
Anyone else seeing random DNS lookup failures from systemd-resolved in #fedora39?
e.g., if you run:
resolvectl --no-pager status; resolvectl query kittens.small-web.org
(Random SERVFAIL errors.)
(Random “'kittens.small-web.org' does not have any RR of the requested type” and SERVFAIL errors. Calls reportedly routed from stub at 127.0.0.53 → my router. DNS on router set to 220.127.116.11 & 18.104.22.168)
It’s always DNS… :neko_roling_eyes:
First recommendations of the Sustainability Council on updating the #DNS in light of current crises: among others, more parliamentary debate, a clear political vision, sustainability as a state objective in the Basic Law, and a sustainable federal budget. Read here: https://www.nachhaltigkeitsrat.de/aktuelles/wege-aus-den-aktuellen-krisen-erste-empfehlungen-des-nachhaltigkeitsrats-zur-fortschreibung-der-deutschen-nachhaltigkeitsstrategie/
Still, despite being a just recently finalized RFC, the use of #RFC9460 HTTPS #DNS records has already grown beyond just sporadic.
I do expect CDNs to lead further adoption efforts here. The adoption of #ECH, effectively tied to the HTTPS record, will then hopefully also increase.
I know I'll be keeping an eye on that.
Hey, so #RFC9460 HTTPS/SVCB records are neat, right?
- speed up your time-to-first-packet (by basically stuffing the Alt-Svc HTTP header / ALPN TLS extension into the #DNS);
- let you do redirection on the zone apex without using CNAMEs;
- allow for simple DNS load distribution and failover;
- obviate HSTS and the cumbersome preloading process;
- enable stronger privacy protections via Encrypted Client Hello aka #ECH
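To make the first two bullets concrete, and the earlier svcbtest.amsuess.com post about whether a browser honours the port in DNS, here is an added example (not code from either post, nor from any browser) that decodes the RFC 9460 HTTPS RR wire format, rejects out-of-order or truncated SvcParams as the RFC requires, and derives the host, port and ALPN list a client should connect with. The sample RDATA is constructed; `ech`, `ipv6hint` and `mandatory` values are left as raw bytes.

```python
import struct
# SvcParamKey numbers from the RFC 9460 registry; keys not decoded here stay raw bytes
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def _read_name(data, off):
    """Decode an uncompressed wire-format name; a lone 0 byte is '.' (= the owner name)."""
    labels = []
    while data[off]:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def _decode_value(key, val):
    if key == 1:   # alpn: length-prefixed ids, i.e. the ALPN TLS extension carried in DNS
        out, i = [], 0
        while i < len(val):
            out.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
            i += 1 + val[i]
        return out
    if key == 3:   # port: connect here instead of the default 443
        return struct.unpack("!H", val)[0]
    if key == 4:   # ipv4hint: addresses to try before the A lookup completes
        return [".".join(str(b) for b in val[i:i + 4]) for i in range(0, len(val), 4)]
    return val     # ech (an ECHConfigList) and the rest are left opaque

def parse_https_rdata(rdata):
    """Parse HTTPS/SVCB RDATA; raise ValueError for malformations listed in RFC 9460 2.2."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key or off + length > len(rdata):
            raise ValueError("SvcParamKey out of order/duplicated, or value truncated")
        params[KEY_NAMES.get(key, f"key{key}")] = _decode_value(key, rdata[off:off + length])
        last_key, off = key, off + length
    return {"priority": priority, "target": target, "params": params}

def endpoint(rr, owner):
    """(host, port, alpns) a client should use for a ServiceMode (priority > 0) record."""
    host = owner if rr["target"] == "." else rr["target"].rstrip(".")
    return host, rr["params"].get("port", 443), rr["params"].get("alpn", ["http/1.1"])
# Constructed sample RDATA: priority 1, target '.', alpn=h2,h3, port=8443, ipv4hint=192.0.2.1
SAMPLE_RDATA = (b"\x00\x01" b"\x00" b"\x00\x01\x00\x06\x02h2\x02h3"
                b"\x00\x03\x00\x02\x20\xfb" b"\x00\x04\x00\x04\xc0\x00\x02\x01")
```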
If you liked my past #dns research on centralization of the internet with respect to NS, MX, CAA, A/AAAA records, you'll probably also enjoy this #apnic blog post by Johannes Zirngibl on parked domains:
Unbound 1.19.0 is now available. This release of our recursive #DNS resolver fixes a number of bugs, and adds some smaller features. The redis-logical-db option and cachedb-no-store option can be used for cachedb configuration. The disable-edns-do option can be used for working around broken network parts. For DNS64 there is fallback to plain AAAA when no A record exists. https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0
PowerDNS Recursor 4.9.2 Released
https://blog.powerdns.com/2023/11/08/powerdns-recursor-4-9-2-released #dns #dnssec
I finally got around to repurposing my little Raspberry pwn box into a Pi-hole. And in the first few minutes it's blocked almost 500 requests (mostly to Netflix ichnaea & customerevents). So far I'm pleased with the results 💜
Image is of the Pi-hole web interface on my phone.
Our authoritative DNS nameservers now support DNS-over-TLS (DoT) with authentication via DANE TLSA and/or WebPKI. This allows DNS resolvers to make queries via securely encrypted connections. We're already seeing lots of DoT encrypted connections from multiple DNS providers.
Hey, I have a question for the #DNS masters.
I migrated my mail (goodbye #GandiMail 😥 ) to #Infomaniak. I updated my DNS (my domain name still staying at #Gandi, though).
I do receive mail at Infomaniak, but when logging in to the Gandi webmail, I just noticed that I'm still receiving some at Gandi!!
And the domain name in question: jeey.net
Any explanation? (a solution?)