Fuzzing DNS zone parsers

In my never-ending quest to improve the quality of my C codebases, I’ve been using AFL to fuzz statzone, the zone parser I use to generate monthly statistics on StatDNS. It helped me to find and fix a NULL pointer dereference. I initially used the .arpa zone file as input, but then remembered that OpenDNSSEC bundles a special zone for testing purposes, containing a lot of seldom used resource records types, and decided to use this one too....

July 11, 2019 · 5 min

Oldest domains in the .com, .net, and .org TLDs

As someone interested in DNS and Internet history, I’ve always been enjoying facts and articles about early registered domain names. Wikipedia has a page on the subject, but the list is extremely short for .net and .org domains. Using the DDN NIC domain summaries, it shouldn’t be too difficult to extract a list of domains, perform whois queries to get registration dates, and sort the results. Let’s find out. For the record, the oldest issue I could find, dating from December 1987, doesn’t list nordu....

June 26, 2018 · 6 min

Distributing files via DNS

After publishing my Storing ASCII art in the DNS post last year, I’ve been thinking about using the same method to distribute files. While transmitting data over DNS is not a new concept, I believe it has never been done using NAPTR records. The well known iodine DNS tunnel uses NULL resource records to transmit binary data, but I wanted something which can be used with standard tools like dig. On this topic, I’ve recently read the Internet Draft defining the SINK resource record and it seems like it could be used and abused for some fun hacks....

August 3, 2015 · 2 min

Fingerprinting DNS servers authoritative for the top 1 million domains

As an experiment, I’ve been using fpdns (version 0.10.0 on FreeBSD/amd64) to fingerprint DNS servers authoritative for the top 1 million domains (according to Alexa). At first, I had plans to use adnshost to resolve name servers first and then feed the resolved list to fpdns, in order to speed up things and avoid fingerprinting the same host several times. Unfortunately, it seems adnshost doesn’t work that well on large batches and I experienced numerous timeouts and crashes....

November 27, 2014 · 3 min

DNSSEC validation at the router level with OpenWrt

Over the past few years, I have been exploring various options for doing local DNSSEC validation. Validating locally is necessary in order to avoid DNS answers being forged on the path from the ISP resolvers (or from open validating resolvers) to the local network. If validating on servers and laptops is a solved problem, doing so on mobile devices such as phones and tablets is still an open question. For these use cases, having a validating resolver running directly on a router is convenient....

November 4, 2014 · 3 min

DNS-OARC Spring 2014 Workshop

Last week, I had the chance to attend the DNS-OARC Spring 2014 Workshop which was held on May 10-11th 2014 in Warsaw (Poland). Given the fact I’m living only 300 km away from Warsaw, there was no way I could miss such an opportunity to enjoy a full weekend entirely focused on DNS. The event was packed with high-quality presentations, friendly people, and the organization was impeccable. I also had the opportunity to meet and discuss DNS topics with Anand Buddhdev from the RIPE NCC and Stephane Bortzmeyer from AFNIC....

May 18, 2014 · 1 min

dnc: a CLI tool to check domain names configuration and statistics

For a long time, I needed a simple and minimalistic tool showing a quick overview of my domain names configuration and statistics. I originally planned to implement it as a shellscript, but Node makes it so easy to write efficient CLI tools and distribute them via npm so it made more sense to go this way. The tool performs asynchronous DNS requests and as a bonus, displays a nice colored Unicode table, thanks to the great cli-tables module....

February 21, 2014 · 1 min

NXDOMAIN Hijacking: Dnsmasq to the rescue!

I’ve been playing a lot with OpenWrt lately (an embedded Linux distribution targeted at routers), which uses Dnsmasq to provide DNS forwarding and DHCP. After reading about Dnsmasq in detail (should you want to do the same, “Alternative DNS Servers” has an entire chapter on it), I discovered a really interesting option: bogus-nxdomain. To illustrate how it works, we are going to configure Dnsmasq to use OpenDNS resolvers, which perform NXDOMAIN hijacking by default....

February 6, 2014 · 2 min

Storing ASCII art in the DNS

From time to time, I like to do some quick DNS related experiments, and storing ASCII art in the DNS had been on my idea list for quite a while. The naive approach to this problem would be to simply use TXT records, but there are a couple of issues with this method. First, it’s not possible to specify the order of priority of TXT records, and results seem to vary depending on implementations....

February 5, 2014 · 3 min

ION Krakow DNSSEC Panel: Challenges and Triumphs of DNSSEC

Last month, I was invited to take part in a DNSSEC panel at the ION Conference, organized by the Internet Society. The conference was held on September 30th 2013 in Krakow (Poland), as part of the Polish Network Operators Group meeting. The panel was moderated by Dan York (ISOC), and the other panelists were Krzysztof Olesik (NASK) and Patrik Wallström (OpenDNSSEC). Below is a video recording of the session, introduction slides are available here....

October 28, 2013 · 1 min