Because DNS is the user-facing part of the whole system. There is plenty of trouble with everything else, but you usually don’t see that as a user. Also it’s a hierarchical system with big providers/governments giving and taking names as they see fit, so there is always the possibility to get screwed.
Because it’s the least-likely position to be staffed by a company. It’s the “least important” person to have… until it breaks. Often a company relies on routing-switching engineers to do DNS instead of hiring a dedicated DDI engineer (DNS, DHCP, IPAM). It saves money in the short term, but when shit hits the fan… no one knows how to fix it because DNS is really easy until it’s not. DNS is super simple at a basic level. But it goes way deeper than most people realize.
What’s the point of alternative DNS roots? Can they be a thing to mitigate DNS related failures (though lemmy.ml is back online, so I guess that wasn’t it)?
An alternative DNS root is where someone other than IANA sets up a root zone. At the end of the day, root zone authority is technically not “hard coded”. It’s a terrible idea to set up an alt root or to use one for these reasons:
Security. This is the biggest one. DNSSEC works via setting up Trust Anchors with the root zone and chaining down the tree all the way to the recursive DNS server. DNSSEC doesn’t work if anyone in there doesn’t have a trust anchor for the root zone. Additionally, if that root zone is untrustworthy, you can effectively have DNS poisoning happen at the root level. Imagine having two google.com’s based on which root zone (and therefore walking two separate trees) you ask.
It encourages dividing the internet. The two largest Alt zones are Russia’s (RNDNS) and China’s (.chn). RNDNS exists as a continuity plan in case the rest of the world decides to cut them off of the internet. China’s is part of a hare-brained plan to “reinvent the internet under IPv9” (an idiotic plan that sounds even more crazy than Iran’s supposed “quantum computer”)
Pointing to a different root zone can cause a lot of headaches for diagnosing DNS issues when they aren’t coming down from the same root zone. It can cause different answers (and a parallel tree).
To answer your second question, they are not good for acting as a way to mitigate DNS failures. No domain servers are going to be asking them in the first place, meaning no one can get there even if it does have the “correct” answer. If all 13 root servers went down simultaneously, the results would be catastrophic. But that’s also why they’re physically located around the world in many different countries in heavily secure facilities with many High-Availability servers (clone servers that instantly take over if there’s a failure, the ultimate “hot” server)
You wouldn’t want to have a DNS server ask two root zones anyway. If it can’t reach the root zones, then that needs to be addressed. You can’t just ask a “less secure” server in case the primary doesn’t work. That’s just begging for a security breach via cutting off access to the primary root zones so that they “fail over” to the less secure ones.
Well that sounds like my dream job, unfortunately this issue in particular is more of a Lemmy problem, not a DNS problem. See: https://lemmy.nrd.li/comment/190200 for the explanation of why you cant just transfer domains with Lemmy.
Also, if you’re genuinely interested in this field, first you should enter the world of enterprise network engineering. Get Security +, CCNA, and PCNSA. With those certs in hand (and knowledge in your brain), apply to jobs as a network support engineer. Do the work for a few years. Learn BIND. Learn Infoblox. Focus on learning DHCP and subnetting. Learn DNSSEC & IPv6. Experiment with a Pi Hole. Set up a home lab. Apply to jobs with DNS. Start living the good life. This takes about 10 years if you learn fast and are good at interviews.
I only just now saw this post, the last month i have already been going all out to learn everything that i need for my Security+ (then CySec+) i have a 30hr video course im part way thorugh, and ive set up a few VMs with various servers like OWASP Security Shepherd and Dam Vunurable Web App for some more hands on experience as well as testing on my personal production Nextcloud and Jellyfin servers and ive been having alot of fun with it all, i think im pretty solid with DHCP and subnetting already through my home networking adventures. I will look into each of those other Certs and each thing you mention to learn thank you! Ive been deep into various Linux systems since about 2008 and im hoping to leverage that as much as i can(although its left me with a lack of modern Windows experience).
Thank you so much for all the tips! I feel some good things coming as im getting into this as work.
Hi! When DNS servers are launched, they have to be purchased, correct? So in this case, did Mali file for the domain to be reclaimed somehow? Do you have an idea how that might work?
When I was talking my cyber security / ethical hacking class, we learned how to do zone transfer. The concept never stuck and I basically “copy” from my friend. So what exactly is a DNS Zone Transfer?
Friday I was doing a zone transfer! What are the odds?
A zone transfer is like moving houses, except for an authoritative zone.
In DNS, we have what’s called an authoritative zone. That means the device hosting the “resource records” (all the data that DNS passes around) is the “ultimate” answer. I.e, it’s not cached data. It’s not a hosts file. It’s not a recursive answer. It’s the real deal.
When you want to move the authoritative zone to another server, you do a “zone transfer” that means the new server will copy all the resource records over TCP from current authoritative zone. The reason you may want to do this instead of manually hand-jamming it is that many large organizations have, sometimes, hundreds of resource records (last month I coordinated a zone transfer that was over 1000 records!).
Why would a hacker want to conduct a zone transfer? In otherwords, what is the utility or usefulness of a zone transfer for a hacker (black or white hat)?
If you initiate a zone transfer, you can now claim to be authoritative for a zone. That means you can be a ‘bad actor’ DNS server that serves fake records. In practice, this means that you can redirect people to an attack site.
Let’s say you’re Joe the Random Internet User and you want to go to lemmy.world This is what happens in a non-attack (we’re skipping caching & non-authoritative answers for brevity):
You type “lemmy.world” into your browser
Your computer initiates a stub resolution for lemmy.world. (the trailing dot here isn’t a period. It’s the “true” FQDN)
Computer looks at hosts file and doesn’t see anything
DNS packets are sent to your configured DNS server. If you don’t have one configured, DHCP already configured it for you
Your DNS server performs a recursive search for world by asking the root zone where the “world” Name Serer is
root zone resolves world as:
world. 3600 IN NS v0n0.nic.world.
world. 3600 IN NS v0n1.nic.world.
world. 3600 IN NS v0n2.nic.world.
world. 3600 IN NS v0n3.nic.world.
world. 3600 IN NS v2n0.nic.world.
world. 3600 IN NS v2n1.nic.world.
Your DNS server reaches out to one of those Name Server’s (That’s what the NS record is for) and asks it where “lemmy” is
world Name Server responds with:
lemmy.world. 300 IN A 172.67.218.212
lemmy.world. 300 IN A 104.21.53.208
Your DNS server contacts your computer and serves it those IP addresses. (A record’s are domain name to IP Address)
Now lets say there’s a DNS spoof attack:
Before the “world” server can get back to your DNS server, the hackers server interjects with it’s own authoritative claim that lemmy is here:
lemmy.world. 300 IN A [attack site IP]
Your DNS server contacts your computer and serves it that IP address. Your computer then contacts the attack site and you get a virus.
They don’t know unless the DNS server tells them. For example, a very popular webhost Akamai uses a complex DNS + web hosting suite (DNS edgesuit to be exact) to send that type of data to the web servers. It can also allow for many many other features.
Could users set a temporary entry in their hosts file pointing the .ml domains to public IPs in order to regain access to their account if they needed to?
Can Lemmy federate to an IP address directly or will the settings only accept an fqdn?
Will a Lemmy instance work behind a reverse proxy.
There are several problem with this including total lack of SSL without the proper cert for that other domain, also Lemmy.ml’s IP seems to be running a reverse proxy so the internal IP that we would want to connect to is not visible to the world this is common for web security, the owners must set allowed domains and ports in their config file.
Yes. Unless there’s some kind of crazy domain-level hi-jinks involved with Lemmy (I am not versed in Lemmy), pointing directly to the IP will work if you bypass it by spoofing your DNS (Hosts file, for example).
I don’t know how Lemmy federation works, sorry :(
See #2
Sorry that I couldn’t answer more of your questions.
The “.com” and “.org” and all other Top Level Domains are owned/controlled by some organization.
Com and org are your original TLDs, so since they were around first you see them everywhere. At some point countries got their own TLDs so Mali got “ml” for example but Tuvalu got “tv”. (Yes, technically “.tv” has nothing to do with television.) And a few years back there was open bidding for a bunch of new TLDs which is where “.sport” or “.dentist” come from.
Anyone some entity owns/controls them and then can sell any word or domain under it. So if you want “greatgatsby.com” you have to talk to the “.com” owners. If you want “greatgatsby.sport” you talk to the “.sport” owners. Usually there is another company or agreement that groups these together so you can manage all your domains in one place.
So anyways now you own a domain like “greatgatsby.sport”, what do you want to host? Mail at “mail.greatgatsby.sport”? A website at world wide web aka “www.greatgatsby.sport”? Up to you.
Over time, largely by convention “www” became where you put your website.
So say I want a “.travel”, who actually makes and sells these? Is it a private company? A country? An independent entity who’s sole purpose it is to keep domains and the interwebs alive?
The last one, ICANN is the name of the organization. It’s reasonable to argue they are actually the first one. Also they are based in the US, so technically the country answer also apply. HOWEVER they are suppose to be independent.
Also since you want “.travel” that’s a common enough word that it is probably already owned by an entity, so you would probably have to buy it from them.
However let’s say you wanted “.tchotchony” which I feel confident saying doesn’t exist yet. As far as I know ICANN is not regularly taking applications for new TLDs, so you probably can’t have it. Although realistically if you have enough money, you can.
Well, it’s not just a money issue. There’s also the “are you knowledgeable, responsible, and have DNS engineers on staff” problem. If you own your own TLD, it means you can talk directly to the root zone. You could theoretically DDOS the root zone servers and cause them to crash. They would, of course, just revoke your TLD permanently & it wouldn’t really cause any noticeable disruption to the rest of the internet. You could also allow attack domains or shady websites. Maybe it could be used to pretend to be another site. Imagine owning “.conn” that would be a premium attack site TLD because it looks like “com”. There’s lots of other issues too.
To answer your other question: most likely, www.cakefarts.com is now accessible from cakefarts.com for one of three reasons:
Your web browser automatically checks the A record “www” if “cakefarts.com” doesn’t have an A record. A records are the records in a DNS server that says “this domain goes here”
For the ‘record’, www is just a really common record name. There’s nothing special about it. You could have dudebro.cakefarts.com or wwwwwww.cakefarts.com. It’s up to the domain owner.
We had a situation at a shared space here where an OpenWRT client device accidentally somehow managed to announce itself into the network in a way that its v6 local link address (fe80::) got inserted into /etc/resolv.conf as a third DNS option (with the first two being the ones from DHCP) and then served incorrect records when queried. What mechanism is that and were the engineers who designed that feature on drugs? Also, how can I tell my Linux system to not accept such announcements?
So, how some companies get right to sell TLDs? Can I start selling TLDs nowdays? It’s just that they were there first and get all top level domains and now we have to pay for it?
Hi, professional DNS engineer here! if anyone has any questions about the inner workings of DNS or top level domains, ask away! (THIS IS MY MOMENT)
Why is it always DNS?
Because its always DNS
Because DNS is the user-facing part of the whole system. There is plenty of trouble with everything else, but you usually don’t see that as a user. Also it’s a hierarchical system with big providers/governments giving and taking names as they see fit, so there is always the possibility to get screwed.
Because it’s the least-likely position to be staffed by a company. It’s the “least important” person to have… until it breaks. Often a company relies on routing-switching engineers to do DNS instead of hiring a dedicated DDI engineer (DNS, DHCP, IPAM). It saves money in the short term, but when shit hits the fan… no one knows how to fix it because DNS is really easy until it’s not. DNS is super simple at a basic level. But it goes way deeper than most people realize.
What’s the point of alternative DNS roots? Can they be a thing to mitigate DNS related failures (though lemmy.ml is back online, so I guess that wasn’t it)?
An alternative DNS root is where someone other than IANA sets up a root zone. At the end of the day, root zone authority is technically not “hard coded”. It’s a terrible idea to set up an alt root or to use one for these reasons:
To answer your second question, they are not good for acting as a way to mitigate DNS failures. No domain servers are going to be asking them in the first place, meaning no one can get there even if it does have the “correct” answer. If all 13 root servers went down simultaneously, the results would be catastrophic. But that’s also why they’re physically located around the world in many different countries in heavily secure facilities with many High-Availability servers (clone servers that instantly take over if there’s a failure, the ultimate “hot” server)
You wouldn’t want to have a DNS server ask two root zones anyway. If it can’t reach the root zones, then that needs to be addressed. You can’t just ask a “less secure” server in case the primary doesn’t work. That’s just begging for a security breach via cutting off access to the primary root zones so that they “fail over” to the less secure ones.
Thank you for such a detailed and instructive answer!
Well that sounds like my dream job, unfortunately this issue in particular is more of a Lemmy problem, not a DNS problem. See: https://lemmy.nrd.li/comment/190200 for the explanation of why you cant just transfer domains with Lemmy.
Also, if you’re genuinely interested in this field, first you should enter the world of enterprise network engineering. Get Security +, CCNA, and PCNSA. With those certs in hand (and knowledge in your brain), apply to jobs as a network support engineer. Do the work for a few years. Learn BIND. Learn Infoblox. Focus on learning DHCP and subnetting. Learn DNSSEC & IPv6. Experiment with a Pi Hole. Set up a home lab. Apply to jobs with DNS. Start living the good life. This takes about 10 years if you learn fast and are good at interviews.
I only just now saw this post, the last month i have already been going all out to learn everything that i need for my Security+ (then CySec+) i have a 30hr video course im part way thorugh, and ive set up a few VMs with various servers like OWASP Security Shepherd and Dam Vunurable Web App for some more hands on experience as well as testing on my personal production Nextcloud and Jellyfin servers and ive been having alot of fun with it all, i think im pretty solid with DHCP and subnetting already through my home networking adventures. I will look into each of those other Certs and each thing you mention to learn thank you! Ive been deep into various Linux systems since about 2008 and im hoping to leverage that as much as i can(although its left me with a lack of modern Windows experience).
Thank you so much for all the tips! I feel some good things coming as im getting into this as work.
Ah, thanks for the info! I have no idea how Lemmy stuff works. I only became aware of Lemmy last month.
Woot we’re saved.
Hi! When DNS servers are launched, they have to be purchased, correct? So in this case, did Mali file for the domain to be reclaimed somehow? Do you have an idea how that might work?
When I was talking my cyber security / ethical hacking class, we learned how to do zone transfer. The concept never stuck and I basically “copy” from my friend. So what exactly is a DNS Zone Transfer?
Friday I was doing a zone transfer! What are the odds?
A zone transfer is like moving houses, except for an authoritative zone.
In DNS, we have what’s called an authoritative zone. That means the device hosting the “resource records” (all the data that DNS passes around) is the “ultimate” answer. I.e, it’s not cached data. It’s not a hosts file. It’s not a recursive answer. It’s the real deal.
When you want to move the authoritative zone to another server, you do a “zone transfer” that means the new server will copy all the resource records over TCP from current authoritative zone. The reason you may want to do this instead of manually hand-jamming it is that many large organizations have, sometimes, hundreds of resource records (last month I coordinated a zone transfer that was over 1000 records!).
Why would a hacker want to conduct a zone transfer? In otherwords, what is the utility or usefulness of a zone transfer for a hacker (black or white hat)?
If you initiate a zone transfer, you can now claim to be authoritative for a zone. That means you can be a ‘bad actor’ DNS server that serves fake records. In practice, this means that you can redirect people to an attack site.
Let’s say you’re Joe the Random Internet User and you want to go to lemmy.world This is what happens in a non-attack (we’re skipping caching & non-authoritative answers for brevity):
world. 3600 IN NS v0n0.nic.world.
world. 3600 IN NS v0n1.nic.world.
world. 3600 IN NS v0n2.nic.world.
world. 3600 IN NS v0n3.nic.world.
world. 3600 IN NS v2n0.nic.world.
world. 3600 IN NS v2n1.nic.world.
lemmy.world. 300 IN A 172.67.218.212
lemmy.world. 300 IN A 104.21.53.208
Now lets say there’s a DNS spoof attack:
lemmy.world. 300 IN A [attack site IP]
deleted by creator
They don’t know unless the DNS server tells them. For example, a very popular webhost Akamai uses a complex DNS + web hosting suite (DNS edgesuit to be exact) to send that type of data to the web servers. It can also allow for many many other features.
Could users set a temporary entry in their hosts file pointing the .ml domains to public IPs in order to regain access to their account if they needed to?
Can Lemmy federate to an IP address directly or will the settings only accept an fqdn?
Will a Lemmy instance work behind a reverse proxy.
Thanks for taking the time to answer questions.
There are several problem with this including total lack of SSL without the proper cert for that other domain, also Lemmy.ml’s IP seems to be running a reverse proxy so the internal IP that we would want to connect to is not visible to the world this is common for web security, the owners must set allowed domains and ports in their config file.
If none of that was a problem Lemmy itself does not do well with changing domains, as highlighted here: https://lemmy.nrd.li/comment/190200
Sorry that I couldn’t answer more of your questions.
So why do we need the .com or .org or whatever at all? And the www. as well?
I remember when I had to type the whole http://www.cakefarts.com and now just cakefarts.com works. What changed? And what’s next?
The “.com” and “.org” and all other Top Level Domains are owned/controlled by some organization.
Com and org are your original TLDs, so since they were around first you see them everywhere. At some point countries got their own TLDs so Mali got “ml” for example but Tuvalu got “tv”. (Yes, technically “.tv” has nothing to do with television.) And a few years back there was open bidding for a bunch of new TLDs which is where “.sport” or “.dentist” come from.
Anyone some entity owns/controls them and then can sell any word or domain under it. So if you want “greatgatsby.com” you have to talk to the “.com” owners. If you want “greatgatsby.sport” you talk to the “.sport” owners. Usually there is another company or agreement that groups these together so you can manage all your domains in one place.
So anyways now you own a domain like “greatgatsby.sport”, what do you want to host? Mail at “mail.greatgatsby.sport”? A website at world wide web aka “www.greatgatsby.sport”? Up to you.
Over time, largely by convention “www” became where you put your website.
From there you have two options, you can setup a redirect from “http://greatgatsby.sport” to “http://www.greatgatsby.sport” or you can do a little hosting “trick” and just make “http://greatgatsby.sport” return your website.
So say I want a “.travel”, who actually makes and sells these? Is it a private company? A country? An independent entity who’s sole purpose it is to keep domains and the interwebs alive?
The last one, ICANN is the name of the organization. It’s reasonable to argue they are actually the first one. Also they are based in the US, so technically the country answer also apply. HOWEVER they are suppose to be independent.
Also since you want “.travel” that’s a common enough word that it is probably already owned by an entity, so you would probably have to buy it from them.
However let’s say you wanted “.tchotchony” which I feel confident saying doesn’t exist yet. As far as I know ICANN is not regularly taking applications for new TLDs, so you probably can’t have it. Although realistically if you have enough money, you can.
Well, it’s not just a money issue. There’s also the “are you knowledgeable, responsible, and have DNS engineers on staff” problem. If you own your own TLD, it means you can talk directly to the root zone. You could theoretically DDOS the root zone servers and cause them to crash. They would, of course, just revoke your TLD permanently & it wouldn’t really cause any noticeable disruption to the rest of the internet. You could also allow attack domains or shady websites. Maybe it could be used to pretend to be another site. Imagine owning “.conn” that would be a premium attack site TLD because it looks like “com”. There’s lots of other issues too.
Btw, .com is owned by the US Department of COMmerce. .org is owned by a non-profit organization called “Public Internet Registry”
To answer your other question: most likely, www.cakefarts.com is now accessible from cakefarts.com for one of three reasons:
For the ‘record’, www is just a really common record name. There’s nothing special about it. You could have dudebro.cakefarts.com or wwwwwww.cakefarts.com. It’s up to the domain owner.
Why is it always dns
We had a situation at a shared space here where an OpenWRT client device accidentally somehow managed to announce itself into the network in a way that its v6 local link address (
fe80::
) got inserted into /etc/resolv.conf as a third DNS option (with the first two being the ones from DHCP) and then served incorrect records when queried. What mechanism is that and were the engineers who designed that feature on drugs? Also, how can I tell my Linux system to not accept such announcements?Why is it always DNS?
So, how some companies get right to sell TLDs? Can I start selling TLDs nowdays? It’s just that they were there first and get all top level domains and now we have to pay for it?
Thanks in advance.
They paid a huge amount of money to get a TLD