After setting up DNS over HTTPS, I got curious how DNS leak test tools such as Browser Leaks, which discover your DNS resolver, actually work.
Turns out it's quite a clever setup: while you are visiting the browserleaks.com website, it queries in the background a number of hostnames generated especially for you, such as 9d0pafrc5tnu.dns4.browserleaks.net, 0zfannouveb4.dns4.browserleaks.org and so on.
Because the website generates those hostnames specifically for your session, it is able to associate your external IP with the hostnames you attempt to resolve.
Now, because the site operators control the authoritative name servers behind those generated hostnames (specifically ns2.browserleaks.net and ns1.browserleaks.net, and the same for .org), they can check from their logs exactly which DNS resolver asked for those unique hostnames.
Simply matching the DNS resolver that attempted to resolve those unique hostnames is enough to link it to your website visit session. It is often going to be the resolver of your internet service or virtual private network provider, unless you've explicitly changed your resolver to something else. Still, it is easily visible to the authoritative DNS server.
Voila! No magic, just a simple, nice setup.
Just think of how many fingerprinting schemes big tech can carry out to track you across the internet with the vast compute resources available to them...
#itsalwaysdns #dns #resolver #dnsleak #surveillance #tracking #privacy
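The correlation the post describes, reconstructed as an added example. This is not browserleaks.com's code; only the zone name dns4.browserleaks.net and the shape of the random labels are taken from the post. The query-log format, the session table, the log lines and the "expected resolver networks" are constructed here for illustration.

```python
"""
Reconstruction of the DNS leak test mechanism: per-session random hostnames,
joined against the authoritative server's query log to learn which resolver
each visitor uses. Added example; data and log format are constructed.
"""
import ipaddress
import re
import secrets
from collections import defaultdict

LABEL_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
PROBE_ZONE = "dns4.browserleaks.net"  # zone name from the post's example hostnames


def generate_probe_hostnames(count=3, zone=PROBE_ZONE, label_len=12):
    """Random, single-use labels under a zone whose authoritative servers the
    site operator controls. A never-seen name cannot be answered from any cache,
    so every lookup must reach the authoritative server and show up in its log."""
    names = set()
    while len(names) < count:
        label = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(label_len))
        names.add(f"{label}.{zone}")
    return sorted(names)


# Constructed, simplified query-log format (an assumption, not BIND's real format):
#   <iso-timestamp> <resolver_ip> <qname> <qtype>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+?)\.?\s+(A|AAAA)$")


def parse_query_log(lines):
    """Return (resolver_ip, qname) pairs; unparseable lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            _ts, resolver_ip, qname, _qtype = m.groups()
            records.append((resolver_ip, qname.lower()))
    return records


def correlate(sessions, records):
    """Join the web side (session -> client IP + probe hostnames) with the DNS
    side (resolver IP -> qname). Returns {client_ip: sorted resolver IPs}."""
    hostname_to_client = {}
    for sess in sessions.values():
        for name in sess["hostnames"]:
            hostname_to_client[name.lower()] = sess["client_ip"]
    seen = defaultdict(set)
    for resolver_ip, qname in records:
        client_ip = hostname_to_client.get(qname)
        if client_ip is not None:
            seen[client_ip].add(resolver_ip)
    return {client: sorted(ips) for client, ips in seen.items()}


def classify_leak(resolver_ips, expected_networks):
    """The 'leak' verdict: resolvers outside the networks you expect to see
    (your VPN provider's resolvers, or the DoH service you configured)."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return [ip for ip in resolver_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


# Constructed sample data: two visitor sessions and the authoritative server's log.
SESSIONS = {
    "sess-1": {"client_ip": "198.51.100.23",
               "hostnames": ["9d0pafrc5tnu.dns4.browserleaks.net",
                             "0zfannouveb4.dns4.browserleaks.net"]},
    "sess-2": {"client_ip": "203.0.113.77",
               "hostnames": ["k3x8v1qz7mpw.dns4.browserleaks.net"]},
}
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 192.0.2.53 9d0pafrc5tnu.dns4.browserleaks.net. A",
    "2024-05-01T10:00:01Z 192.0.2.53 0zfannouveb4.dns4.browserleaks.net. AAAA",
    "2024-05-01T10:00:02Z 192.0.2.54 0zfannouveb4.dns4.browserleaks.net. A",
    "2024-05-01T10:00:03Z 198.51.100.1 k3x8v1qz7mpw.dns4.browserleaks.net. A",
    "2024-05-01T10:00:04Z 192.0.2.53 unrelated.example.net. A",
    "malformed line",
]

if __name__ == "__main__":
    print("fresh probe names:", generate_probe_hostnames())
    result = correlate(SESSIONS, parse_query_log(SAMPLE_LOG))
    for client, resolvers in result.items():
        leaks = classify_leak(resolvers, ["192.0.2.0/24"])  # constructed "VPN resolver" range
        print(client, "->", resolvers, "LEAK" if leaks else "ok", leaks)
```

The resolver address that reaches the authoritative server is the resolver's egress IP, not yours, which is exactly why the join on the per-session hostname is needed: the hostname carries the session, the source IP of the query carries the resolver. With DoH or DoT to a third-party resolver, the leak test will simply show that provider's egress instead of your ISP's.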
Setting up DNS over HTTPS (DoH) is so much more complicated than DNS over TLS (DoT) :blobcatthinking: Funnily enough, Mozilla Firefox :firefox: supports DoH and sets it up at the application level, while Android :android: uses DoT at the operating system level :blobcatnerd: #itsalwaysdns #dns #dot #doh #sysadmin #linuxadmin
It's always DNS.
I cannot check in for my flight tomorrow because Lufthansa's DNS responds with NXDOMAIN due to denial of existence responses.
#TIL that *.example.com doesn't include example.com
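Why that is true, worked through as an added example (not part of the post). The post does not say whether it means DNS wildcard records or TLS certificate names, so the code below covers both: the DNS side implements the RFC 4592 closest-encloser rule over a constructed toy zone, and the TLS side implements the one-label wildcard rule browsers apply (a simplification of RFC 6125). Zone contents and hostnames are constructed.

```python
"""
Why *.example.com does not cover example.com.
DNS: a wildcard is only consulted for names that do NOT exist in the zone, and the
apex always exists. TLS: '*' stands in for exactly one label, and the apex has none.
Added example with a constructed zone.
"""


def labels(name):
    """Split a domain name into lower-case labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def build_zone(apex, rrsets):
    """rrsets: {owner: [(type, rdata), ...]}. Besides the records, remember which
    names 'exist': every owner plus the empty non-terminals between it and the apex."""
    apex_labels = labels(apex)
    existing = set()
    for owner in rrsets:
        parts = labels(owner)
        assert parts[-len(apex_labels):] == apex_labels, f"{owner} is outside {apex}"
        for i in range(len(parts) - len(apex_labels) + 1):
            existing.add(".".join(parts[i:]))
    return {"apex": apex_labels,
            "rrsets": {".".join(labels(o)): rr for o, rr in rrsets.items()},
            "existing": existing}


def dns_lookup(zone, qname, qtype):
    """Return (status, [rdata]) following RFC 4592's closest-encloser rule."""
    q = labels(qname)
    apex = zone["apex"]
    if q[-len(apex):] != apex:
        return ("NOT_IN_ZONE", [])
    name = ".".join(q)
    if name in zone["existing"]:
        # Exact match. Wildcards are never consulted for an existing name, so the
        # apex (which always exists) is served from its own records, never from '*'.
        rdata = [r for t, r in zone["rrsets"].get(name, []) if t == qtype]
        return ("NOERROR" if rdata else "NODATA", rdata)
    # Walk up to the closest encloser: the longest existing ancestor of qname.
    for i in range(1, len(q) - len(apex) + 1):
        encloser = ".".join(q[i:])
        if encloser in zone["existing"]:
            wildcard = "*." + encloser
            if wildcard in zone["rrsets"]:
                rdata = [r for t, r in zone["rrsets"][wildcard] if t == qtype]
                return ("NOERROR" if rdata else "NODATA", rdata)  # synthesized answer
            return ("NXDOMAIN", [])
    return ("NXDOMAIN", [])


def tls_wildcard_matches(pattern, hostname):
    """Browser-style rule: '*' must be the whole leftmost label and matches
    exactly one label, so the apex (one label shorter) can never match."""
    p, h = labels(pattern), labels(hostname)
    if p and p[0] == "*":
        return len(h) == len(p) and h[1:] == p[1:]
    return p == h


# Constructed zone: apex records, one explicit host, and a wildcard.
ZONE = build_zone("example.com", {
    "example.com":     [("A", "192.0.2.1"), ("NS", "ns1.example.com")],
    "www.example.com": [("A", "192.0.2.2")],
    "*.example.com":   [("A", "192.0.2.99")],
})

if __name__ == "__main__":
    for q in ["example.com", "foo.example.com", "a.b.example.com",
              "www.example.com", "a.www.example.com"]:
        print(f"{q:22} A ->", dns_lookup(ZONE, q, "A"))
    for h in ["www.example.com", "example.com", "a.b.example.com"]:
        print(f"*.example.com covers {h:18}?", tls_wildcard_matches("*.example.com", h))
```

Two edge cases worth noting from the output: a.b.example.com does get the wildcard answer (its closest encloser is example.com, and DNS wildcards span multiple labels), while a.www.example.com is NXDOMAIN because www.example.com exists and there is no *.www.example.com. TLS goes the other way: *.example.com covers neither example.com nor a.b.example.com.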
Today in #ItsAlwaysDNS: FT identifies a network of Russian oil sanctions evasion fronts by their MX records
https://www.ft.com/content/4310f010-2b3c-493e-ba0a-26dc6d156b2e
My mailserver is very German. When your mailserver tries to send a message, it does a reverse lookup on the IP address. If that doesn't deliver a valid hostname, you're out. But we are not done yet. If it gets a valid hostname, it does an A (IPv4) or AAAA (IPv6) lookup on that hostname. And if it doesn't deliver back the same IP address, you are still out. It is fascinating to observe how often that uncovers that even big names get their DNS wrong. Hello, Spamcop ;)
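The check described in that post is forward-confirmed reverse DNS (FCrDNS). Below is an added example implementing it, not the poster's mail server configuration. The PTR and A/AAAA data are constructed lookup tables so the code runs offline; in a real deployment the two callables would issue actual PTR and A/AAAA queries.

```python
"""
Forward-confirmed reverse DNS: IP -> PTR -> hostname -> A/AAAA -> must contain IP.
Added example; the DNS tables are constructed stand-ins for real queries.
"""
import ipaddress
import re

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def reverse_name(ip):
    """in-addr.arpa / ip6.arpa owner name for the PTR query."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def is_valid_hostname(name):
    """Syntactic check: LDH labels, at least two of them, no junk in the PTR."""
    parts = name.lower().rstrip(".").split(".")
    return len(parts) >= 2 and all(LABEL_RE.match(p) for p in parts)


def fcrdns_check(ip, ptr_lookup, addr_lookup):
    """
    ip:          the connecting SMTP client's address
    ptr_lookup:  callable(reverse_name) -> list of PTR targets, [] if none
    addr_lookup: callable(hostname, "A"|"AAAA") -> list of address strings
    Returns (accepted, reason, hostname_or_None).
    """
    addr = ipaddress.ip_address(ip)
    ptrs = ptr_lookup(reverse_name(ip))
    if not ptrs:
        return (False, "no PTR record", None)
    hosts = [h for h in ptrs if is_valid_hostname(h)]
    if not hosts:
        return (False, "PTR is not a valid hostname", None)
    qtype = "AAAA" if addr.version == 6 else "A"
    for host in hosts:
        # The round trip must land back on the very address that connected.
        forward = {ipaddress.ip_address(a) for a in addr_lookup(host, qtype)}
        if addr in forward:
            return (True, "forward-confirmed", host)
    return (False, "PTR does not forward-confirm", hosts[0])


# Constructed DNS data standing in for live PTR and A/AAAA queries.
PTR = {
    reverse_name("192.0.2.10"):  ["mx1.example.net."],   # good: round trip matches
    reverse_name("192.0.2.20"):  ["mail.example.org."],  # bad: forward record points elsewhere
    reverse_name("192.0.2.30"):  ["not a hostname"],     # bad: junk in the PTR
    reverse_name("2001:db8::25"): ["mx6.example.net."],  # good, over IPv6
    # 192.0.2.40 deliberately has no PTR at all
}
ADDR = {
    ("mx1.example.net.", "A"):     ["192.0.2.10"],
    ("mail.example.org.", "A"):    ["198.51.100.5"],
    ("mx6.example.net.", "AAAA"):  ["2001:db8::25"],
}


def demo_ptr(name):
    return PTR.get(name, [])


def demo_addr(host, qtype):
    return ADDR.get((host, qtype), [])


if __name__ == "__main__":
    for client in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "2001:db8::25"]:
        print(f"{client:14}", fcrdns_check(client, demo_ptr, demo_addr))
```

Note the IPv6 branch: a host whose PTR resolves only to an A record will fail when it connects over IPv6, and vice versa, which is one of the common ways "big names get their DNS wrong" for mail.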
Migrating DNS for my infra.
This definitely won’t cause any downtime issues.