@cks @lanodan

Missing from @drscriptt 's list are AAAA, HTTPS, and SVCB records.

AAAA has plenty of obvious choices.

You'll know the . convention for SRV, SVCB, and MX resource record sets, of course.

I shall just drop in my personal experience from earlier this year that an accidentally supplied HTTPS resource record can *definitely* break WWW traffic; because browsers in practice do not obey RFC 9460 §2.4.2.

#djbdns
#DomainNameSystem
#SplitHorizon
#ReservedSuperDomains #DNS #HTTPS #SVCB

@cks @lanodan @drscriptt

There are actually quite a few, nowadays. See RFCs 6762, 7686, and 8375.

example. is not the worst choice, although you could have gone with test. or internal. or intranet. .

Given your objective, any of the further ones that imply a residence or a corporation seem less well suited.

Although home.arpa.'s public delegation to the blackhole-{1,2}.iana.org. names is re-used.

https://github.com/jdebp/nosh/blob/trunk/source/examples/tinydns/split-horizon#L96

#djbdns #DomainNameSystem #SplitHorizon #ReservedSuperDomains #DNS

@schmonz

#pickdns is dropped as of #djbwares 11.

And the packages that get built out of the box, for what it's worth, now have the easter, nowutc, leapsecs, and yearcal utilities in their own taitools package, leaving libtai as just a development package.

#djbdns

@cks

Scanning for publicly-reachable proxy DNS servers is old-hat. I've been warning people about such since the turn of the century, and #tinydns is never going to be vulnerable in that way.

The more interesting attack, not least because Bernstein got it right all along, is the people that send queries with huge EDNS0 buffer sizes, asking for ANY against fsf.org (which is nearly 5KiB of response) and direct the responses at the tram port of some victim's router.

#djbdns #djbwares
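An added example, not code from djbdns, djbwares, or the post above: a small Python fingerprint for the bait that post describes. It parses a DNS query's question section and its EDNS0 OPT record (wire formats per RFC 1035 and RFC 6891) and flags queries that ask for ANY while advertising a UDP payload size above the classic 512-octet limit. The sample packets are constructed inline, the 512-octet threshold is an assumed cut-off for illustration, and the roughly 5 KiB response size used for the amplification factor is the post's own approximate figure.

```python
"""Fingerprint DNS reflection bait: QTYPE ANY plus a large EDNS0 UDP payload size.

Added example, not djbdns/djbwares code.  Wire formats follow RFC 1035 (header,
question, RR) and RFC 6891 (OPT pseudo-RR).  Sample packets are constructed here.
"""
import struct

QTYPE_A = 1
QTYPE_ANY = 255
TYPE_OPT = 41
CLASS_IN = 1
# Assumed threshold for this example: above the 512-octet UDP limit of RFC 1035.
LARGE_BUFSIZE = 512


def encode_name(name):
    """Encode a dotted domain name in RFC 1035 label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at offset `off`; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed names are not expected in a query")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return (".".join(labels) + "." if labels else "."), off


def build_query(qname, qtype, qid=0x1234, edns_bufsize=None):
    """Construct a single-question DNS query, optionally with an EDNS0 OPT RR."""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_bufsize is not None:
        # OPT RR: owner name is root; the CLASS field carries the requester's
        # UDP payload size; TTL holds extended RCODE/version/flags (zero here);
        # RDLENGTH is zero because no options are attached.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg


def parse_query(msg):
    """Return the first question and the EDNS0 buffer size (None if no OPT RR)."""
    qid, _flags, _qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    bufsize = None
    # Walk every remaining RR (answer, authority, additional) looking for OPT.
    for _ in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rrtype, rrclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rrtype == TYPE_OPT:
            bufsize = rrclass
    return {"id": qid, "qname": qname, "qtype": qtype,
            "edns_bufsize": bufsize, "size": len(msg)}


def is_amplification_bait(msg, threshold=LARGE_BUFSIZE):
    """True when the query asks for ANY and advertises a UDP buffer above threshold.

    Without an OPT RR the responder is limited to 512 octets, so such a query
    is not treated as bait regardless of QTYPE.
    """
    q = parse_query(msg)
    return q["qtype"] == QTYPE_ANY and (q["edns_bufsize"] or 0) > threshold


def amplification_factor(query_msg, response_octets):
    """Ratio of reflected response size to the query that provoked it."""
    return response_octets / len(query_msg)


# Constructed sample traffic (not captured data): the bait the post describes,
# and a benign A lookup with a modest EDNS0 buffer for comparison.
BAIT = build_query("fsf.org", QTYPE_ANY, edns_bufsize=4096)
BENIGN = build_query("fsf.org", QTYPE_A, edns_bufsize=1232)
APPROX_RESPONSE = 5 * 1024  # the post's "nearly 5KiB" figure, used as an estimate

if __name__ == "__main__":
    for label, pkt in (("bait", BAIT), ("benign", BENIGN)):
        print(label, parse_query(pkt), "bait" if is_amplification_bait(pkt) else "ok")
    print("estimated amplification: %.0fx" % amplification_factor(BAIT, APPROX_RESPONSE))
```

The check keys on the combination, not on ANY alone: a spoofed-source ANY query that advertises a 4096-octet buffer is what turns a 36-octet datagram into a multi-kilobyte reply aimed at the victim. A content server that drops such queries, as the post says tinydns does, simply never emits the reflected payload.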

@cks

The first sentence of the new security chapter that I wrote last week for the Guide for #djbwares :

> Expect any Internet-facing DNS service to be attacked immediately that it is up and running.

It has certainly been my experience.

I looked up one of the attackers, and they actually claimed on a WWW page to be a shadowy organization that works for governments but cannot tell you about it.

#tinydns happily logs dropping all of the queries. (-:

#djbdns

If you've been wondering what has been happening with #djbwares 11, you'll have your answer when you see its manual page for walldns. (-:

And when an AAAA lookup on 7.longchain.alias.test.jdebp.info. works.

I might ask @ermo for another quick build check on #FreeBSD 14, in a couple of days. No reason to think that it will fail, though. (I've been improving some DNS stuff instead of installing #GhostBSD, alas.) Still testing things right now, though.

#walldns #djbdns

@JdeBP For good measure, the packaging fixes also work on #FreeBSD 14.3 (and therefore likely also #GhostBSD), in case people are wondering. (-:

#djbwares #djbdns

Have something to whet your appetites for #djbwares version 11.

If you don't know #djbdns, you probably won't notice what will make people who do know djbdns take interest. (-:

It's also going to contain the FreeBSD 13 build fixes that @ermo helped with.

#DomainNameSystem

Looking up www.bing.com. nowadays involves dnscache looking up intermediate domain names in org., com., net., and info.; the cross-dependencies of which regularly exceed dnscache's nested gluelessness limit above which it switches to a slower resolution algorithm.

Some quick tests indicate that raising this limit from 2 to 3 improves matters.

So this will be in #djbwares 11.

#djbdns #dnscache #DomainNameSystem

@pmevzek @Edent @rmbolger

You are bearing this news a quarter of a century behind Daniel J. Bernstein, you should know. (-:

#djbdns #DNS #MicrosoftWindows