After setting up DNS over HTTPS, got curious how DNS leak test tools, which discover your DNS resolver, such as Browser Leaks, work 

Turns out, it's quite a clever setup: while you are visiting the browserleaks.com website, in the background it queries a number of hostnames generated especially for you, such as 9d0pafrc5tnu.dns4.browserleaks.net, 0zfannouveb4.dns4.browserleaks.org and so on.

Because the website generates those hostnames specifically for your session, it is able to associate your external IP to the hostnames you attempt to resolve.

Now, because the site operators control the authoritative name servers behind those generated hostnames - specifically ns2.browserleaks.net and ns1.browserleaks.net (also with .org) - from the logs they can check exactly which DNS resolver asked for those unique hostnames.

Simply matching the DNS resolver that attempted to resolve those unique hostnames is enough to link it to your visit of a website session - it is often going to be the resolver of your internet service or virtual private network provider, unless you've explicitly changed your resolver to something else. Still, it is easily visible to the authoritative DNS server.

Voila! No magic, just a simple, nice setup

Just think of how many fingerprinting schemes big tech can carry out to track you across the internet with the vast compute resources available to them...

#itsalwaysdns #dns #resolver #dnsleak #survelliance #tracking #privacy

Gytis Repečka (@gytisrepecka@social.gyt.is)

Setting up DNS over HTTPS (DoH) is so much more complicated than DNS over TLS (DoT) :blobcatthinking: Funny enough Mozilla Firefox :firefox: supports DoH and sets it up on application level, while Android :android: uses DoT on operating system level :blobcatnerd: #itsalwaysdns #dns #dot #doh #sysadmin #linuxadmin

social.gyt.is
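The correlation described in the post above, sketched as an added example (not Browser Leaks' code and not part of the original post): a per-visit hostname is issued, then the authoritative server's query log is joined back to the visitor by the unique label. The zone name, log line format and all addresses are constructed assumptions.

```python
import re
import secrets
from collections import defaultdict

ZONE = "dns4.leaktest.example"  # hypothetical test zone, stands in for the operator's domain

def new_probe(sessions, client_ip):
    """Issue a per-visit hostname and remember which visitor it belongs to."""
    token = secrets.token_hex(6)
    sessions[token] = client_ip
    return f"{token}.{ZONE}"

# Constructed log format: "<timestamp> query from <resolver_ip>: <qname> <qtype>"
LOG_RE = re.compile(r"query from (?P<resolver>\S+): (?P<qname>\S+) (?P<qtype>\S+)$")

def resolvers_by_client(sessions, log_lines):
    """Join authoritative-server log lines to web sessions via the unique label."""
    seen = defaultdict(set)
    suffix = "." + ZONE
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line
        # Resolvers may randomise case (0x20 encoding) and send a trailing dot.
        qname = m["qname"].rstrip(".").lower()
        if not qname.endswith(suffix):
            continue
        client = sessions.get(qname[: -len(suffix)])
        if client is not None:  # unknown labels: scanners, expired probes
            seen[client].add(m["resolver"])
    return dict(seen)

def demo():
    sessions = {}
    # Constructed visitors, using documentation address ranges.
    a = new_probe(sessions, "198.51.100.7")
    b = new_probe(sessions, "203.0.113.20")
    log = [
        f"2024-01-01T10:00:00Z query from 192.0.2.53: {a} A",
        f"2024-01-01T10:00:00Z query from 192.0.2.54: {a.upper()}. AAAA",
        f"2024-01-01T10:00:01Z query from 192.0.2.1: {b} A",
        f"2024-01-01T10:00:02Z query from 192.0.2.99: zzzzzzzzzzzz.{ZONE} A",
        "malformed line",
    ]
    return resolvers_by_client(sessions, log)

if __name__ == "__main__":
    for client, resolvers in demo().items():
        print(client, "->", sorted(resolvers))
```

If the resolvers listed for your own session are not the ones you configured for DoH or DoT, some lookups are still leaving through the default resolver.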

It's always DNS.
I cannot check in to my flight tomorrow because Lufthansa's DNS responds with NXDOMAIN due to denial of existence responses.

#ItsAlwaysDNS

I'm having an interesting problem. YouTube and other things have been doing this to me a LOT recently, but it appears to be related to what networks I'm on. Regular troubleshooting has yielded no answers. As much as I'd like to think that it's just DNS #itsalwaysdns , I'm wondering if anyone else is experiencing similar wonky activity. I'm probably being paranoid, but I feel like maybe I'm on some sort of 'government list' and my traffic is being mucked with.

#TIL that *.example.com doesn't include example.com

#ItsAlwaysDNS #DNS

Today in #ItsAlwaysDNS: FT identifies a network of Russian oil sanctions evasion fronts by their MX records

https://www.ft.com/content/4310f010-2b3c-493e-ba0a-26dc6d156b2e

Email blunder exposes $90bn Russian oil smuggling ring

Apparent network of companies using same server includes little-known group that has become country’s largest oil exporter

Financial Times

My mailserver is very German. When your mailserver tries to send a message, it does a reverse lookup on the IP address. If that doesn't deliver a valid hostname, you're out. But we are not done yet. If it gets a valid hostname, it does an A (IPv4) or AAAA (IPv6) lookup on that hostname. And if it doesn't deliver back the same IP address, you are still out. It is fascinating to observe how often that uncovers that even big names get their DNS wrong. Hello, Spamcop ;)

#ItsAlwaysDNS #MailAdmin

Migrating DNS for my infra.

This definitely won’t cause any downtime issues.

#itsAlwaysDNS #selfhosted #homelab

I swear the Linux version of “it's always DNS” is “it's always SELinux” 🤦🏻‍♂️

#itsalwaysdns #itsalwaysselinux #selinux