DNS is dangerous knowledge to have.
Yes, it's a wonderful, amazing way to solve many problems.
Unfortunately, once you know how it works, you begin to realize how fragile the underpinnings for a lot of other things are.
Worse, once -other- people realize you know it, you get their well-meaning plans to do things that, yes, -can- work, but really oughtn't to see the light of day.
No offense to the fellow who wrote this, but this?
https://github.com/aniruddhas/DNSrouter
This is one of those ideas that, well meaning though it is, really oughtn't to be implemented.
Please do not rewrite your routing tables based on DNS responses.
[ A solution for the apparent problem this is intended to solve - routing different priority traffic to different gateways - would be to use a pair of SOCKS proxies; whitelist the traffic for the one on an internal resolver & dump the rest to the other; then have your routes send one proxy to one gateway and the other to the other.
This will keep your ops staff from screaming about randomly changing routes. ]
@geofurb Nah, you just have a single configuration, and pass the requests between the two proxies depending on whether it's in the good group or the other group.
One of the many reasons not to do this his way is that you can screw up your routes -hard- very quickly if you try to do clever dynamic routing like this.
[There are also security problems, but the basic usability one should suffice in most cases]
@munin I don't understand the first part of your message, you're gonna have to use more words and be more specific.
What does it mean to screw up your routes? Hard?
@geofurb What happens when you get a race condition on DNS-initiated routing changes?
I don't know, but it's not going to result in a usable network configuration.
Yeah...this is one of those situations that I'd be much happier never knowing the answer ;-)
@geofurb @maiyannah And, honestly, these "control work computer use" situations are usually just wrongheaded to begin with.
Either trust your employees to get their work done in a timely manner or get rid of them.
Intrusive web stuff? That's just going to be a lot of cost for no actual benefit - and encourages juvenile behavior.
Pretty much, yeah. Also - if you treat people like children, they will act like children; if you treat them as adults, they will act as adults.
@maiyannah @geofurb Oof, yes.
Not to mention management always seems to be exempt from any of these little disciplinary matters.
Or security ones :-/
Yeah, can definitely tell...
Let's say I hit refresh on worksite.work and playsite.play at the same time. Both DNS requests go out, but the order they come back in is indeterminate - so the order in which the routing changes show up will differ. Now how long does it take for the ipconfig changes to propagate? How many TCP sessions are affected by this?
What happens when you try to apply multiple iptables configs at the same time? :-/
@maiyannah Oh yes, definitely. It's a good thing, IMO.
I just get nervous if I can't put something back together.
@maiyannah @munin "ultimately the working group concluded that significant migration to the SPF RR type in the foreseeable future was very unlikely and that the best solution for resolving this interoperability issue was to drop support for the SPF RR type from SPF version 1."
Munin, Keeper of Lore
George Furbish❎
Maiyannah Bishop
sungo_enothere
terribleplan
🏴☠️🏴☠️KODO🏴☠️🏴☠️