DNS Toys (2022)

Google and akamai also has a DNS service.

    dig @ns1-1.akamaitech.net ANY whoami.akamai.net +short


    dig @ns1.google.com TXT o-o.myaddr.l.google.com +short

What's more likely to go down. OpenDNS or YouTube.

    curl -4si0A "" https://www.youtube.com|sed -n '/ip=/{s/.*ip=//;s/\.*//p;};'|uniq

What's more likely to go down. OpenDNS or Cloudflare.

This will work with any Cloudflare IP address and it does not even require TLS.

    printf 'GET /cdn-cgi/trace HTTP/1.0\r\nHost: cloudflare.com |nc -vvn  104.18.25.13 80 |sed -n /ip=/p

To get list of Cloudflare IPs

    curl -4si0A ""  https://api.cloudflare.com/client/v4/ips

There are many, many websites that print the client IP address in a webpage or in a HTTP head. Not necessarily "What is my IP" websites. No need to rely on just one source.

Websites that use Cloudlfare to block certain requests are another option. For example, StackOverflow. Just send HTTP request without User-Agent header.

     curl -si40A "" http://stackoverflow.com|sed -n '/cf-footer-ip">/{s/.*">//;s/<.*//p;}'

The success of "What is my IP" websites is quite surprising given that one's IP address is displayed by hundreds of thousands of other websites.

Further reading on utility of DNS

https://www.netmeister.org/blog/dns-rrs.html

You have a good point that most of those HTTP services out there for getting your IP don't seem like they would be particularly reliable in terms of uptime.

Worth noting that Cloudflare run one though, and that seems more likely to be reliable:

https://icanhazip.com/

https://ipv4.icanhazip.com/

https://ipv6.icanhazip.com/

Very nice idea. Seems way simpler than the STUN protocol.

Thanks for sharing these absolute gems!

Oh interesting - those circumferences are actually closer than I assumed they would be!

Don't use the word "abuse" unless it's in the sense of "SOAP and XHR are an 'abuse' of HTTP".

The IN (internet) class is the evolutionary "towering cedar" of the moment, but there were the CH (chaos) and HS (hesiod) classes during the cambrian period; you might review those project's purposes and goals.

Arguably the abuse today is in the form of things like ten millisecond windows for retransmission and qname minimization which optimize specifically for cloud-based web services ("happy eyeballs") at the expense of all else (and seemingly without awareness of e.g. buffer bloat). There's a whole world outside of A / AAAA resolution.

It's not unheard of to see two people with pocket protectors having a knife fight (or at least poking at each other with pencils) in the hallway at an Internet confab. "RFC" stands for "Request For Comments" and BCPs (Best Current Practice) are routinely ignored.

Dog is cross platform and has some nice features, like json output.

https://dns.lookup.dog/

You don't need to use dig. nslookup or host work also.

Surely Windows has some kind of DNS lookup tool!

You're essentially resolving non-existent domains through their custom DNS server. For example:

    dig 100USD-INR.fx @dns.toys

Translates into "resolve 100USD-INR.fx using dns.toys as a DNS server". They then return TXT records containing the actual answer. Since .fx is a non-existent domain, they're not impersonating anyone, and if you switch "@dns.toys" with say "@8.8.8.8", it wouldn't resolve to anything.

Imagine a site like news.ycombinator.com. The browser uses that name to lookup the IP from a specialized server. So for the domain it might have this saved:

A IP = ...1

AAAA IP = ...2

Where 'a' is the type of record. But there are other types of records:

TXT gender = 'male'

So there's a few assumptions here about DNS that are normally true:

1. People are using DNS as a switch board to other services.

2. The values in the switchboard are normally static.

With this setup they're doing something completely different because they're serving back changing values based on the domain. To do this you would need to write a custom DNS server (though the DNS protocol is quite simple.) The reasons this is a clever hack though are as follows:

1. DNS is one of the most widely used and supported protocols. All mainstream programming libraries support it. This includes numerous command-line tools already in operating system. By providing this as a service over DNS it provides an elegant way for command-line tools and libraries to access services with minimal dependencies.

2. It challenges the way the DNS system should be used by tipping the normal assumptions behind its use on its head (direct usage for information, dynamic content for values.) This makes it possible to use DNS directly as an application service rather than as a switch board operator for regular internet services.

3. DNS is so integral that a complex integration wouldn't be needed to add it to existing software. A DNS request is arguably more straight-forwards than a typical web API. Chances are this also has benefits for censorship resistance, too.

All in all a clever hack.

Sure, imagine a DNS server as a specialized type of web server, but it uses a different protocol over a different port. Just like you make requests to a web server using HTTP, you can interact with a DNS server using DNS protocols. Think of it like comparing how you might use telnet to simulate an HTTP or SMTP request; it's about communicating with a specific type of server over a specific set of rules. This server tends to do some computation before yielding its results, unlike most DNS records that you'd expect to be static.

The DNS protocol is just text over udp. When making a DNS request, your system will open a socket, write "google.com" in it and read for a response. The server, if it is properly configured as a DNS server, will reply with the appropriate DNS record, again as text. Google.com is a cname to some subdomain used for load balancing, so the server will simply reply "CNAME blabla.google.com" and may optionally also resolve blabla.google.com to save you the trouble of making another request.

The DNS protocol, defined in some RFC, says that I have to make a request a certain way, and that the server has to respond a certain way. One of these ways is that for top level domains that don't exist (for ex. .time is not a currently existing tld), the server is supposed to reply nxdomain, but in reality there is no technical measure stopping it from replying with anything it wants, such as the current time.

In fact, generally speaking, the expectation that the server operators will not fuck you over is the only thing preventing public (and indeed private) DNS operators from returning you bogus data. This is mitigated somewhat by HTTPS, but DNS records themselves are infinitely fakeable with no recourse.

If you used default nameservers, you'd be introducing all the usual DNS complications, e.g. caching.

Almost. Every domain (or rather “zone”) has an authoritative name server that maintains the dns records for that zone. When you perform a lookup from your device, it will ask your configured name server (from your ISP or 8.8.8.8 and friends), which will then look up the authoritative server and contact it to resolve the answer and send back the result (which it caches).

You can tell dig to bypass the normal way of things and ask a specific name server instead. This can be useful to bypass caches and debug DNS issues.

DNS is designed for caching. You can use DNS for anything that is public, idempotent, and immutable (or at least, slow-changing).

Usually if a response is greater than 512 bytes the DNS server will renegotiate on TCP 53. Note some DNS servers might not do this, but every normal implementation does that I’m aware of.

DNS can switch to tcp for this reason

> How does this actually work? Finding it hard to believe someone bought domains for all combinations of those unit conversions

dns.toys runs a (custom) DNS resolver. The example dig commands are asking this resolver. They are not using your configured (public) resolver. The custom resolver can return whatever it wants depending on the request. You could also ask the resolver what the IP (A-record) of e.g. "google.com" is and it could answer with whatever it wants.

Therefore, they actually just use one domain: dns.toys.

It works by querying a specific DNS resolver (dns.toys):

  dig +short TXT mumbai.weather @dns.google
  # NXDOMAIN
 
  dig +short TXT mumbai.weather @dns.toys  
  "Mumbai (IN)" "30.90C (87.62F)" "45.90% hu." "clearsky_day" "15:30, Sun"
  "Mumbai (IN)" "28.10C (82.58F)" "56.00% hu." "fair_day" "17:30, Sun"
  ...

DNS is everywhere. It offers massive caching potential. It is well-understood and there are multiple, interoperating, implementations. It is a data diode, which is to say read-only, which can simplify some risk assessments related to attack surface.

The README for this project may explain some of the general benefits (my project): https://github.com/m3047/rkvdns

HTTP is everywhere. I think SOAP sucks, but it's everywhere and it works well enough. (For that matter XHR sucks, but even I use it occasionally.)

(This is not the first time DNS Toys has shown up on Hacker News, there's a link in another comment.)

Often passed through firewalls or effectively proxied through resolvers

For fun.

Because it is fun.

dns clients come preinstalled on virtually any os