
The story of a little DNS easter egg

66 points| jgrahamc | 12 years ago |blog.cloudflare.com

24 comments

[+] simias|12 years ago|reply
It reminded me of this clever hack used to store the source code of DeCSS (CSS descrambler that let you bypass the DVD DRM) in DNS records: http://decss.zoy.org/ (method 9).

"Mark Baker noticed that you could do the request to any nameserver. Which means for instance that the DeCSS source code is available from the DVDCCA's nameservers !"

Classic.

[+] Fuxy|12 years ago|reply
Wish they would open source it. I would have preferred if they would have contributed to PowerDNS instead of reinventing the wheel. Was PowerDNS so awful it required a complete rewrite? If so, fair enough.
[+] jackalope|12 years ago|reply
One of the reasons they originally chose PowerDNS was that "it seamlessly allowed us to add new records without rebooting."

Can someone explain? What DNS server requires a reboot (or even restart) instead of a simple reload?

[+] thaumaturgy|12 years ago|reply
(I also chose PowerDNS years ago.)

I'm not sure about "rebooting" -- if this was just a language error -- but PowerDNS can run with a MySQL or Postgres backend with instant updates to records. i.e., no reload or other configuration re-read required.

With DB replication up and running, you can get a fairly robust domain name server pool going without the usual headaches associated with copying updates to multiple servers.

[+] ck2|12 years ago|reply
I'm curious if cloudflare will ever just sell its anycast dns as a service.

Don't really need the other stuff, but from what I can see their DNS performance is on par with dnsmadeeasy/dyn/ultra.

[+] gwu78|12 years ago|reply
Wouldn't that obviate the need for third party CDNs?
[+] pjbringer|12 years ago|reply
While playing these kinds of games on security sensitive services might not seem like a good idea, it lets someone take ownership of its development, and gain experience with its codebase.
[+] kevinbowman|12 years ago|reply
I imagine the switch over to TCP is more because the response is likely to be larger than a UDP packet (which IIRC is why DNS-over-TCP exists) (looks to be the case [1]), as opposed to stopping an amplified reflection attack, but it's a nice side effect.

[1] http://serverfault.com/questions/404840/when-do-dns-queries-...

[+] makomk|12 years ago|reply
Nope. Normal DNS behaviour is to send the first few records over UDP and set the response truncated flag, which would still allow amplified reflection. They're intentionally sending no records at all in order to protect against this.
[+] anotherevan|12 years ago|reply
I remember listening to a podcast where Steve Gibson mentioned that he uses a DNS TXT record to publish the current version of SpinRite. That way the program just does a DNS look-up to see if there is a newer version available.

Thought that was a clever trick. Saves a centralised server getting hit all the time (although you then miss out on usage information I guess.)
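The two mechanisms discussed in the comments above, the truncated (TC) response that pushes a client to retry over TCP and its effect on reflection amplification, and publishing a version string in a TXT record, as an added Python example. This is not code from the thread, from Cloudflare or from PowerDNS; it builds and parses raw DNS wire messages with the standard library only, and the name `txt.example.`, the TXT payloads and the version numbers are constructed for the demonstration.

```python
import struct

TYPE_TXT = 16
CLASS_IN = 1
FLAG_TC = 0x0200  # "truncated" bit in the DNS header flags


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels plus a root terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_TXT, qid: int = 0x1234) -> bytes:
    """Minimal one-question UDP query: RD set, no EDNS (constructed)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query: bytes, txt_answers: list, truncated: bool) -> bytes:
    """Constructed response: echoes the question, sets QR (and TC when asked),
    and appends one TXT RR per string, using a compression pointer (0xC00C)
    back to the question name at offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (FLAG_TC if truncated else 0)  # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(txt_answers), 0, 0)
    rrs = b""
    for txt in txt_answers:
        rdata = bytes([len(txt)]) + txt.encode("ascii")  # one <len><chars> string
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + query[12:] + rrs


def read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return the header id, the TC flag and the answer records as (name, type, data)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # qtype + qclass
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            strings, p = [], 0
            while p < len(rdata):  # TXT rdata is a sequence of <len><bytes>
                n = rdata[p]
                strings.append(rdata[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            records.append((name, rtype, "".join(strings)))
        else:
            records.append((name, rtype, rdata))
    return {"id": qid, "truncated": bool(flags & FLAG_TC), "records": records}


def amplification(query: bytes, response: bytes) -> float:
    """Bytes a reflector would send per byte received over UDP."""
    return len(response) / len(query)


def should_retry_over_tcp(response: bytes) -> bool:
    """A client re-asks over TCP whenever TC is set, whatever the answer section holds."""
    return parse_response(response)["truncated"]


def newer_version_available(published: str, installed: str) -> bool:
    """Compare a dotted version taken from a TXT record against the installed one."""
    key = lambda v: tuple(int(p) for p in v.split("."))
    return key(published) > key(installed)


QUERY = build_query("txt.example.")
# "First few records" style truncation: three ~60-byte TXT strings, TC set (constructed)
FULL_TRUNCATED = build_response(QUERY, ["constructed-record-%d-" % i + "." * 40 for i in range(3)], truncated=True)
# The behaviour the thread describes: TC set, zero records, nothing worth reflecting
EMPTY_TRUNCATED = build_response(QUERY, [], truncated=True)

if __name__ == "__main__":
    for label, resp in (("few records + TC", FULL_TRUNCATED), ("no records + TC", EMPTY_TRUNCATED)):
        print(f"{label}: {len(resp)} bytes, x{amplification(QUERY, resp):.1f}, "
              f"retry over TCP: {should_retry_over_tcp(resp)}")
    # Version published in TXT (constructed value), compared with a constructed installed version
    vresp = build_response(build_query("version.example."), ["6.0"], truncated=False)
    published = parse_response(vresp)["records"][0][2]
    print("update available:", newer_version_available(published, "5.9"))
```

Both constructed responses carry TC, so a well-behaved client retries over TCP either way; the difference is what an attacker spoofing the UDP source gets back. With a few records in the truncated answer the reply is several times the query size, while the empty truncated reply is the same size as the query, so the reflector returns no more than it received. The version check is the same parser reading one short TXT string; the comparison is on numeric components so "6.10" is correctly newer than "6.9".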

[+] 9ac345a5509a|12 years ago|reply
"For an even more useless, albeit fun Easter Egg, try querying for the CH record for whois.cloudflare against one of our name servers."

    $ dig ch whois.cloudflare @emma.ns.cloudflare.com
    whois.cloudflare.    86400    CH    TXT    "                                  IIIIIIIIIIIII                              "
    whois.cloudflare.    86400    CH    TXT    "                               IIIII,,,,,,,,,IIIII                           "
    whois.cloudflare.    86400    CH    TXT    "                             III?::::::::::::::::III    I                    "
    whois.cloudflare.    86400    CH    TXT    "                            III:::::::::::::::::::::III I      I             "
    whois.cloudflare.    86400    CH    TXT    "                           III~~~~~~~~~~~~~~~~~~~~~~~III II I I   I          "
    whois.cloudflare.    86400    CH    TXT    "                         II?=======IIIIIIIIIII========III? ???I  I           "
    whois.cloudflare.    86400    CH    TXT    "                 III    III+++++IIIIIIIIIIIIIIIII++++++II????????   I        "
    whois.cloudflare.    86400    CH    TXT    "              IIIIIIIIIIII????IIIIIIIIIIIIIIIIIIIII????III?????? ??I         "
    whois.cloudflare.    86400    CH    TXT    "             III,::~=++IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII???????? ?III     "
    whois.cloudflare.    86400    CH    TXT    "            III:~=+IIIIIIIIIIIIIIIIIIIIIII?IIIIIIIIIIIIIIII??????????        "
    whois.cloudflare.    86400    CH    TXT    "            II==+IIIIIIIIIIIIIIIIIIIIIIIIIIIII???IIIIIIIIII++++????????II    "
    whois.cloudflare.    86400    CH    TXT    "            II??IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII????IIII~:~++????         "
    whois.cloudflare.    86400    CH    TXT    "        IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII+=:,.IIIIIIIII?II        "
    whois.cloudflare.    86400    CH    TXT    "       IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII??++++~~=+I~~::,IIII     "
    whois.cloudflare.    86400    CH    TXT    "     IIII=====++IIIIIIIIIIIIIIIIIIIIIIIIIIIII??????IIIIIIIII???+===~~::III   "
    whois.cloudflare.    86400    CH    TXT    "   III======IIIIIIIIIIIIIIIIIIIIIIIIIII???IIIIIIIIIIIIIIIIIIIII?III++==~III  "
    whois.cloudflare.    86400    CH    TXT    "  III===IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII?IIIII+++III "
    whois.cloudflare.    86400    CH    TXT    "  II==777777777777777777777777777777777777777777777777777777777777I77777??II "
    whois.cloudflare.    86400    CH    TXT    " II=777777777777777777777777777777777777777777777777777777777777777777777III "
    whois.cloudflare.    86400    CH    TXT    " II$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$II "
    whois.cloudflare.    86400    CH    TXT    " IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII "
[+] chris_wot|12 years ago|reply
Easter eggs? In something as crucial as an authoritative DNS server? Is that wise?!?
[+] hexedpackets|12 years ago|reply
There are easter eggs in many of the crucial services on the Internet. The HTTP status codes are the first that come to mind.

After all, what's the point of running a massive service if you can't have fun with it?

[+] gwu78|12 years ago|reply
Are you implying web browsers[1] are not "crucial"?

1. Browsers were/are a prime location for Easter eggs.