2025-12-02 08:20:22
Sweet next year letsencrypt will support a persisting DNS record so these tools don’t need access to DNS for renewal
»Exploit code available — DNS records of countless BIND servers can be manipulated:
Attackers can redirect traffic to their own domains via cache poisoning. In Germany alone, according to the BSI, around 40,000 DNS servers are vulnerable.«
Damn it, so now I'll have to look into whether I and/or my customers are also affected, and how does one fix it?
🔓
some things that make DNS hard https://lobste.rs/c/3ahld4
https://mastodon.bsd.cafe/@nuintari/115467761984…
I can help but feel this "feature" should raise more concerns than it does alleviate them.
"Accelerated recovery for managing public DNS records addresses this need by targeting DNS changes that customers can make within 60 minutes of a service disruption in the US East (N. Virginia) Region."
Nice, if you use DNS via Tailscale AdGuard/pihole can work even if you have Private Relay turned on!!
Physics-Informed Machine Learning Approach in Augmenting RANS Models Using DNS Data and DeepInsight Method on FDA Nozzle
Hossein Geshani, Mehrdad Raisee Dehkordi, Masoud Shariat Panahi
https://arxiv.org/abs/2510.01091
I write up some of my advice on surviving DNS outages as it seems timely #AWS #DNS https://adrianco.medium.com…
>Me: *sets up secondary DNS server in case primary fails*
>Primary: *fails*
>Hosts: *pretend that secondary doesn't exist*
I sure love DNS...
Is it #DNS?
Microsoft Azure outage: Heathrow, Xbox and Minecraft among sites down
https://www.bbc.co.uk/news/articles/c3rj45n4x5eo
I had to migrate my #DNS today, and Hurricane Electric is such a pleasurable return to 90s.
Website obviously designed by a backend engineer. Has only tables and buttons. Buttons work and do things. It's fast. It supports features fancy sites do not support. On top of it, free.
12/10
#DNS trivia, especially for those who have ever used the "It was DNS" meme. What is wrong with this (real) dig response and what is the likely cause? AI probably won't help you.
dig @1.1.1.1 foobar.gov +norecurse +nocmd +noquestion +noauthority +nostats
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1808
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, A…
Microsoft didn't want to be left out of showing everyone why having everyone and everything depend on the same 3 companies is a bad idea 😂
https://www.bleepingcomputer.com/news/microsoft/microsoft-dns-outage-impacts-azure-and-microsoft-365-services/
"Self-hosting DNS for no fun, but a little profit!" – Morten Linderud
https://linderud.dev/blog/self-hosting-dns-for-no-fun-but-a-little-profit/
Why am I smelling #DNS again :mortysmile:
Complaint: Karlsruhe provisionally halts controversial DNS surveillance
The Federal Constitutional Court has suspended a district court's order to monitor DNS queries for a specific domain, following a complaint by the provider.
On Website Technicals (2025-10) - Tech updates: Sitebulb AdSense fails, RSS description, lite ads, ISSN lookup, micro-opts, DNS broke intensity, SVG inline URL-encoded, CO2 pcm, flock... - https://m.earth.org.uk/note-on-site-technicals-101.html
from my link log —
The disappearing Windows DNS debug log.
https://nxlog.co/disappearing-windows-dns-debug-log
saved 2019-01-10 https://
Started migrating services off of the RPis and onto the new #Proxmox server. The initial install went fairly smoothly, got the VLANs configured, and then set up the new primary DNS server. That took longer than it should have, but I will say this: the VM is so much more snappy than the Pi. Next up is the secondary DNS server.
So I was pretty enthusiastic about #DNS4EU at first.
Then I've discovered it blocklisted some random pastebin. Well, it happens. I mean, pastebins frequently get into trouble because of people pasting random shit. So I've filed an unblock request. I've suddenly got a mail to confirm registration in some random company's system — I suspect it was related to DNS4EU, but no clear indication. I've ignored it.
Then they've blocklisted my mail provider, for no apparent reason. It's still blocked. I've switched to the "unfiltered" version to be able to access my mail again.
Today I've gotten a mail via my backup MX. My main MX is up. My educated guess is that sysadmins using DNS4EU now get my mail redirected to their "site blocked" server. Isn't that great?
PS. Maybe if more people filed unblock requests for "poczta.ftdl.pl", it would help. It's a non-profit e-mail provider.
#DNS #ItsAlwaysDNS
@… Hey, it is me again 😅
Just to let you know that I receive some 400 Bad Request errors from some DoH servers (dns.quad9.net and ns0.fdn.fr for instance) while some others accept my queries (dns.google and Cloudflare 1.1.1.1).
I am not sure yet if the error is on my use of the library or within the library itself.
Here is the code to run the query:
I switched away from GitHub to host my (so far) boring ass website somewhere else and obviously had DNS issues!
Adjusted DNS records and it worked smoothly everywhere except on my own machine where they could not be found *at all* (not even outdated ones). But waiting it out obviously fixed it in the end. I’m no AWS so nobody noticed or cared. 😵💫
This is not the first time for #Microsoft #DNS-related problems. As I recall, the first one I remember from 2001 had something to do with their authoritative name servers residing on the same IP4 /24 that had an access or availability problem.
It was a rookie mistake even then, and they were …
German ministry renames itself, domain expires, is bought by SEO-spammer, expires again, is bought by domain grabber, then later bought by itsec company who now learns that apparently plenty of internal systems of the ministry still try to connect to the domain...
I don't even know where to start how terrible that is and what it tells us about government IT security practices...
from my link log —
Behind the complaints: investigating the suspicious pressure against archive.today.
https://adguard-dns.io/en/blog/archive-today-adguard-dns-block-demand.html
saved 2025-11-15
if i would buy a new Phone, with the full freedom what to install and completely without google or Apple bloat, my phone will have the following apps and the size of an iPhone SE 2022. #bringbacknormalsizedphones
Filen - cloud
Ente - auth
Next DNS - DNS
Ice cubes - Mastodon
Proton - Cal, Mail, pass
Deepl - Translation
DuckDuckGO and Fire…
On Website Technicals (2021-02) - Tech updates: image preview tweak for dark mode, DNS secondary fun. - https://m.earth.org.uk/note-on-site-technicals-45.html
NetBSD mail server with Postfix, BIND (for DNS), Dovecot, Pigeonhole (Sieve), SSL, DKIM and SPF
#email
Fun little experiment: block html-load[.]com and error-report[.]com at the DNS level and watch the web become unusable.
»DNS0 has been shut down. A look back at the short life of the EU-funded DNS resolver.
DNS0 is history. The operator was a French non-profit organisation, founded in 2022 by Romain Cointepas and Olivier Poitrey.«
That a free & open DNS service in Europe is something important is taken seriously by almost nobody. In my opinion, even IT technicians aren't really aware of it.
🔌
If it's not DNS, it's usually a race condition.
AWS: wheeeeee, we had both!
#AWS #AWSoutage
Oh my, @… is fast! Faster than Cloudflare or Google. With average response time of 12 ms.
Where cloudflare was 22 ms
And Google shited with 232 ms 😆
#dns
AWS says "the underlying DNS issue" is mitigated and most "operations are succeeding normally" after a huge US-EAST-1 outage; some services are still "impacted" (Jess Weatherbed/The Verge)
https://www.theverge.com/news/802486/aws-o
DNS strikes again
"Amazon reveals cause of AWS outage that took everything from banks to smart beds offline"
https://www.theguardian.com/technology/2025/oct/24/amazon-reveals-cause-of-aws-outage
from my link log —
Fuzzing DNS zone parsers.
https://www.cambus.net/fuzzing-dns-zone-parsers/
saved 2019-07-12 https://dotat.at…
@… @… It’s not vanity. It is a kind of identity verification - since in order to use a domain name as an ID you have to have access to the domain's DNS records. Which means you have an ICANN registration.
> The underlying problem today was a malfunction at Amazon Web Services, where something called "DNS resolution" was not working
BBC putting quotes around "DNS resolution" there, like it's indecipherable Gen-Z slang.
https://www.bbc.co.uk/news/live/c5y8k7k6v1rt
@… A molecular model kit might be an idea, and to go with it, for reading, the natural-science classic:
James D. Watson: The Double Helix: A Personal Account of the Discovery of the Structure of DNA
Nothing beats DNS upgrades on Christmas 😂
you can bring down 20% of the internet with a single-character typo in a regex, but you can also destroy a nearly 50 year old bridge with a single incorrectly placed piece of heatshrink
isn't technology beautiful
https://blog.cloudflare.com/details-of-t…
$ sudo dns-sd -O
XPC service returns error, description: State dump is currently disabled due to system privacy settings. To enable it, install the [mDNSResponder Logging Profile](https://developer.apple.com/bug-reporting/profiles-and-logs/?name=mdns) and res…
@axbom@axbom.me Maybe I shouldn't cheer just yet. Something seems to have changed in their DNS this morning. I stumbled across it by chance(!), believe it or not. Maybe they've just temporarily messed it up so that it comes back in a few hours.
Exciting anyway. And actually completely crazy that I discovered it. I was tinkering with a tool of my own to show short-link destinations without having to click the short link. Remembered the QR-code link and tested with it. Got an error message straight away. Thought the tool…
3 days ago the RSS feed of planet.ubuntu.com stopped working due to a TLS cert error.
I THINK it's due to them overhauling & moving it to a github-hosted replacement, but as this was done just by redirecting DNS the new host doesn't have a TLS cert with the correct name. If so, this means that people following the old RSS feed can't do so any more and they got no notice that this was going to happen.
I don't know for sure though because my query remains unansw…
@… hey, just reaching out to let you know that https://b.diasp.org seems to go to some spam blog now (i assume DNS records were never updated)
side note: is there an activitypub plu…
PSA: Use the "accounturi" feature of Let's Encrypt CAA!
If you're hosting a safety/security-critical service, there's a way too unknown feature called "accounturi", that allows you to restrict TLS certificate issuance to a single Let's Encrypt account (and account private key).
You simply create a CAA record on your domain and put your LE account ID into it.
This means that attackers cannot issue TLS certificates and pull man-in-the-middle…
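Added illustration, not code from the post above or from Let's Encrypt: a small evaluator for the CAA semantics the PSA relies on. It applies the RFC 8659 issue/issuewild rules plus the RFC 8657 `accounturi` and `validationmethods` parameters to a constructed RRset, so you can check what a given CA and ACME account would be allowed to do. The account URL is a placeholder, and the example goes beyond the post by also restricting the validation method.

```python
"""Evaluate CAA issue/issuewild records (RFC 8659) with the RFC 8657
accounturi and validationmethods parameters. Added example; the RRset
and the ACME account URL below are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed RRset for example.com: only one Let's Encrypt account may
# obtain certificates, and only via the dns-01 challenge.
ACCOUNT_URL = "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER-ID"
EXAMPLE_RRSET = [
    CAA(0, "issue", f"letsencrypt.org; accounturi={ACCOUNT_URL}; validationmethods=dns-01"),
    CAA(0, "iodef", "mailto:security@example.com"),
]


def zone_line(owner: str, rr: CAA) -> str:
    """Render a CAA record in master-file syntax (what you would paste into a zone)."""
    return f'{owner} IN CAA {rr.flags} {rr.tag} "{rr.value}"'


def parse_issue_value(value: str):
    """Split an issue/issuewild value into (issuer_domain, {param: value}).
    The bare value ";" (empty issuer) means: nobody may issue."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip()
    return issuer, params


def may_issue(rrset, issuer_domain, account_uri=None, method=None, wildcard=False):
    """True if the CA named by issuer_domain may issue under this RRset.

    RFC 8659: no relevant records -> any CA may issue; issuewild records
    take precedence for wildcard names when present.
    RFC 8657: an accounturi parameter must match the requesting account's
    URI exactly; validationmethods lists the ACME challenge types allowed.
    """
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True
    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if not issuer or issuer != issuer_domain.lower():
            continue  # empty issuer forbids everyone; other CAs do not match
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # right CA, wrong (or unknown) ACME account
        if "validationmethods" in params:
            allowed = {m.strip().lower() for m in params["validationmethods"].split(",")}
            if method is None or method.lower() not in allowed:
                continue
        return True
    return False


if __name__ == "__main__":
    for rr in EXAMPLE_RRSET:
        print(zone_line("example.com.", rr))
    print("own account, dns-01:", may_issue(EXAMPLE_RRSET, "letsencrypt.org", ACCOUNT_URL, "dns-01"))
    print("other account:", may_issue(EXAMPLE_RRSET, "letsencrypt.org",
                                      "https://acme-v02.api.letsencrypt.org/acme/acct/OTHER", "dns-01"))
```

The practical check is the second case: an attacker who briefly controls your web root or DNS can pass a challenge, but without your account key the CA is still bound by `accounturi` and must refuse.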
https://defend612.com has been blocked at the domain name level for me and at least two other people over T-Mobile networks (which includes GoogleFi, MetroPCS, and… wait for it… Trump Mobile). For at least all day today.
Seems unlikely to be a technical problem but instead to be Actual Censorship (unless its not …
Looks like Cloudflare DNS is still fine but the proxy that's supposed to protect against DDoS stuff is what's causing everything to be down.
This girl now self-hosts her DNS!!
https://github.com/LuNeder/nixos-config/commit/7c5358fd4de441e4bb5011fb90f182bbbfb6bd28
from my link log —
trustydns: DNS Over HTTPS proxy, server and query programs.
https://github.com/markdingo/trustydns
saved 2019-06-28 https://do…
The penultimate talk at #12Clouds is Akshay M talking about Agent Name Service (ANS), a DNS-like trust layer for AI agent deployments
@dawid@social.craftknight.com Huh… CIRA runs the .ca TLD. Not high-profile but… seem to be OK?
[Tl;dr: They’re offering a free DNS resolver, Canadian-built and -run.]
https://cosocial.ca/@kgw/115503438874192927
@… This is me again 😅
Using DoH, I get a weird EOF error during the dnshttp.Response conversion of the HTTP response.
The response was sent using the dnshttp.ResponseWriter implementation.
Digging into the implementation of the ResponseWriter, I see that you truncate the two leading bytes (response size) of TCP answers:
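Added illustration of the framing mismatch the post above describes, not code from the library being discussed: DNS over TCP prefixes every message with a two-octet length (RFC 1035 section 4.2.2), while a DNS-over-HTTPS body (RFC 8484) is the bare wire-format message. The block frames and unframes a constructed response, parses it strictly, and shows that dropping two bytes from a message that never carried the prefix turns into a short read inside the parser.

```python
"""DNS-over-TCP length framing versus bare DoH bodies, with a strict
wire-format parser that reports short reads as EOFError. Added example;
the response message below is constructed."""
import struct

# Constructed response: id 0x1234, flags 0x8180 (qr rd ra), one question
# for example.com A/IN, no answer records. 29 octets in total.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
)


def frame_tcp(msg: bytes) -> bytes:
    """Add the two-octet big-endian length prefix used on TCP."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes):
    """Return (first message, remaining bytes); EOFError on a short read."""
    if len(stream) < 2:
        raise EOFError("need 2 length octets")
    (n,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + n]
    if len(body) < n:
        raise EOFError(f"expected {n} octets, got {len(body)}")
    return body, stream[2 + n:]


def doh_body_from_tcp(stream: bytes) -> bytes:
    """A DoH body is the unframed message and nothing else."""
    msg, rest = unframe_tcp(stream)
    if rest:
        raise ValueError("trailing data after first message")
    return msg


def read_name(msg: bytes, off: int, depth: int = 0):
    """Decode a domain name; follows one level of compression pointers."""
    labels = []
    while True:
        if off >= len(msg):
            raise EOFError("name runs past end of message")
        n = msg[off]
        if n == 0:
            return ".".join(labels) or ".", off + 1
        if n & 0xC0 == 0xC0:
            if off + 1 >= len(msg) or depth > 4:
                raise EOFError("bad compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = read_name(msg, ptr, depth + 1)
            return ".".join(labels + [name]), off + 2
        if off + 1 + n > len(msg):
            raise EOFError(f"label of {n} octets runs past end of message")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_message(msg: bytes) -> dict:
    """Strict parse of header, question and RR sections."""
    if len(msg) < 12:
        raise EOFError(f"header needs 12 octets, got {len(msg)}")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise EOFError("question runs past end of message")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise EOFError("RR fixed fields run past end of message")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise EOFError("RDATA runs past end of message")
        records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": ident, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "records": records}


def probe(msg: bytes) -> str:
    """Parse and describe the outcome, so failure modes can be compared."""
    try:
        parse_message(msg)
        return "ok"
    except EOFError as e:
        return f"EOF: {e}"


if __name__ == "__main__":
    print("TCP frame -> DoH body:", probe(doh_body_from_tcp(frame_tcp(CONSTRUCTED_RESPONSE))))
    print("bare message, 2 octets wrongly stripped:", probe(CONSTRUCTED_RESPONSE[2:]))
```

Stripping the prefix is only correct on data that came off a TCP socket; when the same writer is reused for DoH, the first two octets of the header go missing, the counts land in the wrong fields and the reader hits end of message while still expecting records, which is exactly an "unexpected EOF" symptom.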
Our friends at tinfoil-factory recently made the initial release of netfoil - a severely hardened minimal filtering dns proxy written in #golang - Seems very useful for reducing the attack surface of your services. #security https://github.com/tinfoil-factory/netfoil/releases/tag/v0.1.0
DNS stands for “DO NOT meSs with this or you’re going to have a bad time”
i should put some weird shit into DNS. no, weirder than that
Tao Te Ching: The tao that can be told is not the eternal Tao. The name that can be named is not the eternal Name.
Paul Mockapetris: that's going to make it really hard to issue you a DNS address
Run DNS speed tests and compare different DNS resolvers in your browser.
https://codeberg.org/Stomata/DNSspeedtest
Forked from: https://
Have you noticed that when the blame #DNS meme starts flying the root is perfectly operational, there is rarely a mention of the big registry operators, BIND, Unbound, Knot, and PowerDNS are absent from the conversation, and many who can craft a reasonable dig query are getting responses from local and public resolvers to debug?
Even with all the misconfiguration, added complexity on top of it, a…
@… and this is why I ran ad blocking on the DNS level. And browser addons that deal with most of these crappy modals
China-aligned threat actor is conducting widespread cyberespionage campaigns https://therecord.media/china-aligned-threat-actor-espionage-network-devices
from my link log —
Async DNS with Mac OS getaddrinfo_async_start and Rust smol.
https://fnordig.de/2025/11/07/async-dns-in-smol/
saved 2025-11-08 htt…
Good grief, I think I'm losing it.
For months I've been meaning to replace my old Raspi 3 with a 5.
So far it doesn't do much besides piHole DNS blocking.
The plan was, among other things, to install Home Assistant.
Why? Because I have various IoT gadgets from various manufacturers. But I'd like to control them all with just one app.
At the same time I want to use the Pi for other things too, e.g. Time Machine for Mac backups, LUKS-encrypted Ne…
See, not always DNS! Sometimes it's BGP.
This was very welcome news from Let's Encrypt today and more interesting than cert lifetimes.
"This means you can set up the DNS entry once and begin automatically renewing certificates without needing a way to automatically update DNS."
I already do DNS-01 but not having to do the dynamic updates will be appreciated.
Many #Terraform providers using SSH do not check the SSH host key... they just run with ssh.InsecureIgnoreHostKey...
And to be honest, it is partly the fault of the SSH standard library which makes it super easy to ignore the host key and does not provide any useful builtin key verification function. People are lazy. ssh.FixedHostKey is niche.
So I implemented a small library to v…
Maybe all of those people that were laid off were doing some work?
https://www.theregister.com/2025/10/20/aws_outage_amazon_brain_drain_corey_quinn/
Brief Starlink outage (our second ever). Strange that throughout I could ping 1.1.1.1 but not 9.9.9.9 or any other Internet host for which I have the IP saved. I reckon this means Cloudflare has a DNS instance in the same DC/on a peering fabric adjacent to the Starlink "Dublin" (LDNGBR) ground station.
chat, what's your favorite DNS-over-HTTPS library on npm that can use fetch() as a backend?
There is an ActivityPub proposal that involves the #DNS.
I have only just discovered it and have not considered it deeply so I am reluctant to make any grand statements. It is not obvious to me why this is useful or better than alternative approaches. It appears to involve the use of TXT RRs, any new de facto use of which makes me skeptical.
from my link log —
Discovering the discovery of designated resolvers (DNS DDR).
https://labs.ripe.net/author/yevheniya-nosyk/discovering-the-discovery-of-designated-resolvers/
saved 2025-11-09
@… I am using dnsv2 to develop a "mock" DNS server for my unit tests.
I noticed that when specifying Server.Listener or Server.PacketConn, you also need to specify Server.Net or you end up with a "bad network" error when calling ListenAndServe.
Specifying the Net property seems redundant when the PacketConn/Listener properties are specifie…
.gov #DNS notes
On 2025-01-19 there were two "biden" names, bidenlibrary and bidenwhitehouse. Not so unusual. Associated names for Obama and Trump were also there and remain still. These are exec branch names but the agency responsible for them is the National Archives and Records Administration (NARA).
As of today, there are four additional "trump" labels in the …
oRANS: Online optimisation of RANS machine learning models with embedded DNS data generation
Daniel Dehtyriov, Jonathan F. MacArt, Justin Sirignano
https://arxiv.org/abs/2510.02982
how to use standard DNS UPDATE in a manner that avoids causing outages like AWS us-east-1 https://lobste.rs/s/mw0pus/summary_amazon_dynamodb_service#c_ux4xlb
No, it's not DNS! It can't be!
back when i was still in school i asked a classmate sitting next to me what should i be calling my machines. being a reenactor (I think? or something adjacent at least, it's been too long) she suggested Elder Futhark runes.
it was at least 5-10 years that passed between that and a realization that someone looking at my DNS zone without context would probably go "hm... is she secretly a nazi". anyway I phased the naming scheme out
I spent the weekend making a fun DevOps pipeline because I felt like it and am now quite pleased.
I'm hosting gitea, n8n and docker registry in my lab. I now have a webhook in gitea for certain repos so that when I push to them, it triggers n8n to pull the repo and build the dockerfile. This image is then pushed to the registry, and watchtower will pull it when it runs.
Naturally have all my own DNS things for these app web guis which go through nginx. All of this is in pro…
You know you're going too far when, to test one feature of your program (an SSH client), you end up implementing an SSH server, a DNS server, an HTTP server and a PKI for your E2E test.
Fortunately, it's easy to do in Go 😅
from my link log —
Route 53 DNS: Amazon’s premier AWS database.
https://www.lastweekinaws.com/blog/route-53-amazons-premier-database/
saved 2021-02-18
Weekend Reads
* EDNS client subnet in practice
https://farrokhi.net/posts/2025/10/edns-client-subnet-in-practice-evaluating-public-resolver-behaviors/
* BGP-based DDoS scrubbing services survey
from my link log —
Can I use HTTPS RRs?
https://www.netmeister.org/blog/https-caniuse.html
saved 2025-12-12 https://dotat.at/…
from my link log —
Eon: a programmable effects-based OCaml DNS server.
https://ryan.freumh.org/eon.html
saved 2025-10-11 https://dotat.at/:/R4QXU.html