Tootfinder

"Hackers exploit a blind spot by hiding malware inside DNS records"
Hah! I predicted years ago that attackers would leverage DNS like this!
My insistence to include DNS requests in anomaly detection and threat detection was on point 😤 so vindicated!
https://

Hackers exploit a blind spot by hiding malware inside DNS records
Technique transforms the Internet DNS into an unconventional file storage system.

from my link log —
Get the location of the ISS using DNS.
https://shkspr.mobi/blog/2025/07/get-the-location-of-the-iss-using-dns/
saved 2025-07-06

Get the location of the ISS using DNS
I love DNS esoterica. Weird little things that you can shove in the global directory to be distributed around the world instantly(ish). Domain names, like www.example.com usually resolve to servers. As much as we think of "the cloud" as being some intangible morass of ethereal Turing-machines floating in probability space, the more prosaic reality is that they're just boxen in data centres. They …

Alright, next step in my #OTEL adventure for @… was to add react/cache|dns|socket so I can trace any potential connection issues. Not sure yet what to do next:
* Event loop
* react/stream
* Just add tests to what you have before adding more

My main bugbear with OVH is that they *still* don't offer "failover IP" (where you can fairly quickly move an IP between different dedicated servers) for IPv4, not IPV6.
And, no, they don't offer "Bring Your Own IP" for IPv6 either, only for IPv4.
So when I recently migrated us to a new server I had to do the DNS TTL dance with the IPv6 side of things.
Oh, and it's still only a /64 per server. Not that anything stops you from just using <…

One of the main setbacks to finish my homelab migration from nomad to k8s has been cert-manager compatibility with some of my domains. I didn't want to migrate everything to cloudflare. I've got 2 domains on easydns.com, which isn't supported by cert-manager, but is supported by dns-lexicon.
I found a cert-manager-webhook wrapper around dns-lexicon. Then I forked a fork so that I could tune the build pipeline to produce multi-arch images quickly.
Anyway here…

"I just want my life back!"
New from Chuck Tingle. This Summer don't stray too far from the standards track, lest you be…
Pounded in the Ass By the RFC Process
https://mailarchive.ietf.org/arch/msg/dane/JPY1_4_KFznrh_sAPUvQc2ig9Cs/

My latest piece for The Register describes my experience turning on DNS security (easy) and the overall progress on securing DNS across the Internet (poor). https://www.theregister.com/2025/07/25/systems_approach_column_dns_security/

DNS security is important but DNSSEC may be a failed experiment
Systems Approach: Nobody thinks of running a website without HTTPs. Safer DNS still seems optional

There's a point here, but it's really narrower than it looks.
Many individuals can self-host to a level that meets their needs. Not everyone needs anti-DDoS on their web server. Not everyone needs 10GB of space for email accessible from any device anywhere. Almost no one needs a global anycast DNS network. https://

So @… blew my mind about how are smart TVs are spying on us with Automatic Content Recognition and other advertising profile scripts. Yikes! Thanks for the heads up!
https://youtu.b…

@… I was having issues accessing social.linux.pizza. After racking my brain for a while as to what could have happened, I remembered the old adage "It's always DNS" and indeed it was so.
More specifically, one of the blocklists that Quad9 DNS (which is what I normally use) uses has classified the site as "Botnet" -

systemd definitely does get many things right. My current favorite is how it sets the system resolver to loopback and provides an own DNS server.
Common Linux tradition was to tell processes to use getaddrinfo, where nsswitch then provides configurable backends. That means that every process goes through loading /etc/nsswitch.conf, but worse, it reduces DNS to a terrible subset. Query SVCB records? tough luck, you're on your own.

Take note my #DNS friends
https://mastodon.social/@pid_eins/114556401535348313

My #CenturyLink DSL Internet is down... except for one computer where I'd previously configured DNS to use Google's Public DNS. I'm assuming this is somehow key to why it still works. I've tried to reproduce this onto another computer, but no luck so far.

And the rabbit hole starts: I had to replace my FritzVPN with Wireguard (Thanks @…, of course not Wire*shark) so that the hostname-resolution in my home network works the way I want/need --- IT'S ALWAYS DNS!!!!

@… I can think of ways you might do it by getting people to set a DNS CNAME, for example, so they own the domain *but* authentication is controlled by a service. In theory, this allows ownership because you can replace it with a competitor.
AP is probably harder, but I don't think it's impossible, based on my cursory reading of the …

Update: I heard back from the people running the system. Apparently it isn’t a geoblock, but the specific IPs my requests were coming from were blocked because of abuse from that CDN (bunny.net). The error has been fixed. (Now I wonder if Fraenk hosts their stuff on Bunny.net, or if it’s the DNS resolver I am using 🤔)
Anyway, in the future, access to the warnings should be possible.
Also, they saw this toot and referenced it in their reply 😅.

I was wondering why my SMTP configuration wouldn't work. DNS zone looked fine, SSL/TLS settings correct, authentication enabled, yet it wouldn't budge.
Then I had a moment of enlightenment about the mail subdomain having one lone A record instead of two NS records as it should have been.
It's. ALWAYS. DNS. Dammit.

This week I have (a) enabled DNS security extensions (first documented in 1997 in RFC 2065) on a domain I control and (b) enabled IPv6 (first documented in 1995 in RFC 1883) on my home router, so I think it's time to break out "The Dream of the '90s" from Portlandia: https://youtu.be/TZt-pOc3moc…