The online whiteboard of Kristofer Palmvik
Essentially, the attacker crafts a DNS zone with many DNSKEY and RRSIG records, and a standards-compliant DNSSEC validator tries all possible combinations of DNSKEY and RRSIG records in the vain hope of finding the one combination which matches and validates. If the validator does not implement an explicit limit on the amount of work it will do, it can spend an outrageous amount of resources doing useless work.
With only a single DNS packet, the attack can exhaust the CPU and stall all widely used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare. In fact, the popular Bind9 DNS implementation can be stalled for as long as 16 hours.
Failure to publish DNS records signaling that a parked domain does not send or receive email provides opportunities for third parties to abuse domains of this nature. Domains that are similar to well-known domains are especially vulnerable to such attacks.
Subdomain Sleuth is a new open source project built by the Yahoo DNS team, designed to help you defend your infrastructure against subdomain takeover attacks.
The entire domain name localtest.me—and all wildcard entries—point to 127.0.0.1 and ::1. So without any changes to your host file you can immediate start testing with a local URL.
The main part of the proposal, ServiceMode offers solutions to privacy and performance issues inherent to how service discovery works on the internet. Front and center is the ability to indicate that a service supports HTTPS directly from the result of a DNS query.
The DNS Security TXT standard extends the work done by security.txt to simplify answering this question by taking advantage of DNS, arguably the most ubiquitous system on the Internet.
Test which DS algorithms and DNSSEC signing algorithms are supported by the DNS resolver(s) configured on your system.
the DS is gone from the .com zone, and the DNSKEYs and RRSIGs are also gone. Hence, slack.com is Bogus for a big part of the Internet viewer population.
The new Email Security DNS Wizard can be used to create DNS records that prevent others from sending malicious emails on behalf of your domain.
We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google.
Mitt projekt handlar kort och gott om att dra ner en lista på våra svenska myndigheter, fråga efter relevanta resource records (RRs), aktuella IP-adresser för dessa. Därefter tänkte jag skapa en baseline som jag sedan jämför framtida ändringar mot.
Det finns en rad åtgärder som kan vidtas för att minska riskerna för att utsättas för ett angrepp mot DNS.
Some resolvers will hold DNS cache entries for a whole week if asked to
Given the incredibly large attack surface I’m surprised that compromise of TLDs/domain extensions isn’t a more frequent event.
Developers have long waged holy wars over whether code indentations should be tabs or spaces. I’ve found that network admins feel similarly about TTL length.
This page helps you set up CAA for your domain. Enter your domain name above and check off which CAs you authorize. You can separately authorize the ability to issue wildcard and non-wildcard certificates.
If you add two nameservers managed by another company into the mix, then it takes a DDoS against two different companies to bring you offline.
The good news is that there are two relatively simple steps we can take make our sites exponentially more resilient
Force the lookup of specific hostnames without providing specific anchors using that hostname by using the rel attribute on the element with a link type of dns-prefetch
The idea behind this experiment is to encode a given file in base64, and then create a NAPTR record for each line of the output.
Service discovery is a fairly large subject but in essence it boils down to answering the question: what servers run this service (given some description or name of a service)? At Spotify we have solved this problem with DNS for a long time. Specifically, we use so called SRV records. A DNS SRV record is a canonical name, typically of the form _name._protocol.site, mapped to a list of hostnames with weight, priority and port number.
Use this simple tool to help you pick a domain name, name a pet, or even name a child! Have fun, and enjoy.
With the new ALIAS record, you can point your domain to a single host name (such as the proxy.heroku.com CNAME record) and we will return the IP addresses associated with that host name as if they were your own.
The name of your startup is critically important to its success, and in this email I am going to help you land an amazing name.Think of Google, Yahoo, EBAY, Mahalo, Meetup, Yammer and Mint – are all six letters or under, generally easy to spell and certainly unique. This is not a coincidence.