!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.
The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:
Rule 1- All posts must be legitimate questions. All post titles must include a question.
All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.
Rule 2- Your question subject cannot be illegal or NSFW material.
Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.
Rule 3- Do not seek mental, medical and professional help here.
Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.
Rule 4- No self promotion or upvote-farming of any kind.
That's it.
Rule 5- No baiting or sealioning or promoting an agenda.
Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.
Rule 6- Regarding META posts and joke questions.
Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.
On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.
If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.
Rule 7- You can't intentionally annoy, mock, or harass other members.
If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.
Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.
Rule 8- All comments should try to stay relevant to their parent content.
Rule 9- Reposts from other platforms are not allowed.
Let everyone have their own content.
Rule 10- Majority of bots aren't allowed to participate here.
Our breathtaking icon was bestowed upon us by @Cevilia!
The greatest banner of all time: by @TheOneWithTheHair!
DNS failure can manifest in strange ways and have a sysadmin scratching their head as to why some devices are working fine (statically configured/running from DNS cache), but others cannot access the internet or any of their work services.
It's usually the last thing you suspect, because DNS always just works, right?
You'd think so until you have dealt with a few DNS problems. At some point, the mantra of "It's always DNS" stays in your head when troubleshooting. It's often the first thing I try nowadays.
I don't know much about much, I'll admit that, but what I have experienced with DNS is that it keeps shitting the bed when I'm trying to connect to my bfs server in the USA while I live in Brazil. Some spectrum node in Miami or something keeps sending my ping to the moon and my packages go from 0% dropped to 100% when I use a program to trace the path (sadly can't recall the name RN, hopefully when someone replies I'll be by my PC again and check it)
I just wish I could tell my DNS "hey, don't use that node specifically" because every other step is going just fine, but as I said before, I don't know much at all so I don't know if that's possible or even if it's a good idea
If you use a VPN there is a chance your connection will route differently.
I could try, but the only game this is causing issues is minecraft, and the server is mostly dead by now, so I don't want to spend the money for just trying to see if it would help, but I'll def look into it for the next time we play minecraft again
Dont forget about resolve.d. Did they ever fix a static DNA entry with DHCP allocated ip? I submitted the bug like 5 years ago
DNS is often misconfigured.
On the linux side of things, people like to manually edit /etc/resolv.conf when it's actually a symlink and changes to it don't persist on boot (the real file location varies, but it's usually in something like /etc/system/resolve). And forget bind9, if it's not MS DNS it's not DNS to some folks.
On the Windows side, people love to ignore that reverse DNS exists, even though so many things use it. They also freaking love CNAME aliases and break stuff in interesting ways (for example, a "load balanced" configuration that's all just the first node acting as all three nodes of a cluster or pool).
Many people only know enough DNS to be dangerous and come up with really jank workarounds to get things running because they don't understand the proper solutions.
I never would have thought of it but I recently saw a novel use of DNS to exfiltrate data from a compromised server.
My employer takes security very seriously. Our public facing web servers are very thoroughly locked down, or so we thought. We contract with companies like HackerOne to perform penetration testing etc. One of their white hat hackers managed a remote command attack, and copied data off of the server via a string of DNS queries.
Suppose the hacker owned the domain example.com, and he had his own authoritative nameserver for it. He just ran a series of commands that took, for example, a password file, and ran DNS queries for line1.example.com, line2.example.com, line3.example.com and so on for each line in the file. As a result the log file on his DNS server collected each line of the password file as it responded to each query.
I'm trying to digest this
You're saying he was stealing data from the target server by appending it line-by-line to dns requests sent to his nameserver? Wouldn't he have needed to both be on the target server and already have access to the data?
Could be used to exfiltrate data when you only can make commands, but not see their output. There might be other and easier exfiltration possibilities then, but this is a creative solution that uses a very common protocol and will probably be available on any machine.
Our web servers are locked down in such a way that you can’t copy data off of them using standard protocols like scp, ftp, and even http, etc. Our firewall blocks all such outbound traffic.
This hacker found a bug in a framework used on our web servers that let him execute commands remotely. When commands to copy data off the server failed using those more typical methods he switched to a more novel (and difficult) method of leveraging DNS instead. He discovered we weren’t locking DNS down the same way we were locking other protocols down and used that as a way to extract data from our server.
Ah, ok, that makes sense! So there was a separate bug in the framework that granted him limited remote access, but because the server had tight control over outbound connections he had to use a novel way of getting the data back out
Basically: He crawled in through the sewer and then robbed the bank one stack of bills at a time via pigeon courier.
Yes, but it's not necessarily as simple as having full ssh access or something like that. Plus getting data out by DNS queries is probably much harder to detect than something like sftp or http posts.
I got a story that perfectly illustrates the meme.
Had done a solid job of setting up my first domain, from scratch. Everything was tooling along nicely for months until my administrator account kept locking itself, every few minutes.
Logged in with another admin account and hunted for the issue for a month. Since it was affecting only my account, none of the users had issues. Finally found a single sentence in an obscure forum that pointed me. My DNS issue was buried deep in the DHCP settings.
Despite knowing better, I had used my personal account to authorize interactions between the DNS and DHCP services. When I changed my password, DNS was still trying to use the old credentials, over and over again, locking my account.
HOLY SHIT! If you google "dns haiku" my image is in the front page twice! Love it!
This is hanging on our wall at work lol
For me it was Square Space marking my domain as being owned by me but it actually being for sale. RIP Google Domains.