this post was submitted on 13 Aug 2024
124 points (97.7% liked)

I should clarify I wasn't an upper-level sys admin managing those servers, I just used them or maintained accounts, being a rank-and-file technician.

While I get the fundamental concept of DNS as a phonebook for your IPs, I am not sure why it is joked around if something goes haywire or someone breaks something.

Is it because if you get no DNS, people can't log in through their AD accounts, browse the Internet?

Afaik DNS is a bit of a rabbit hole topic, maybe that's why people joke about it due to DNS being this "No one really knows how this magic name matching box works"?

Please correct me, I'd genuinely like to know why this is prevalent from you guys.

[–] [email protected] 17 points 2 months ago (1 children)

DNS failure can manifest in strange ways and have a sysadmin scratching their head as to why some devices are working fine (statically configured/running from DNS cache), but others cannot access the internet or any of their work services.

It's usually the last thing you suspect, because DNS always just works, right?

[–] [email protected] 9 points 2 months ago

You'd think so until you have dealt with a few DNS problems. At some point, the mantra of "It's always DNS" stays in your head when troubleshooting. It's often the first thing I try nowadays.

[–] [email protected] 1 points 2 months ago (1 children)

I don't know much about much, I'll admit that, but what I have experienced with DNS is that it keeps shitting the bed when I'm trying to connect to my bfs server in the USA while I live in Brazil. Some spectrum node in Miami or something keeps sending my ping to the moon and my packages go from 0% dropped to 100% when I use a program to trace the path (sadly can't recall the name RN, hopefully when someone replies I'll be by my PC again and check it)

I just wish I could tell my DNS "hey, don't use that node specifically" because every other step is going just fine, but as I said before, I don't know much at all so I don't know if that's possible or even if it's a good idea

[–] [email protected] 3 points 2 months ago (1 children)

If you use a VPN there is a chance your connection will route differently.

[–] [email protected] 2 points 2 months ago

I could try, but the only game this is causing issues is minecraft, and the server is mostly dead by now, so I don't want to spend the money for just trying to see if it would help, but I'll def look into it for the next time we play minecraft again

[–] [email protected] 0 points 2 months ago

Don't forget about resolve.d. Did they ever fix a static DNS entry with DHCP allocated IP? I submitted the bug like 5 years ago.

[–] [email protected] 9 points 2 months ago* (last edited 2 months ago)

DNS is often misconfigured.

On the Linux side of things, people like to manually edit /etc/resolv.conf when it's actually a symlink and changes to it don't persist on boot (the real file location varies, but it's usually in something like /etc/system/resolve). And forget bind9, if it's not MS DNS it's not DNS to some folks.

On the Windows side, people love to ignore that reverse DNS exists, even though so many things use it. They also freaking love CNAME aliases and break stuff in interesting ways (for example, a "load balanced" configuration that's all just the first node acting as all three nodes of a cluster or pool).

Many people only know enough DNS to be dangerous and come up with really jank workarounds to get things running because they don't understand the proper solutions.

[–] [email protected] 15 points 2 months ago (1 children)

I never would have thought of it but I recently saw a novel use of DNS to exfiltrate data from a compromised server.

My employer takes security very seriously. Our public facing web servers are very thoroughly locked down, or so we thought. We contract with companies like HackerOne to perform penetration testing etc. One of their white hat hackers managed a remote command attack, and copied data off of the server via a string of DNS queries.

Suppose the hacker owned the domain example.com, and he had his own authoritative nameserver for it. He just ran a series of commands that took, for example, a password file, and ran DNS queries for line1.example.com, line2.example.com, line3.example.com and so on for each line in the file. As a result the log file on his DNS server collected each line of the password file as it responded to each query.

[–] [email protected] 4 points 2 months ago (3 children)

I'm trying to digest this

You're saying he was stealing data from the target server by appending it line-by-line to dns requests sent to his nameserver? Wouldn't he have needed to both be on the target server and already have access to the data?

[–] [email protected] 2 points 2 months ago

Could be used to exfiltrate data when you only can make commands, but not see their output. There might be other and easier exfiltration possibilities then, but this is a creative solution that uses a very common protocol and will probably be available on any machine.

[–] [email protected] 6 points 2 months ago (1 children)

Our web servers are locked down in such a way that you can’t copy data off of them using standard protocols like scp, ftp, and even http, etc. Our firewall blocks all such outbound traffic.

This hacker found a bug in a framework used on our web servers that let him execute commands remotely. When commands to copy data off the server failed using those more typical methods he switched to a more novel (and difficult) method of leveraging DNS instead. He discovered we weren’t locking DNS down the same way we were locking other protocols down and used that as a way to extract data from our server.

[–] [email protected] 7 points 2 months ago

Ah, ok, that makes sense! So there was a separate bug in the framework that granted him limited remote access, but because the server had tight control over outbound connections he had to use a novel way of getting the data back out

Basically: He crawled in through the sewer and then robbed the bank one stack of bills at a time via pigeon courier.

[–] [email protected] 4 points 2 months ago

Yes, but it's not necessarily as simple as having full ssh access or something like that. Plus getting data out by DNS queries is probably much harder to detect than something like sftp or http posts.
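
The pattern described in this sub-thread (file contents leaving one line at a time as subdomains of a single domain) shows up in resolver logs as one client asking for many distinct, long, random-looking names under the same parent. The following is an added example, not written by any commenter in the thread: a Python check over a resolver query log, where the log format, thresholds, addresses and domain names are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample data: six long, random-looking labels standing in for encoded chunks.
_ENCODED = [
    "k3v9x2m7q1z8b4n6c5w0", "t8r2y5u1i9o3p7a4s6d0", "f1g7h3j9k5l2z8x4c6v0",
    "b6n2m8q4w0e5r1t9y3u7", "p0o9i8u7y6t5r4e3w2q1", "a9s8d7f6g5h4j3k2l1z0",
]
# Constructed resolver log, one "<client-ip> <queried-name>" pair per line.
SAMPLE_LOG = "\n".join(
    [f"10.0.0.7 {label}.exfil-example.test" for label in _ENCODED]
    + [f"10.0.0.9 img{i}.cdn-example.net" for i in range(1, 7)]
    + ["10.0.0.5 www.example.org", "10.0.0.5 mail.example.org", "10.0.0.5 www.example.org"]
)

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def split_name(qname):
    """Return (parent domain, subdomain part)."""
    # Assumption: the last two labels are the registered domain;
    # real tooling should use the Public Suffix List instead.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_dns_exfil_suspects(log_text, min_unique=5, min_avg_len=16, min_entropy=3.0):
    """Flag (client, parent) pairs with many distinct, long, high-entropy subdomains."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts
        parent, sub = split_name(qname)
        if sub:
            seen[(client, parent)].add(sub)
    suspects = []
    for (client, parent), subs in sorted(seen.items()):
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_entropy >= min_entropy:
            suspects.append({"client": client, "parent": parent, "unique_subdomains": len(subs)})
    return suspects

if __name__ == "__main__":
    for hit in find_dns_exfil_suspects(SAMPLE_LOG):
        print(hit)
```

The host with six short `imgN` names is not flagged, which shows why query volume alone is a poor signal and why label length and entropy are checked together with it.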

[–] [email protected] 28 points 2 months ago (2 children)

I got a story that perfectly illustrates the meme.

Had done a solid job of setting up my first domain, from scratch. Everything was tooling along nicely for months until my administrator account kept locking itself, every few minutes.

Logged in with another admin account and hunted for the issue for a month. Since it was affecting only my account, none of the users had issues. Finally found a single sentence in an obscure forum that pointed me. My DNS issue was buried deep in the DHCP settings.

Despite knowing better, I had used my personal account to authorize interactions between the DNS and DHCP services. When I changed my password, DNS was still trying to use the old credentials, over and over again, locking my account.

HOLY SHIT! If you google "dns haiku" my image is in the front page twice! Love it!

[–] [email protected] 2 points 2 months ago

This is hanging on our wall at work lol

[–] [email protected] 2 points 2 months ago

For me it was Square Space marking my domain as being owned by me but it actually being for sale. RIP Google Domains.
