Hacker News with Generative AI: DNS

Is BIND9 suitable as a recursive resolver in 2025? (szafka.net)
Recently, we have been engaged in consulting work and providing DNS training for a major IT corporation, boasting an employee count exceeding 10,000. Thankfully, not every staff member attended the course.
HTTPS RR in Curl (haxx.se)
RFC 9460 describes a DNS Resource Record (RR) named HTTPS. To highlight that it is exactly this DNS record called HTTPS we speak of, we try to always call it HTTPS RR using both words next to each other.
.arpa, rDNS and a few magical ICMP hacks (sdomi.pl)
Through Project SERVFAIL, I became aware that there are a few individuals, not just ISPs, who host their own in-addr.arpa. and ip6.arpa. zones. It never occurred to me that I could ask bgp.wtf, my beloved ISP, to delegate me a zone like this - until one fateful late-night chat. ARPA zones are usually totally out of reach for individuals, so I was absolutely hyped when one of our netadmins agreed to delegate me the ip6.arpa. zone for my whole /48 IPv6 range.
iCloud Mail has DNS misconfigured? (mail-tester.com)
Good stuff. Your email is almost perfect
Quad9 – A public and free DNS service for a better security and privacy (quad9.net)
Quad9 is a free service that replaces your default ISP or enterprise Domain Name Server (DNS) configuration.
DNS Speed Test (dnsspeedtest.online)
Optimize your internet experience by finding the fastest DNS server for your location. Just click the button below to start the test.
Understanding DNS Resolution on Linux and Kubernetes (jpetazzo.github.io)
I recently investigated a warning message on Kubernetes that said: DNSConfigForming ... Nameserver limits were exceeded, some nameservers have been omitted. This was technically a Kubernetes event with type: Warning, and these usually indicate that there’s something wrong, so I wanted to investigate it.
Italy demands Google poison DNS under strict Piracy Shield law (arstechnica.com)
Italy is using its Piracy Shield law to go after Google, with a court ordering the Internet giant to immediately begin poisoning its public DNS servers.
Italian Court Orders Google to Poison Public DNS to Prevent IPTV Piracy (torrentfreak.com)
A decision issued by the same court now requires Google to poison its Public DNS to prevent access to pirate sites.
More mysterious DNS root query traffic from a large cloud/DNS operator (2022) (apnic.net)
With so much traffic on the global Internet day after day, it’s not always easy to spot the occasional irregularity.
Kubernetes Home – what do you do if your ISP changes your IP addresses? (priv.no)
In my last blog post I described external-DNS, which is a way to have Kubernetes create and update DNS entries for its services. But as I mentioned, it got me thinking a bit on ways to extend this concept to handle other external aspects of my Kubernetes environment.
NIH.gov DNS servers down, making PubMed, BLAST, etc. unreachable [fixed] (nslookup.io)
DNS Nerds Don't Control the Internet (2016) (sockpuppet.org)
You’re reading this page because you’ve suggested that “14 people control the Internet through the DNSSEC root keys”. If you’re unlucky, you might be a journalist preparing a story about those people. Stop!
An illustrated guide to the Kaminsky DNS vulnerability (2008) (unixwiz.net)
The big security news of Summer 2008 has been Dan Kaminsky's discovery of a serious vulnerability in DNS. This vulnerability could allow an attacker to redirect network clients to alternate servers of his own choosing, presumably for ill ends.
Zns: CLI tool for querying DNS records with readable, colored output (github.com/znscli)
zns is a command-line utility for querying DNS records, displaying them in a human-readable, colored format that includes type, name, TTL, and value.
I ditched my Pi-hole but still block ads with NextDNS (mattsayar.com)
I love the idea behind the Pi-hole: block ads at the DNS layer so ads never even reach your devices. No ads, no trackers, and no worries about your extensions breaking! Works network-wide! Unfortunately, it caused me more grief than joy.
Decentralized Naming and Certificate Authority (handshake.org)
Handshake is a decentralized, permissionless naming protocol where every peer is validating and in charge of managing the root DNS naming zone with the goal of creating an alternative to existing Certificate Authorities and naming systems.
Hickory DNS Is Moving Toward Production Readiness (memorysafety.org)
The Domain Name System (DNS) is a foundational part of the Internet. It stores data associated with domain names, like web server addresses and mail server addresses. Almost all network connections are preceded by a DNS lookup. The most popular DNS server implementations are written in C, and as a result, they have been affected by a series of memory safety vulnerabilities. These vulnerabilities can put DNS infrastructure at risk, as well as any system that depends on DNS.
Getaddrinfo sucks. everything else is much worse (gosu.se)
DNS is one of the critical building blocks of the internet and of the modern web. For the longest time the only way for Firefox to resolve a DNS domain was by using getaddrinfo. What's remarkable about this function is that it's implemented on Linux, Windows, MacOS - even Android. It has the same signature, and works in roughly the same way, even though the implementation in these operating systems doesn't share the same code base.
Invalid Niger Nameservers in the com zone (0xda.de)
A recent post by Krebs On Security about a Mastercard mistake in their nameservers got me thinking. I recently got access to the .com zone file, so I could just… grep for this common type of mistake.
Mastercard DNS error went unnoticed for years (krebsonsecurity.com)
The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name.
Preventing conflicts in authoritative DNS config using formal verification (cloudflare.com)
Over the last year, Cloudflare has begun formally verifying the correctness of our internal DNS addressing behavior — the logic that determines which IP address a DNS query receives when it hits our authoritative nameserver.
DNS Nameservers (potaroo.net)
It's common folklore in the Domain Name System that a delegated domain name must be served by 2 or more nameservers.
Breaking down OpenAI's outage: a hidden DNS dependency in Kubernetes (render.com)
OpenAI recently experienced an hours-long, platform-wide outage after a newly-deployed telemetry service overloaded their Kubernetes (K8s) control planes.
The secret life of DNS packets (2019) (stripe.com)
French Piracy Blocking Order Goes Global, DNS Service Quad9 Vows to Fight (torrentfreak.com)
In an ongoing escalation of its fight against online sports piracy, media giant Canal+ secured court orders compelling DNS providers Quad9 and Vercara to block access to pirate streaming sites in France. Quad9 says that it's determined to appeal what it sees as an absurd application of copyright law. For now, however, it will block the targeted domain names globally.
Reachability Analysis of DNS (arxiv.org)
The high complexity of DNS poses unique challenges for ensuring its security and reliability.
Parsing Millions of DNS Records Per Second (github.com/NLnetLabs)
Fast and standards compliant DNS zone parser.
Who controls the Internet? A survey of authoritative DNS server diversity (netmeister.org)
Why yes, the internet is resting on a foundation of duct tape and WD-40 - it is known. And the DNS is the mother of all cornerstones that, if knocked out, would quickly lead to the fall of western civilization. (And yes, it is a hard requirement to use this XKCD cartoon to illustrate this.) But at least it's not quite as fragile as, say, whois, so yay!
cli53 – Command line tool for Amazon Route 53 (github.com/barnybug)
cli53 provides import and export from BIND format and simple command line management of Route 53 domains.