this post was submitted on 13 Aug 2024
124 points (97.7% liked)

No Stupid Questions

35807 readers
1864 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS
 

I should clarify I wasn't a upper level sys admin managing those servers, I just used them or maintained accounts being a rank and file technician

While I get the fundamental concept of DNS as a phonebook for your IPs. I am not sure why it is joked around if something goes haywire or someone breaks something.

Is it because if you get no DNS, people can't log in through their AD accounts, browse the Internet?

Afaik DNS is a bit of a rabbit hole topic, maybe that's why people joke about it due to DNS being this "No one really knows how this magic name matching box works"?

Please correct me, I'd genuinely like to know why this is prevalent from you guys.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 124 points 3 months ago* (last edited 3 months ago) (1 children)

There’s even a haiku:

It’s not DNS
There’s no way it’s DNS
It was DNS

[–] [email protected] 4 points 3 months ago (1 children)

(And if it's not DNS it's NTP oh yeeh) (But that kills the Haiku)

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago)

Or bgp

But bgp is just sparkling dns

[–] [email protected] 87 points 3 months ago (3 children)

100% of the internet depends on it, and 90% of technical people can't be bothered to learn how it works and understand it. Partly because they only touch it once every 5 years. They get what they need done but don't understand why it worked, so it ends up feeling like black magic to them.

[–] thermal_shock 5 points 3 months ago* (last edited 3 months ago) (1 children)

used to feel this way about dns until I setup my pihole. I love how dns controls so much behind the scenes.

[–] stupidcasey 5 points 3 months ago (17 children)

DNS isn’t supposed to control that much PIhole is a hack, it would be more accurate to say PIhole controls so much behind the scenes. DNS is supposed to do exactly this domain.com->1.2.3.4 nothing more and nothing less anything else is a hack when cloud flair runs all your traffic traffic through a proxy that is them hacking the system domain.com->change-1.2.3.4

[–] [email protected] 2 points 3 months ago

Does Pi Hole do anything Ad Guard's Public DNS servers can't? https://adguard-dns.io/en/public-dns.html seems easier this way which is why I ask.

load more comments (16 replies)
load more comments (1 replies)
[–] [email protected] 43 points 3 months ago

I can speak to Windows DNS and AD.

Yes, the basis of DNS is to match IP addresses with hostnames. But there are plenty of other kinds of DNS records. SPF, DKIM, DMARC use DNS for email validation; AD uses SRV records to point clients to find domain resources. There are also reverse zones, where you send a query for an IP address to learn the hostname(s) associated with it. There are CNAME records that associate a hostname with whatever IP address another hostname is using.

Point being, there are a lot of different interconnected layers, and if some entry is wrong, it can easily have a cascading effect that creates a problem with something entirely different.

I would also extend the "It's always DNS" trope to "It's always name resolution." In a Windows environment, at least, DNS name resolution is only used when a FQDN (fully qualified domain name) is being queried. If your application is only looking for [ServerName], NetBIOS name resolution is used.

When NetBIOS name resolution is used, that is querying a WINS server (if one is specified and exists). In the absence of a WINS server, the query is sent to the "master browser" on your network segment. What machine is the "master browser"? By default, all machines on a network segment (subnet) have a browser election behind the scenes to choose the master browser, based in large part on the machines' hardware capabilities.

This means that any machine on the segment (again, by default) can become the master browser and respond to NetBIOS queries. Laptop, desktop, server, doesn't matter. There are registry entries that can be manipulated to have manual control over what machine is master browser, what machines are and are not allowed to participate in elections, but it is rare that those are configured.

Why do I know all this? Because about 25 years ago, I came across a situation where different machines were configured with different overlapping subnet masks, and users were trying to browse \\servername\share, and getting only partial results. It took a long time to narrow that down to the misconfigured subnet masks. At the company I'm currently at, the developers still use NetBIOS names instead of FQDNs in applications.

Always use FQDNs in any in-house development. Always use FQDNs when accessing resources by hostname. And if "some weird, inexplicable, possibly intermittent issue" is happening, check name resolution.

[–] shalafi 28 points 3 months ago (2 children)

I got a story that perfectly illustrates the meme.

Had done a solid job of setting up my first domain, from scratch. Everything was tooling along nicely for months until my administrator account kept locking itself, every few minutes.

Logged in with another admin account and hunted for the issue for a month. Since it was affecting only my account, none of the users had issues. Finally found a single sentence in an obscure forum that pointed me. My DNS issue was buried deep in the DHCP settings.

Despite knowing better, I had used my personal account to authorize interactions between the DNS and DHCP services. When I changed my password, DNS was still trying to use the old credentials, over and over again, locking my account.

HOLY SHIT! If you google "dns haiku" my image is in the front page twice! Love it!

[–] [email protected] 2 points 3 months ago

For me it was Square Space marking my domain as being owned by me but it actually being for sale. RIP Google Domains.

[–] bfg9k 2 points 3 months ago

This is hanging on our wall at work lol

[–] [email protected] 25 points 3 months ago (2 children)

When it is the cause of a problem it's not always obvious at first so you spend hours troubleshooting the broken app until you look at DNS and a simple DNS issue

[–] qaz 3 points 3 months ago

I've had a problem like this yesterday. I couldn't access my paperless instance. I eventually figured out I could access it with an IP + port combination and the DNS lookup failed.

load more comments (1 replies)
[–] bfg9k 17 points 3 months ago (1 children)

DNS failure can manifest in strange ways and have a sysadmin scratching their head as to why some devices are working fine (statically configured/running from DNS cache), but others cannot access the internet or any of their work services.

It's usually the last thing you suspect, because DNS always just works, right?

[–] [email protected] 9 points 3 months ago

You'd think so until you have dealt with a few DNS problems. At some point, the mantra of "It's always DNS" stays in your head when troubleshooting. It's often the first thing I try nowadays.

[–] IphtashuFitz 15 points 3 months ago (1 children)

I never would have thought of it but I recently saw a novel use of DNS to exfiltrate data from a compromised server.

My employer takes security very seriously. Our public facing web servers are very thoroughly locked down, or so we thought. We contract with companies like HackerOne to perform penetration testing etc. One of their white hat hackers managed a remote command attack, and copied data off of the server via a string of DNS queries.

Suppose the hacker owned the domain example.com, and he had his own authoritative nameserver for it. He just ran a series of commands that took, for example, a password file, and ran DNS queries for line1.example.com, line2.example.com, line3.example.com and so on for each line in the file. As a result the log file on his DNS server collected each line of the password file as it responded to each query.

[–] [email protected] 4 points 3 months ago (3 children)

I'm trying to digest this

You're saying he was stealing data from the target server by appending it line-by-line to dns requests sent to his nameserver? Wouldn't he have needed to both be on the target server and already have access to the data?

[–] IphtashuFitz 7 points 3 months ago (1 children)

Our web servers are locked down in such a way that you can’t copy data off of them using standard protocols like scp, ftp, and even http, etc. Our firewall blocks all such outbound traffic.

This hacker found a bug in a framework used on our web servers that let him execute commands remotely. When commands to copy data off the server failed using those more typical methods he switched to a more novel (and difficult) method of leveraging DNS instead. He discovered we weren’t locking DNS down the same way we were locking other protocols down and used that as a way to extract data from our server.

[–] [email protected] 7 points 3 months ago

Ah, ok, that makes sense! So there was a separate bug in the framework that granted him limited remote access, but because the server had tight control over outbound connections he had to use a novel way of getting the data back out

Basically: He crawled in through the sewer and then robbed the bank one stack of bills at a time via pigeon courier.

[–] [email protected] 4 points 3 months ago

Yes, but it's not necessarily as simple as having full ssh access or something like that. Plus getting data out by DNS queries is probably much harder to detect than something like sftp or http posts.

[–] [email protected] 2 points 3 months ago

Could be used to exfiltrate data when you only can make commands, but not see their output. There might be other and easier exfiltration possibilities then, but this is a creative solution that uses a very common protocol and will probably be available on any machine.

[–] JustARegularNerd 13 points 3 months ago

Only a support tech chiming in, so far I've found when it goes wrong, it causes errors or behaviours that are unusual and could be hard to trace back. Clients might be confused as to why their laptop isn't connecting to some services but their co-worker still can.

I've currently got an infuriating issue where the DNS on my modem just dies at seemingly random intervals. I set up a monitor using Uptime Kuma to let me know when it goes down, and ever since it just hasn't been a problem yet so I have no idea why it's going down. I might just set up a pihole and just work around the problem.

[–] brygphilomena 12 points 3 months ago (1 children)

Because so few understand it and so many things use it.

If you read a guide on setting up a website. They might have you change a DNS record and you might not realize it's doing something else. Web developers frequently want to make changes to DNS and will change the name servers away to theirs but not migrate any of the records for anything besides the website. They'll break EVERYTHING but hey, the website will load.

If you read a guide on connecting some service like hubspot. They will have you add spf records. But those need to be included with the existing ones and not just replacing what's already there. Mess it up and every single email you send will get sent to spam folders.

[–] [email protected] 3 points 3 months ago (1 children)

clueless dev who very rarely touches web apps here, what things would break if you dont touch other records besides those for tour website?

[–] brygphilomena 5 points 3 months ago (1 children)

A records are usually fine for web dev, and some cname records. But if you move DNS to different name servers it doesn't take the MX, srv, or txt with you.

Name servers are where all the DNS records are hosted. It tells every computer who is the authority on the information. If you change those without moving all the DNS records to the new location. All the old ones are no longer used at all. Even if they still exist on the old system.

Also spf records might also reference the websites a record to allow the website to send email without getting flagged as spam. If the site moves, but emails are still sent from the old IP address for a myriad of reasons it would break email. Like if they used some provider that hosted the site and emails on the same system, which used to be more common than it is today.

[–] [email protected] 2 points 3 months ago

Some dumb shit I see is setting SPF so Google is a trusted origin for email "to solve issues with sending to Gmail addresses" when what you're supposed to do is add your mail servers as trusted origin.

Directionality, how does it work?

[–] [email protected] 12 points 3 months ago

Might be related to long TTL on DNS entries making it hard to connect one failure to a thing you changed days ago.

[–] [email protected] 12 points 3 months ago

Sorry this doesn't explain anything, cause I think others have already put in the work. At my old job, there was a slack icon for "Is it DNS?" because it's often DNS. You already know and that's why you asked, but I'm just reinforcing that this is how common it is.

[–] tomkatt 9 points 3 months ago* (last edited 3 months ago)

DNS is often misconfigured.

On the linux side of things, people like to manually edit /etc/resolv.conf when it's actually a symlink and changes to it don't persist on boot (the real file location varies, but it's usually in something like /etc/system/resolve). And forget bind9, if it's not MS DNS it's not DNS to some folks.

On the Windows side, people love to ignore that reverse DNS exists, even though so many things use it. They also freaking love CNAME aliases and break stuff in interesting ways (for example, a "load balanced" configuration that's all just the first node acting as all three nodes of a cluster or pool).

Many people only know enough DNS to be dangerous and come up with really jank workarounds to get things running because they don't understand the proper solutions.

[–] [email protected] 9 points 3 months ago

In addition to the other comments which more directly address your question, DNS has been / can be used to exfiltrate data from "secure" networks. Search "dns data exfiltration" in your favourite search engine and you'll get several high quality articles. Typical mitigations might be to limit which DNS servers your network can contact, restrict packet sizes to the bare minimum which valid use would have and so forth.

[–] [email protected] 4 points 3 months ago* (last edited 3 months ago) (1 children)

What's an example of a joke? Because that's not what I experienced... In my world people make similar jokes if you mess up any aspect of networking. Same if you break the routing. Or mess up the servers, replication or virtualization infrastructure. DNS is one aspect and people will crack a similar amount of jokes as they do with any other f...-up. (It's a way to cope with a stressful day or whatever. Or to get some relief.)

[–] [email protected] 8 points 3 months ago
[–] [email protected] 2 points 3 months ago

Because it's a fucking unauthoritative clown show that is necessarily decentralized which leads to all sorts of difficult to diagnose (and sometimes impossible to quickly fix) issues.

It's like 100% footguns.

load more comments
view more: next ›