/dev/posts/

DNS rebinding explained

Published:

A quick summary about how DNS rebinding attacks work. The main motivation for this post is to have a diagram to show when explaining DNS-rebinding attacks.

Read more…

GNU/Linux host name resolution

Published:

This post describes different software components involved in host name resolutions and DNS configuration on GNU/Linux systems. It consists of a diagram and some accompanying explanations. The goal is to give some pointers and references to understand how to troubleshoot host name/DNS resolution problems and configuration problems on GNU/Linux systems.

Read more…

Systemd-resolved DNS configuration for VPN

Published:

Some guidance about configuring/fixing domain name resolution with a corporate Virtual Private Network (VPN), especially OpenVPN and with systemd-based Linux systems. This configuration uses the internal/private corporate resolvers for resolving internal/private domain names while using the ISP resolver for general domain names. This might help if your VPN is struggling these days because of the COVID-19 threat 😷.

Read more…

Using dig as a LLMNR or mDNS CLI lookup utility

Published:

I was looking for a LLMNR commandline lookup utility. Actually, dig can do the job quite fine.

Read more…

DNS aggregation over TLS

Published:

In a previous post, I tried different solutions for tunnelling DNS over TLS. One of those solutions was using a dedicated DNS-over-UDP fake service replying to all queries with the truncate flag set: this was causing the stub resolvers to retry the query using a TCP-based virtual-circuit. This solution is interesting because it is dead simple (it fits in a few line of codes) but it is clearly a hack. Here, I am using a dedicated DNS forwarder aggregating all the incoming DNS-over-UDP requests over a single persistent TCP virtual-circuit.

Read more…

Recursive DNS over TLS over TCP 443

Published:

You might want to use an open recursive DNS servers if your ISP's DNS server is lying. However, if your network/ISP is intercepting all DNS requests, a standard open recursive DNS server won't help. You might have more luck by using an alternative port or by forcing the usage of TCP (use-vc option in recent versions of glibc) but it might not work. Alternatively, you could want to talk to a (trusted) remote recursive DNS server over secure channel such as TLS: by using DNS over TLS over TCP port 443 (the HTTP/TLS port), you should be able to avoid most filtering between you and the recursive server.

Read more…

Page 1 of 1 | | | JSON Feed | Atom Feed