social.dk-libre.fr is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
The video of my presentation at DNS OARC 46 about progress on our new Rust based DNSSEC signing software Cascade went online today. It’s always fun to look back and see it from the perspective of the audience! For a higher level introduction to Cascade there’s also a great presentation that @jpmens gave at NLUUG earlier this year. Check them out at https://youtu.be/rQH3dey6kHI?si=0cqZgaMduwcmyKAP and https://youtu.be/HyAwFhIwxHM?si=QJiUIuHuD-o-Qera. @dnsoarc #nlnetLabs #dns #opensource #rustlang
🚁 Can DNS help with remote drone identification?
🔍 At first glance, the connection isn't obvious. Yet the DNS could also help address this challenge.
💡 An innovative approach that shows how Internet infrastructure can support new use cases.
👇 Sandoche Balakrichenan explains how in our latest article: https://www.afnic.fr/en/observatory-and-resources/expert-papers/how-can-the-dns-help-identify-drones-remotely/
🚁 Le DNS peut-il aider à identifier un drone en plein vol ?
🔍 À première vue, le lien n'est pas évident. Et pourtant, cette technologie au cœur du fonctionnement d'internet pourrait relever ce défi.
💡 Une idée originale qui montre que les technologies qui soutiennent les infrastructures du numérique peuvent trouver de nouveaux usages.
👇 Sandoche Balakrichenan nous explique comment https://www.afnic.fr/observatoire-ressources/papier-expert/comment-le-dns-peut-il-aider-a-identifier-les-drones-a-distance/
#validns v0.11.0 released!
New:
- Major work on verbose output to render records and rdata (-1 meow)
- Support for EUI48 and EUI64 records (RFC 7043)
- Detect NSEC3 records with flags, iterations, or salt inconsistent with NSEC3PARAM
- New policies: all-algorithms-signed, occluded-records, missing-glue, no-strict-glue
Fixed:
- Crashes, data races, memory leaks, buffer overflows and more, see CHANGELOG for complete list
#DNS #Zone #Validation #OpenSource
https://codeberg.org/DNS-OARC/validns/releases/tag/v0.11.0
J'étais surpris que les serveurs #DNS faisant autorité pour .ru soient en .net mais apparemment, les Russes sont en train de changer cela : https://mastodns.net/@diffroot/116920437777071977
Well good thing the American federal government doesn’t rely on a single privately-owned third-party digital identity provider operating on .me!
Si vous utilisez le service de messagerie instantanée #Telegram, vous avez sans doute vu aujourd'hui, que des services ne marchent pas, notamment les liens vers des ressources diverses (images, etc). C'est parce que le registre de noms de domaine du Monténégro l'a décidé. Voyons les détails.
cascaded.service -> cascade.service
To rename, or not to rename, that’s the question: https://github.com/NLnetLabs/cascade/issues/895
Would I greatly inconvenience you active testers if this were to change? @jpmens @bortzmeyer @oli #dns
sometimes you have to solve your own problems. had a specific use-case to not open a browser to check stats/issues on #nextdns which is an upstream to #blocky #dns resolver
being more tui/tty oriented, decided to build a tui dashboard. works pretty nicely. also felt it was good to dual-scope the binary so it can run as an optional web front-end that's very lightweight and customized
this is a 20mb #golang binary and all you need to do is feed it an api key and profile id (if not on default)
we live in an age where it's somewhat trivial to solve your own problems. why wait for others to do it? #hack everything.
Un faux outil d'analyse #DNS propage un #malware via 222 dépôts #GitHub. Un module Go imite un outil de scan #DNS et dissimule un chargeur #Windows relié à 222 dépôts #GitHub. Le réseau est actif depuis janvier et diffuse des #chevauxdetroie d’accès distant ainsi que des voleurs de données, selon l’éditeur de #securite Socket
https://www.clubic.com/actualite-620971-un-faux-outil-d-analyse-dns-propage-un-malware-via-222-depots-github.html
#trojan
@bortzmeyer @oli @jpmens For context, we’re now in “signing co.uk on a regular laptop” territory, with more improvements to come. #DNS #DNSSEC
It's still Friday and we're still doing a Cascade release, so here's 0.1.0-beta5 'Got that holiday feeling'. 🏖️
In this release we're giving you more speed improvements by parallelizing sorting and more memory reduction by improving the handling of NSEC(3) in incremental signing. You can also track all of these improvements with newly introduced metrics.
Thanks again to @bortzmeyer, @oli and @jpmens and others for providing valuable feedback!
https://github.com/NLnetLabs/cascade/releases/tag/v0.1.0-beta5
JusProgDNS für Linux
Kinderschutz im Netz ist ein sensibles Thema. Einerseits braucht es Schutzmechanismen, andererseits sollen diese Mechanismen nicht selbst zum Hindernis werden. Genau da setzt JusProgDNS an.
Whether you're trying to:
✓ Triage alerts
✓ Investigate incidents
✓ Hunt adversaries
✓ Defend against emerging campaigns
DNS is now another layer of the Censys Internet Map helping teams decide faster and more accurately across every stage of the security operations workflow: https://censys.com/blog/censys-expands-its-internet-map-to-include-dns-intelligence/
« Souveraineté numérique : l’Afnic désignée pour gérer et développer les extensions Internet des territoires ultramarins » https://www.entreprises.gouv.fr/espace-presse/souverainete-numerique-lafnic-designee-pour-gerer-et-developper-les-extensions
« Transparentes et participatives, avec une gouvernance ouverte et inclusive »
Today, we're happy to launch the NSD 4.15.0. This release of our authoritative #DNS server includes more than 20 fixes for LLM-assisted security reports. It also improves the Prometheus metrics, as a nice bonus.
@bortzmeyer @shaft QOTD
> Yes, following DNS stuff on Mastodon is now part of maintaining DNS...
Petit jeu : qui est l'auteur ?
La réponse
https://mail-archive.com/dns-operations@lists.dns-oarc.net/msg09228.html
#dns #dnssec #ccTLD
Hello, j'ai un domaine dont les NS sont aux US et au Canada. Est ce qu'en soi c'est un problème ? Est ce qu'il existe des NS publics fiables en Europe ? Si je cherche, je tombe bien sur des listes des trucs (genre https://publicdnsserver.com/switzerland/ ). Mais je n'ai aucune idée du sérieux de ce genre de listes, pas plus que de l'utilisabilité de ces serveurs dans ce contexte.
#NameServer #Domaine #NomDeDomaine #DNS
appréciés
Après les #DNS et les #VPN, les ayants droit veulent désormais pouvoir bloquer des réseaux entiers. La lutte contre le piratage pourrait bientôt franchir une nouvelle étape en #europe.
https://www.clubic.com/actualite-620074-apres-les-dns-et-les-vpn-les-ayants-droit-veulent-desormais-pouvoir-bloquer-des-reseaux-entiers.html
The @firstdotorg #DNS Abuse SIG needs YOU! Even if you're not a member of FIRST.
We have members from all over the DNS industry, from all over the world, and we're looking for members of the DNS security community with an operational background to grow the group. For one reason or another meetings are sometimes a little light on attendees, which is a shame because we're doing some really interesting work. And there's the potential for doing even more cool stuff.
We have biweekly meetings every other Thursday at 21:00 JST (12:00 BST, 07:00 ET) which are friendly, informal, comfortably unstructured Zoom calls where we discuss ongoing work and general DNS topics. There's also a mailing list (which is very low-traffic) and a Slack channel (where most communication happens).
Currently we're working on adjustments to the DNS Abuse Techniques Matrix - changes to the work we've already done - and welcome insight from stakeholders on the topic of DNS abuse, its classification, and how it can be detected, mitigated, and prevented. We also cover adjacent topics, like tooling, use of AI for the website and data, and how best to make it all work.
You don't have to know everything - it's fine if you know one thing that everyone else doesn't. Or can ask a question that nobody else thought of.
To explain the process: applications from people outside of FIRST don't need sponsorship or anything, but they are sent to the group first. If there are no objections after a short time, then your application will be accepted. If not, then we'll explain why. And if you're already in FIRST, then your application is just a formality and we invite you straight away.
"My DMs are open" - message me if you'd like any more info! It's slow season right now so a perfect time to get on board.
Apply to join, and find out more, from our homepage on the FIRST website: https://www.first.org/global/sigs/dns/
Found a TUI for handling DNS changes! 🤯
🌐 **dnsglobe** — A global DNS propagation checker
💯 Query 34 DNS resolvers worldwide in parallel, compare results & watch propagation live w/ interactive world map
🦀 Written in Rust & built with @ratatui_rs
⭐ GitHub: https://github.com/514-labs/dnsglobe
Albania's .al was secured for a week or so. Wonder what happened. 🤔
DS added to root zone : https://mastodns.net/@diffroot/116812884301667310
DS removed : https://mastodns.net/@diffroot/116857712875727653
Please note that we have volunteered to have all of our products and libraries analyzed by LLM tooling, so you can expect security releases for pretty much everything, down to libraries like rpki-rs and projects in maintenance mode like ldns.
We have been working incredibly hard on patching all of the LLM-assisted security reports for our authoritative #DNS server NSD.
Today, we're happy to launch the NSD 4.15.0rc1 pre-release so you can test the 20+ fixes that are included. This release also improves the Prometheus metrics, as a nice bonus.
https://community.nlnetlabs.nl/t/nsd-4-15-0rc1-pre-release/3421
@benjojo While we love working in Rust, designing and building a #DNS resolver for the modern era is a massive undertaking.
Simply rewriting Unbound in Rust is a non-starter. We are taking gradual steps in reinventing our DNS stack by putting ldns in maintenance mode and investing in our domain library, and sunsetting OpenDNSSEC by launching Cascade.
Doing an authoritative server in Rust is definitely in the cards. Then, we can imagine putting all puzzle pieces together for a new resolver.
Où vont les e-mails de la presse française ?
On a épluché les DNS de 50 médias : Le Monde, Libération, Ouest-France, Mediapart, Charlie Hebdo, Splann!...
Résultat : une majorité confie sa messagerie à Google ou Microsoft. Sous juridiction américaine, Cloud Act inclus.
Les médias indépendants s'en sortent généralement mieux.
Données publiques, méthodologie ouverte.
Le sachiez-tu ? Le nom de domaine sci-hub.se n'existe plus mais il y a toujours des FAI français qui le censurent sur leur résolveur #DNS (et renvoient 127.0.0.1) https://atlas.ripe.net/measurements/184788556
#JORF #DNS - Désignation officielle de l'Afnic comme registre de .mq, .gp, .gf, .re, .tf, .yt, .pm et .wf
#JORF #DNS - Désignation de l'AFNIC comme office d'enregistrement chargé de la gestion des noms de domaines de premier niveau en :
- « .mq, « .gp », « .gf », « .re » et « .tf » : https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000054310819
- « .yt », « .pm » et « .wf » : https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000054310836
Underrated reason to have proper SPF setup for all of your hosted domain names to hard fail improper sending routes... when you forget to turn off the mail sender on your dev server and you run a batch action that sends out tens of thousands of emails to users.
I saw my inbox fill up with thousands of email notifications since a lot of the notifications were sent to me. The only reason I'm not panicking is because I looked at the mail headers and saw that because the emails were sent from my computer instead of my server, they failed both SPF and DKIM verification checks so any damage should be limited.
Ugh. 😓
vannes.bzh ne réponds toujours pas.
Le domaine à 2 serveurs faisant autorité déclarés dans la zone parente :
- sdns2.ovh.net : Il refuse de répondre (comprendre : il dit ne pas faire autorité)
- sdns.pointbzh.fr : serveur également chez OVH et qui lui ne réponds pas
Cours #DNS jeudi et vendredi. Comme d'habitude, si vous avez des domaines cassés et/ou rigolos, n'hésitez pas à les indiquer, on les fera analyser par les étudiant·es.
Technitium DNS: Mehr als nur ein Werbeblocker
https://linuxnews.de/technitium-dns-mehr-als-nur-ein-werbeblocker/ #technitium #dns #pihole #linux #linuxnews
A: they read about them on AXFR News.
Je dis ça je dis rien... mais le point.final https://client.rdap.org/?type=domain&object=point.final&follow-referral=1 n'est pas encore enregistré
@shaft
#dns #tld #gtld
Cascade supports incremental DNSSEC signing.
It doesn't use a jitter-based mechanism for this like OpenDNSSEC has, but rather a “re-signing schedule” approach.
To help you understand what to expect from the output, and how the associated settings will affect Cascade's behavior, we have documented the functionality here: https://cascade.docs.nlnetlabs.nl/en/latest/incremental-signing.html
On dirait que "ai" et "pn" qui le faisaient avant ne le font plus.
Et je n'ai trouvé que "uz" qui le fasse (mais en https et sans le certificat pour "uz") …
📧 DMARC évolue avec la publication de la RFC 9989.
Nouvelle méthode de découverte des politiques (DNS Tree Walk), évolution de la gestion des sous-domaines et nouvelles recommandations de déploiement : cette mise à jour peut avoir un impact sur la délivrabilité de vos emails et la protection contre l’usurpation.
👉 Découvrez les principaux changements et les bonnes pratiques à adopter lors de notre prochain webinaire : https://webikeo.fr/webinar/dmarc-2026-la-nouvelle-rfc-risque-t-elle-de-bloquer-vos-emails
@firefoxwebdevs Or use the #DNS yourself, may be through a fediverse gateway: https://mastodon.gougere.fr/@DNSresolver/116754611721915909
Le sachiez-tu ? Un nom de domaine peut parfaitement être enregistré (et donc ne plus être disponible) sans pour autant être publié dans le #DNS. Cela peut être un choix du titulaire ou bien une opération par le BE ou le registre mais le résultat est le même : le DNS vous répond NXDOMAIN (No Such Domain) mais le domaine n'est pas libre. Utilisez donc RDAP (ou whois pour les plus de 60 ans comme moi) pour savoir si le domaine est enregistré.
(Testez, par exemple, avec en.fr.)
It still can't do DoH to an upstream DNS server, but it'll at least encrypt DNS queries within the local network now.
Title: Windows Server gets DNS over HTTPS (DoH) support
Subtitle: #Microsoft has finally flipped the switch on a long-awaited #Windows Server security upgrade, bringing encrypted #DNS to enterprise networks.
Link: https://www.neowin.net/news/windows-server-gets-dns-over-https-doh-support/
It’s Friday release day again with Cascade 0.1.0-beta2 'Donde comen dos, comen tres'. Thanks to the amazing feedback from @jpmens and @gryphius and hard work from the team, our DNSSEC signer has a bunch of fixes and improvements.
https://github.com/NLnetLabs/cascade/releases/tag/v0.1.0-beta2
Today we released ldns 1.9.1, which contains a security fix for CVE-2026-10846: Insufficient verification that responses belong to a query. Thanks Pablo Ruiz from ‘codecome.ai’ for the report.
Read more in the release post:
https://community.nlnetlabs.nl/t/ldns-1-9-1-released/3403
#dsc v2.16.0 released!
- Fixed an 8 year old refactor bug in priming query filter, many thanks to @jens for the fix!
- Updated funny class/qtype list, now based on IANA DNS parameters
- Support for reading DLT_LINUX_SLL2 PCAPs
#DNS #Capture #Statistics #OpenSource
https://codeberg.org/DNS-OARC/dsc/releases/tag/v2.16.0
With Cascade 0.1.0 beta1 “Slàinte mhath” we begin our journey to the first production release of our #DNSSEC signing solution.
We rewritten our signer from the ground up using a state machine based architecture, ensuring that each zone pipeline is in a single consistent state at all times.
In addition to built-in pre-signing and pre-publication review hooks, there’s now incremental signing, TSIG support, downstream IXFR, zone persistence, metrics and much more. #DNS
🆕 blog! “How many consecutive hyphens can you have in a domain name?”
A seemingly simple question which sent me down into the murky depths of standards. How many consecutive hyphens can you have in a domain name? It probably isn't sensible to name your online presence a----------hyphen.com - but is there anything technically…
👀 Read more: https://shkspr.mobi/blog/2026/06/how-many-consecutive-hyphens-can-you-have-in-a-domain-name/
⸻
#dns #ICANN #IETF #internet #standards #web
@jpmens Ah yes, this link is a more accurate reflection of the past few days. 😄
TSIG is mentioned 6 times!
With eight issues and one pull request over the weekend, once again we're incredibly thankful for the effort @jpmens is putting into testing Cascade.
Luckily, none of the reports seem to be in the “everything is broken”-category! 😅
With the Cascade beta release, the project now also has a dedicated page on our website:
https://nlnetlabs.nl/projects/cascade/about/
Next up: a logo!
After releasing the Cascade beta, NLnet Labs HQ has a @jpmens vs. @bortzmeyer poll going.
Cascade 0.1.0 beta1 “Slàinte mhath” is out, so this is your opportunity to kick the tires and take it for a spin around your testing grounds!
As we gear up to the production release of our DNSSEC signer, we're eager to hear your feedback so we can incorporate it while we add improvements that we still have in the pipeline which we consider essential for production use.
Read all about it in our blog post!
https://blog.nlnetlabs.nl/cascade-beta1-release/
Mon problème de #wifi merdique à la maison s’est résolu tout seul. Comme c’était arrivé à peu près en même temps que la mise en service de mon #pihole et que les symptômes faisaient clairement penser à un truc lié au #dns, j’ai passé pas mal de temps à faire du diag sur le sujet. Mais sans réussir à reproduire significativement les erreurs.
La seule différence avec aujourd’hui, c’est que les #firetv font genre x100 voir x1000 moins de requêtes dns qu’avant.
> Les SOA quand il y en a un ça va, c'est quand il y en a plusieurs qu'il y a des problèmes…
https://atlas.ripe.net/measurements/176129238/
blaeu blaeu-resolve --type SOA --ipv4 --requested=100 shiabank.com.
…
[ns-2evo.shiabank.com. hostmaster.shiabank.com. 1780405930 3600 600 86400 60] : 1 occurrences
[ERROR: SERVFAIL] : 3 occurrences
[ns-r6gh.shiabank.com. hostmaster.shiabank.com. 1780405930 3600 600 86400 60] : 1 occurrences
Test #176129238 done at 2026-06-02T13:12:51Z
#dns #soa #pouetCommeHortefeux
Given my domain renewal is around the corner, used the opportunity to move this last domain from Gandi to Porkbun.
Served me well over the years, but with all the recent changes, putting my (little) money where my mouth is and move to a better registrar.
boostedMore IDN homograph detection research today. This screenshot is a bit horrifying considering how nearly identical many of the invalid entries visually match the valid entry (top).
Screenshot from my custom (Rust) DNS filtering-forwarder with new experimental runtime IDN homograph detection against a predefined protected domain list.
Screenshot results reflect these punycodes:
xn--ggle-55da.com google.com BLOCK
xn--pypl-53dc.com paypal.com BLOCK
xn--pple-43d.com apple.com BLOCK
xn--fiq228c5hs.cn chinese ALLOW
Ou d'autres exemples amusant sur du DNS
Le retoot aide la pédagogie ^^
bizarre (heureusement pas en "prod")
une recherche rapide m'indique que je suis pas le seul...
Je ne comprends pas pourquoi le site web de cette initiative de fourniture de DNS européens (qui inclut un filtrage enfant + antipub) n'est toujours pas traduite en plusieurs langues européennes 🤔
Les DNS Grand Public :
- Protective 86.54.11.1
- Protective + Child Protection 86.54.11.12
- Protective + Ad Blocking 86.54.11.13
- Protective + Child Protection + Ad Blocking 86.54.11.11
- Unfiltered 86.54.11.100
If you run your own local DNS servers at home, do you: (select all that apply)
Comment with your preferred DNS stack and privacy friendly DNS providers.
#FreeBSD #Linux #selfHosting #DNS
| Forward to ISP's DNS servers.: | 0 |
| Forward to a DNS service (1.1.1.1, 9.9.9.9, etc).: | 6 |
| Recursively resolve from root servers directly.: | 7 |
| Encrypt my DNS using DoH, DoT, etc.: | 7 |
I self-host the DNS for my domains for more than 20 years now.
2026 now finally was the year, where I decomissioned the last BIND server and replaced it with a PowerDNS, containerized in Podman
and a SQLite backend.
I already migrated the hidden-primariy to PowerDNS in 2022 (because of the REST API, compatibility with Traefik, easier DNSSEC handling and the higher flexibility) and now my secondaries are also migrated.
Nontheless, BIND was one of the most stable pieces of technology that I've ever used. But it also felt a bit unwieldy and old-fashined ins some ways.
We released Unbound 1.25.1 just seven days ago and now look at the changelog today. ❤️🩹🔥
https://github.com/NLnetLabs/unbound/blob/master/doc/Changelog
Yes, #p2p gnutella. I remember.
> For most #Gnutella was a file transfer tool. This categorization misses a basic function of the #protocol. At its core, Gnutella is just a peer-to-peer #search engine for blobs.
> We could have used it as a poor man's #DNS system, or a global metadata lookup table for key/value pairs, or a matchmaking service for your Unreal Tournament league, but that never really happened. Gnutella was good at providing file downloads that matched search queries, and that is what history remembers it for.
QOTD
> Technitium DNS Server est un serveur DNS open source complet : autoritaire, récursif, et relais.
@bortzmeyer revenez vite de vacances !
#dns
So question:
"how many authoritative name servers don't support encryption?"
The internet claims that this is >95%.
My personal feeling is that this is lower but this might be my bubble, that we're the 5%.
What's your feeling?
#infoSec #cybersecurity #DNS #encryption
Plz retoot for reach.
| It is our bubble. We're the 5%, noone else cares: | 10 |
| I think it is higher now - a bit, maybe 10% or so: | 5 |
| It is significantly higher - more 25%: | 0 |
| what the hell is DNS query encryption?: | 16 |
Closed
🚨 SECURITY RELEASE 🚨
Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.
There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.
Please read the release notes carefully and plan to upgrade.
#DNS #DNSSEC #Mythos #LLM #OpenSource
https://community.nlnetlabs.nl/t/unbound-1-25-1-released/3392
Pro tip: set `UseDNS no` in your sshd_config to disable reverse DNS lookups for every single ssh connection to your host.
It provides no filtering or validation purpose, afaik, and seems to only generate excess DNS traffic.
This lesson brought to you by the 66k DNS lookups in the past 24hrs from a single public facing forgejo jail.
#validns v0.10.0 released!
Added:
- Validate zones signed with Ed25519 and Ed448 (RFC 8080)
- Validate SVCB (TYPE 64) and HTTPS (TYPE 65) records per RFC 9460, including all nine IANA-registered SvcParam keys.
- CAA tag-value validation and RFC 8657 contact tags.
- Support the optional $INCLUDE <domain-name> argument: overrides $ORIGIN for the included file only.
plus many fixes, see changelog for full details!
#DNS #Zone #Validation #OpenSource
https://codeberg.org/DNS-OARC/validns/releases/tag/v0.10.0
If your employer is an OARC member, you have access to the #DNS data collected by the root name servers. (Talk by Kazunori Fujiwara)
As always, working with data is complicated. For instance, some operators (A, B, D, F, H, I, J and L) blur the IP addresses, and it is not documented. (And they don't use the same algorithm.)
#OARC46
"Gonemaster - A Go implementation of Zonemaster" by Patrik Wallström
Instead of using AI, let's use Go :-) Among the good things: native concurrency [I approve]
@ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.
Also, make sure to bring your zone files so you can for example see how fast parallel #Dnssec signing by @bal4e really is. #DNS #LoveDNS #OpenSource
Webmin is hardened & clustered w/ three total nodes, ns1, ns2, and ns3 etc. I will eventually add clustered nodes on two other locations so records are still served when one cluster's host is down.
https://tech.haacksnetworking.org/2025/12/29/authoritative-dns-w-bind-9/ feedback welcome.
Added larger tmp directory & source-IPd vhost so webmin won't lock. Obv, make sure you use static, dedicated, & fully hardened external IPs for permitted list.
#selfhosted #homelab #sysadmin #linux #dns #webmin #opensource #freesoftware #networking
Funny that #DNS traffic analysis at Salesforce show still a lot of requests for obsolete types like A6, SPF, DLV.
Actually measuring the robustness of the Internet is hard. For instance, for #DNS resolvers (the current talk by Maynard Koch), good resolvers, actually used by people, are typically not publically reachable. The open resolvers which are easy to study are typically misconfigured and not actually used.
Averaging 36.6% block rate on my DNS filtering service across all users.
In the age of enshittification it's not hard to believe that 1/3 of all DNS queries request adware, malware, trackers, and other crap you don't need.
Dear Fedi friends,
You know how grateful I am for your help and expertise. I have a burning question and I know some of you may have the correct answer.
Long story short, I had been doing a deep dive into #WSocial. My exposé published on Friday got 830 retweets!
I am working on a follow-up piece and there's something I don't understand.
The homepage of W Social is now redirecting - from wsocial.eu to wsocial.news
If I put wsocial.news in WHOIS databases, I'm finding very little information about when it was registered. And there's some odd stuff, like showing an IP address in Washington DC - but they are very adamant of being hosted in Europe... and they use bunny.net (Slovenia). What gives?
Just realised that #DNS is Internet Standard (STD) 13.
In Western societies it means that DNS brings, obviously, good luck ☝️
DENIC wrote in their status message that "all DNSSEC-signed .de domains are currently affected in their reachability"
https://status.denic.de/pages/incident/592577eab611ce1e0d00046f/69fa60ef9d12f5057a974f38
But it wasn't just DNSSEC-signed domains! For example, bahn.de was down even though it is not DNSSEC-signed.
It looks like for DNSSEC-signed zones the DS record in de. was incorrectly signed:
https://dnsviz.net/d/nic.de/afpsNg/dnssec/
And for zones that were not signed, the NSEC3 records proving there is no DS record were incorrectly signed:
https://dnsviz.net/d/bahn.de/afpnxQ/dnssec/
Am I the only one having #DNSSEC problems with #DENIC?
Unbound is throwing me a lot of DNSSEC bogus on some .de domains 🤔
$ dig welt.de
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21366
...
; EDE: 6 (DNSSEC Bogus): (validation failure <welt.de. A IN>: signature crypto failed from 2a02:568:0:2::53 for DS welt.de. while building chain of trust)
Edit: issue seems fixed.
Looks like DE ccTLD is unresolvable due to DNSSEC issue:
https://dnsviz.net/d/nic.de/afpsNg/dnssec/
😬
🧵👇
RE: https://mastodon.social/@jpmens/116522310229612501
IANA has a chance to do the funniest thing ever…
I am looking for a few more US-based early adopters to provide feedback on a protective DNS service offering aligned with NIST SP 800-81 Rev. 3 (March 2026).
https://csrc.nist.gov/pubs/sp/800/81/r3/final
This service merges Zero Trust and DNS without requiring client-side agents. Supports mobile devices, browsers, server hardware & IoT.
If you're interested in providing feedback on this service as a free beta tester, email me at:
securednsbeta@techliterate.co
Ah, je viens donc de découvrir que drill a été "abandonné", que le nouvel outil s'appelle "dnsi" ... Et qu'il n'a pas l'air beaucoup plus développé non plus.
Faut en revenir à dig ?
We released Unbound 1.25.0. This release of our #OpenSource #DNS resolver includes improvements and fixes resulting from reports by various security researchers.
In the release notes, the word “thanks" appears 32 times. You can expect this trend to continue for the next couple of releases, at least.
Lastly, please note the new signing key we're using since January ‘26.
https://community.nlnetlabs.nl/t/unbound-1-25-0-released/3375
#TFW the consultant who maintains your company's #Salesforce sets up #DKIM in Salesforce's sandbox environment and asks you to create the necessary #DNS records for it and doesn't understand why it's a problem that he used the same selectors (i.e., DNS record names) for the sandbox environment that are already being used in production.
(I'm sure he has an expert-level proficiency in Salesforce, but maybe not so much in email security.)
Véritable pare-feu de l’Internet, #NextDNS est devenu en quelques années la référence pour reprendre le contrôle sur sa #vieprivée. Pourquoi délaisser les #DNS de votre #FAI au profit de ce fleuron français ?
https://goodtech.info/nextdns-guide-avantages-avis/
Géopolitique du #DNS : quel est le point commun entre la Grèce et le Kirghizistan ? https://labs.ripe.net/author/yevheniya-nosyk/adox-deployment-in-the-wild/
(Réponse : les deux ont au moins un serveur faisant autorité acceptant DoT - DNS sur TLS.)
To his complete surprise, our colleague Jaap Akkerhuis was awarded Knight of the Order of the Dutch Lion earlier today for Exceptional Contribution to Society. Akkerhuis is a Dutch Internet pioneer, protocol designer and expert on the internet's naming system.
More at https://blog.nlnetlabs.nl/dutch-internet-pioneer-jaap-akkerhuis-knighted-for-exceptional-contribution-to-society/ #internet #dns
⏳ J-7 avant une opportunité rare pour les organisations
Le 30 avril 2026, l'ICANN ouvre une nouvelle fenêtre pour candidater à votre propre extension internet (.marque).
👉 Une ouverture qui n’a pas eu lieu depuis 2012
🎯 Un levier pour :
• maîtriser votre identité digitale
• renforcer la sécurité
• structurer votre écosystème
📺 Pour aller plus loin : https://webikeo.fr/webinar/du-com-au-marque-comment-renforcer-votre-image-et-securiser-vos-parcours-digitaux#webinar
📺Cas BNP Paribas : https://webikeo.fr/webinar/renforcez-votre-strategie-digitale-avec-une-extension-marque-retour-d-experience-de-bnp-paribas#webinar
Sometimes it is fun to do a manual audit of internet history. I just visited http://info.cern.ch/hypertext/WWW/TheProject.html and paused for a minute. It is literally the first website in the world.
The technical legacy of CERN is mind-blowing. They did not just smash particles! They gave us HTML, the WWW, and a strong culture of digital privacy. @protonprivacy for example, was founded by scientists who worked at CERN (it originally ran on protonmail.ch), and today it is one of the best tools we have to push back against Big Tech.
But then I got curious and went down a WHOIS rabbit hole. The registry shows cern.ch was registered "before 1 January 1996". However, the historically recognized first domain ever, symbolics.com, was registered on March 15, 1985.
I had a brief moment of cognitive dissonance: how could the first domain be six years older than the first website? Then it clicked. DNS and WWW are fundamentally different protocols. The DNS was already routing emails and networks long before Tim Berners-Lee invented hyperlinks.
To take it a step further, the same Tim Berners-Lee did not just invent the Web - he went on to found the W3C to keep it open and standardized, a mission that still continues today.
First domain != first website. It is basic technical logic, but connecting the dots manually gives that satisfying feeling of closing a mental background process.
#WebHistory #CERN #DNS #W3C #TechPhilosophy #InternetHistory #Proton #InfoSec #TechAudit #Blog #Privacy #History #Fediverse
🚀 #PeerTube passe à la vitesse #S3 !
C'est fait ! Mon instance PeerTube est désormais 100% boostée à l'Object Storage S3.
Le résultat ? Un stockage optimisé et un fonctionnement au top ! ⚡️
Le petit secret de l'installation : pour une rapidité maximale, les échanges entre PeerTube et mon instance #MinIO ne sortent jamais de la maison. Grâce à une configuration #DNS aux petits oignons, tout le trafic reste sur le réseau local 🏠💻
@mediapart @MarieTurcan
Bah coupons les accès a grok.com et x.com depuis les #DNS #Français ça empêchera pas d'y accéder pour ceux qui savent contourner (VPN...) mais ça montrera qu'on agit.
Rappel que grok.com accessible sans contrôle d'accès te sortira du texte 18+++ si tu lui promptes : https://grok.com/?q=10+phrases+trash+et+nsfw
Ce matin ça répond ça sur une IP non #USA :
> Ce modèle est temporairement indisponible Veuillez essayer un modèle différent
Le 18 avril, le nom de domaine eth.limo a été victime d'un détournement (une attaque où le méchant prend le contrôle du nom et change les informations).
Petite question nom de domaine, serait-il possible d'enregistrer un .fr mais dont le nom de domaine serait écrit en cyrilique?
Ça faisait longtemps qu'on n'avait pas eu un nouveau domaine de premier niveau dans le #DNS. https://mastodon.gougere.fr/@DNSresolver/116429766474383558
RE: https://fosstodon.org/@iscdotorg/116416426577631380
In case you’re wondering: while not as extreme as illustrated by ISC (we don’t offer a bug bounty program), NLnet Labs suffers from a similar situation, in particular for Unbound.
Handling vulnerability reports, both valid ones and false positives, has now become a full time job for the entire Unbound team.
You can argue that it ultimately makes our resolver more secure, it also means we cannot work on building and releasing new features, like:
boostedA punchline by @mwl again :)
sanity and self-respect - gregR ☯ - /usr/share/images
https://images.gregr.fr/2023-04-06-sanity-and-self-respect.html
#dns #sysadmin
#IP, #DNS, #VPN : ce rapport démonte la stratégie anti-piratage en #Europe. Depuis plus de quinze ans, l’Europe s’est engagée dans une lutte de plus en plus offensive contre les sites pirates.
https://www.clubic.com/actualite-609094-ip-dns-vpn-ce-rapport-demonte-la-strategie-anti-piratage-en-europe.html
Weekend Reads
* FreeBSD and TCP reordering
https://freebsdfoundation.org/wp-content/uploads/2026/04/stewart-adventures.pdf
* NTP Pool DNS geoloc tampering
https://community.ntppool.org/t/dns-configuration-tampering-on-one-of-our-geodns-servers/4300
* MacOS TCP timestamp clock bug
https://photon.codes/blog/we-found-a-ticking-time-bomb-in-macos-tcp-networking
* TLD and file extension collisions
https://arxiv.org/abs/2604.04805
* VPN provider infrastructure deconstructed
https://codamail.com/articles/vpn_exposed.html
Une campagne d’ #espionnage détourne des milliers de #routeurs dans le monde. Le groupe de hackers #ForestBlizzard pirate des routeurs #SOHO vulnérables pour l'interception des flux #Microsoft 365. Cette opération d'espionnage utilise une manipulation du #DNS pour le vol de jetons d'authentification sans pénétration directe des serveurs de l'entreprise américaine
https://www.clubic.com/actualite-608353-une-campagne-d-espionnage-detourne-des-milliers-de-routeurs-dans-le-monde.html
🖐 Le rapport 2024-2025 du service de médiation de l'Afnic est disponible !
Ce service complète les procédures SYRELI et PARL Expert.
📊 Bilan :
✅ En plein essor → +36,6 % de demandes entre 2024 et 2025
✅ Efficace → 63 % des médiations ouvertes ont abouti à un accord
✅ Rapide → 3 jours ouvrés en moyenne pour parvenir à un accord
📄 Rapport complet : https://www.afnic.fr/observatoire-ressources/actualites/le-service-de-mediation-de-lafnic-confirme-son-efficacite/
#Afnic #InternetMadeInFrance #NomDeDomaine #DNS #Cybersécurité #Phishing #Cybersquatting #SouverainetéNumérique
A pretty significant change in resolver behavior is proceeding:
"[...] BIND 9 is switching to a parent-centric model of delegations. [...] The NS records in the child domain will be treated as normal DNS records and returned as authoritative data, but they will no longer overwrite the delegation data for the domain."
https://lists.isc.org/pipermail/bind-users/2026-April/110552.html
So much of what you may have learned about how #DNS works around the turn of the century is now out of date.
The domain .cn name scam is still ongoing, one more entry added to https://nxdomain.no/~peter/domainnamescam/ (this time addressed to a list owner address).
Also see https://nxdomain.no/~peter/domain_name_scams_are_alive_and_well_thank_you.html #dns #scam #cndomains #chinadomainservice #domainnamescam #cybercrime
The decision to move away from mailing lists was not taken lightly.
We made several tries in the past to find capable mailing list hosting providers and either they were not ticking all our boxes or we had to migrate back to our own self-hosting situation.
Since we are a small developer-focused team, any IT-like activities, in particular emergency ones, would take focus away from things that actually need priority: maintaining mission critical #DNS and #BGP software.
🏆 853 000 noms de domaine en .fr ont été enregistrés en 2025, confirmant le dynamisme du numérique français.
Mais cette croissance s’accompagne d’un enjeu clé : la lutte contre les abus : #phishing, #cybersquatting, #usurpation
👉 L’Afnic lance une “vitrine des abus” pour renforcer la #transparence et mieux comprendre les tendances, avec des données trimestrielles sur les abus liés aux NDD en .fr.
Pour consulter ces éléments 🔗 https://www.afnic.fr/observatoire-ressources/observatoire/vitrine-abus/
Soon, #DNS will run out of letters for its various transports (DoC, DoH, DoQ, DoT…) https://www.rfc-editor.org/info/rfc9953
Time to update #DNS jokes!
✋ What's up DoQ?
👉 What's up DoC?
DNS over CoAP (DoC) (publication date is March 2026, so not a joke)
https://www.rfc-editor.org/info/rfc9953
Quelle classe, cette mise à jour d'Ubuntu de 22 vers 24.04...
root@XXX:/etc# ls -l resolv.conf
lrwxrwxrwx 1 root root 39 mars 31 19:34 resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
root@XXX:/etc# ls -l ../run/systemd/resolve/stub-resolv.conf
ls: impossible d'accéder à '../run/systemd/resolve/stub-resolv.conf': Aucun fichier ou dossier de ce nom
Ça marche forcément beaucoup, beaucoup moins bien.
C'est toujours de la faute du #DNS Cc: @bortzmeyer (vu que du coup, c'est de sa faute à lui, forcément)
"At some point, a reasonable person asked "DNS resolves names to IP addresses, what else can it do?" The answer, apparently, is run DOOM."
J'avais écrit un article de râlerie contre cette idée fausse qu'il y aurait « propagation » dans le #DNS mais c'est seulement maintenant que je découvre que je ne suis pas le seul : https://www.e-ontap.com/dns/propagation/harmful-e.html https://www.nslookup.io/learning/dns-propagation-does-not-exist/
Formation d'administrateur #DNS demain. Si vous pouviez casser votre domaine, pour que je donne le déboguage en TP aux étudiants…
I just noticed this DNS graph. The web site I took over in 2019. It's the busiest web site I have. But I really think the huge upswing in #DNS traffic is related to #AI bot scrapers. I have been struggling so hard just to make them go away. My bandwidth, compute, and web service are not for them. They are not welcome. They do not care.
Literally doubling month on month.
Now, I recently made changes to the DNS for that zone. And I made some screw-ups when I did it. So, I temporarily¹ set the TTL on the NS records to 600 seconds. I kept screwing them up and needing to change them.
Fixing the NS records this morning definitely had a benefit. Yesterday was 325,336 queries. Today was 254,492. So again, some of this is on me. But that whole 13-year DNS graph with a huge surge in the last 2 years is not all me. Stuff has changed.
¹ I remembered this morning when I was like "WTF do I have so much DNS traffic!?"
We're thrilled that Cascade is among the first projects supported by the Nominet DNS Fund.
With Nominet's support, our new DNSSEC signing solution receives a massive push forward, allowing our team to focus on implementing speed improvements, a reduced memory footprint and essentials such as incremental signing.
We'll be launching a beta in April, followed by an initial production release in June 2026.
Pro tip : quand tu configures un VPN, pense à changer de résolveur #DNS sinon, tu auras du mal à aller voir le site Web de Libération, avec l'adresse IP de Dropbox qu'a renvoyé le réseau d'accès.
System Administration: Week 7: DNS, Part II
In this video, we dissect DNS lookups performed on our EC2 instance, then discuss just how a caching resolver performs the lookup, moving from "magic happens here" to the below visualization.
System Administration: Week 7: DNS, Part III
In this video, we try to wrap up our discussion of the Domain Name System by addressing the nature of the root nameservers, looking at various different resource record types, observing reverse lookups, and thinking about how we can have assurance of authenticity and integrity of the DNS results returned to us via DNSSEC.
Good morning, Shenzhen:! Seventh and last day of #IETF125 https://www.ietf.org/meeting/125/
Today, we are going to break/save/restore the #DNS with the new delegation system, DELEG. Also, security area general meeting.
Grosse discussion à la réunion IETF sur la censure via un résolveur #DNS menteur : comment indiquer à l'utilisateur (qui ne fait pas de requête DNS lui-même et ne connait pas dig) qu'il y a eu censure et pas panne ?
After a lively discussion on solutions to depend less on the #DNS root (obviously no consensus, despite a tendency to deny there is a problem to solve), another hot question: DNS #censorship and the need to be transparent about it. https://datatracker.ietf.org/doc/draft-nottingham-dnsop-censorship-transparency/
What to display to the end user? (Not anything got from the resolver: security issues.) Lumen Database entry?
Now, dnsop working group (real-time transcript said "Dina Zop") because the #DNS loves you and we love it, too.
First, a lot of stuff about various ways to be less technically dependent on the root (local caching, local root as in RFC 8806, etc).
RFC 8806, the resolver behaves as if it were authoritative for the root. RootCache is more resolver-traditional.