social.dk-libre.fr is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
If you host services yourself in your homelab, you don't want to keep typing http://ip:port into the browser, do you?
hostname.internal with an SSL warning is annoying too.
"Your connection is not private"
Here I show you how to set up SSL certificates in your homelab using the DNS-01 challenge and AdGuard Home as the DNS server.
#homelab #selfhosted #ssl #letsencrypt #dns #AdGuardHome #heimserver
Or other fun examples involving DNS
Retooting helps with teaching ^^
weird (fortunately not in "prod")
a quick search tells me I'm not the only one...
I don't understand why the website of this initiative to provide European DNS resolvers (which includes child filtering + ad blocking) still hasn't been translated into several European languages 🤔
DNS resolvers for the general public:
- Protective 86.54.11.1
- Protective + Child Protection 86.54.11.12
- Protective + Ad Blocking 86.54.11.13
- Protective + Child Protection + Ad Blocking 86.54.11.11
- Unfiltered 86.54.11.100
If you run your own local DNS servers at home, do you: (select all that apply)
Comment with your preferred DNS stack and privacy friendly DNS providers.
#FreeBSD #Linux #selfHosting #DNS
| Forward to ISP's DNS servers.: | 0 |
| Forward to a DNS service (1.1.1.1, 9.9.9.9, etc).: | 6 |
| Recursively resolve from root servers directly.: | 7 |
| Encrypt my DNS using DoH, DoT, etc.: | 7 |
I have self-hosted the DNS for my domains for more than 20 years now.
2026 was finally the year in which I decommissioned the last BIND server and replaced it with PowerDNS, containerized in Podman and with a SQLite backend.
I already migrated the hidden primary to PowerDNS in 2022 (because of the REST API, compatibility with Traefik, easier DNSSEC handling and the higher flexibility) and now my secondaries are also migrated.
Nonetheless, BIND was one of the most stable pieces of technology that I've ever used. But it also felt a bit unwieldy and old-fashioned in some ways.
We released Unbound 1.25.1 just seven days ago and now look at the changelog today. ❤️🩹🔥
https://github.com/NLnetLabs/unbound/blob/master/doc/Changelog
Yes, #p2p gnutella. I remember.
> For most #Gnutella was a file transfer tool. This categorization misses a basic function of the #protocol. At its core, Gnutella is just a peer-to-peer #search engine for blobs.
> We could have used it as a poor man's #DNS system, or a global metadata lookup table for key/value pairs, or a matchmaking service for your Unreal Tournament league, but that never really happened. Gnutella was good at providing file downloads that matched search queries, and that is what history remembers it for.
QOTD
> Technitium DNS Server is a complete open source DNS server: authoritative, recursive, and forwarding.
@bortzmeyer come back from vacation soon!
#dns
So question:
"how many authoritative name servers don't support encryption?"
The internet claims that this is >95%.
My personal feeling is that this is lower but this might be my bubble, that we're the 5%.
What's your feeling?
#infoSec #cybersecurity #DNS #encryption
Plz retoot for reach.
| It is our bubble. We're the 5%, no one else cares: | 10 |
| I think it is higher now - a bit, maybe 10% or so: | 5 |
| It is significantly higher - more 25%: | 0 |
| what the hell is DNS query encryption?: | 16 |
Closed
🚨 SECURITY RELEASE 🚨
Today we released Unbound 1.25.1, which consolidates security fixes for issues reported over a period of time.
There are fixes for CVE-2026-33278, CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960, CVE-2026-44390 and CVE-2026-44608.
Please read the release notes carefully and plan to upgrade.
#DNS #DNSSEC #Mythos #LLM #OpenSource
https://community.nlnetlabs.nl/t/unbound-1-25-1-released/3392
Pro tip: set `UseDNS no` in your sshd_config to disable reverse DNS lookups for every single ssh connection to your host.
It provides no filtering or validation purpose, afaik, and seems to only generate excess DNS traffic.
This lesson brought to you by the 66k DNS lookups in the past 24hrs from a single public facing forgejo jail.
If your employer is an OARC member, you have access to the #DNS data collected by the root name servers. (Talk by Kazunori Fujiwara)
As always, working with data is complicated. For instance, some operators (A, B, D, F, H, I, J and L) blur the IP addresses, and it is not documented. (And they don't use the same algorithm.)
#OARC46
"Gonemaster - A Go implementation of Zonemaster" by Patrik Wallström
Instead of using AI, let's use Go :-) Among the good things: native concurrency [I approve]
@ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.
Also, make sure to bring your zone files so you can for example see how fast parallel #Dnssec signing by @bal4e really is. #DNS #LoveDNS #OpenSource
Webmin is hardened & clustered w/ three total nodes, ns1, ns2, and ns3 etc. I will eventually add clustered nodes on two other locations so records are still served when one cluster's host is down.
https://tech.haacksnetworking.org/2025/12/29/authoritative-dns-w-bind-9/ feedback welcome.
Added larger tmp directory & source-IPd vhost so webmin won't lock. Obv, make sure you use static, dedicated, & fully hardened external IPs for permitted list.
#selfhosted #homelab #sysadmin #linux #dns #webmin #opensource #freesoftware #networking
Funny that #DNS traffic analysis at Salesforce still shows a lot of requests for obsolete types like A6, SPF, DLV.
Actually measuring the robustness of the Internet is hard. For instance, for #DNS resolvers (the current talk by Maynard Koch), good resolvers, actually used by people, are typically not publicly reachable. The open resolvers which are easy to study are typically misconfigured and not actually used.
Passwort - the heise security podcast: KI Fail, Copy Fail, S/MIME Fail
(XXL episode, 2.4 hours, unfortunately without chapter markers or an episode number, but interesting as always. :-* O:-) )
#CopyFail is making waves and does not pass the #Podcast by either:
The #vulnerability in #Linux is technically interesting, which however takes Christopher and Sylvester to the limits of their knowledge of #kernel internals. Beyond that, Copy Fail raises various fundamental questions about the #security of Linux and the handling of #vulnerabilities, which the hosts discuss.
This episode is also about a deletion-happy AI and, of course, about PKI, at least a little. #DNS #Mail
Episode web page: https://passwort.podigee.io/57-ki-fail-copy-fail-s-mime-fail
Media file: https://audio.podigee-cdn.net/2485319-m-32db6ba0613c9c3319703a63e31139a4.mp3?source=feed
Averaging 36.6% block rate on my DNS filtering service across all users.
In the age of enshittification it's not hard to believe that 1/3 of all DNS queries request adware, malware, trackers, and other crap you don't need.
Just realised that #DNS is Internet Standard (STD) 13.
In Western societies it means that DNS brings, obviously, good luck ☝️
DENIC wrote in their status message that "all DNSSEC-signed .de domains are currently affected in their reachability"
https://status.denic.de/pages/incident/592577eab611ce1e0d00046f/69fa60ef9d12f5057a974f38
But it wasn't just DNSSEC-signed domains! For example, bahn.de was down even though it is not DNSSEC-signed.
It looks like for DNSSEC-signed zones the DS record in de. was incorrectly signed:
https://dnsviz.net/d/nic.de/afpsNg/dnssec/
And for zones that were not signed, the NSEC3 records proving there is no DS record were incorrectly signed:
https://dnsviz.net/d/bahn.de/afpnxQ/dnssec/
Am I the only one having #DNSSEC problems with #DENIC?
Unbound is throwing me a lot of DNSSEC bogus on some .de domains 🤔
$ dig welt.de
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21366
...
; EDE: 6 (DNSSEC Bogus): (validation failure <welt.de. A IN>: signature crypto failed from 2a02:568:0:2::53 for DS welt.de. while building chain of trust)
Edit: issue seems fixed.
Looks like DE ccTLD is unresolvable due to DNSSEC issue:
https://dnsviz.net/d/nic.de/afpsNg/dnssec/
😬
🧵👇
RE: https://mastodon.social/@jpmens/116522310229612501
IANA has a chance to do the funniest thing ever…
I am looking for a few more US-based early adopters to provide feedback on a protective DNS service offering aligned with NIST SP 800-81 Rev. 3 (March 2026).
https://csrc.nist.gov/pubs/sp/800/81/r3/final
This service merges Zero Trust and DNS without requiring client-side agents. Supports mobile devices, browsers, server hardware & IoT.
If you're interested in providing feedback on this service as a free beta tester, email me at:
securednsbeta@techliterate.co
Ah, so I just discovered that drill has been "abandoned", that the new tool is called "dnsi" ... And that it doesn't look much more developed either.
Do we have to go back to dig?
We released Unbound 1.25.0. This release of our #OpenSource #DNS resolver includes improvements and fixes resulting from reports by various security researchers.
In the release notes, the word “thanks" appears 32 times. You can expect this trend to continue for the next couple of releases, at least.
Lastly, please note the new signing key we're using since January ‘26.
https://community.nlnetlabs.nl/t/unbound-1-25-0-released/3375
Quick #administration #DNS question for @bortzmeyer: when you have several domain names across different TLDs, is there a risk in keeping everything with the same registrar, or is it preferable to have several? If it is preferable to have several, what is the recommendation for the distribution?
The question is not about the technical side: just the paperwork and the payments.
#TFW the consultant who maintains your company's #Salesforce sets up #DKIM in Salesforce's sandbox environment and asks you to create the necessary #DNS records for it and doesn't understand why it's a problem that he used the same selectors (i.e., DNS record names) for the sandbox environment that are already being used in production.
(I'm sure he has an expert-level proficiency in Salesforce, but maybe not so much in email security.)
A true firewall for the Internet, #NextDNS has become in a few years the reference for taking back control of your #privacy. Why abandon your #ISP's #DNS in favour of this French flagship?
https://goodtech.info/nextdns-guide-avantages-avis/
Geopolitics of the #DNS: what do Greece and Kyrgyzstan have in common? https://labs.ripe.net/author/yevheniya-nosyk/adox-deployment-in-the-wild/
(Answer: both have at least one authoritative server accepting DoT - DNS over TLS.)
To his complete surprise, our colleague Jaap Akkerhuis was awarded Knight of the Order of the Dutch Lion earlier today for Exceptional Contribution to Society. Akkerhuis is a Dutch Internet pioneer, protocol designer and expert on the internet's naming system.
More at https://blog.nlnetlabs.nl/dutch-internet-pioneer-jaap-akkerhuis-knighted-for-exceptional-contribution-to-society/ #internet #dns
🚀 #PeerTube shifts up to #S3 speed!
It's done! My PeerTube instance is now 100% boosted by S3 Object Storage.
The result? Optimized storage and top-notch operation! ⚡️
The little secret of the installation: for maximum speed, the exchanges between PeerTube and my #MinIO instance never leave the house. Thanks to a carefully tuned #DNS configuration, all the traffic stays on the local network 🏠💻
@mediapart @MarieTurcan
Well, let's cut off access to grok.com and x.com from #French #DNS resolvers; it won't prevent access for those who know how to get around it (VPN...) but it will show that we are acting.
Reminder that grok.com, accessible without access control, will give you 18+++ text if you prompt it: https://grok.com/?q=10+phrases+trash+et+nsfw
This morning it answers this on a non-#USA IP:
> Ce modèle est temporairement indisponible Veuillez essayer un modèle différent
On April 18, the domain name eth.limo was the victim of a hijacking (an attack where the bad guy takes control of the name and changes the information).
Quick domain name question: would it be possible to register a .fr whose domain name is written in Cyrillic?
My #diday this month is a little nerdy. I want to deploy my own #DNS resolver in my network. #PiHole has been running reliably on my #Proxmox for years and is now to be complemented with #Unbound. My current question is strategic. Extend the PiHole #Container or set up Unbound in its own container? What do the decisions in the #Fediverse look like on this question? #homelab #server #linux
It had been a long time since we had a new top-level domain in the #DNS. https://mastodon.gougere.fr/@DNSresolver/116429766474383558
I've been looking a bit around for DNS hosting in Japan...
Does anyone have any experience with Onamae.com?
They do seem pretty cheap (about 1500¥ for a .net if I understood correctly).
Are there any kind of cons?
What do people on #Famichiki use?
RE: https://fosstodon.org/@iscdotorg/116416426577631380
In case you’re wondering: while not as extreme as illustrated by ISC (we don’t offer a bug bounty program), NLnet Labs suffers from a similar situation, in particular for Unbound.
Handling vulnerability reports, both valid ones and false positives, has now become a full time job for the entire Unbound team.
You can argue that it ultimately makes our resolver more secure, it also means we cannot work on building and releasing new features, like:
A punchline by @mwl again :)
sanity and self-respect - gregR ☯ - /usr/share/images
https://images.gregr.fr/2023-04-06-sanity-and-self-respect.html
#dns #sysadmin
Open source software, support for DoH/DoT/DoQ, protections and architecture: I have documented the HostuxDNS stack here:
https://dns.hostux.net/stack.html
#IP, #DNS, #VPN: this report dismantles the anti-piracy strategy in #Europe. For more than fifteen years, Europe has been engaged in an increasingly aggressive fight against pirate sites.
https://www.clubic.com/actualite-609094-ip-dns-vpn-ce-rapport-demonte-la-strategie-anti-piratage-en-europe.html
I was told that hosting your own e-mail server was hellish.
So I installed one 😅
I went with Stalwart, which is lighter than the mailcow stack for solo use.
- All the technical side: OK ✅️
- DNS: OK ✅️
- IP blocklist test -> 1 out of 60: OK ✅️
- Known domain: OK ✅️
- Dedicated additional IP: OK ✅️
- Test to a Tuta address: Received ✅️
- Test to an Infomaniak address: Received ✅️
- Test to a Gmail address: Spam ❌️
- Test to a Hotmail address: Spam ❌️
😅
So I understand the term "hellish".
There is clearly a monopoly of 3 giants (Google, Microsoft, Apple), who lay down the law on e-mail.
Tough luck, that's what people use 80% of the time.
I'm going to make a detailed video about the process.
And I understand why even the bravest end up leaving this to SaaS.
In the meantime I'm going to "warm" my address.
Any tips?
An #espionage campaign is hijacking thousands of #routers worldwide. The hacker group #ForestBlizzard compromises vulnerable #SOHO routers to intercept #Microsoft 365 traffic. This espionage operation uses #DNS manipulation to steal authentication tokens without directly penetrating the American company's servers
https://www.clubic.com/actualite-608353-une-campagne-d-espionnage-detourne-des-milliers-de-routeurs-dans-le-monde.html
The domain .cn name scam is still ongoing, one more entry added to https://nxdomain.no/~peter/domainnamescam/ (this time addressed to a list owner address).
Also see https://nxdomain.no/~peter/domain_name_scams_are_alive_and_well_thank_you.html #dns #scam #cndomains #chinadomainservice #domainnamescam #cybercrime
The decision to move away from mailing lists was not taken lightly.
We made several tries in the past to find capable mailing list hosting providers and either they were not ticking all our boxes or we had to migrate back to our own self-hosting situation.
Since we are a small developer-focused team, any IT-like activities, in particular emergency ones, would take focus away from things that actually need priority: maintaining mission critical #DNS and #BGP software.
Soon, #DNS will run out of letters for its various transports (DoC, DoH, DoQ, DoT…) https://www.rfc-editor.org/info/rfc9953
Time to update #DNS jokes!
✋ What's up DoQ?
👉 What's up DoC?
DNS over CoAP (DoC) (publication date is March 2026, so not a joke)
https://www.rfc-editor.org/info/rfc9953
How classy, this Ubuntu upgrade from 22 to 24.04...
root@XXX:/etc# ls -l resolv.conf
lrwxrwxrwx 1 root root 39 mars 31 19:34 resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
root@XXX:/etc# ls -l ../run/systemd/resolve/stub-resolv.conf
ls: impossible d'accéder à '../run/systemd/resolve/stub-resolv.conf': Aucun fichier ou dossier de ce nom
Inevitably, that works much, much less well.
It's always the #DNS's fault Cc: @bortzmeyer (since that means it's necessarily his fault)
"At some point, a reasonable person asked "DNS resolves names to IP addresses, what else can it do?" The answer, apparently, is run DOOM."
I had written a rant article against this false idea that there is "propagation" in the #DNS, but it is only now that I discover I am not the only one: https://www.e-ontap.com/dns/propagation/harmful-e.html https://www.nslookup.io/learning/dns-propagation-does-not-exist/
#DNS administrator training tomorrow. If you could break your domain, so that I can give the debugging to the students as a lab exercise…
I just noticed this DNS graph. The web site I took over in 2019. It's the busiest web site I have. But I really think the huge upswing in #DNS traffic is related to #AI bot scrapers. I have been struggling so hard just to make them go away. My bandwidth, compute, and web service are not for them. They are not welcome. They do not care.
Literally doubling month on month.
Now, I recently made changes to the DNS for that zone. And I made some screw-ups when I did it. So, I temporarily¹ set the TTL on the NS records to 600 seconds. I kept screwing them up and needing to change them.
Fixing the NS records this morning definitely had a benefit. Yesterday was 325,336 queries. Today was 254,492. So again, some of this is on me. But that whole 13-year DNS graph with a huge surge in the last 2 years is not all me. Stuff has changed.
¹ I remembered this morning when I was like "WTF do I have so much DNS traffic!?"
We're thrilled that Cascade is among the first projects supported by the Nominet DNS Fund.
With Nominet's support, our new DNSSEC signing solution receives a massive push forward, allowing our team to focus on implementing speed improvements, a reduced memory footprint and essentials such as incremental signing.
We'll be launching a beta in April, followed by an initial production release in June 2026.
Pro tip: when you configure a VPN, remember to change your #DNS resolver; otherwise, you will have trouble reaching the Libération website, with the Dropbox IP address that the access network returned.
System Administration: Week 7: DNS, Part II
In this video, we dissect DNS lookups performed on our EC2 instance, then discuss just how a caching resolver performs the lookup, moving from "magic happens here" to the below visualization.
System Administration: Week 7: DNS, Part III
In this video, we try to wrap up our discussion of the Domain Name System by addressing the nature of the root nameservers, looking at various different resource record types, observing reverse lookups, and thinking about how we can have assurance of authenticity and integrity of the DNS results returned to us via DNSSEC.
Good morning, Shenzhen! Seventh and last day of #IETF125 https://www.ietf.org/meeting/125/
Today, we are going to break/save/restore the #DNS with the new delegation system, DELEG. Also, security area general meeting.
Big discussion at the IETF meeting about censorship via a lying #DNS resolver: how do you indicate to the user (who does not make DNS queries themselves and does not know dig) that there was censorship and not an outage?
After a lively discussion on solutions to depend less on the #DNS root (obviously no consensus, despite a tendency to deny there is a problem to solve), another hot question: DNS #censorship and the need to be transparent about it. https://datatracker.ietf.org/doc/draft-nottingham-dnsop-censorship-transparency/
What to display to the end user? (Not anything got from the resolver: security issues.) Lumen Database entry?
Now, dnsop working group (real-time transcript said "Dina Zop") because the #DNS loves you and we love it, too.
First, a lot of stuff about various ways to be less technically dependent on the root (local caching, local root as in RFC 8806, etc).
RFC 8806, the resolver behaves as if it were authoritative for the root. RootCache is more resolver-traditional.
Good morning, Shenzhen! Sixth day of #IETF125 https://www.ietf.org/meeting/125/
Today, for me, dconn (helping endusers to configure domain-related services), dnsop (second meeting, all things #DNS) and a talk about Chinese involvement in standardization.
A friend forwards me this:
"
Lessons learned: WireGuard + Orange Livebox = silent IPv6 DNS leak
Even with an alternative IPv4 DNS correctly configured (Aquilenet, FDN...), an Orange DNS server kept appearing.
Cause: the Livebox injects its DNS servers via RDNSS in its IPv6 Router Advertisements.
NetworkManager accepts them alongside our config, without warning.
The mechanism: when you visit a site, your OS sends two DNS queries simultaneously, one in IPv4, one in IPv6.
"
1/n
Even with IPv4 DNS → Aquilenet, the IPv6 query went to Orange via the RDNSS announced in the Livebox's RAs...
Result: Orange was logging 50% of your DNS queries despite a "correct" config.
What is not enough:
- Changing the IPv6 DNS in NetworkManager → the Livebox imposes itself in parallel anyway
- sysctl accept_ra=0 alone → NetworkManager resets it at nmcli connection up
- ip -6 route del → routes re-injected by the next nmcli connection up
2/n
The real solution:
nmcli connection modify "VotreConnexion" ipv6.dns ""
nmcli connection modify "VotreConnexion" ipv6.method "link-local"
ipv6.method "link-local" tells NetworkManager:
"accept NO IPv6 configuration coming from outside"
The Livebox can no longer inject routes or DNS via its RAs.
All useful IPv6 goes through the WireGuard tunnel only.
Tested on Debian 12 + NetworkManager + Orange Livebox 5.
3/n
And here is why:
Orange has a 60% market share for fibre and broadband.
It is legally required to host DPI (Deep Packet Inspection) probes on its infrastructure, accessible to the GIC (Groupement Interministériel de Contrôle) under the supervision of the DGSI.
Every unencrypted DNS query transiting through the Livebox constitutes metadata (which site, at what time, from which IP) collected in real time without an individual warrant (2015 intelligence law, extended in 2021).
documented in the annual reports of the CNCTR (Commission Nationale de Contrôle des Techniques de Renseignement).
4
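The RDNSS mechanism described in the thread above, as an added example that is not part of the original posts: a Python parser that extracts the RDNSS option (RFC 8106, option type 25) from an ICMPv6 Router Advertisement and lists the announced resolvers that are not on an allow-list. The sample packet, the addresses (documentation prefix 2001:db8::/32 and the ULA fd00:53::1) and all function names are constructed for illustration.

```python
"""Extract RDNSS resolvers (RFC 8106) from an ICMPv6 Router Advertisement."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement (RFC 4861)
OPT_SOURCE_LLADDR = 1    # Source Link-Layer Address option
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)
RA_HEADER_LEN = 16       # fixed RA fields that precede the options


def parse_rdnss(ra: bytes):
    """Return [(lifetime_seconds, [IPv6Address, ...]), ...], one entry per RDNSS option."""
    if len(ra) < RA_HEADER_LEN or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    found, off = [], RA_HEADER_LEN
    while off < len(ra):
        if off + 2 > len(ra):
            raise ValueError("truncated option header")
        opt_type, opt_len = ra[off], ra[off + 1]   # length is in units of 8 bytes
        if opt_len == 0:
            raise ValueError("option with length 0")
        end = off + opt_len * 8
        if end > len(ra):
            raise ValueError("option runs past the end of the packet")
        if opt_type == OPT_RDNSS:
            # 8 bytes of type/length/reserved/lifetime, then 16 bytes per address,
            # so a valid length is odd and at least 3.
            if opt_len < 3 or opt_len % 2 == 0:
                raise ValueError("malformed RDNSS option")
            (lifetime,) = struct.unpack_from("!I", ra, off + 4)
            addrs = [ipaddress.IPv6Address(ra[p:p + 16])
                     for p in range(off + 8, end, 16)]
            found.append((lifetime, addrs))
        off = end   # every other option type is skipped by its declared length
    return found


def unexpected_resolvers(ra: bytes, allowed):
    """Resolvers the RA tells hosts to use that are not on the allow-list.

    A lifetime of 0 means "stop using this resolver", so such entries are ignored.
    """
    allowed = {ipaddress.IPv6Address(a) for a in allowed}
    return [addr
            for lifetime, addrs in parse_rdnss(ra) if lifetime > 0
            for addr in addrs if addr not in allowed]


def build_ra(rdnss, lifetime, router_mac=bytes.fromhex("020000000001")):
    """Build a constructed RA (checksum left at 0) so the parser can run offline."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    lladdr = bytes([OPT_SOURCE_LLADDR, 1]) + router_mac
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    opt = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, lifetime) + packed
    return header + lladdr + opt


# Constructed sample: a home router announcing two resolvers of its own,
# while the only resolver we intend to use sits behind the tunnel.
SAMPLE_RA = build_ra(["2001:db8:1::53", "2001:db8:1::54"], lifetime=600)
TUNNEL_RESOLVER = "fd00:53::1"   # assumed address, for illustration only

if __name__ == "__main__":
    for addr in unexpected_resolvers(SAMPLE_RA, [TUNNEL_RESOLVER]):
        print("RA-announced resolver outside the allow-list:", addr)
```

To run it on real traffic, pass in the ICMPv6 payload of a captured Router Advertisement (starting at the type byte) instead of `SAMPLE_RA`.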
So, previously on post-quantum #DNSSEC: not a lot of action. Standardized post-quantum cryptography algorithms like ML-DSA have keys and signatures which are way too long for the #DNS.
https://mastodon.gougere.fr/@DNSresolver/116241567126448201
TLS can deal with it (they run on TCP or QUIC) but we cannot, with UDP. No obvious solution.
https://datatracker.ietf.org/doc/draft-liu-dnsop-protective-dns/ : "Protective" #DNS resolvers (also called lying resolvers or, more politically correct, "policy-aware resolvers") Everybody disagrees and wants to kill the draft.
Good morning, Shenzhen! This is the third day of #IETF125 https://www.ietf.org/meeting/125/ We are preparing the future Internet technical standards.
Today, for me, dnsop (#DNS stuff), aipref (preferences for AI crawlers) and rpp (domain registration protocol).
@bernardpo @whiteflag And for the #DNS queries the article talks about (suggesting either dig in a terminal, or a service hosted by a GAFA, in this case Cloudflare), you can also use the fediverse by sending a domain name to @DNSresolver
Checkmate!
> Check Point ThreatCloud flags whole cloudfront.net... - Check Point CheckMates
> False positives can happen and do happen from time to time. Normally I would not create a CheckMates post for that.
https://community.checkpoint.com/t5/General-Topics/Check-Point-ThreatCloud-flags-whole-cloudfront-net-as-phishing/m-p/271664#M45533
#dns #sysadmin #infosec
Back in May 2019, we said goodbye to SVN and Bugzilla and migrated to Git and GitHub [1]. Since then, we accumulated 188 repositories. 🙀
We're now making a list to decide which ones we're moving to @Codeberg and which are going to be archived and left behind.
While we're doing that, we signed NLnet Labs up as a Codeberg e.V. member!
[1] https://lists.nlnetlabs.nl/pipermail/unbound-users/2019-April/006130.html
System Administration: Week 7: DNS, Part I
In this video, we are beginning our discussion of the #DNS. We go back to the early days of the internet when copying /etc/hosts from system to system was the way to resolve hosts...
(Hosts file from 1983: https://rscott.org/OldInternetFiles/hosts.19831104.txt)
...and we cover the structure of the domain name space and the creation of the top-level domains.
(Second-level domain inventory from 1987: https://rscott.org/OldInternetFiles/domain-info.19871215.txt)
RFC 9848: Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings
The #ECH protocol (Encrypted Client Hello, standardized in RFC 9849) makes it possible to encrypt the #TLS greeting (the ClientHello), in particular the name of the server you are connecting to. But for that, you need the server's public key. One of the ways to retrieve it is in the #DNS, as standardized in our #RFC.
@shaft By the way, since you were talking about #SVCB in alias mode: https://lists.dns-oarc.net/pipermail/dns-operations/2024-April/022531.html
#IPFire 2.29 Core Update 200: #Linux 6.18 LTS and DBL preview | iX Magazin https://www.heise.de/news/IPFire-2-29-Core-Update-200-Linux-6-18-LTS-und-DBL-Preview-11194695.html #OpenSource #OpenSSL #DNS #Verschlüsselung #encryption
With memory prices skyrocketing we're happy to bring you some good news on the #DNS front.
In version 4.14.0 of our authoritative nameserver NSD we vastly reduced the memory footprint by refactoring the RDATA storage, with gains up to 50%.
Overall, relatively large #DNSSEC-signed zones like .nl and .se benefit the most, but being able to bring the memory requirements to serve .com below 64GB is pretty awesome too.
We're eager to hear the improvements you're seeing!
"I think i should be able to come up with something that improves caching, reduces server load and eliminates some major security gaps while still keeping the decentralized aspect." (He talks about replacing the #DNS …)
(This was in a comment to https://blog.apnic.net/2026/02/25/towards-an-industry-best-practice-for-dnssec-automation/)
Will he have more success than the guy who claimed he could rewrite curl in one week-end?
@joel Disclaimer: I manage a public DNS resolver https://doh.bortzmeyer.fr/policy
There are thousands of open #DNS resolvers (public = on purpose, open = often by accident) so it is quite ridiculous to try to address them one by one. As often, this is security theater (I sometimes receive stupid "security alerts" written by interns or LLMs). Were there more specific details? ("open relay" is typically used for SMTP, not DNS)
@joel I am not a #DNS guy, but this topic interests me.
I follow these two valuable people 🇫🇷@bortzmeyer and @shaft and they provide the same public DNS service you want to build. They share a lot of information on their respective blogs on their public DNS resolvers.
I am pretty sure they already faced the same situation as yours.
well. I think I'm out of optimization ideas for https://codeberg.org/miekg/dns
Happy to be pointed to bottlenecks, but I think _all_ the lowish hanging fruit is gone. Ballpark number: 2x faster than dnsv1
Let’s Encrypt Introduces DNS-PERSIST-01 for Persistent ACME DNS Validation
https://linuxiac.com/lets-encrypt-introduces-dns-persist-01-for-persistent-acme-dns-validation/