HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Show HN: File distribution over DNS: (ab)using DNS as a CDN(eighty-twenty.org)

72 points·by tonyg·3 lata temu·34 comments
eighty-twenty.org
Show HN: File distribution over DNS: (ab)using DNS as a CDN

https://eighty-twenty.org/2023/07/31/dns-as-a-cdn

35 comments

m3047·3 lata temu
A lot of our current tech stacks are topheavy. I'm all for re-examining foundational internet technologies and objectively examining how stuff can be pushed down the stack as it were; I'm arguably one of the people destroying DNS if that's your mindset, seems like a good key-value store and "data diode" to me.

I think email (SMTP) still hasn't been fully exploited as a job scheduling tool (events... mini batches... SMTP).

Bearing in mind, I don't expect people to burden the public infrastructure with these kinds of activities. I think if you're going to use the DNS for telemetry you need to scale your deployment to handle at least hundreds of requests a second; this isn't hard with DNS, it's just not the mindset of DNS operators intending to use the DNS as it always has been used. There are also some blatantly political considerations which need to be swept away to make it truly seamless.

The gnashing of teeth is obviously suspect when you consider the trajectory of HTTP: from web pages to XHR, SOAP and DoH. However questionable you might find the architectural choices, HTTP continues to work in spite of the abuse. Likewise, the demise of DNS is unlikely.
dvasdekis·3 lata temu
Have a think then about modern encryption and consensus on top of Usenet, which is the SMTP-compatible message queue of your dreams (in terms of available capacity)
m3047·3 lata temu
I have thought about it, and some "modern" encryption but maybe not what you're thinking of.
arjvik·3 lata temu
NSCDN? You missed the chance to name it CDNS!
woleium·3 lata temu
Don't do this. DNS works and continues to work because we don't abuse it.
RockRobotRock·3 lata temu
Pushing limits is how we get innovative technology. It's interesting, if nothing else.
cookiengineer·3 lata temu
Tell that to hackers doing DNS exfil since 10+ years.

Modern ransomware is even able to abuse/imitate apple's airdrop and other DNS-SD services because they're let through by most configurations.
jesprenj·3 lata temu
There's also iodine, a C program that tunnels IPv4 packets over DNS. Useful for bypassing captive portals on wifi, since DNS usually isn't restricted.

https://github.com/yarrick/iodine

Regarding cloudflare DNS over HTTPS: It could be that it tries to server data encoded as JSON, which is impossible in JSON. Some control characters and bytes 128-255 cannot be represented as JSON strings.
OJFord·3 lata temu
IME they block DNS other than their own (not even rewrite, just outright block). Not through experience trying to use iodine, but because I frequently have to drop my explicit DNS server in order to be able to reach the captive portal and connect legitimately.
jesprenj·3 lata temu
Yeah, like a sibling comment replied, the idea of iodine is that you don't use your own resolver but the one that the captive portal provided.

You need a domain name, xxx.example, then you can uplink data yyyyyy through the tunnel by querying yyyyyy.xxx.example and iodined, authoritative for xxx.example, will receive this query by the captive portal's resolver. To downlink data, you read responses (txt, cname or null records) that iodined will send for your queries.

This probably fills up the cache of the captive portal's resolver (:
OJFord·3 lata temu
Oh I see. I'm surprised if they upstream DNS requests though, it doesn't serve any legitimate purpose? The whole point is that they respond 172.16.0.1 or whatever for the CP to everything? (Until MAC address known or however they track.)
jesprenj·3 lata temu
Sometimes they require 3rd party stuff, hotlinked images, js on frontpage, etc.

I was on a ferry ship with paid sattelite wifi internet once and they only faked DNS responses for gstatic.com, google, etc. But they allowed my domain (DNS queries to it) and stripe.com (because that's how you paid) -- so they only faked responses for a small set of popular domains. IP access to the internet was, apart from stripe, blocked.

And because stripe uses FastlyCDN, they allowed all of fastlycdn network ranges (not useful for iodine), so I could browse reddit (they also use fastly) using stripe's CDN (only html, without i.redd.it image hosting, that's elsewhere).

AFAIR Fastly doesn't have a free plan, so I couldn't tunnel at higher speeds (via HTTP) but only via DNS.

But yeah, sometimes they just outright respond to any query with their IP and you are out of luck.
smashed·3 lata temu
Of course. A captive portal can also be more sneaky and mangle the packets to redirect them to their own DNS service, since it's not encrypted.

But that's the beauty of iodine. It will still work because if the captive portal's name servers actually fully resolve requests, it will contact your upstream iodine controlled name servers and forward the response as-is, because that's just how DNS works.

Of course it's also fairly easy to detect/block since your DNS usage will be completely abnormal.
1vuio0pswjnm7·3 lata temu
"Hmm. Promising. Unfortunately, it doesn't seem to like the TXT records having binary data in them (bug? certainly TXT records are allowed to hold binary data, see here and then here), so it might not Just Work."

Aside: IMHO, dnstxt from djbdns is easier for requesting TXT records than dig; it's a much smaller, simpler program.

tinydns from djbdns can store any data in TXT records, i.e., arbitratry bytes specified by octal. Perhaps other authoritative servers can also do this today. At the time djbdns was released AFAIK it was the only one.

"TXT (``text'') record for fqdn. tinydns-data creates a TXT record for fqdn containing the string s. You may use octal \nnn codes to include arbitrary bytes inside s; for example, \072 is a colon."

https://cr.yp.to/djbdns/tinydns-data.html

Thus one could, e.g., store mini-web pages in TXT records. I experimented with this about 15 years ago.
unixfox·3 lata temu
Somewhat related article: https://blog.benjojo.co.uk/post/dns-filesystem-true-cloud-st... (DNSFS. Store your files in others DNS resolver caches - 2018)
tonyg·3 lata temu
Very interesting and relevant! Thank you!
victorbjorklund·3 lata temu
DNS is wild. I really need to dig down and better understand it.
kalupa·3 lata temu
I see what you did there ...
rpastuszak·3 lata temu
wait, who is wild?
tbiehn·3 lata temu
Yet another DNS file delivery thing - wrote a few years ago to get files into restrictive networks and results out: https://dualuse.io/blog/dnspump/
tonyg·3 lata temu
Cool, thanks for sharing!
rpastuszak·3 lata temu
I like that, I use Twitter/X as my CDN: https://sonnet.io/projects#:~:text=Laconic!%20(a%20Twitter%2...
quickthrower2·3 lata temu
CDN? or REST DB?

Potato potato I guess
rpastuszak·3 lata temu
Somewhere between S3 and Glacier depending how you look at it.

> Potato potato I guess

I'd go with potato. I actually own https://potato.horse and now I'm starting to think that I should point cdn.potato.horse to that twitter thread!
derN3rd·3 lata temu
Wouldn't it be simpler and easier for clients to implement when they would use the TXT to store a magnet link and host the file via webtorrents?

Maybe such a solution already exists, but I couldn't find it
whalesalad·3 lata temu
Nope. How could you get any easier than plain DNS? That would require a torrent client and bittorrent protocol. The beauty of this hack is that it exists on top of the ubiquitous DNS system.
dannyobrien·3 lata temu
I think the obvious match here is how IPFS can use a dnslink TXT file to point to the content-addressable top of an IPFS-distributed static web https://docs.ipfs.tech/concepts/dnslink/ . This is how a lot of dweb/web3 websites maintain and advertise a non-http mirror. It works out of the box for sites served using https://distributed.press/ (non-commercial, open source) or https://fleek.co/ (hosted).

If you use Brave, or have the IPFS browser extension, you can access sites like https://ffdweb.org/ as an option, or preferentially.
imoverclocked·3 lata temu
It's not far from OpenAFS which uses SRV records to point to fileservers. It's not magnet/torrent but it's certainly DNS discovery for data on a different protocol.
tonyg·3 lata temu
Well, I'm not sure adding a webtorrent implementation counts as simpler for clients than just TXT record retrieval.
tonyg·3 lata temu
(Has anyone tried the little demo? ... Does it work?)
RockRobotRock·3 lata temu
This is definitely a harder drive.
askiiart·3 lata temu
Context: https://youtu.be/JcJSW7Rprio
WirelessGigabit·3 lata temu
> TL;DR. It works, more or less, so long as your resolver properly upgrades to DNS-over-TCP when it gets a truncated UDP response.

Coincidence that MUSL just added support to DNS-over-TCP fallback? https://news.ycombinator.com/item?id=36933028
tonyg·3 lata temu
Heh, actually yes; the universe trying to tell me something, maybe?
[deleted]·3 lata temu