jm + dns   35

Spotify’s Love/Hate Relationship with DNS
omg somebody at Spotify really really loves DNS. They even store a DHT hash ring in it. whyyyyyyyyyyy
spotify  networking  architecture  dht  insane  scary  dns  unbound  ops 
16 days ago by jm
How and why the leap second affected Cloudflare DNS
The root cause of the bug that affected our DNS service was the belief that time cannot go backwards. In our case, some code assumed that the difference between two times would always be, at worst, zero. RRDNS is written in Go and uses Go’s time.Now() function to get the time. Unfortunately, this function does not guarantee monotonicity. Go currently doesn’t offer a monotonic time source.


So the clock went "backwards", s1 - s2 returned < 0, and the code couldn't handle it (because it's a little known and infrequent failure case).

Part of the root cause here is cultural -- Google has solved the leap-second problem internally through leap smearing, and Go seems to be fundamentally a Google product at heart.

The easiest fix in general in the "outside world" is to use "ntpd -x" to do a form of smearing. It looks like AWS are leap smearing internally (https://aws.amazon.com/blogs/aws/look-before-you-leap-the-coming-leap-second-and-aws/), but it is a shame they aren't making this a standard part of services running on top of AWS and a feature of the AWS NTP fleet.
ntp  time  leap-seconds  fail  cloudflare  rrdns  go  golang  dns  leap-smearing  ntpd  aws 
january 2017 by jm
Service discovery at Stripe
Writeup of their Consul-based service discovery system, a bit similar to smartstack. Good description of the production problems that they saw with Consul too, and also they figured out that strong consistency isn't actually what you want in a service discovery system ;)

HN comments are good too: https://news.ycombinator.com/item?id=12840803
consul  api  microservices  service-discovery  dns  load-balancing  l7  tcp  distcomp  smartstack  stripe  cap-theorem  scalability 
november 2016 by jm
World’s first vanity gTLD goes live
".richardli". TLDs are now officially beyond a joke
tld  absurd  fail  gtlds  domains  dns  vanity  richard-li 
may 2016 by jm
How IFTTT develop with Docker
ugh, quite a bit of complexity here
docker  osx  dev  ops  building  coding  ifttt  dns  dnsmasq 
october 2015 by jm
Netty's async DNS resolver
'Can do ~1M queries to ~3K public DNS servers within ~3 minutes with just a few threads.'

via Trustin Lee. Netty is the business
netty  dns  async  crawlers  resolver  benchmarks  scanning 
june 2015 by jm
HTTP/2 is here, let's optimize! - Velocity SC 2015 - Google Slides
Changes which server-side developers will need to start considering as HTTP/2 rolls out. Remove domain sharding; stop concatenating resources; stop inlining resources; use server push.
http2  http  protocols  streaming  internet  web  dns  performance 
june 2015 by jm
Why We Will Not Be Registering easyDNS.SUCKS - blog.easydns.org
If you're not immersed in the naming business you may find the jargon in it hard to understand. The basic upshot is this: the IPC believes that the mechanisms that were enacted to protect trademark holders during the deluge of new TLD rollouts are being gamed by the .SUCKS TLD operator to extort inflated fees from trademark holders.


(via Nelson)
shakedown  business  internet  domains  dns  easydns  dot-sucks  scams  tlds  trademarks  ip 
april 2015 by jm
OS X doesn't support 'ndots' DNS resolution
"ping foo.bar" will not append the "search" domains configured in /etc/resolv.conf. Apparently this has been broken since OS X Lion, no sign of a fix. Nice work Apple
apple  fail  bugs  resolv  dns  domains  osx 
november 2014 by jm
Zonify
'a set of command line tools for managing Route53 DNS for an AWS infrastructure. It intelligently uses tags and other metadata to automatically create the associated DNS records.'
zonify  aws  dns  ec2  route53  ops 
october 2014 by jm
Consul
Nice-looking new tool from Hashicorp; service discovery and configuration service, built on Raft for leader election, Serf for gossip-based messaging, and Go. Some features:

* Gossip is performed over both TCP and UDP;

* gossip messages are encrypted symmetrically and therefore secure from eavesdropping, tampering, spoofing and packet corruption (like the incident which brought down S3 for days: http://status.aws.amazon.com/s3-20080720.html );

* exposes both an HTTP interface and (even better) DNS;

* includes explicit support for long-distance WAN operation as well as on LANs.

It all looks very practical and usable. MPL-licensed.

The only potential risk I can see is that expecting to receive config updates from a blocking poll of the HTTP interface needs some good "best practice" docs, to ensure that people don't mishandle the scenario where there is a network partition between your calling code and the Consul server/agent. Without any heartbeating protocol behind the scenes, HTTP is vulnerable to "hung connections" which would result in a config change being silently missed by the client until the connection eventually is timed out, either by the calling code or the client-side kernel. This could potentially take minutes to occur, which in some usage scenarios could be a big, unforeseen problem.
configuration  service-discovery  distcomp  raft  consensus-algorithms  go  mpl  open-source  dns  http  gossip-protocol  hashicorp 
april 2014 by jm
DNS results now being manipulated in Turkey
Deep-packet inspection and rewriting on DNS packets for Google and OpenDNS servers. VPNs and DNSSEC up next!
turkey  twitter  dpi  dns  opendns  google  networking  filtering  surveillance  proxying  packets  udp 
march 2014 by jm
Chinese Internet Traffic Redirected to Small Wyoming House
'That address — which is home to some 2,000 companies on paper — was the subject of a lengthy 2011 Reuters investigation that found that among the entities registered to the address were a shell company controlled by a jailed former Ukraine prime minister; the owner of a company charged with helping online poker operators evade an Internet gambling ban; and one entity that was banned from government contracts after selling counterfeit truck parts to the Pentagon.'
china  internet  great-firewall  dns  wyoming  attacks  security  not-the-onion 
january 2014 by jm
Amazon Route 53 Infima
Colm McCarthaigh has open sourced Infima, 'a library for managing service-level fault isolation using Amazon Route 53'.
Infima provides a Lattice container framework that allows you to categorize each endpoint along one or more fault-isolation dimensions such as availability-zone, software implementation, underlying datastore or any other common point of dependency endpoints may share.

Infima also introduces a new ShuffleShard sharding type that can exponentially increase the endpoint-level isolation between customer/object access patterns or any other identifier you choose to shard on.

Both Infima Lattices and ShuffleShards can also be automatically expressed in Route 53 DNS failover configurations using AnswerSet and RubberTree.
infima  colmmacc  dns  route-53  fault-tolerance  failover  multi-az  sharding  service-discovery 
november 2013 by jm
DNS registrars that complied with "shakedown" anti-piracy requests may now be in violation of ICANN Transfers Policy
According to EasyDNS:
Any registrar that has taken one of these sites offline that now impedes the registrants of those domains from simply getting their domain names out of there and back online somewhere else will then be subject to the TDRP – Transfer Dispute Resolution Policy and if they lose (which they will) they will be subject to TDRP fees assessed by the registry operator, and to quote the TDRP itself "Transfer dispute resolution fees can be substantial".
This is why it is never a good idea to just react to pressure in the face of obnoxious bluster – in the very act of trying to diffuse any perceived culpability you end up opening yourself to real liability.
tdrp  easydns  dns  registrars  domains  piracy  law  due-process 
october 2013 by jm
Whatever Happened to "Due Process" ?
Mark Jeftovic is on fire after receiving yet another "take down this domain or else" mail from the City of London police:
We have an obligation to our customers and we are bound by our Registrar Accreditation Agreements not to make arbitrary changes to our customers settings without a valid FOA (Form of Authorization). To supersede that we need a legal basis. To get a legal basis something has to happen in court. [...]

What gets me about all of this is that the largest, most egregious perpetrators of online criminal activity right now are our own governments, spying on their own citizens, illegally wiretapping our own private communications and nobody cares, nobody will answer for it, it's just an out-of-scope conversation that is expected to blend into the overall background malaise of our ever increasing serfdom. If I can't make various governments and law enforcement agencies get warrants or court orders before they crack my private communications then I can at least require a court order before I takedown my own customer.
city-of-london  police  takedowns  politics  mark-jeftovic  easydns  registrars  dns  via:tjmcintyre 
october 2013 by jm
Setting up FamilyShield
OpenDNS's simple DNS-based blocking of dodgy content. Will need to set this up on the home router now that the kids are surfing...
opendns  dns  blocking  filtering  home  porn  familyshield 
july 2013 by jm
transparent DNS proxies
Ugh. low-end ISPs MITM'ing DNS queries:

Some ISPs are now using a technology called 'Transparent DNS proxy'. Using this technology, they will intercept all DNS lookup requests (TCP/UDP port 53) and transparently proxy the results. This effectively forces you to use their DNS service for all DNS lookups.
If you have changed your DNS settings to an open DNS service such as Google, Comodo or OpenDNS expecting that your DNS traffic is no longer being sent to your ISP's DNS server, you may be surprised to find out that they are using transparent DNS proxying.


(via Nelson)
via:nelson  dns  isps  proxying  mitm  phorm  attacks 
april 2013 by jm
Spamhaus victim of BGP route hijacking
Pretty major hi-jinks. Neil Schwartzman says it didn't go on for long, but still, this is crazy antics.

As can be seen from the BGP output, we were using a /32 route going over AS 34109. This was highly suspicious for two reasons. First, a /32 route refers only to a single IP address. Except in special cases, routes are normally /24 (256 hosts) or larger. Second, the AS 34109 belongs to CB3ROB which is an Internet provider that has actually been in conflict with Spamhaus (see: spamhaus; allspammedup; theregister). Certainly they weren’t running a legitimate Spamhaus server. It seems clear that the CB3ROB network hijacked one (or more) of the IP addresses of Spamhaus, and installed a DNS server there which incorrectly returns positive results to every query. The result causes harm to Spamhaus users and their customers, making Spamhaus unusable for anyone unable to correct the problem as we did, and perhaps even undermining the credibility of Spamhaus itself.
spamhaus  security  bgp  peering  internet  routing  hacking  dns  dnsbls  cb3rob  as-34109 
march 2013 by jm
Confusion reigns over three “hijacked” ccTLDs
This kind of silliness is only likely to increase as the number of TLDs increases (and they become more trivial).
What seems to be happening here is that [two companies involved] have had some kind of dispute, and that as a result the registrants and the reputation of three countries’ ccTLDs have been harmed. Very amateurish.
tlds  domains  via:fanf  amateur-hour  dns  cctlds  registrars  adamsnames 
march 2013 by jm
Denominator: A Multi-Vendor Interface for DNS
the latest good stuff from Netflix.

Denominator is a portable Java library for manipulating DNS clouds. Denominator has pluggable back-ends, initially including AWS Route53, Neustar Ultra, DynECT, and a mock for testing. We also ship a command line version so it's easy for anyone to try it out.
The reason we built Denominator is that we are working on multi-region failover and traffic sharing patterns to provide higher availability for the streaming service during regional outages caused by our own bugs and AWS issues. To do this we need to directly control the DNS configuration that routes users to each region and each zone. When we looked at the features and vendors in this space we found that we were already using AWS Route53, which has a nice API but is missing some advanced features; Neustar UltraDNS, which has a SOAP based API; and DynECT, which has a REST API that uses a quite different pseudo-transactional model. We couldn’t find a Java based API that grouped together a common set of capabilities that we are interested in, so we created one. The idea is that any feature that is supported by more than one vendor API is the highest common denominator, and that functionality can be switched between vendors as needed, or in the event of a DNS vendor outage.
dns  netflix  java  tools  ops  route53  aws  ultradns  dynect 
march 2013 by jm
UnoDNS
'Watch Netflix USA, Hulu, Pandora, BBC iPlayer, and more in [sic] anywhere you live!' -- seems to use similar techniques to tunlr.net, looks like it works for my Netflix
netflix  dns  tv  tunnelling  drm  networking  spotify  hulu 
february 2013 by jm
DuckDuckGo Architecture - 1 Million Deep Searches a Day and Growing
thumbs-up for DNSMadeEasy's Global Traffic Director anycast-based geographically-segmented DNS service, in particular
dns  architecture  scalability  search  duckduckgo  geoip  anycast 
january 2013 by jm
Tunlr
'uses DNS witchcraft to allow you to access US/UK-only audio and video services like Hulu.com, BBC iPlayer, etc. without using a VPN or Web proxy.' According to http://superuser.com/questions/461316/how-does-tunlr-work , it proxies the initial connection setup and geo-auth, then mangles the stream address to stream directly, not via proxy. Sounds pretty useful
proxy  network  vpn  dns  tunnel  content  video  audio  iplayer  bbc  hulu  streaming  geo-restriction 
january 2013 by jm
Verisign seizes .com domain registered via foreign Registrar on behalf of US Authorities.
'at the end of the day what has happened is that US law (in fact, Maryland state law) has been imposed on a .com domain [specifically gambling site bodog.com] operating outside the USA, which is the subtext we were very worried about when we commented on SOPA. Even though SOPA is currently in limbo, the reality that US law can now be asserted over all domains registered under .com, .net, .org, .biz and maybe .info (Afilias is headquartered in Ireland but operates out of the US). This is no longer a doom-and-gloom theory by some guy in a tin foil hat. It just happened.'
via:joshea  internet  legal  policy  public  sopa  domains  dns  verisign  seizure 
february 2012 by jm
Gunnar Kreitz, _Spotify - Behind The Scenes_
the innards of Spotify's client, server fleet, and P2P layer, from the dev team themselves. good stuff
spotify  streaming  servers  networking  music  mp3  dns  p2p 
may 2011 by jm
U.S. Government Shuts Down 84,000 Websites, ‘By Mistake’ | TorrentFreak
DHS/ICE domain seizures suffer a serious false positive problem, resulting in the seizure and shutting down of 84,000 subdomains of a free DNS provider, replacing them with a banner accusing the site of trafficking in child porn. whoops!
dhs  ice  censorship  internet  domains  dns  seizure  false-positives  child-porn  from delicious
february 2011 by jm
The Background Dope on DHS Recent Seizure of Domains
according to this, the US Dept of Homeland Security is "seizing" domains through a back-channel to Verisign, since they directly control the .com TLD's nameservers. Expect to see dodgy sites start using non-US TLDs, names in multiple TLDs a la Pirate Bay, and eventually IPs instead of DNS records
tlds  dns  security  dhs  seizure  domains  cctlds  filesharing  icann  immixgroup  from delicious
december 2010 by jm
Changes at dnswl.org
DNSWL will charge for subscriptions to "heavy" users and anti-spam vendors
dnswl  dns  whitelists  dnsbls  filtering  anti-spam  from delicious
october 2010 by jm
DNS Pre-fetch Exposure on Thunderbird and Webmail
Ugh, very bad idea indeed. A backchannel for spammers/phishers/attackers from the mail reader is something we definitely do not want to provide. This is why we chose to cut URLs at the registrar boundary for URIBL lookups in SpamAssassin
privacy  email  dns  mozilla  thunderbird  prefetching  urls  abuse  security  spam  from delicious
january 2010 by jm
