Simon Willison’s Weblog

Ask HN: What happens to “.io” TLD after UK gives back the Chagos Islands? This morning on the BBC: UK will give sovereignty of Chagos Islands to Mauritius. The Chagos Islands include the area that the UK calls the British Indian Ocean Territory. The .io ccTLD uses the ISO-3166 two-letter country code for that designation.

As the owner of datasette.io the question of what happens to that ccTLD is suddenly very relevant to me.

This Hacker News conversation has some useful information. It sounds like there's a very real possibility that .io could be deleted after a few years notice - it's happened before, for ccTLDs such as .zr for Zaire (which renamed to Democratic Republic of the Congo in 1997, with .zr withdrawn in 2001) and .cs for Czechoslovakia, withdrawn in 1995.

Could .io change status to the same kind of TLD as .museum, unaffiliated with any particular geography? The convention is for two letter TLDs to exactly match ISO country codes, so that may not be an option.

# 3rd October 2024, 5:25 pm / dns, domains, hacker-news

Migrating Mess With DNS to use PowerDNS (via) Fascinating in-depth write-up from Julia Evans about how she upgraded her "mess with dns" playground application to use PowerDNS, an open source DNS server with a comprehensive JSON API.

If you haven't explored mess with dns it's absolutely worth checking out. No login required: when you visit the site it assigns you a random subdomain (I got garlic299.messwithdns.com just now) and then lets you start adding additional sub-subdomains with their own DNS records - A records, CNAME records and more.

The interface then shows a live (WebSocket-powered) log of incoming DNS requests and responses, providing instant feedback on how your configuration affects DNS resolution.

# 19th August 2024, 10:12 pm / dns, go, julia-evans

Where is all of the fediverse? (via) Neat piece of independent research by Ben Cox, who used the /api/v1/instance/peers Mastodon API endpoint to get a list of “peers” (instances his instance knows about), then used their DNS records to figure out which hosting provider they were running on.

Next Ben combined that with active users from the /nodeinfo/2.0 API on each instance to figure out the number of users on each of those major hosting providers.

Cloudflare and Fastly were heavily represented, but it turns out you can unveil the underlying IP for most instances by triggering an HTTP Signature exchange with them and logging the result.

Ben’s conclusion: Hertzner and OVH are responsible for hosting a sizable portion of the fediverse as it exists today.

# 12th January 2024, 6:54 pm / mastodon, dns, fediverse, hosting

Implement DNS in a weekend (via) Fantastically clear and useful guide to implementing DNS lookups, from scratch, using Python’s struct, socket and dataclass modules—Julia Evans plans to follow this up with one for TLS which I am very much looking forward to.

# 12th May 2023, 6:14 pm / dns, julia-evans, python

Google Public DNS Flush Cache (via) Google Public DNS (8.8.8.8) have a flush cache page too.

# 6th December 2021, 11:17 pm / dns, google

1.1.1.1/purge-cache (via) Cloudflare’s 1.1.1.1 DNS service has a tool that anyone can use to flush a specific DNS entry from their cache—could be useful for assisting rollouts of new DNS configurations.

# 6th December 2021, 11:15 pm / dns, cloudflare

MDN: Subdomain takeovers (via) MDN have a page about subdomain takeover attacks that focuses more on CNAME records: if you have a CNAME pointing to a common delegated hosting provider but haven’t yet provisioned your virtual host there, someone else might beat you to it and use it for an XSS attack.

“Preventing subdomain takeovers is a matter of order of operations in lifecycle management for virtual hosts and DNS.”

I now understand why Google Cloud make your “prove” your ownership of a domain before they’ll let you configure it to host e.g. a Cloud Run instance.

# 22nd August 2021, 5:31 am / dns, security

I stumbled across a nasty XSS hole involving DNS A records. Found out today that an old subdomain that I had assigned an IP address to via a DNS A record was serving unexpected content—turned out I’d shut down the associated VPS and the IP had been recycled to someone else, so their content was now appearing under my domain. It strikes me that if you got really unlucky this could turn into an XSS hole—and that new server could even use Let’s Encrypt to obtain an HTTPS certificate for your subdomain.

I’ve added “audit your A records” to my personal security checklist.

# 22nd August 2021, 5:27 am / xss, dns, security

nip.io. "NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1" - looks useful. xip.io is a different service that does the same thing. Being able to put anything at the start looks handy for testing systems that handle different subdomains.

# 12th December 2018, 6:18 pm / dns

The death of a TLD. Sony have terminated their .xperia TLD. Ben Cox used Certificate Transparency logs to evaluate the 11 total TLDs that have been abandoned since the gTLD gold rush started—since HTTPS is becoming the default now these logs of issued certificates are a great indicator of which domains (or TLDs) are being actively used. The only deleted TLD with legitimate looking certificates (apparently for a mail server) was .mcdonalds

# 28th July 2018, 8:07 pm / tls, certificates, dns

Use a .dev domain? Not anymore. Google bought the .dev gTLD a few years ago for their own internal usage and in a few weeks time Chrome will start shipping a HSTS preload list rule that says that .dev must be served over HTTPS. This means that if you’re using a .dev domain in your /etc/hosts file you’ll need to switch to .test or .localhost (or set up a self-signed certificate) or your development environment will refuse to load.

# 6th December 2017, 6:42 pm / dns

DNS Prefetching Implications. deviantart use a subdomain per user, which meant the DNS prefetching feature in Firefox and Chrome was costing them an extra 10 billion DNS queries per month. Disabling it with a meta tag saves them $1600/month in DNS service charges.

# 9th March 2011, 10:54 pm / dns, recovered

jsondns. A JSONP API for making DNS queries, with a nice URL structure.

# 30th December 2009, 5:37 pm / json, dns, jsonp, api

node.js. “Evented I/O for V8 JavaScript”—a JavaScript environment built on top of the super-fast V8 engine which provides event-based IO functionality for building highly concurrent TCP and HTTP servers. The API design is superb—everything is achieved using JavaScript events and callbacks (even regular file IO) and the small standard library ships with comprehensive support for HTTP and DNS. Overall it’s very similar to Twisted and friends, but JavaScript’s anonymous function syntax feels more natural than the Python equivalent. It compiles cleanly on Snow Leopard. Definitely a project to watch.

# 9th November 2009, 11:25 pm / node, javascript, io, v8, eventbasedio, twisted, http, dns

Imminent Death of the Net Predicted. Well, maybe not, but the way Windows Vista deals with round-robin DNS A records (using a new IPv6 algorithm from RFC3484 backported to IPv4) means that domains that serve up multiple A records to load balance between data centres will find that the IP nearest to the 192.168.* range will get the vast majority of Vista traffic.

# 5th March 2009, 9:50 am / vista, dns, windows, microsoft, networking

Wikipedia over DNS. Added to my ~/bin/ directory as dns-wikipedia.sh: host -t txt $1.wp.dg.cx

# 2nd January 2009, 11:29 am / wikipedia, dns

Secret Geek A-Team Hacks Back, Defends Worldwide Web. Wired’s take on the story of Dan Kaminsky’s breaking-the-internet DNS vulnerability. Horrible headline.

# 3rd December 2008, 11:10 am / wired, dan-kaminsky, security, dns

Censoring the Internet at Paraguay. The state owned telecommunication company DNS hijacked the opposition party’s domain to point at a porn site during the election back in April. Maybe we don’t want a django.py vanity domain after all...

# 13th June 2008, 3:24 pm / paraguay, django, python, censorship, dns

ISPs’ Error Page Ads Let Hackers Hijack Entire Web (via) Earthlink in the US served “helpful” links and ads on subdomains that failed to resolve, but the ad serving pages had XSS holes which could be used to launch phishing attacks the principle domain (and I imagine could be used to steal cookies, although the story doesn’t mention that). Seems like a good reason to start using wildcard DNS to protect your subdomains from ISP inteference.

# 21st April 2008, 6:51 am / isp, subdomains, dns, security, earthlink, xss, wildcarddns

UK domain registrar 123-Reg crashes and burns, taking its customers with it. I was hit by this yesterday: can anyone recommend an alternative DNS host with a really easy to use interface (I’ve made mistakes modifying DNS in the past) and rock-solid reliability?

# 18th November 2007, 11:24 am / dns, 123reg, domains

Email addresses your OpenID via DNS. Sam Ruby has warmed to the idea of making e-mail addresses usable as OpenIDs via a DNS SRV record.

# 30th September 2007, 9:36 pm / dns, srv, sam-ruby, openid, email

dnspython. Python DNS toolkit—seems like the kind of thing that should be in the standard library.

# 1st July 2007, 11:55 am / python, dns

What I did at Hack Day. John McKerrell made a tool for updating your FireEagle location through a DNS query, useful for sneaking around for-pay WiFi nodes.

# 19th June 2007, 10:32 am / wifi, dns, john-mckerrell, fireeagle, hackdaylondon

IE and 2-letter domain-names (via) IE won’t let you set a cookie on XX.YY, where YY is anything other than .pl or .gr. Other browsers have better exception lists.

# 15th February 2007, 12:33 am / dns, ie, cookies, mark-pilgrim

MySpace Allegedly Kills Computer Security Website. No need for the allegedly; it’s been confirmed. MySpace got GoDaddy.com to redirect DNS for seclists.org after a list of phished user accounts posted to the full disclosure mailing list list was archived there.

# 26th January 2007, 9:57 am / myspace, dns, godaddy, security, phishing