!!Con West 2020 - Breanne Boland: You can put WHAT in DNS TXT records?!?!
Mar 20, 2020 18:51 · 1581 words · 8 minute read
Happy leap day. We are living on bonus time. So I wanted to talk about a little bonus space within DNS. And let’s start by talking about what DNS is. It is the domain name system. People like to use the phone book metaphor to explain DNS. It makes sense because it’s immediately understandable by a lot of people, though I suspect less and less as time goes on. (laughter) The full picture of it, if you’re really going with the metaphor, though, is more complicated. Like Mario 3 Level 8 complicated. (Mario noises) Got it. So let’s go back over that.
01:06 - You start by typing a URL in your browser and hitting enter. You move further onto the map with the recursive resolver. Often it’s provided by your ISP, but you might opt to use something else, like Google’s quad 8. Your nearby resolver will also have some DNS information cached. If it doesn’t find your record there, it’ll start a greater journey onto the map. First it’ll move to the root server and figure out what top-level domain server to send the query through. At this point it’s more of a short list that says root at the top than a full-on thick phone book. Then you go to the TLD server, which looks at your .horse domain, and it finds the nameserver that’s holding the specific record that you’re seeking. So next is the nameserver, which tells you which IP you can find your extremely important domain at.
01:52 - Then your well-traveled query returns to you, asserting that endless.horse is at 104.236.181.76. At last your princess is not in another castle. Big dynamic DNS as we know it replaced the old convention of static hosts.txt files, which were closer to the literal definition of a phone book. They were maintained by the Stanford Research Institute for the ARPANET membership. These static files were periodically updated and sent out weekly-ish, and were retrieved or replaced as needed. DNS was described in 1983 and started to be implemented in 1984, which exchanged this file that explained the small proto-internet for lots and lots of individual queries. So the internet could scale more gracefully and people wouldn’t be stymied by stale hosts.txt files. Hosts.txt gave way to /etc/hosts, which is on your computer by default, and includes things like your preferred IP for localhost, but you can edit them to override – via DNS too. It’s handy for local networks, but maybe if you’re distractible, and you want to redirect Twitter.com to something more related to your job.
03:06 - Let’s have a moment of obligatory Zen, because we’re talking about DNS. The great and terrible thing about DNS is that so many things rely on it. If DNS is having a bad day, a much-used recursive server is down, for instance, it can ruin a lot of things. That means it can also be used to do all kinds of interesting stuff. For instance, there’s one kind of server attack that involves many, many sources, making DNS queries and spoofing the source IP so all those queries go back to one source and can possibly take it out.
03:39 - Just because you wanted to get the IP for a URL. There are ten DNS record types. The one you see if you use dig in your terminal with no flags is A record, which returns the IPv4 address for a URL, but we’re here to talk about only one. TXT records! They can have basically anything in them. They’re constrained by length and you’re restricted to the original set of ASCII characters, that’s the original 128. Emoji, alas, are right out. Beyond that, I quote from RFC1035: the semantics of the text depends on the domain where it is found. (laughter) I know that feel.
04:21 - These are the grab bag of DNS, and that’s why I love them. RFC1464 presents the idea of a key value format, which is pretty often what you’re gonna find when you look these up. But they’re not required, like so many internet standards – it’s just an optional format that’s become normal. But you can do what you want with them. Some common ones you’re likely to see if you dig at domains’ TXT records include domain ownership verification for different services, marketing, web hosting things. It’s also where you’re going to see DKIM and DMARC and SPF for encrypted emails and spam handling. Stuff like that.
04:57 - The most creative, still generally on-brand use I saw – I read about a university that put lat and lon in the text records for their server so they could more quickly figure out where the server lived on their campus. There’s also this one. Let’s see how fuzzy this is. A bit small. All right. So it’s a dig text for dns.google. You have an SPF record. But there’s also an XKCD URL. Because someone at Google got cute. So maybe you’re with me. And you’re already envisioning some of the weird stuff you can get up to with this. I’m gonna tell you about a few more. The classic one – DNS tunneling. It’s a bit more than 20 years old, so far as we can officially tell, presented at Black Hat in 2004 by Dan Kaminsky, which if you like DNS shenanigans, he’s an excellent Google. There are a few ways to do this, but the central part is always about smuggling things that are not supposed to be there in a DNS packet. They’re not monitored in the same way as regular HTTP traffic and that permissiveness of their movement makes it a great vector for exfiltrating data or getting malware into places that otherwise it would be hard to get to.
06:18 - With this method, data is sometimes smuggled via nonexistent subdomains in the URLs the packet seems to be querying for, long random string.evil.com, but if your packet is designed to return a nice chunk of text records, you can really stuff some information or code in there. DNS queries: they smuggle stuff and evade firewalls! Awesome. Then there is sidestepping internet censorship. The most common way of doing this involves sidestepping – usually government DNS poisoning by setting your resolver to quad 8.
06:56 - This is getting less useful as more sophisticated technology is put to monitoring and controlling the tech we all rely on. However, there is another way. Like David Ledbetter’s 2008 project, which put truncated Wikipedia articles in projects. Like this one. So sadly, they’re not up anymore. But there’s no reason that we can’t exploit what David referred to as basically a huge associative array for great good. Right? Then there’s this one. DNSFS. So a British programmer found DNS resolvers that were open to the public internet, and used text records to cache a blog post on servers all around the world. He used 250 character base64 strings that came out to 187 bytes each to accomplish this and worked out that the caches would be valid for at least a day. This is probably my favorite.
07:54 - I linked to the post in the blog post about this. He has an animation of a proof of concept and I actually yelled in my apartment when I saw it. It is glorious. So naturally, I wanted to play. I found some interesting things when I was experimenting for this presentation, and there’s stuff I still want to dig into. Different providers handle uncommon numbers of DNS TXT records differently. I found this just working with DreamHost and AWS.
08:22 - DreamHost has a clunky UI for it that I haven’t gotten to yet. They also have an API that I didn’t get to use yet. They’re content to make tons of text records. I topped out at 50. AWS will let you make a single one per domain or subdomain, but still has some of those limits, the 255 characters, the length, that kind of thing. Adding a ton of these records does seem to cause some delays on DNS propagation.
08:49 - When I was experimenting with it, I was finding stale things fully an hour later after clearing cache and resetting things. Yeah. I had the unique pleasure of constipating the internet. (laughter) Although honestly, vanilla DNS is enough to be responsible for all of that, minus adding 50 records to a single domain. So I toyed with lots of ideas, but I made what I hope is an unsticking tool for when you’re trying to think through something. So it’s connected to maybethiscould.work. There are subdomains from 0 to 50, and each one includes little messages that I’m hoping will get you to rethink things if you’re trying to finish a project or thought or a writing thing, just to help you change your perspective or alter your reality a little bit so that maybe you can keep moving forward.
09:33 - I wanted it to be 0 to 49, but DreamHost for reasons that I do not know yet does not let you do a subdomain that’s just a zero. It just blanks it out. It allowed double zero, though! So… Hm. You can go and start doing some digging, and find all of them, or they’re all in a gist, that’s linked in my blog post for this. Thank you very much!
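The TXT plumbing the talk walks through (the 255-character strings, the ASCII-only constraint, the RFC 1464 key=value convention that most records follow without being required to, and the base64-chunking trick behind DNSFS) in one added Python example that is not part of the talk or its slides. The dig-style answer lines are constructed sample data, not real records, and the RFC 1464 parser implements only that RFC's backquote escape in the attribute name, which is an assumption about how much of the RFC matters for reading records by hand:

```python
r"""Added example, not from the talk: parse dig's TXT output, decode the
RFC 1464 key=value convention, and chunk a blob into TXT-sized strings.

Assumptions: SAMPLE_DIG_OUTPUT is constructed; parse_rfc1464 handles only
the backquote escape from RFC 1464; is_valid_txt_string checks the two
limits the talk states (255 per string, 7-bit ASCII)."""
import base64
import re
from typing import List, Optional, Tuple

# RFC 1035: TXT RDATA is one or more <character-string>s of at most 255 octets.
MAX_STRING_LEN = 255

# Constructed sample of what `dig TXT` prints in its ANSWER section.
SAMPLE_DIG_OUTPUT = """\
example.test.   300 IN TXT "v=spf1 include:_spf.mail.test ~all"
example.test.   300 IN TXT "lat=37.4221" "lon=-122.0841"
example.test.   300 IN TXT "note=say \\"hi\\" in room 42"
"""

# One double-quoted <character-string> in presentation format, escapes included.
_QUOTED = re.compile(r'"((?:\\.|[^"\\])*)"')


def unescape_txt_string(s: str) -> str:
    r"""Undo the presentation escapes dig prints: \" -> ", \\ -> \, \DDD -> chr(DDD)."""
    out: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            digits = s[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():
                out.append(chr(int(digits)))
                i += 4
                continue
            out.append(s[i + 1])
            i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def parse_dig_txt_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (owner, [character-strings]) for one full dig answer line, else None."""
    parts = line.split(None, 4)
    if len(parts) < 5 or parts[3] != "TXT":
        return None
    return parts[0], [unescape_txt_string(m) for m in _QUOTED.findall(parts[4])]


def parse_dig_output(text: str) -> List[Tuple[str, List[str]]]:
    """Parse every TXT answer line in a block of dig output, skipping the rest."""
    records = []
    for line in text.splitlines():
        parsed = parse_dig_txt_line(line)
        if parsed:
            records.append(parsed)
    return records


def parse_rfc1464(text: str) -> Optional[Tuple[str, str]]:
    """Split 'attribute=value' per RFC 1464: a backquote escapes the next character
    in the name, and whitespace around the name is insignificant. None if no '='."""
    name: List[str] = []
    i = 0
    while i < len(text):
        c = text[i]
        if c == "`" and i + 1 < len(text):
            name.append(text[i + 1])
            i += 2
        elif c == "=":
            return "".join(name).strip(), text[i + 1:]
        else:
            name.append(c)
            i += 1
    return None


def classify_txt(strings: List[str]) -> str:
    """Label a TXT RDATA the way you would when eyeballing dig output."""
    joined = "".join(strings)
    for prefix, label in (("v=spf1", "SPF"), ("v=DMARC1", "DMARC"), ("v=DKIM1", "DKIM")):
        if joined.startswith(prefix):
            return label
    return "rfc1464" if parse_rfc1464(joined) else "freeform"


def is_valid_txt_string(s: str) -> bool:
    """The two limits the talk mentions: 255 per string, original 128 ASCII only."""
    return len(s) <= MAX_STRING_LEN and all(ord(ch) < 128 for ch in s)


def chunk_for_txt(payload: bytes) -> List[str]:
    """Base64-encode bytes and cut them into TXT-sized strings, DNSFS style."""
    b64 = base64.b64encode(payload).decode("ascii")
    return [b64[i:i + MAX_STRING_LEN] for i in range(0, len(b64), MAX_STRING_LEN)]


def reassemble(strings: List[str]) -> bytes:
    """Inverse of chunk_for_txt: join the strings in order and decode."""
    return base64.b64decode("".join(strings))


if __name__ == "__main__":
    for owner, strings in parse_dig_output(SAMPLE_DIG_OUTPUT):
        print(owner, classify_txt(strings), strings)
    chunks = chunk_for_txt(b"x" * 300)
    print(len(chunks), "strings; round-trips:", reassemble(chunks) == b"x" * 300)
```

Run it as-is to see the constructed sample classified and a 300-byte blob split into two strings and reassembled. To point it at a real domain, paste the ANSWER section of `dig TXT <name>` (not `+short`, which drops the owner and TTL columns the line parser expects) into SAMPLE_DIG_OUTPUT.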