Simon Willison's Weblog: dns

DNS Lookup

2026-03-22T19:16:30+00:00

TIL that Cloudflare's 1.1.1.1 DNS service (and 1.1.1.2 and 1.1.1.3, which block malware and malware + adult content respectively) has a CORS-enabled JSON API, so I had Claude Code build me a UI for running DNS queries against all three of those resolvers.

Tags: dns, cors, cloudflare

SSH has no Host header

2026-01-22T23:57:50+00:00

SSH has no Host header

exe.dev is a new hosting service that, for $20/month, gives you up to 25 VMs "that share 2 CPUs and 8GB RAM". Everything happens over SSH, including creating new VMs. Once configured you can sign into your exe.dev VMs like this:

ssh simon.exe.dev

Here's the clever bit: when you run the above command exe.dev signs you into your VM of that name... but they don't assign every VM its own IP address and SSH has no equivalent of the Host header, so how does their load balancer know which of your VMs to forward you on to?

The answer is that while they don't assign a unique IP to every VM they do have enough IPs that they can ensure each of your VMs has an IP that is unique to your account.

If I create two VMs they will each resolve to a separate IP address, each of which is shared with many other users. The underlying infrastructure then identifies my user account from my SSH public key and can determine which underlying VM to forward my SSH traffic to.

Via lobste.rs

Tags: dns, hosting, ssh

Quoting AWS

2025-10-23T04:49:59+00:00

For resiliency, the DNS Enactor operates redundantly and fully independently in three different Availability Zones (AZs). [...] When the second Enactor (applying the newest plan) completed its endpoint updates, it then invoked the plan clean-up process, which identifies plans that are significantly older than the one it just applied and deletes them. At the same time that this clean-up process was invoked, the first Enactor (which had been unusually delayed) applied its much older plan to the regional DDB endpoint, overwriting the newer plan. [...] The second Enactor's clean-up process then deleted this older plan because it was many generations older than the plan it had just applied. As this plan was deleted, all IP addresses for the regional endpoint were immediately removed.

— AWS, Amazon DynamoDB Service Disruption in Northern Virginia (US-EAST-1) Region (14.5 hours long!)

Tags: aws, dns, scaling, postmortem

Cloudflare Radar: AI Insights

2025-09-01T17:06:56+00:00

Cloudflare Radar: AI Insights

Cloudflare launched this dashboard back in February, incorporating traffic analysis from Cloudflare's network along with insights from their popular 1.1.1.1 DNS service.

I found this chart particularly interesting, showing which documented AI crawlers are most active collecting training data - lead by GPTBot, ClaudeBot and Meta-ExternalAgent:

Cloudflare's DNS data also hints at the popularity of different services. ChatGPT holds the first place, which is unsurprising - but second place is a hotly contested race between Claude and Perplexity and #4/#5/#6 is contested by GitHub Copilot, Perplexity, and Codeium/Windsurf.

Google Gemini comes in 7th, though since this is DNS based I imagine this is undercounting instances of Gemini on google.com as opposed to gemini.google.com.

Via Hacker News

Tags: crawling, dns, ai, cloudflare, generative-ai, llms

A Sneaky Phish Just Grabbed my Mailchimp Mailing List

2025-04-04T15:05:39+00:00

A Sneaky Phish Just Grabbed my Mailchimp Mailing List

In further evidence that phishing attacks can catch out the most sophisticated among us, security researcher (and operator of ';--have i been pwned?) Troy Hunt reports on how he fell for an extremely well crafted phishing attack against his MailChimp account which then exported his full list of subscribers, including people who had unsubscribed (data which MailChimp stores and continues to make available).

This could happen to any of us:

I've received a gazillion similar phishes before that I've identified early, so what was different about this one? Tiredness, was a major factor. I wasn't alert enough, and I didn't properly think through what I was doing.

Troy's account was protected by authenticator app 2FA, but the phishing site (on the realistic sounding mailchimp-sso.com domain) asked for that code too and instantly proxied it through to MailChimp - somewhat ironic as Troy had been promoting phishing-resistant passkeys on his trip to London, a technology that MailChimp doesn't offer yet.

There are a bunch of interesting details here. I appreciated this point about how short-lived authentication sessions can reduce account security by conditioning users to expect constant login requests:

I also realised another factor that pre-conditioned me to enter credentials into what I thought was Mailchimp is their very short-lived authentication sessions. Every time I go back to the site, I need to re-authenticate and whilst the blame still clearly lies with me, I'm used to logging back in on every visit. Keeping a trusted device auth'd for a longer period would likely have raised a flag on my return to the site if I wasn't still logged in.

It looks like MailChimp preserve the email addresses of unsubscribed users to prevent them from being re-subscribed by future list imports. Troy discusses this issue at length in further updates to the post.

Also interesting: this article by DNS forensics company Validin which tracks down the responsible group using DNS records and other hints such as title tags and favicon hashes.

Via Bruce Schneier

Tags: dns, phishing, security, passkeys, troy-hunt

OpenAI's postmortem for API, ChatGPT & Sora Facing Issues

2024-12-13T05:29:10+00:00

OpenAI's postmortem for API, ChatGPT & Sora Facing Issues

OpenAI had an outage across basically everything for four hours on Wednesday. They've now published a detailed postmortem which includes some fascinating technical details about their "hundreds of Kubernetes clusters globally".

The culprit was a newly deployed telemetry system:

Telemetry services have a very wide footprint, so this new service’s configuration unintentionally caused every node in each cluster to execute resource-intensive Kubernetes API operations whose cost scaled with the size of the cluster. With thousands of nodes performing these operations simultaneously, the Kubernetes API servers became overwhelmed, taking down the Kubernetes control plane in most of our large clusters. [...]

The Kubernetes data plane can operate largely independently of the control plane, but DNS relies on the control plane – services don’t know how to contact one another without the Kubernetes control plane. [...]

DNS caching mitigated the impact temporarily by providing stale but functional DNS records. However, as cached records expired over the following 20 minutes, services began failing due to their reliance on real-time DNS resolution.

It's always DNS.

Via @therealadamg

Tags: dns, devops, kubernetes, postmortem, openai, chatgpt

Ask HN: What happens to ".io" TLD after UK gives back the Chagos Islands?

2024-10-03T17:25:21+00:00

Ask HN: What happens to ".io" TLD after UK gives back the Chagos Islands?

This morning on the BBC: UK will give sovereignty of Chagos Islands to Mauritius. The Chagos Islands include the area that the UK calls the British Indian Ocean Territory. The .io ccTLD uses the ISO-3166 two-letter country code for that designation.

As the owner of datasette.io the question of what happens to that ccTLD is suddenly very relevant to me.

This Hacker News conversation has some useful information. It sounds like there's a very real possibility that .io could be deleted after a few years notice - it's happened before, for ccTLDs such as .zr for Zaire (which renamed to Democratic Republic of the Congo in 1997, with .zr withdrawn in 2001) and .cs for Czechoslovakia, withdrawn in 1995.

Could .io change status to the same kind of TLD as .museum, unaffiliated with any particular geography? The convention is for two letter TLDs to exactly match ISO country codes, so that may not be an option.

Tags: dns, domains, hacker-news

Migrating Mess With DNS to use PowerDNS

2024-08-19T22:12:07+00:00

Migrating Mess With DNS to use PowerDNS

Fascinating in-depth write-up from Julia Evans about how she upgraded her "mess with dns" playground application to use PowerDNS, an open source DNS server with a comprehensive JSON API.

If you haven't explored mess with dns it's absolutely worth checking out. No login required: when you visit the site it assigns you a random subdomain (I got garlic299.messwithdns.com just now) and then lets you start adding additional sub-subdomains with their own DNS records - A records, CNAME records and more.

The interface then shows a live (WebSocket-powered) log of incoming DNS requests and responses, providing instant feedback on how your configuration affects DNS resolution.

Via Hacker News

Tags: dns, go, julia-evans

Where is all of the fediverse?

2024-01-12T18:54:15+00:00

Where is all of the fediverse?

Neat piece of independent research by Ben Cox, who used the /api/v1/instance/peers Mastodon API endpoint to get a list of “peers” (instances his instance knows about), then used their DNS records to figure out which hosting provider they were running on.

Next Ben combined that with active users from the /nodeinfo/2.0 API on each instance to figure out the number of users on each of those major hosting providers.

Cloudflare and Fastly were heavily represented, but it turns out you can unveil the underlying IP for most instances by triggering an HTTP Signature exchange with them and logging the result.

Ben’s conclusion: Hertzner and OVH are responsible for hosting a sizable portion of the fediverse as it exists today.

Via lobste.rs

Tags: dns, hosting, mastodon, fediverse

Implement DNS in a weekend

2023-05-12T18:14:31+00:00

Implement DNS in a weekend

Fantastically clear and useful guide to implementing DNS lookups, from scratch, using Python’s struct, socket and dataclass modules—Julia Evans plans to follow this up with one for TLS which I am very much looking forward to.

Via Julia Evans

Tags: dns, python, julia-evans

Google Public DNS Flush Cache

2021-12-06T23:17:08+00:00

Google Public DNS Flush Cache

Google Public DNS (8.8.8.8) have a flush cache page too.

Via isclever on Hacker News

Tags: dns, google

1.1.1.1/purge-cache

2021-12-06T23:15:08+00:00

1.1.1.1/purge-cache

Cloudflare’s 1.1.1.1 DNS service has a tool that anyone can use to flush a specific DNS entry from their cache—could be useful for assisting rollouts of new DNS configurations.

Via isclever on Hacker News

Tags: dns, cloudflare

MDN: Subdomain takeovers

2021-08-22T05:31:58+00:00

MDN: Subdomain takeovers

MDN have a page about subdomain takeover attacks that focuses more on CNAME records: if you have a CNAME pointing to a common delegated hosting provider but haven’t yet provisioned your virtual host there, someone else might beat you to it and use it for an XSS attack.

“Preventing subdomain takeovers is a matter of order of operations in lifecycle management for virtual hosts and DNS.”

I now understand why Google Cloud make your “prove” your ownership of a domain before they’ll let you configure it to host e.g. a Cloud Run instance.

Via @carboia

Tags: dns, security

I stumbled across a nasty XSS hole involving DNS A records

2021-08-22T05:27:34+00:00

I stumbled across a nasty XSS hole involving DNS A records

Found out today that an old subdomain that I had assigned an IP address to via a DNS A record was serving unexpected content—turned out I’d shut down the associated VPS and the IP had been recycled to someone else, so their content was now appearing under my domain. It strikes me that if you got really unlucky this could turn into an XSS hole—and that new server could even use Let’s Encrypt to obtain an HTTPS certificate for your subdomain.

I’ve added “audit your A records” to my personal security checklist.

Tags: dns, security, xss

nip.io

2018-12-12T18:18:09+00:00

nip.io

"NIP.IO maps <anything>.<IP Address>.nip.io to the corresponding <IP Address>, even 127.0.0.1.nip.io maps to 127.0.0.1" - looks useful. xip.io is a different service that does the same thing. Being able to put anything at the start looks handy for testing systems that handle different subdomains.

Tags: dns

The death of a TLD

2018-07-28T20:07:00+00:00

The death of a TLD

Sony have terminated their .xperia TLD. Ben Cox used Certificate Transparency logs to evaluate the 11 total TLDs that have been abandoned since the gTLD gold rush started—since HTTPS is becoming the default now these logs of issued certificates are a great indicator of which domains (or TLDs) are being actively used. The only deleted TLD with legitimate looking certificates (apparently for a mail server) was .mcdonalds

Tags: certificates, dns, domains, tls

Use a .dev domain? Not anymore

2017-12-06T18:42:04+00:00

Use a .dev domain? Not anymore

Google bought the .dev gTLD a few years ago for their own internal usage and in a few weeks time Chrome will start shipping a HSTS preload list rule that says that .dev must be served over HTTPS. This means that if you’re using a .dev domain in your /etc/hosts file you’ll need to switch to .test or .localhost (or set up a self-signed certificate) or your development environment will refuse to load.

Tags: dns

DNS Prefetching Implications

2011-03-09T22:54:00+00:00

DNS Prefetching Implications

deviantart use a subdomain per user, which meant the DNS prefetching feature in Firefox and Chrome was costing them an extra 10 billion DNS queries per month. Disabling it with a meta tag saves them $1600/month in DNS service charges.

Tags: dns, recovered

jsondns

2009-12-30T17:37:16+00:00

jsondns

A JSONP API for making DNS queries, with a nice URL structure.

Tags: api, dns, json, jsonp

node.js

2009-11-09T23:25:47+00:00

node.js

“Evented I/O for V8 JavaScript”—a JavaScript environment built on top of the super-fast V8 engine which provides event-based IO functionality for building highly concurrent TCP and HTTP servers. The API design is superb—everything is achieved using JavaScript events and callbacks (even regular file IO) and the small standard library ships with comprehensive support for HTTP and DNS. Overall it’s very similar to Twisted and friends, but JavaScript’s anonymous function syntax feels more natural than the Python equivalent. It compiles cleanly on Snow Leopard. Definitely a project to watch.

Tags: dns, eventbasedio, http, io, javascript, nodejs, twisted, v8

Imminent Death of the Net Predicted

2009-03-05T09:50:12+00:00

Imminent Death of the Net Predicted

Well, maybe not, but the way Windows Vista deals with round-robin DNS A records (using a new IPv6 algorithm from RFC3484 backported to IPv4) means that domains that serve up multiple A records to load balance between data centres will find that the IP nearest to the 192.168.* range will get the vast majority of Vista traffic.

Tags: dns, microsoft, networking, vista, windows

Wikipedia over DNS

2009-01-02T11:29:22+00:00

Wikipedia over DNS

Added to my ~/bin/ directory as dns-wikipedia.sh: host -t txt $1.wp.dg.cx

Tags: dns, wikipedia

Secret Geek A-Team Hacks Back, Defends Worldwide Web

2008-12-03T11:10:22+00:00

Secret Geek A-Team Hacks Back, Defends Worldwide Web

Wired’s take on the story of Dan Kaminsky’s breaking-the-internet DNS vulnerability. Horrible headline.

Tags: dan-kaminsky, dns, security, wired

Censoring the Internet at Paraguay

2008-06-13T15:24:40+00:00

Censoring the Internet at Paraguay

The state owned telecommunication company DNS hijacked the opposition party’s domain to point at a porn site during the election back in April. Maybe we don’t want a django.py vanity domain after all...

Tags: censorship, django, dns, paraguay, python

ISPs' Error Page Ads Let Hackers Hijack Entire Web

2008-04-21T06:51:55+00:00

ISPs' Error Page Ads Let Hackers Hijack Entire Web

Earthlink in the US served “helpful” links and ads on subdomains that failed to resolve, but the ad serving pages had XSS holes which could be used to launch phishing attacks the principle domain (and I imagine could be used to steal cookies, although the story doesn’t mention that). Seems like a good reason to start using wildcard DNS to protect your subdomains from ISP inteference.

Via Rafe

Tags: dns, earthlink, isp, security, subdomains, wildcarddns, xss

UK domain registrar 123-Reg crashes and burns, taking its customers with it

2007-11-18T11:24:07+00:00

UK domain registrar 123-Reg crashes and burns, taking its customers with it

I was hit by this yesterday: can anyone recommend an alternative DNS host with a really easy to use interface (I’ve made mistakes modifying DNS in the past) and rock-solid reliability?

Tags: 123reg, dns, domains

Email addresses your OpenID via DNS

2007-09-30T21:36:27+00:00

Email addresses your OpenID via DNS

Sam Ruby has warmed to the idea of making e-mail addresses usable as OpenIDs via a DNS SRV record.

Tags: dns, email, openid, sam-ruby, srv

dnspython

2007-07-01T11:55:34+00:00

dnspython

Python DNS toolkit—seems like the kind of thing that should be in the standard library.

Tags: dns, python

What I did at Hack Day

2007-06-19T10:32:14+00:00

What I did at Hack Day

John McKerrell made a tool for updating your FireEagle location through a DNS query, useful for sneaking around for-pay WiFi nodes.

Tags: dns, fireeagle, hackdaylondon, john-mckerrell, wifi

IE and 2-letter domain-names

2007-02-15T00:33:13+00:00

IE and 2-letter domain-names

IE won’t let you set a cookie on XX.YY, where YY is anything other than .pl or .gr. Other browsers have better exception lists.

Via Mark Pilgrim

Tags: cookies, dns, internet-explorer, mark-pilgrim