In a recent blog post on APNIC, Verisign Principal Engineer Matt Thomas has written about how just a few lines of code in Chromium, the foundation for not only Google’s Chrome but also Microsoft Edge, Opera, Amazon Silk, and Brave, all of which account for about 70% of all browsers used today, have affected the root DNS servers.
The "omnibox" feature accounts for a whopping estimated 60 billion DNS queries a day, about half of all DNS root queries.
In almost any other scenario, this traffic would be indistinguishable from a distributed denial of service (DDoS) attack.
Chromium has a feature known as the omnibox, in which users can use a single input box to enter all sorts of requests, such as search queries, website names and, of course, full URLs. The problem arises when the user enters a single-word term that could be interpreted as either a search query or an Intranet address. For example, should "dns" perform a search query for the term "dns" or navigate to the page "http://dns/"?
At first this seems easy: the browser could check in the background whether a DNS record can be resolved for the hostname. If it can, navigate to the site; if not, perform a search. However, some networks or DNS servers fall back to a default address for all non-existent domains and serve their own page that attempts to offer the user suggestions.
This is where the "Intranet Redirect Detector" comes into play. It generates random hostnames such as "rociwefoie" each time the browser is started or DNS-related system changes are detected. Three such hostnames are resolved by a DNS lookup and the results compared. If any two of the results match the same address, the browser assumes that a redirector is in place, so any time a lookup resolves to this address it can be treated as a redirect response and not a real Intranet site.
Digging into the source code explains the feature as below:
This component sends requests to three randomly generated, and thus likely nonexistent, hostnames. If at least two redirect to the same hostname, this suggests the ISP is hijacking NXDOMAIN, and the omnibox should treat similar redirected navigations as 'failed' when deciding whether to prompt the user with a 'did you mean to navigate' infobar for certain search inputs.
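The two-of-three decision described above can be sketched as follows. This is an added example, not Chromium's code: it follows this post's description (comparing resolved addresses), the function names and sample addresses are constructed, and the 7 to 15 character probe length is an assumption not stated here.

```python
import random
import string
from collections import Counter

def random_probe_name(rng, min_len=7, max_len=15):
    # Single-label lowercase name like "rociwefoie"; the length range is an assumption.
    length = rng.randint(min_len, max_len)
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))

def detect_nxdomain_redirect(resolve, rng=None, probes=3, threshold=2):
    """Return the catch-all address if nonexistent names are redirected, else None.

    resolve(name) returns an address string, or None for NXDOMAIN or a failed lookup.
    """
    rng = rng or random.SystemRandom()
    answers = [resolve(random_probe_name(rng)) for _ in range(probes)]
    # A failed lookup is not evidence: two None results must not count as a match.
    counts = Counter(a for a in answers if a is not None)
    if not counts:
        return None
    address, hits = counts.most_common(1)[0]
    return address if hits >= threshold else None

def is_intranet_host(resolve, label, redirect_address):
    # A single-word input is a real intranet site only if it resolves to
    # something other than the catch-all address found by the probes.
    address = resolve(label)
    return address is not None and address != redirect_address

def make_resolver(records, catch_all=None, fail_first=0):
    # Constructed stand-in for a network's resolver so the example runs offline.
    state = {"calls": 0}
    def resolve(name):
        state["calls"] += 1
        if state["calls"] <= fail_first:
            return None  # simulated timeout
        return records.get(name, catch_all)
    return resolve

INTRANET = {"dns": "10.0.0.53"}  # constructed sample record
honest = make_resolver(INTRANET)
hijacked = make_resolver(INTRANET, catch_all="192.0.2.10")
flaky_hijacked = make_resolver(INTRANET, catch_all="192.0.2.10", fail_first=1)

if __name__ == "__main__":
    for label, r in [("honest", honest), ("hijacked", hijacked), ("flaky", flaky_hijacked)]:
        redirect = detect_nxdomain_redirect(r)
        print(label, redirect, is_intranet_host(r, "dns", redirect),
              is_intranet_host(r, "printer", redirect))
```

On the hijacked resolver, "printer" resolves but only to the catch-all address, so it is treated as a search term, while "dns" still counts as an Intranet host.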
The article goes into detail, estimating how many of the queries are likely due to this feature by comparing them against what the code would generate, comparing the volume over time with the market share of Chromium-based browsers, and looking at how the feature has evolved.
It is a very interesting read, and it is incredible how such a small feature that so many of us use each day has such a large impact. For all the technical details, be sure to check out the full article at APNIC.
The European Commission has released a call for tenders for a study on Domain Name System (DNS) abuse.
The study is set to be a 7-month analysis on the scope, impact and magnitude of DNS abuse. The study will offer a service contract of up to EUR 100,000 to the winning tender.
The study will focus primarily on the European market and any associated regulations and laws. However, because DNS is a global system, the study is to assess it in a much broader sense, keeping in mind how this may affect any decisions or recommendations put forward.
The analysis will provide an overview of any and all existing policies, laws, and common practices already being followed but will focus on DNS abuse in the form of cyber security threats as well as illegal and harmful content.
Once complete, the aim is to provide recommendations on how to address any of the issues discovered, in order to help guide future policy development.
Microsoft's latest Windows 10 Insider Preview build 20185 adds improved DNS configuration in network settings.
DNS settings made more accessible
DNS settings have been made more easily accessible and are now a top-level option in your network's properties page. This is sure to be useful when showing less technical users how to update their DNS servers.
Encrypted DNS improvements
With this release, you can now access encrypted DNS controls for DNS over HTTPS in the Settings app.
In order to unlock this feature through the UI alone, you must use one of the approved servers from either Cloudflare, Google or Quad9.
If you would like to use a custom DNS over HTTPS server, then you will need to use the netsh command as documented in Microsoft's blog post.
Having encrypted DNS configurable through the UI is a welcome change, as previously this was only possible by a registry change and the command line. No doubt over time, even custom servers will be supported without the need to use the command line.
"We've identified the issue and are working on it. Some of our Domain Name Servers (DNS) used to route your traffic online are experiencing a cyber attack, known as a Denial of Service (DoS). Your info isn't at risk. We're doing all we can to get you back online."
"The massive messaging storm that presented as a Denial of Service cyber-attack has been investigated by our security teams and we now believe that it was not malicious, but a Domain Name Server issue. We're really sorry for getting in the way of your weekend plans."
Like many of Australia's biggest ISPs, TPG's DNS servers can be found in our DNS server database, which contains the most up to date information for configuring DNS settings for TPG.
These DNS servers, or any of the Global DNS servers, may be used by customers of TPG Internet so that they get the best browsing experience when they're going to websites online. Using incorrect DNS servers can result in slower DNS lookups, which means that it will take longer to get to your favourite websites.
Flushing your DNS cache is a very easy process that is sometimes necessary when your computer is not resolving a particular hostname to the correct IP address. This process will clear any locally stored results that may be out of date and not being updated correctly. This is sometimes the reason that you may be seeing messages such as ERR_NAME_NOT_RESOLVED in your web browser.
If you're running Microsoft Windows, then all you need to do is run the command ipconfig /flushdns from the command line. More in-depth details and instructions with screenshots on how to flush your DNS on Windows and a variety of other operating systems can be found on our dedicated flush DNS page.
If all else fails, simply rebooting your computer or device will usually flush your DNS cache.
When setting up your devices to connect to the Internet, it is important that you configure your computer, tablet, phone or gaming device to connect to the correct DNS server. Using the correct DNS server means that you will get the fastest and most reliable lookups when you're visiting websites and accessing other services online.
While most routers and modems will automatically assign the correct IP address to your device to use as a DNS server, there are some cases in which you may need to configure this manually.
whatsmydns.net provides a DNS Server List that contains many of the major ISPs throughout the world. When possible, you should try to use the DNS server that is provided by your service provider in order to have the fastest possible DNS lookups.
It is also possible to use one of the many Global DNS providers, such as Google DNS or Cloudflare, as your DNS server. Many of these providers can often be faster and more reliable than even your own Internet Service Provider's servers.
When you make changes to your domain name's DNS settings, either by registering a new domain name and performing the initial setup or by making changes to existing DNS settings, it is useful to be able to perform a DNS Check to make sure that your domain name changes have propagated around the world.
whatsmydns.net provides an easy to use interface that allows you to do this DNS check. All you need to do is enter your domain name and choose your record type, and a DNS check will instantly be performed, showing you the current state of DNS propagation around the world for your domain name.
The DNS check tool lets you choose from a variety of record types including A for IP address lookups, CNAME for canonical or alias records, MX for Mail Exchanger records as well as many more.