Slashdot Mirror


Dan Kaminsky Suggests Having Fun with DNS

boogahsmalls writes "A few weekends ago Dan Kaminsky of scanrand fame presented some pretty cool ideas involving DNS that made plenty of heads spin at the LayerOne Technology Conference. Some of his concepts included Voice over DNS and storing Knoppix in a DNS cache. He's also apparently got a couple new tools in the pipe including a scanrand based DNS scanner and a visualization suite. Could another version of Paketto Keiretsu be in the works?" (OpenOffice.org does a great job of opening the PowerPoint slideshow.)

23 of 212 comments

  1. No thanks, by Anonymous Coward · · Score: 5, Insightful

    I'd rather my dns just work.

  2. Nice ideas by Anonymous Coward · · Score: 5, Funny

    but who doesn't have Knoppix in the DNS cache already anyway? Welcome to the 21st century buddy.

  3. use the DNS to store presentations by Anonymous Coward · · Score: 4, Funny

    I'd rather read his slides in binary from IN A records than open powerpoint.

  4. RTFPP? by Nethead · · Score: 4, Funny

    Now we have to Read The Fsckin' Power Point?

    --
    -- I have a private email server in my basement.

  5. Great Article by Anonymous Coward · · Score: 5, Insightful

    It's a pity most of the slashdot crowd won't understand any of its technical merits at all.
    Mark this as flamebait if you will, but come back in a while and read the comments, I promise there will be hardly any discussion of the paper.

    Dan is obviously a very smart guy, I like his ideas about using http tunnel (it's a great program), I'm going to have to give some of these ideas a work out!

    Bob

    1. Re:Great Article by wwest4 · · Score: 4, Insightful

      The presentation is intriguing, but like any typical slideshow, lacking in specifics (things like "stuff=cool" aren't terribly telling). Unless you already know the DNS pretty well, it would be hard to infer the nitty-gritty of the talk from this ppt without thinking pretty hard about it, and you shouldn't fault a diverse group of geeks from different nerd realms for not being DNS power users.

    2. Re:Great Article by magefile · · Score: 4, Informative

      I'd suggest Open Office. If you're on a dialup, and don't want to install several hundred megs, then look at the google cache - it'll have an HTML-ized version.

    3. Re:Great Article by jovetoo · · Score: 5, Interesting

      His techniques allow someone to set up a cryptographically secure network that most likely completely ignores firewalls. It features high bandwidth-high latency connection, low bandwidth-low latency connections and is virtually untraceable, even to both parties involved in the connection. An initial hostname and time would act as the 'phonenumber'. (By keeping a certain request alive, one can even implement a dialing service with TTL delay.) A message service is freely included.

      It is virtually impossible to shut these networks down without replacing/patching dns. Not an easy task.
      The bandwidth available to this network most likely exceeds that of most irc-botnets. Especially since the root servers are defending themselves against DDoS attacks.

      The tools he's still developing might be able to trace these things but it will still require cooperation of dns server administrators (to get their logs). You will never get them all and you'll have a LOT of data to process. According to this the ICS root server continuously handles almost 8Mbps (and can handle up to 80Mbps) of traffic. I seriously doubt they can log that... (if so, transferring the logs would continually consume a healthy percent of the servers bandwidth.)

      Pretty smart man indeed and very idealistic or shortsighted. Both the right and the wrong sort of people would pay a lot of money for that...
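On the defender side of the point above about needing resolver logs, here is an added example (not part of this thread, and not one of Dan's tools): a Python heuristic that scores resolver query logs for the pattern a DNS-carried channel produces, many unique, high-entropy names under one zone, mostly TXT lookups. The log format, the sample lines and the thresholds are all constructed assumptions for the example, not any resolver's real output.

```python
import math
from collections import Counter, defaultdict

# Constructed sample (not real logs): "<client> <qname> <qtype>" per line.
# 10.0.0.5 does ordinary lookups; 10.0.0.9 pulls chunks via unique TXT names.
SAMPLE_LOG = """\
10.0.0.5 www.slashdot.org A
10.0.0.5 mail.example.net MX
10.0.0.5 www.slashdot.org A
10.0.0.9 d3f9a1c7e2b8.mx7q4z.k0ls.chunks.example.org TXT
10.0.0.9 8b2e6f0a9c4d.p1wt5y.z9ab.chunks.example.org TXT
10.0.0.9 5c7d1e3f2a6b.q8rn2v.m4cd.chunks.example.org TXT
10.0.0.9 a1b2c3d4e5f6.r5ku9x.h2ef.chunks.example.org TXT
10.0.0.9 7e8f9a0b1c2d.s3jm6w.t7gh.chunks.example.org TXT
"""

def shannon_entropy(s):
    """Bits per character: ~0 for 'www', high for encoded payload labels."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_log(text):
    """Return (client, qname, qtype) tuples from the constructed log format."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            client, qname, qtype = line.split()
            rows.append((client, qname.lower().rstrip("."), qtype.upper()))
    return rows

def flag_flows(rows, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Flag (client, zone) pairs whose names look like carried data: enough
    queries, nearly every name unique (cache-busting), high label entropy."""
    flows = defaultdict(lambda: {"n": 0, "names": set(), "txt": 0, "ent": 0.0})
    for client, qname, qtype in rows:
        parts = qname.split(".")
        sub, zone = ".".join(parts[:-2]), ".".join(parts[-2:])  # zone = last two labels
        f = flows[(client, zone)]
        f["n"] += 1
        f["names"].add(qname)
        f["txt"] += qtype == "TXT"
        f["ent"] += shannon_entropy(sub)
    flagged = []
    for (client, zone), f in sorted(flows.items()):
        unique_ratio = len(f["names"]) / f["n"]
        mean_ent = f["ent"] / f["n"]
        if f["n"] >= min_queries and unique_ratio >= min_unique_ratio and mean_ent >= min_entropy:
            flagged.append((client, zone, f["n"], f["txt"], round(mean_ent, 2)))
    return flagged
```

Each flagged tuple carries the query count, the TXT count and the mean entropy so an analyst can tune the thresholds against their own resolver's baseline before alerting on them.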

  6. Search Service by OzPhIsH · · Score: 4, Funny

    Gee, maybe they could make the results of any unresolved queries forward users to a handy search page, instead of returning an appropriate 'not found' response!

    --

    "To lead the people, you must walk behind them"

  7. Another pointless piece of information: by YouGotServed · · Score: 5, Funny

    Microsoft Powerpoint also does a great job of opening the PowerPoint slideshow.

    1. Re:Another pointless piece of information: by cgenman · · Score: 4, Funny

      I can see where this is going:

      1: Funny retort about clippy, modded +5 insightful
      2: Serious post defending Power Point, modded -1 Flamebait
      3: Humorous post about necessary height of a post to go over one's head, modded +2 interesting
      4: Serious post questioning the connection between wooden posts and the stability of Microsoft Software, modded +2 Funny
      Meta comment about the ridiculousness of it all: Priceless.

  8. Crazy! by chill · · Score: 5, Insightful

    Most people are lucky if DNS just works without major headaches.

    I could swear BIND and its config file is considered, along with Sendmail, one of the most convoluted programs in Internetdom. It, again along with Sendmail, is historically also one of the most bug-ridden and exploited.

    And now someone is suggesting futzing around with it?! Why not just change your domain to "rootmeplease.com" and get it over with?

    -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.

    1. Re:Crazy! by MerlynEmrys67 · · Score: 4, Funny

      My favorite joke from years ago was

      Q: What is the difference between a sendmail.conf file and modem noise
      A:

      --
      I have mod points and I am not afraid to use them

  9. Nasty Nasty HTML Version by OverlordQ · · Score: 5, Informative

    Enjoy

    Note: Was converted with *gasp*powerpoint so yes it is horrible :)

    --
    Your hair look like poop, Bob! - Wanker.

  10. SPF and SPF+ work over DNS by ideut · · Score: 4, Informative

    Dan isn't the first one to suggest novel new applications for the DNS. Many will also be familiar with SPF, the "spam permitted from" framework for defining permitted email senders. Microsoft have recently taken over the standard process and are proposing for the sender permission rules to be sent in XML format over DNS!

    The open source community's response so far has been SPF+, which is essentially a technique of encoding the rules in TCL, which is served over DNS and executed on the mailserver. For obvious reasons, SPF+ will probably define the future of spam control on the internet.

  11. Some of this stuff really makes a lot of sense by mcrbids · · Score: 4, Interesting

    Forget the current legal nightmare of this proposal - just roll with me...

    This guy proposes putting content (eg Knoppix) into DNS.

    Why is DNS particularly not well suited for this kind of distribution mechanism?

    Seems to me that if the RIAA wanted to distribute their movies via broadband providers (an inevitability, I'm afraid) the biggest problem would be dealing with BANDWIDTH.

    I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...

    DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?

    Honestly, caching content a la DNS might provide a MUCH more efficient content distribution mechanism than, say, BitTorrent.

    Where's the bad part of this idea?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.

    1. Re:Some of this stuff really makes a lot of sense by kryptkpr · · Score: 4, Informative

      Where's the bad part of this idea?

      1) I think the requirement for caching sets of 4 byte IP addresses and 4 GB movies are quite different. Just because a system is good at one, doesn't mean it will automatically be good at the other. When I RTFA, the author made it quite clear that there was a 512-byte packet size limit, of which only around 50% could be useful for actual data. By the author's own estimation, it would take 35,000 DNS servers to host a single 700mb Knoppix image.

      2) DNS is already an overloaded system, and his idea uses recursion, so it would place even more load on top of it.

      If you think this is going to replace BitTorrent, you're off your rocker.

      --
      DJ kRYPT's Free MP3s!

    2. Re:Some of this stuff really makes a lot of sense by Bagheera · · Score: 4, Interesting

      Forget the current legal nightmare of this proposal - just roll with me...

      Were that we could...

      Why is DNS particularly not well suited for this kind of distribution mechanism?

      Because DNS is designed to handle its hierarchical data, not massive amounts of content? The extra fields available in DNS are there for, well, DNS related stuff.

      Seems to me that if the RIAA wanted to distribute their movies via broadband providers (an inevitability, I'm afraid) the biggest problem would be dealing with BANDWIDTH.

      I know you meant the MPAA, not the RIAA, but I think their biggest problem will be letting go of their deep seated need for control, rather than bandwidth. They can afford the pipe. And I, for one, would be incredibly pissed off to find the RIAA (or any other commercial service) caching their stuff on MY name server.

      I always figured that ISPs would have to have some way to cache content locally so their Internet pipes don't get absolutely HAMMERED by all the people viewing the latest flick...

      Like, say, USENET?

      DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?

      We do. Millions of times a day. We use it every time we translate a name to an IP number. Looking up, say www.slashdot.org

      Honestly, caching content a la DNS might provide a MUCH more efficient content distribution mechanism than, say, BitTorrent.

      Highly unlikely. A highly efficient system dedicated to caching content will almost certainly be better than trying to do the same thing with DNS. It's simply not made for it.

      Where's the bad part of this idea?

      Inefficiency. Load on already stressed servers. Better existing solutions. Should I go on?

      Dan's come up with some brilliant ideas over time. Definitely A Geek's Geek. But this one sounds a lot more like one of his thought experiments than an actual proposal. Like directly burning CD's over an SSH tunnel...

      --
      Never attribute to malice what can as easily be the result of incompetence...

    3. Re:Some of this stuff really makes a lot of sense by strabo · · Score: 4, Insightful

      DNS already has a mature, stable, and lightweight caching mechanism in place. Why not use it?

      What part of the word lightweight don't you understand?

    4. Re:Some of this stuff really makes a lot of sense by Effugas · · Score: 4, Insightful

      It is indeed a thought experiment -- but one that's led to some interesting stuff. Voice over DNS was actually a really surprising hack -- here you have a globally deployed caching system, sometimes several levels deep, that actually has the capacity to host the minimal bitrate for a minimally compressed voice link.

      There's millions of servers out there that we can interface with -- what's the impact of that? If nothing else, it's fun to be playing with something other than TCP headers :-)

      --Dan

      P.S. A broom can be used to sweep the floor -- or to knock something out of a tree, or to scare off a wild animal, or to burn for heat. There's something to be said for separating common uses from "inherent purposes". HTTP was certainly never designed to host as much dynamic content as it does now!

  12. PDF Link by kryptkpr · · Score: 4, Informative

    PDF Conversion of powerpoint presentation

    On my ISP's very fast webspace, but please post mirrors in case they decide to pull the plug.

    --
    DJ kRYPT's Free MP3s!

  13. anybody remember DNS MUDs? by andrewagill · · Score: 5, Informative

    You used to be able to play a text adventure game with DNS:

    ]$ nslookup - hastur.rlyeh.net
    > set querytype=txt
    > set domain=adventure
    > 1

    Alas, hastur has been down since around 1998, but you can still live the magic if you believe in yourself!

  14. Parent is a troll linking to a troll by jensend · · Score: 4, Informative

    If you read the linked email and the replies to it, you will find that the linked post is a troll. For real information about SPF, visit spf.pobox.com.