Comment by teddyh

11 hours ago

Having all those TXT records at the domain apex like that makes the TXT query reply huge, which affects, for instance, every mail recipient who merely wants to check the SPF record. This is a bad pattern to follow.

5 comments

teddyh

Reply
Bender  7 hours ago

The domains with large numbers of TXT records are also used in DNS DDoS amplification attacks. Spoofed UDP requests to domains that have a large number of TXT records are used to slam other sites. In the past I would transparently strip the TXT records when I ran public DNS recursive resolvers nobody noticed except the botters but some here may be activated. Some domains with a lot of dangling records:

    for i in $(echo "ycombinator.com 500px.com box.com ebay.com google.com hm.com lenovo.com nordstrom.com realtor.com tmz.com wired.com");do echo -en "${i}:  ";dig +short +nocookie -t TXT "${i}"|wc -l;done|sort -rn -k2
    nordstrom.com:  39
    lenovo.com:  38
    realtor.com:  36
    ebay.com:  36
    hm.com:  34
    box.com:  28
    wired.com:  27
    tmz.com:  22
    500px.com:  17
    ycombinator.com:  13
    google.com:  13

Ebay used to be in first place, not sure what changed.

In unbound.conf:

    local-zone: ycombinator.com typetransparent
    local-data: 'ycombinator.com. TXT "[ddos redacted]"'

after the changes:

    dig +short +nocookie -t txt ycombinator.com
    "[ddos redacted]"

  • somat  6 hours ago

    Whee, my chance to be the useless use of cat asshole.

    Why the echo? "for" should handle a list of terms just fine.

    Pedantic assholery aside, genuine question. Is this some sort of shell expansion injection countermeasure of which I am unfamiliar?

    And for the record I quite enjoy employing the useless use of cat. It turns pumping a file into a pipeline from a screwball shell meta command into a command isometric to any other command. I sort of wish tee had a "suppress stdout flag" so it could be used more naturally as cat's counterpart.

    • Bender  5 hours ago

      Whee, my chance to be the useless use of cat asshole.

      Would it be mean if I said I do that to expose cat rectum? I used to cat to tac to cat but that was too on the nose. Another fun one is mixed case HtMl elements. I miss that old dokimos site from 2001.

      Here's [1] something to play with. not my repo

      [1] - https://github.com/bashfuscator/bashfuscator

inigyou  7 hours ago

The better pattern is to use an underscore prefix like _discord-verification.domain.com

If your site allows user-created subdomains it shouldn't allow leading underscore. This is reserved somehow.