Comment by teddyh

14 hours ago

Having all those TXT records at the domain apex like that makes the TXT query reply huge, which affects, for instance, every mail recipient who merely wants to check the SPF record. This is a bad pattern to follow.

7 comments

teddyh

Bender 11 hours ago

The domains with large numbers of TXT records are also used in DNS DDoS amplification attacks. Spoofed UDP requests to domains that have a large number of TXT records are used to slam other sites. In the past I would transparently strip the TXT records when I ran public DNS recursive resolvers nobody noticed except the botters but some here may be activated. Some domains with a lot of dangling records:

    for i in $(echo "ycombinator.com 500px.com box.com ebay.com google.com hm.com lenovo.com nordstrom.com realtor.com tmz.com wired.com");do echo -en "${i}:  ";dig +short +nocookie -t TXT "${i}"|wc -l;done|sort -rn -k2
    nordstrom.com:  39
    lenovo.com:  38
    realtor.com:  36
    ebay.com:  36
    hm.com:  34
    box.com:  28
    wired.com:  27
    tmz.com:  22
    500px.com:  17
    ycombinator.com:  13
    google.com:  13

Ebay used to be in first place, not sure what changed.

In unbound.conf:

    local-zone: ycombinator.com typetransparent
    local-data: 'ycombinator.com. TXT "[ddos redacted]"'

after the changes:

    dig +short +nocookie -t txt ycombinator.com
    "[ddos redacted]"

somat 9 hours ago
Whee, my chance to be the useless use of cat asshole.
Why the echo? "for" should handle a list of terms just fine.
Pedantic assholery aside, genuine question. Is this some sort of shell expansion injection countermeasure of which I am unfamiliar?
And for the record I quite enjoy employing the useless use of cat. It turns pumping a file into a pipeline from a screwball shell meta command into a command isometric to any other command. I sort of wish tee had a "suppress stdout flag" so it could be used more naturally as cat's counterpart.
- Bender 9 hours ago
  
  Whee, my chance to be the useless use of cat asshole.
  Would it be mean if I said I do that to expose cat rectum? I used to cat to tac to cat but that was too on the nose. Another fun one is mixed case HtMl elements. I miss that old dokimos site from 2001.
  Here's [1] something to play with. not my repo
  [1] - https://github.com/bashfuscator/bashfuscator

inigyou 11 hours ago

The better pattern is to use an underscore prefix like _discord-verification.domain.com

If your site allows user-created subdomains it shouldn't allow leading underscore. This is reserved somehow.

teddyh 2 hours ago

Underscores are not “reserved somehow”. Underscores are simply not allowed in “host names”; i.e. names with either AAAA or A records, or where the record data has a host name target, like CNAME, MX, SRV, SVCB, or HTTPS records (or any similar record types containing host names).
quotemstr 9 hours ago
Why would you want a new prefix over using record types as they were meant to be used?
- teddyh 2 hours ago
  
  Because:
  1. Practically, the process for creating a new DNS record type is bureaucratic and slow.
  2. New record types have a limited number, but names are unlimited as long as they are unique.
  3. If the data you’re storing is perfectly compatible with an existing record type, like TXT, it seems silly to overload semantics into a new, but otherwise identical, record type. You can compare record types to variable types in a programming language. I.e. instead of having
  name_t x = "foo"; /* C */ x: Name = "foo" # Python x IN NAME "foo" ; DNS
  you instead have:
  char *name = "foo"; /* C */ name: str = "foo" # Python _name IN TXT "foo" ; DNS
  Sure, DNS might not have integer types, but it has host names (PTR), IP addresses (AAAA and A), and strings (TXT, which also can work as an array of strings up to 255 bytes in length if you prefer). These, with added semantics of an underscored name prefixed, will get you quite far without having to invent a new record type to contain your specific semantic meaning to, say, a plain TXT record.