Hugo Hacker News

HTML over DNS: Serving Blog Content over DNS

xg15 2021-08-19 11:46:32 +0000 UTC [ - ]

The HTML bit is fun, but the more remarkable takeaway for me is that DoH servers accept cross-origin requests from ordinary javascript. This means two things:

- A website can bring its own DoH client and bypass both the OS resolver and the browser's trusted DoH resolver for anything except the initial page request.

- Any website can now access the full DNS information of any domain: Not just A/AAAA records, but also TXT, MX, SRV etc. Record metadata such as TTLs likewise.

All of that without requiring any backend infrastructure or exotic web API. It's literally just a static HTML file and fetch().

That's a genuinely new capability that wasn't available to websites before public DoH servers became available. I'm no security expert, but this smells like it should have some implications for web security.

judge2020 2021-08-19 12:36:33 +0000 UTC [ - ]

> - A website can bring its own DoH client and bypass both the OS resolver and the browser's trusted DoH resolver for anything except the initial page request.

Not sure about that, since it doesn’t sound like simply requesting answers from the DoH server injects the answer into the DNS cache.

And I don’t think this is novel, since anyone could have run a DNS info API before if they really wanted to.

Spivak 2021-08-19 14:09:42 +0000 UTC [ - ]

It shouldn't because this was always possible if someone really cared to just run their own public server with a /dig endpoint. If web security depends on websites not having access to public data that could always be proxied to it then we're already screwed.

xg15 2021-08-19 16:48:29 +0000 UTC [ - ]

> It shouldn't because this was always possible if someone really cared to just run their own public server with a /dig endpoint.

A lot of web features had always been possible by simply running them on your own server: Cross-origin requests, generating images on-demand, rendering vector graphics, etc. Nevertheless, when those features became available in the browser - without any additional effort needed from the developer - it had massive effects on the web ecosystem.

I can't say I have answers, but my suspicion is that it makes a significant difference in friction whether a feature requires you to set up and run your own infrastructure or whether you just need to type in some javascript to use it.

> If web security depends on websites not having access to public data that could always be proxied to it then we're already screwed.

To some extent it does - that's why you cannot access the body of cross-origin GET requests or the contents of cross-origin iframes without those sites opting in - even if no cookies or other credentials are sent with the request.

globular-toast 2021-08-19 13:13:05 +0000 UTC [ - ]

A script could already bypass DNS by connecting directly to an IP address which could have been either hard coded or come from an API, for example. You could also send it all the other records via some API too. This just means people don't have to implement the service themselves.

p4bl0 2021-08-19 08:15:23 +0000 UTC [ - ]

Well the content is stored in a DNS Zone file but it is requested using JavaScript to an external HTTP API. I wouldn't really call that HTML over DNS but rather "DNS Zone as blog database".

Anyway, this made me think of iodine [1], an IP over DNS solution, which I still run on my main server even though it has a lot less use now than it had until a few years ago when there were a lot of open wifi with captive portals and way less 4G available.

[1] https://code.kyro.se/iodine/

dncornholio 2021-08-19 11:16:06 +0000 UTC [ - ]

Or just call it HTML over CloudFlare? That CloudFlare uses DNS on the backend doesn't validate DNS being in the title IMHO

judge2020 2021-08-19 12:38:26 +0000 UTC [ - ]

HTML over DoH maybe; I imagine other providers also have an open CORS policy.

RostiB 2021-08-19 10:04:46 +0000 UTC [ - ]

the site is down? - https://code.kyro.se/iodine/

p4bl0 2021-08-19 10:36:45 +0000 UTC [ - ]

Sorry I was on my smartphone and mistyped the url (it's kryo not kyro): https://code.kryo.se/iodine/

Thanks for pointing it out.

EDIT: As an aside, I still hate how mobile browsers have the bad habit of reloading tabs (and most of the time losing content) that you get back to with no reason. If not for this crappy behavior, I would have copy-pasted the URL.

codetrotter 2021-08-19 11:27:06 +0000 UTC [ - ]

On a related note, when the autocomplete system sees that you are typing a URL, it could suggest URLs from browser history as completions, with the most recently visited URLs being shown first. Although, some URLs are long. And it’d suck to complete to the wrong URL, both for reasons of embarrassment in some cases and for reasons of privacy in other cases. So I guess it’s better that autocomplete doesn’t do that. Also it would probably need to show both title and a thumbnail of the page in the preview because many URLs don’t contain info about what’s on the page. Would be hard to fit sensibly on the screen.

ignoramous 2021-08-19 06:02:39 +0000 UTC [ - ]

Corollary is, spyware can use DNS to exfiltrate data [0]. Or, send out client-side metrics with cleverly drafted DNS requests [1], or use it as a 3p-cookie replacement [2].

[0] https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-ca...

[1] https://github.com/Jigsaw-Code/choir (disclosure: I co-develop hard-forks of two other related Jigsaw-Code projects)

[2] http://dnscookie.com/

3pt14159 2021-08-19 10:32:44 +0000 UTC [ - ]

Fun story about this. I know one of the former guys at Xobni back in the day when it was still a thing. They had made an enterprise version that was sold to companies like Apple, Intel, etc. But even though the enterprise software no longer made external API calls, the company still wanted usage metrics so they could monitor feature usage. Knowing how locked down the networks were at companies like this, they exfiltrated the usage data via infrequent DNS requests to their DNS server. Everything was going fine until one day a dozen or so users at Intel stopped reporting. Hours later all of Intel stopped reporting. Within the next day other companies started coming offline. Apple first, then some other large tech company and then a whole slew of them.

Turns out when you spy on your users word gets around.

codethief 2021-08-19 14:51:16 +0000 UTC [ - ]

I'm not sure why this should be a corollary now. DNS exfiltration has always been possible, just like the article you linked to says. (I also like to point people to https://twitter.com/rsobers/status/1293539543115862016 in this context because it puts the idea so succinctly.)

k4ch0w 2021-08-19 08:38:29 +0000 UTC [ - ]

Packet size is a really good detection for this. DNS packets should only be so big ;)

richthegeek 2021-08-19 10:33:59 +0000 UTC [ - ]

So I split my packets up into smaller chunks. Now you need to rate limit DNS. But you still need to allow regular DNS traffic somehow, or you break the internet.

LinuxBender 2021-08-19 12:49:04 +0000 UTC [ - ]

And packet rate. Some corporate firewalls may detect this as abusive and block it leading to questions from the security operations team and the person testing this out.
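Taking the three points of this subthread together (oversized answers, splitting the payload into small chunks to dodge a size check, and query rate), here is what the defender's side looks like in practice. This is an added example of mine, not code from the thread: a small scorer over DNS query logs that groups queries per client and registered domain and flags a group on response size, on rate, and on the entropy of the leftmost label, which is the one thing chunking cannot hide. The log format, the log lines, the thresholds and the "last two labels" notion of a registered domain are all constructed for the example.

```javascript
// Added example, not from the thread: a DNS-log scorer for tunnelling-style
// traffic. Heuristics: (1) response size, the classic 512-octet UDP limit
// being the threshold; (2) query rate per client and registered domain;
// (3) Shannon entropy of the leftmost label, which stays high even when the
// payload is split into many small queries.

// Constructed log lines: "<iso-timestamp> <client> <qtype> <qname> <response-octets>".
const sampleLog = [
  "2021-08-19T10:00:00Z 10.0.0.5 A www.example.org 93",
  "2021-08-19T10:00:05Z 10.0.0.5 MX example.org 120",
  "2021-08-19T10:00:07Z 10.0.0.5 TXT 4f7a2b9c1d8e3f6a5b0c.tunnel.example 1180",
  "2021-08-19T10:00:09Z 10.0.0.5 TXT 9e1d5c3b7a2f8e4d6c0a.tunnel.example 1176",
  "2021-08-19T10:00:12Z 10.0.0.5 TXT 2c8a6e4f1b9d3c7e5a0f.tunnel.example 1190",
  "2021-08-19T10:00:14Z 10.0.0.5 TXT 7b3e9a1c5d2f8e6a4c0b.tunnel.example 1188",
  "2021-08-19T10:00:20Z 10.0.0.7 AAAA cdn.example.net 151",
];

function parseLine(line) {
  const [ts, client, qtype, qname, bytes] = line.trim().split(/\s+/);
  return {
    ts: Date.parse(ts),
    client,
    qtype,
    qname: qname.toLowerCase().replace(/\.$/, ""),
    bytes: Number(bytes),
  };
}

// Simplification for the example: the registered domain is the last two
// labels. Real deployments use a public-suffix list here.
function registeredDomain(qname) {
  return qname.split(".").slice(-2).join(".");
}

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  if (!s.length) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns one finding per (client, registered domain) pair that trips any rule.
function analyze(lines, opts = {}) {
  const {
    maxResponseBytes = 512, // illustrative thresholds, tuned to the sample log
    maxQueriesPerMinute = 3,
    minLabelEntropy = 3.5,
    minLabelLength = 16,
  } = opts;
  const groups = new Map();
  for (const rec of lines.map(parseLine)) {
    const domain = registeredDomain(rec.qname);
    const key = `${rec.client}|${domain}`;
    let g = groups.get(key);
    if (!g) {
      g = { client: rec.client, domain, queries: 0, first: rec.ts, last: rec.ts, maxResponseBytes: 0, entropies: [] };
      groups.set(key, g);
    }
    g.queries += 1;
    g.first = Math.min(g.first, rec.ts);
    g.last = Math.max(g.last, rec.ts);
    g.maxResponseBytes = Math.max(g.maxResponseBytes, rec.bytes);
    // Leftmost label of the part below the registered domain (if any).
    const sub = rec.qname.length > domain.length ? rec.qname.slice(0, -(domain.length + 1)) : "";
    const leftmost = sub.split(".")[0];
    if (leftmost.length >= minLabelLength) g.entropies.push(shannonEntropy(leftmost));
  }
  const findings = [];
  for (const g of groups.values()) {
    const spanMinutes = Math.max(1, (g.last - g.first) / 60000); // never divide by a tiny span
    const rate = g.queries / spanMinutes;
    const meanEntropy = g.entropies.length ? g.entropies.reduce((a, b) => a + b, 0) / g.entropies.length : 0;
    const reasons = [];
    if (g.maxResponseBytes > maxResponseBytes) reasons.push("large-response");
    if (rate > maxQueriesPerMinute) reasons.push("high-rate");
    if (meanEntropy >= minLabelEntropy) reasons.push("high-entropy-labels");
    if (reasons.length) {
      findings.push({ client: g.client, domain: g.domain, queries: g.queries, queriesPerMinute: rate,
        maxResponseBytes: g.maxResponseBytes, meanLabelEntropy: meanEntropy, reasons });
    }
  }
  return findings;
}

console.log(JSON.stringify(analyze(sampleLog), null, 2));
```

Each rule alone is weak (a CDN with long cache-busting hostnames will trip the entropy rule, a busy mail server the rate rule), which is why the output carries every reason that fired: the combination of all three on one client/domain pair is the signal worth paging on, a single one is at most worth a lookup.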

2021-08-19 09:07:51 +0000 UTC [ - ]

2021-08-19 10:03:58 +0000 UTC [ - ]

Spivak 2021-08-19 14:11:34 +0000 UTC [ - ]

You can even set up a VPN over DNS if you really wanted. https://github.com/yarrick/iodine

jacobkiers 2021-08-19 07:39:19 +0000 UTC [ - ]

Interesting, I'll read up on that.

1vuio0pswjnm7 2021-08-19 06:04:28 +0000 UTC [ - ]

Looks more like HTML via HTTP, specifically DoH.

    const dohServer = "https://cloudflare-dns.com/dns-query?ct=application/dns-json&type=TXT&name=";
    const baseDomain = "hod.experiments.jacobkiers.net";

About 12 years ago I experimented with HTML over UDP DNS by modifying dnstxt from djbdns to output a MIME header. I could store tiny web pages, i.e., hyperlinks, in a zone file and serve them with tinydns. (This was before the size of DNS packets ballooned with adoption of EDNS.)

1vuio0pswjnm7 2021-08-19 11:22:46 +0000 UTC [ - ]

Actually JSON via HTTP. Then using Javascript to create HTML from the JSON.
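The two constants quoted two comments up are the whole transport. As an added example (mine, not code from the post or from the hod project), here is the rest of that "JSON via HTTP, then JavaScript builds HTML" flow in the same spirit: composing the DoH JSON URL for a record name and pulling the TXT strings back out of the answer. It also makes xg15's observation concrete, since the fetch() path works cross-origin only because the resolver sends permissive CORS headers. The sample answer object is constructed to mirror the JSON shape cloudflare-dns.com returns; that the page content is base64 is an assumption taken from the base64 remarks elsewhere in the thread.

```javascript
// Added example, not code from the post or the hod project. Client side of
// "JSON via HTTP, then JavaScript builds HTML": compose the DoH JSON URL, then
// decode the TXT strings out of the answer. The two constants are the ones
// quoted in the thread.
const dohServer = "https://cloudflare-dns.com/dns-query?ct=application/dns-json&type=TXT&name=";
const baseDomain = "hod.experiments.jacobkiers.net";

// Full query URL for one resource slug (assumed to already be a valid DNS
// label: letters, digits, hyphens).
function dohQueryUrl(slug) {
  return dohServer + encodeURIComponent(`${slug}.${baseDomain}`);
}

// Pull the TXT payload out of a DoH JSON answer. Each TXT RR's "data" field is
// in presentation form: one or more quoted <character-string>s separated by
// spaces, with backslash escapes inside. Join the strings, as TXT consumers
// do, and report the smallest TTL so a caller can cache sensibly.
function txtFromDohJson(resp) {
  if (resp.Status !== 0) throw new Error(`DNS rcode ${resp.Status}`);
  const answers = (resp.Answer || []).filter((rr) => rr.type === 16); // 16 = TXT
  const quoted = /"((?:[^"\\]|\\.)*)"/g;
  const parts = [];
  for (const rr of answers) {
    let m;
    while ((m = quoted.exec(rr.data)) !== null) {
      parts.push(m[1].replace(/\\(.)/g, "$1")); // unescape \" and \\
    }
  }
  return {
    text: parts.join(""),
    ttl: answers.length ? Math.min(...answers.map((rr) => rr.TTL)) : null,
  };
}

// Assumption: the content is base64 (the thread talks about base64 payloads).
// atob() is the browser equivalent of Buffer here.
function decodeBase64Payload(text) {
  return Buffer.from(text, "base64").toString("utf8");
}

// Constructed sample answer in the shape cloudflare-dns.com returns for
// ct=application/dns-json. The payload is base64 of "<h1>Hello</h1>", split
// across two character-strings as a long TXT record would be.
const sampleDohResponse = {
  Status: 0,
  Question: [{ name: "posts-example.hod.experiments.jacobkiers.net", type: 16 }],
  Answer: [
    {
      name: "posts-example.hod.experiments.jacobkiers.net",
      type: 16,
      TTL: 300,
      data: '"PGgxPkhl" "bGxvPC9oMT4="',
    },
  ],
};

// Browser path (not exercised offline): the same request via fetch(). A static
// page can do this cross-origin only because the resolver answers with
// permissive CORS headers; nothing on the page's own origin is involved.
async function fetchTxt(slug) {
  const res = await fetch(dohQueryUrl(slug), { headers: { accept: "application/dns-json" } });
  return txtFromDohJson(await res.json());
}

// Offline walk-through of the constructed answer.
function renderSample() {
  const { text, ttl } = txtFromDohJson(sampleDohResponse);
  return { html: decodeBase64Payload(text), ttl };
}

console.log(dohQueryUrl("posts-example"));
console.log(renderSample());
```

The TTL is worth keeping: it is the only cache-control the "DNS as blog database" design has, and a client that ignores it either hammers the resolver or serves stale posts, which is exactly the update problem raised further down the thread.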

ThePhysicist 2021-08-19 08:45:58 +0000 UTC [ - ]

This technique has been a standard exfiltration & C2 (command & control) channel for malware for a long time. Typically malware will make a DNS request for a subdomain where the domain name encodes data or a request, and the response contains e.g. commands.

geocrasher 2021-08-19 05:51:46 +0000 UTC [ - ]

As someone who has an obsession with base64 encoding (as exemplified by my poorly written shell scripting here: https://miscdotgeek.com/curlytp-every-web-server-is-a-dead-d... ) I love this. It makes me wonder if some CSS and maybe even a highly compressed image or two could be added.

p4bl0 2021-08-19 08:40:35 +0000 UTC [ - ]

If you're obsessed with base64 here is a fun thing for you:

A few years ago I randomly remarked that repeated base64 prefixes converge to a fixed point. I tweeted [1] the first characters of that string out of amusement, without any additional details.

Then someone saw the tweet, found it funny, and did a write-up about it [2], and then there was an interesting discussion on Reddit [3]. There may have been one on HN too, I don't remember.

Have fun :).

[1] https://twitter.com/p4bl0/status/298900842076045312

[2] https://web.archive.org/web/20160313123301/https://fmota.eu/...

[3] https://www.reddit.com/r/compsci/comments/18234a/the_base64_...

jacobkiers 2021-08-19 06:25:01 +0000 UTC [ - ]

Nice idea. Probably possible, since each resource has an index record, which contains the mime type.

I'll try it sometime soon (though my CSS skills are basically nonexistent...).

jacobkiers 2021-08-19 06:22:44 +0000 UTC [ - ]

Author here: I made it as a proof of concept, just because I could.

I used DoH because to the best of my knowledge it's not possible to open raw sockets from the browser. Otherwise I'd have done that.

I don't think there's any practical use. And I did not intend it to have any.

staysafeanon 2021-08-19 14:53:50 +0000 UTC [ - ]

>Author here: I made it as a proof of concept, just because I could.

Sometimes those are the most satisfying and technologically interesting proof of concepts. Don't let any of the detractors here tell you you're wasting your time!

erkkonet 2021-08-19 11:13:24 +0000 UTC [ - ]

All sites on the .tel domain used to be rendered from DNS. It seems to have changed in 2017 but Wikipedia still says[1]:

"In contrast to other top-level domains, .tel information is stored directly within the Domain Name System (DNS) [...] as opposed to the DNS simply returning details (such as IP addresses)"

[1] https://en.wikipedia.org/wiki/.tel

beembuild 2021-08-19 11:34:47 +0000 UTC [ - ]

I modified the dnstxt file from djbdns about twelve years ago to output a MIME header for HTML over UDP DNS. I could store hyperlinks for tiny web pages in a zone file and serve them with tinydns. (This was before EDNS exploded the size of DNS packets.) regards https://minimilitiamodapk.info/

PinguTS 2021-08-19 07:34:15 +0000 UTC [ - ]

Wondering why I can't query the DNS directly.

  $ dig posts-2021-08-17-serving-blog-content-over-dns-md.hod.experiments.jacobkiers.net TXT
  
  ; <<>> DiG 9.8.3-P1 <<>> posts-2021-08-17-serving-blog-content-over-dns-md.hod.experiments.jacobkiers.net TXT
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49067
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
  
  ;; QUESTION SECTION:
  ;posts-2021-08-17-serving-blog-content-over-dns-md.hod.experiments.jacobkiers.net. IN TXT
  
  ;; AUTHORITY SECTION:
  hod.experiments.jacobkiers.net. 292 IN SOA home.kie.rs. postmaster.kie.rs. 2021081903 3600 900 604800 3600

IncRnd 2021-08-19 11:22:11 +0000 UTC [ - ]

You can look at this line.

> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

That says that the DNS server didn't answer - for whatever reason - despite the address of that server being determined. It could have been a form of HN's "hug of death" where the website temporarily goes down when many people start to view it in a short period of time.

jacobkiers 2021-08-19 07:38:52 +0000 UTC [ - ]

That's weird, it should work. I'll investigate when I get home.

PinguTS 2021-08-19 07:51:50 +0000 UTC [ - ]

Just tried it again, now it works like magic. Don't know what was wrong.

bqmjjx0kac 2021-08-19 12:27:43 +0000 UTC [ - ]

Spooky, maybe you were MITMed.

masklinn 2021-08-19 07:35:30 +0000 UTC [ - ]

Apparently uses DoH. I don't think dig(1) talks DoH, you'd have to use curl or kdig.

PinguTS 2021-08-19 07:49:28 +0000 UTC [ - ]

DNS is DNS. You should be able to talk to the NS with DNS over UDP, TCP, or HTTP(s). The protocol used should not matter. The information received should be always the same.

ignoramous 2021-08-19 09:05:21 +0000 UTC [ - ]

...in an ideal world

masklinn 2021-08-19 07:30:29 +0000 UTC [ - ]

> You might not be able to see it immediately

Or at all since the content is entirely injected via JS with no fallback (and the JS uses class fields in case you thought an old browser might be able to load it).

andai 2021-08-19 08:00:14 +0000 UTC [ - ]

Been wondering about this, how many people are using old browsers? caniuse.com reports [0] 96% support for ES6 classes. The other 4% is divided between Internet Explorer, Opera Mini and obsolete versions of every other browser. So I'm trying to figure out what kind of people are using such ancient technology and why? What kind of unusual visitors would I be missing out on?

blowski 2021-08-19 08:14:43 +0000 UTC [ - ]

Anecdote: I know someone who has some antiquated games that he couldn't get working in anything other than a real install of Windows XP. The game has a forum, so he frequently uses IE8 installed on the computer to access it.

I guess there are lots of tiny edge cases that look like that.

phh 2021-08-19 08:11:23 +0000 UTC [ - ]

You're missing out on visitors with disabled (or whitelisted) javascript. On HackerNews that'll be pretty common.

andai 2021-08-19 09:28:55 +0000 UTC [ - ]

It's true that people with JavaScript disabled won't be able to run any JavaScript, but once they turn it on it should have relatively good feature support -- I suspect the sort of people who know how to disable JavaScript aren't using software more than 5 years out of date.

masklinn 2021-08-19 09:37:24 +0000 UTC [ - ]

> but once they turn it on it should have relatively good feature support

How could they even know to turn it on when all they get is an empty page?

cdubzzz 2021-08-19 12:22:41 +0000 UTC [ - ]

They are used to it? The number of users who have JS disabled is already small. The number of those users who lack the technical expertise to enable it as needed (and understand when that is necessary — e.g. with a blank or broken page) is probably many, many times smaller.

judge2020 2021-08-19 12:42:40 +0000 UTC [ - ]

The noscript tag is a thing.

toxik 2021-08-19 09:02:41 +0000 UTC [ - ]

Does anyone have a recommendation for a JavaScript whitelisting extension or method for macOS Safari?

2021-08-19 08:25:17 +0000 UTC [ - ]

masklinn 2021-08-19 09:36:30 +0000 UTC [ - ]

> caniuse.com reports [0] 96% support for ES6 classes.

Class fields are a later addition to classes. And completely unnecessary here, it looks. The class fields are just duplicates of the instance fields, which are always filled.

> The other 4% is divided between Internet Explorer, Opera Mini and obsolete versions of every other browser. So I'm trying to figure out what kind of people are using such ancient technology and why?

Unsupported device which can not have recent updates for one reason or another?

jacobkiers 2021-08-19 08:15:07 +0000 UTC [ - ]

I don't know how to do this without JS.

Also, since this was mostly a DNS-focused proof of concept, I don't particularly care about that. Not in this case, at least.

masklinn 2021-08-19 09:35:02 +0000 UTC [ - ]

You don’t have to “do this without JS” but you could have a fallback to tell JS-less users about it. As is they get a blank page and no idea what’s happening.

jacobkiers 2021-08-19 10:22:50 +0000 UTC [ - ]

Fair enough. I have added a fallback.

mobilemidget 2021-08-19 11:52:05 +0000 UTC [ - ]

"100s of requests per second"

DNS works fine at those rates or higher, and you'll use caching DNS servers of ISPs, scales like no other, geo support etc etc. I think it's a great idea for public data.

IncRnd 2021-08-19 06:38:47 +0000 UTC [ - ]

This looks like it was a fun project!

For anyone who wants to research the subject, the class of security vulnerabilities is called DNS tunneling.

luismedel 2021-08-19 11:08:41 +0000 UTC [ - ]

Yes. I recently wrote a Lua-scriptable DNS server called redns[1] (which seems to be a pretty popular name for hobbyist DNS servers, BTW) only to test some of those attacks.

[1] https://github.com/luismedel/redns

IncRnd 2021-08-19 11:26:44 +0000 UTC [ - ]

Nice!

Whenever I see regexes hanging off the Internet, my heart skips a beat! :)

kix53 2021-08-19 11:07:10 +0000 UTC [ - ]

The RR format can be made more efficient. TXT records can contain multiple character strings of up to 255 bytes, and despite their name can contain arbitrary octets. A step further from there would be to use a private use type (65280-65534) so your payload doesn't need to be cut into length byte prefixed chunks.
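To make the RR-format point concrete, an added example (mine, not from the thread) that packs an arbitrary byte payload into TXT RDATA wire format as RFC 1035 section 3.3.14 defines it, one length octet per character-string of at most 255 octets, and unpacks it again. txtOverheadBytes() is the framing cost that a private-use type would avoid. The payload is constructed.

```javascript
// Added example, not from the thread: TXT RDATA wire encoding per RFC 1035
// section 3.3.14. The RDATA is one or more <character-string>s, each a length
// octet followed by that many octets (so at most 255), and the octets are
// arbitrary, which is why a payload does not have to be text.

const MAX_STRING = 255;
const MAX_RDLENGTH = 65535; // RDLENGTH is a 16-bit field

// Extra octets TXT framing costs for an n-octet payload: one length octet per
// chunk (and one for the mandatory empty string when n is 0). A private-use
// type (65280-65534) would carry the payload as-is.
function txtOverheadBytes(n) {
  return Math.max(1, Math.ceil(n / MAX_STRING));
}

// Pack payload (Uint8Array) into TXT RDATA, refusing anything RDLENGTH cannot describe.
function encodeTxtRdata(payload) {
  const total = payload.length + txtOverheadBytes(payload.length);
  if (total > MAX_RDLENGTH) throw new Error(`RDATA would be ${total} octets, limit is ${MAX_RDLENGTH}`);
  const out = new Uint8Array(total);
  if (payload.length === 0) return out; // single empty character-string: [0x00]
  let off = 0;
  for (let i = 0; i < payload.length; i += MAX_STRING) {
    const chunk = payload.subarray(i, i + MAX_STRING);
    out[off++] = chunk.length;
    out.set(chunk, off);
    off += chunk.length;
  }
  return out;
}

// Unpack RDATA into its character-strings, rejecting a truncated last one
// (the check a lenient parser forgets and then reads past the buffer).
function decodeTxtRdata(rdata) {
  const strings = [];
  let off = 0;
  while (off < rdata.length) {
    const len = rdata[off++];
    if (off + len > rdata.length) throw new Error("truncated character-string");
    strings.push(rdata.subarray(off, off + len));
    off += len;
  }
  return strings;
}

function concatBytes(arrays) {
  const out = new Uint8Array(arrays.reduce((n, a) => n + a.length, 0));
  let off = 0;
  for (const a of arrays) {
    out.set(a, off);
    off += a.length;
  }
  return out;
}

// Constructed payload that deliberately contains 0x00 and 0xff octets.
function samplePayload(n) {
  const p = new Uint8Array(n);
  for (let i = 0; i < n; i++) p[i] = (i * 37 + 255) & 0xff;
  return p;
}

// True when an n-octet payload survives encode + decode byte for byte.
function roundTrip(n) {
  const payload = samplePayload(n);
  const back = concatBytes(decodeTxtRdata(encodeTxtRdata(payload)));
  return back.length === payload.length && back.every((b, i) => b === payload[i]);
}

console.log("600-octet payload -> RDATA of", encodeTxtRdata(samplePayload(600)).length, "octets");
console.log("round trip ok:", roundTrip(600));
```

The decoder's truncation check matters on the receiving side regardless of what the record carries: a length octet that runs past the end of the RDATA is malformed input, and it is the kind of thing a fuzzer finds first in hand-written DNS parsers.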

redspl 2021-08-19 13:32:13 +0000 UTC [ - ]

dig @1.1 TXT +short owo{0..201}.xn--kda.waw.pl | sed -E 's/[" ]//g' | base64 -d | mpv -

fsiefken 2021-08-19 09:42:08 +0000 UTC [ - ]

This would be nice for the gemini protocol or something like twtxt as it is more text oriented, one could perhaps use base45 or other base for extra space efficiency. For the ultimate in image compression go avif or svg.

sonicggg 2021-08-19 05:58:58 +0000 UTC [ - ]

What's the point though? I can think maybe of reduced latency, but then you usually have the DNS already cached locally. And that takes me to a second point, won't you run into problems delivering content updates, given that clients will most likely cache DNS entries?

tyingq 2021-08-19 06:04:59 +0000 UTC [ - ]

Highly distributed global CDN for free. You can use a short TTL, though there are lots of misbehaving DNS servers around cache timeouts. "Fetch with DoH" kinda ruins the party, but browsers can't do UDP or non-HTTP TCP.

stayanon1 2021-08-19 06:05:53 +0000 UTC [ - ]

In my mind this is a neat proof-of-concept that shows how you can serve content through some absurd method (in this case serving HTML over DNS). It may not have "a point" beyond just being an example of what's possible!

2021-08-19 07:07:41 +0000 UTC [ - ]

thewakalix 2021-08-19 06:00:08 +0000 UTC [ - ]

Probably "because it's there".

jacobkiers 2021-08-19 06:25:46 +0000 UTC [ - ]

Yes, that's the case indeed.

2021-08-19 06:01:45 +0000 UTC [ - ]