[00:00.000 --> 00:09.000]  Hello, everybody. Welcome to our last talk of the day. This is Peter Lowe.
[00:09.000 --> 00:12.000]  Am I going to be able to see them on the screen as well?
[00:12.000 --> 00:13.000]  No.
[00:13.000 --> 00:14.000]  Okay, I can look around.
[00:14.000 --> 00:15.000]  Yeah.
[00:15.000 --> 00:19.000]  Hello, this is Peter Lowe. He will be showing us many of the weird things people have done
[00:19.000 --> 00:23.000]  with DNS to finish our day.
[00:23.000 --> 00:24.000]  Thank you.
[00:24.000 --> 00:29.000]  The first thing I should say is that this presentation normally takes about 40 minutes
[00:29.000 --> 00:32.000]  because there's quite a lot of things to see, so I'm going to be running through it.
[00:32.000 --> 00:38.000]  It's going to be a whirlwind tour of bizarre and unusual things that people have done with DNS.
[00:38.000 --> 00:40.000]  Okay, so I'm going to skip through some of this stuff.
[00:40.000 --> 00:41.000]  This is all about who I am.
[00:41.000 --> 00:44.000]  Normally, I talk about myself a little bit, but nobody's really interested in that.
[00:44.000 --> 00:47.000]  You've come to see the weird stuff, right?
[00:47.000 --> 00:49.000]  I'm a security researcher.
[00:49.000 --> 00:52.000]  I do DNS stuff, basically.
[00:52.000 --> 00:54.000]  Bunch of different titles for this.
[00:54.000 --> 00:56.000]  Not very click-baity.
[00:56.000 --> 00:58.000]  This is a sort of intro to DNS.
[00:58.000 --> 01:02.000]  I'm assuming that everybody kind of knows what that is here, so we'll skip over that.
[01:02.000 --> 01:07.000]  And this is how it all started, which is part of the DNS abuse special interest group.
[01:07.000 --> 01:14.000]  For first, I'm the co-chair John Todd from Quad9 joked about some malware distribution via DNS,
[01:14.000 --> 01:16.000]  and we thought, oh, that's not possible.
[01:16.000 --> 01:17.000]  Wait, hang on.
[01:17.000 --> 01:23.000]  So I started going and collecting some other stuff.
[01:23.000 --> 01:25.000]  Yes, a lot of these aren't around anymore.
[01:25.000 --> 01:29.000]  Unfortunately, it's kind of like a museum of weird DNS things.
[01:29.000 --> 01:32.000]  Some of them still work, but there's a bunch of links at the end.
[01:32.000 --> 01:39.000]  If you're interested in any of these, I've tried to put resources and links to everything that you'll see.
[01:39.000 --> 01:41.000]  So first section, trace routes.
[01:41.000 --> 01:46.000]  Not 100% DNS, but basically it works by setting up a static route
[01:46.000 --> 01:50.000]  and then making sure that the reverse DNS maps back to something interesting.
[01:50.000 --> 01:56.000]  So this was one of the first things I ever saw, the Star Wars intro via DNS.
[01:56.000 --> 01:58.000]  It was by a guy called Ryan.
[01:58.000 --> 02:02.000]  I'm going to be looking up at here as well, by the way, because I can't remember all the details with these.
[02:02.000 --> 02:09.000]  Ryan Werber from Beald on it in 2013, it was one of the things I saw and thought, oh, how does that work?
[02:09.000 --> 02:14.000]  And it kind of got me interested in some of the stranger parts of DNS.
[02:14.000 --> 02:17.000]  There's an IPv6 version out there somewhere.
[02:17.000 --> 02:23.000]  It went down very quickly because of a DDoS, typical for a lot of these things, unfortunately.
[02:23.000 --> 02:28.000]  There is this one, which is hand.bb0.nl.
[02:28.000 --> 02:32.000]  This, as you can see, displays a hand, and it's done over IPv6.
[02:32.000 --> 02:36.000]  If you increase the number of hops, it does get more interesting as it goes on.
[02:36.000 --> 02:42.000]  This is the only space I had for on the slide, so, yeah.
[02:42.000 --> 02:46.000]  Sebastian Haas, who will be featured multiple times in this presentation.
[02:46.000 --> 02:49.000]  I hope he's here, but if not, hi, Sebastian.
[02:49.000 --> 02:57.000]  He put up a thing where you could trace it and find the live scores from the Euro 2020 match, which was pretty impressive.
[02:57.000 --> 03:07.000]  He also wrote a thing called Fake Root, or Faker Tea, which allows you to set up IPv6 routes on your local machine.
[03:07.000 --> 03:09.000]  This is another one from MakerForce.
[03:09.000 --> 03:15.000]  This is some alternate lyrics to American Pie, which I'm sure you're all familiar with.
[03:15.000 --> 03:22.000]  Bad Horse, if anybody here is a fan of Dr. Horrible Singalong, there is a semi-famous thing in it called Bad Horse,
[03:22.000 --> 03:26.000]  where he sings a little song, and we have the lyrics here.
[03:26.000 --> 03:32.000]  If you go and have a look at the SSL certificate chain for Bad.Horse, yeah, signed up Bad.Horse,
[03:32.000 --> 03:35.000]  there's a Lalisa Reg there as well.
[03:35.000 --> 03:39.000]  This is a screenshot of Dr. Horrible.
[03:39.000 --> 03:45.000]  And the first time I did this, Andrew Campling, who's an encrypted DNS guy and other stuff,
[03:45.000 --> 03:48.000]  he said, let's put something festive in so I went out and had a look.
[03:48.000 --> 03:52.000]  And of course, someone's done a Christmas tree, so there's not one.
[03:52.000 --> 03:55.000]  Toys and Toys.
[03:55.000 --> 04:00.000]  One of the first things I found was at Postel.org, which I think is a great place to be hosting something interesting.
[04:00.000 --> 04:02.000]  It's a calculator.
[04:02.000 --> 04:07.000]  It's not as good as Stefan Bolzmeier's, where you can actually put the plus character in,
[04:07.000 --> 04:09.000]  and it's not around anymore.
[04:09.000 --> 04:10.000]  I put this.
[04:10.000 --> 04:12.000]  There's a reverse Polish calculator out there.
[04:12.000 --> 04:18.000]  Apparently, this is a reverse Polish calculator, so it shows how much I know about maths.
[04:18.000 --> 04:20.000]  This is one of the more interesting ones.
[04:20.000 --> 04:22.000]  There's a bunch of different versions of this.
[04:22.000 --> 04:24.000]  It's a local IP echo.
[04:24.000 --> 04:26.000]  It tells you what your public-facing IP address is.
[04:26.000 --> 04:29.000]  It's actually quite useful because in scripts,
[04:29.000 --> 04:32.000]  instead of just doing a curl request in my IP.org or whatever,
[04:32.000 --> 04:38.000]  this is going to get an answer much quicker and it's much more easily scriptable.
[04:38.000 --> 04:42.000]  Yes, this one is the MyIP service from Google.
[04:42.000 --> 04:46.000]  As everybody knows, Google is famous for discontinuing services,
[04:46.000 --> 04:49.000]  but they're never going to let the DNS service go.
[04:49.000 --> 04:51.000]  So, yeah.
[04:51.000 --> 04:57.000]  There's some tools here for network admins, some IP to ASN translators, lots of different options.
[04:57.000 --> 05:04.000]  There's Team Cummry. There's an example here. There's some other ones out there if you go looking for them.
[05:04.000 --> 05:06.000]  There is an example here.
[05:06.000 --> 05:08.000]  I think this is from Tony Finch.
[05:08.000 --> 05:11.000]  This is postcodes, which will translate them to...
[05:11.000 --> 05:13.000]  Oh, and Jan-Pitt means...
[05:13.000 --> 05:15.000]  Sorry.
[05:15.000 --> 05:19.000]  This will give you the geolocation for postcodes in the UK.
[05:19.000 --> 05:21.000]  I think Jan-Pitt did some...
[05:21.000 --> 05:26.000]  Oh, yeah. This is also the airport codes, I think.
[05:26.000 --> 05:28.000]  I'm also missing my talk...
[05:28.000 --> 05:31.000]  Speaker notes, by the way, so forgive me for this.
[05:31.000 --> 05:33.000]  And DNS top toys. This is a great site.
[05:33.000 --> 05:36.000]  They put up a bunch of different things that you can look at.
[05:36.000 --> 05:38.000]  There's world time, IP Echo, another one.
[05:38.000 --> 05:41.000]  Number two words. I genuinely don't know what this is useful for.
[05:41.000 --> 05:45.000]  I don't know why anybody would use it, but it's kind of fun to have it.
[05:49.000 --> 05:50.000]  This is one of my favorite ones.
[05:50.000 --> 05:52.000]  I'm quite a fan of geocaching.
[05:52.000 --> 05:55.000]  I don't know if you guys know about it, but it's like Pokemon Go for geeks.
[05:55.000 --> 05:59.000]  And you get to go out in the world and find things that are out there.
[05:59.000 --> 06:03.000]  There is one geocache which has the author of Mocha Petrius,
[06:03.000 --> 06:06.000]  but it's unfortunately not Dr. Paul Mocha Petrius.
[06:06.000 --> 06:08.000]  This is, again, Sebastian Haas, I think.
[06:08.000 --> 06:12.000]  And it's basically a host name, and if you look up the text record for it,
[06:12.000 --> 06:14.000]  it gives you the hint for the first part of the geocache,
[06:14.000 --> 06:16.000]  which is, I love it, personally.
[06:16.000 --> 06:19.000]  There's a text adventure out there.
[06:19.000 --> 06:21.000]  This is very cool.
[06:21.000 --> 06:24.000]  I mean, this is what you want from DNS, right?
[06:24.000 --> 06:29.000]  A guy called Craig Mayhew, you look up different host names,
[06:29.000 --> 06:31.000]  and it gives you different options,
[06:31.000 --> 06:35.000]  and he uses round-robin DNS for random decision trees.
[06:35.000 --> 06:38.000]  So it's pretty cool.
[06:38.000 --> 06:40.000]  Tunneling.
[06:40.000 --> 06:43.000]  OK, so people's definition of tunneling varies, right?
[06:43.000 --> 06:46.000]  It could be a simple kind of like C2 communication,
[06:46.000 --> 06:49.000]  or it could be full file extraction over DNS.
[06:49.000 --> 06:51.000]  I've got some examples here.
[06:51.000 --> 06:53.000]  If you want to discuss what tunneling means exactly,
[06:53.000 --> 06:57.000]  let's meet afterwards and fight.
[06:57.000 --> 07:01.000]  This is an intro to tunneling, which I found from Slashdot in 2000,
[07:01.000 --> 07:04.000]  but the general concept is the same.
[07:04.000 --> 07:07.000]  Wikipedia over DNS by a guy called David Ledbetter.
[07:07.000 --> 07:09.000]  This is very cool.
[07:09.000 --> 07:11.000]  It actually supports Unicode as well.
[07:11.000 --> 07:13.000]  I don't think it works anymore, unfortunately,
[07:13.000 --> 07:16.000]  but it is basically, he took a local copy of the XML dump
[07:16.000 --> 07:19.000]  and then installed it, I think, on Power DNS,
[07:19.000 --> 07:22.000]  and you could look up pages via that.
[07:22.000 --> 07:26.000]  Blogging, another very cool example where you look up,
[07:26.000 --> 07:29.000]  you publish text records, and that is your static blog.
[07:29.000 --> 07:33.000]  I love it because it's going to be fast.
[07:33.000 --> 07:35.000]  It actually works.
[07:35.000 --> 07:37.000]  From a blog, all you really want is the content.
[07:37.000 --> 07:39.000]  So, yeah, you can get the index.
[07:39.000 --> 07:41.000]  You can get, look up specific posts,
[07:41.000 --> 07:45.000]  or order them by recently post, really recently posted.
[07:45.000 --> 07:48.000]  OK, so now we're getting a little bit more into the words.
[07:48.000 --> 07:50.000]  This is IP over DNS.
[07:50.000 --> 07:53.000]  There is a library out there called Iodine,
[07:53.000 --> 07:57.000]  which is the chemical element number 53,
[07:57.000 --> 07:59.000]  which is appropriate.
[07:59.000 --> 08:03.000]  It does full IP over DNS.
[08:03.000 --> 08:07.000]  There's some examples of how this can be used later on.
[08:07.000 --> 08:09.000]  I don't, I'm getting to the point where I lose words
[08:09.000 --> 08:11.000]  about how to describe this kind of stuff.
[08:11.000 --> 08:13.000]  I mean, it's all brilliant, but this is like,
[08:13.000 --> 08:15.000]  yeah, I don't know.
[08:15.000 --> 08:21.000]  HTTP over DNS, so we're getting even more crazy here.
[08:21.000 --> 08:23.000]  This is browser tunnel.
[08:23.000 --> 08:25.000]  It's actually quite useful for some things
[08:25.000 --> 08:27.000]  if you're in certain situations like an airport
[08:27.000 --> 08:30.000]  or something like that where things might be a bit restricted.
[08:30.000 --> 08:32.000]  This is basically how it works.
[08:32.000 --> 08:35.000]  It does raise the interesting concept of,
[08:35.000 --> 08:37.000]  if you're familiar with DNS over HTTPS,
[08:37.000 --> 08:41.000]  HTTP over DNS over HTTPS.
[08:41.000 --> 08:46.000]  So, yeah.
[08:46.000 --> 08:48.000]  This is pretty cool.
[08:48.000 --> 08:52.000]  It's called Slow DNS and it's a full VPN over DNS
[08:52.000 --> 08:56.000]  which is in the Google Android, the Google Play Store.
[08:56.000 --> 08:58.000]  I haven't used it because it does include ads
[08:58.000 --> 09:01.000]  and I've never actually got the courage to check it out properly.
[09:01.000 --> 09:04.000]  But I think it's the kind of thing that can really work
[09:04.000 --> 09:06.000]  in airports and other restricted areas.
[09:06.000 --> 09:09.000]  So it's, you run it and it's a VPN
[09:09.000 --> 09:12.000]  that lets you access the internet and it works over DNS.
[09:12.000 --> 09:14.000]  So a lot of places DNS is going to be unrestricted
[09:14.000 --> 09:17.000]  and this is going to help you out in those situations.
[09:17.000 --> 09:19.000]  The ads thing, well, you know, give it a go,
[09:19.000 --> 09:22.000]  but the concept is amazing.
[09:22.000 --> 09:24.000]  Another library that I found really cool
[09:24.000 --> 09:26.000]  is called DNS Cat 2.
[09:26.000 --> 09:28.000]  You install a server and you install a client
[09:28.000 --> 09:30.000]  and then they communicate to each other over DNS packets.
[09:30.000 --> 09:33.000]  You don't have to have an actual domain working at all.
[09:33.000 --> 09:35.000]  You don't have to register a domain.
[09:35.000 --> 09:37.000]  It just uses the DNS protocol
[09:37.000 --> 09:40.000]  and it's got a bunch of built-in functions
[09:40.000 --> 09:42.000]  like sending files and windows and messages
[09:42.000 --> 09:43.000]  and stuff like that.
[09:43.000 --> 09:44.000]  It's very cool.
[09:44.000 --> 09:45.000]  This is still on GitHub.
[09:45.000 --> 09:46.000]  There's a link at the end.
[09:46.000 --> 09:48.000]  You'll see.
[09:48.000 --> 09:50.000]  And a few other things.
[09:50.000 --> 09:51.000]  How much time?
[09:51.000 --> 09:53.000]  Oh, am I out of time?
[09:53.000 --> 09:55.000]  Okay.
[09:55.000 --> 09:57.000]  The benefits of being the last person speaking.
[09:57.000 --> 09:59.000]  Corey Quinn talked about how you can use DNS
[09:59.000 --> 10:02.000]  as a full config management system.
[10:02.000 --> 10:05.000]  This is the BIMI brand indicators,
[10:05.000 --> 10:07.000]  which works over DNS.
[10:07.000 --> 10:10.000]  It uses TXT records, which start with underscore BIMI.
[10:10.000 --> 10:12.000]  A full contacts database.
[10:12.000 --> 10:15.000]  Somebody in the UK has created a whole protocol
[10:15.000 --> 10:18.000]  and used it to put the yellow pages online
[10:18.000 --> 10:21.000]  and they've got an SDK and all sorts of crazy stuff.
[10:21.000 --> 10:23.000]  There is dskv.com.
[10:23.000 --> 10:25.000]  This is a full key value store.
[10:25.000 --> 10:26.000]  This works.
[10:26.000 --> 10:27.000]  This guy is quite dedicated to it.
[10:27.000 --> 10:28.000]  I have to say I'm quite impressed.
[10:28.000 --> 10:29.000]  It's a really good documentation.
[10:29.000 --> 10:31.000]  Go check it out.
[10:31.000 --> 10:34.000]  A file system over DNS.
[10:34.000 --> 10:36.000]  Yeah.
[10:36.000 --> 10:37.000]  I know.
[10:37.000 --> 10:38.000]  Right?
[10:38.000 --> 10:39.000]  I mean, why not?
[10:39.000 --> 10:40.000]  Okay.
[10:40.000 --> 10:43.000]  Ben Cox was in the audience when I did this presentation once
[10:43.000 --> 10:47.000]  and I had to say I totally lost my...
[10:47.000 --> 10:49.000]  It's amazing.
[10:49.000 --> 10:52.000]  And there's an example of him on Twitter streaming named P3
[10:52.000 --> 10:54.000]  over DNS and it working.
[10:54.000 --> 10:57.000]  It's just a magical...
[10:57.000 --> 10:58.000]  Here you go.
[10:58.000 --> 11:00.000]  Here's the links at the end and questions.
[11:00.000 --> 11:01.000]  There you go.
[11:01.000 --> 11:08.000]  Thank you.
[11:08.000 --> 11:12.000]  Any questions for Peter?
[11:12.000 --> 11:13.000]  No?
[11:13.000 --> 11:14.000]  No.
[11:14.000 --> 11:15.000]  Thank you Peter.
[11:15.000 --> 11:17.000]  Thank you all for being here.
[11:17.000 --> 11:35.000]  Have a good day.