DNS is beautiful

  • Published on 15 May 2024
  • DNS, or the Domain Name System, despite its drawbacks, is brilliantly designed for scale. We can learn a few lessons from this protocol, especially when designing our own apps. In this episode of the Backend Engineering Show I go through how DNS works, its pros and cons, and attacks that have happened on this system.
    0:00 Intro
    2:00 Overview DNS
    7:40 How DNS works (Details)
    15:44 DNS uses UDP
    19:30 DNS Poisoning
    24:10 Is DNS really distributed?
    26:30 How Attackers Abuse DNS
    30:30 How Chrome overloaded the ROOT servers for 12 years
    Resources
    blog.apnic.net/2020/08/21/chr...
    www.cloudflare.com/learning/d...
    www.cloudflare.com/learning/d...
    blog.cloudflare.com/sad-dns-e...
    / dependency-confusion
    Stay Awesome,
    Hussein
  • Science & Technology

Comments • 74

  • @hnasr
    @hnasr  2 years ago +4

    Get my Fundamentals of Networking for Effective Backends udemy course Head to network.husseinnasser.com (link redirects to udemy with coupon)

  • @briandsouza1550
    @briandsouza1550 2 years ago +33

    Your content is so worth the time! Thank you for making it captivating in your own unique way. I'm a network engineer and I can't tell you how much what you say helps me expand my horizons!

  • @rohrvy1989
    @rohrvy1989 2 years ago +8

    First I thought OK, it was just DNS basics... but as you progressed through and explained DNS cache poisoning and the Chrome bug... it became a video worth watching

  • @WiktorJurek
    @WiktorJurek 2 years ago +7

    Love it! You always get taught about DNS, but you never get taught about the sheer brilliance to be able to deliver such a service *at scale*. Thanks, Hussein.

  • @faizalimuhammadzoda4731
    @faizalimuhammadzoda4731 2 years ago +2

    Love it. Thanks for taking time to make this precious tutorial.
    BTW, you seem to feel so relaxed when you talk.

  • @abhi9811206369
    @abhi9811206369 2 years ago +1

    What an amazing and insightful video!

  • @randompandit3208
    @randompandit3208 2 years ago +1

    your channel is a gold mine

  • @derickasamani5730
    @derickasamani5730 2 years ago +3

    As a network engineer I just love hearing Hussein's take on DNS, it makes me appreciate some of the decisions developers have to make.

  • @eyondev
    @eyondev 2 years ago +2

    I was just having DNS problems the other day. I hope this will be useful.

  • @kalpakHere
    @kalpakHere 2 years ago +1

    There's nothing without problems, at the end of the day.
    Nice way to wrap it all up :)

  • @Crupanshu
    @Crupanshu 2 years ago

    Really nice insights...
    FYI I'm definitely going to look up for "Grandma for Hire" at least on surface web.

  • @tamatawanavu
    @tamatawanavu 2 months ago

    There might be more.....not sure! LOL love it.

  • @g3n3ricnam35
    @g3n3ricnam35 a year ago +1

    My only question is, how does the tld server know the authoritative server is the right one for the domain?

  • @huh_wtf
    @huh_wtf 2 years ago

    real nice!

  • @KangJangkrik
    @KangJangkrik 2 years ago +1

    Professor, when is the deadline?

  • @emtee5994
    @emtee5994 2 years ago

    ODBC inclination of thoughts. Nice.

    • @hnasr
      @hnasr  2 years ago +1

      You noticed!

    • @emtee5994
      @emtee5994 2 years ago

      I did!

    • @emtee5994
      @emtee5994 2 years ago

      I'm looking for things to do to grow and going through your content is enlightening.
      Thank you.

  • @Mikhai_nik
    @Mikhai_nik 2 years ago

    I use G-core's DNS hosting. 10-15 ms. Unlike Cloudflare, you can configure DNS balancing by coordinates. Balancing by IP, ASN, countries, or continents with GeoDNS. DNS is still the coolest thing

  • @kornelijussliubauskas8299
    @kornelijussliubauskas8299 2 years ago +6

    I might think this would sound deadly simple to understand for some, but through my self-taught programming journey I still have no colorful view of base64 encoding. Peeked at your channel and didn't find anything about it. So asking you a favor for creating a video about base64 encoding, what problems it "was" solving and the current benefits of it. Thank you.

    • @hnasr
      @hnasr  2 years ago +8

      Sure! It is basically taking any binary blob and making it into a string of a subset of characters (a-z 0-9). The main use case is getting rid of special characters such as % and spaces and making it into a simple string that everyone understands. In the example I mentioned, environment vars will have special chars, spaces, etc., so hackers in this case took all that and base64
      Eg
      This is a base 64 string RW5jb2RlIHRoaXMgIiRwZWNpYWwgc3RyaW5nIg==
      Which is converted from this text
      Encode this "$pecial string"
      Play with it here amp.base64encode.org
      Hope that helps

    • @almostcertainlynotapotato6528
      @almostcertainlynotapotato6528 2 years ago

      @hnasr So base64 is like sha256 but reversible?

    • @kornelijussliubauskas8299
      @kornelijussliubauskas8299 2 years ago

      @hnasr So if a binary blob is being transported, no matter what layer 4, layer 7 is in count, it always has to be encoded in base64 for the convenience of parsing it at one end so it's platform agnostic? It's funny to say because so far everything seems to make sense for me talking about networking, but this base64 is just... :DD

    • @SlackerVez
      @SlackerVez 2 years ago

      @kornelijussliubauskas8299 It's not so much about ease of parsing or being platform agnostic, as it is about getting the blob through intact. Many communication channels are not binary safe (i.e. control characters in terminals, CRLF conversion on Windows), so base64 trims down the character set in a way that any two bytes can be represented using three "plain text" characters, minimising the chances the data gets mangled in transit. It's a more efficient version of turning the bytes into a string of hexadecimal values, as base64 has a size overhead of 50% whereas hexadecimal notation has an overhead of 100% (doubling the size). Either way, once decoded, you now have your binary blob elsewhere, but unless you're just piping it out to disk / network, you still need to process it in whatever potentially platform specific way it may require. All the lower layer networking is binary-safe, base64 mostly helps overcoming application protocols that look for control characters in the byte stream and modify it in transit.
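
Added example (not part of any commenter's post, and not code from the video): a from-scratch base64 encoder and decoder in Python for the base64 replies above. It shows that the encoding reverses without any key, unlike a SHA-256 digest, and measures the output size against hex for the same input. `BLOB` is constructed sample data and the function names are hypothetical.

```python
import base64
import hashlib

# Standard base64 alphabet (RFC 4648): 64 symbols, 6 bits each.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def b64encode_manual(data: bytes) -> str:
    """Pack each 3-byte group into 24 bits and emit four 6-bit symbols."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                      # 0, 1 or 2 missing bytes
        n = int.from_bytes(chunk + b"\x00" * pad, "big")
        chars = [ALPHABET[(n >> s) & 0x3F] for s in (18, 12, 6, 0)]
        if pad:
            chars[4 - pad:] = "=" * pad           # mark the padded symbols
        out.append("".join(chars))
    return "".join(out)

def b64decode_manual(text: str) -> bytes:
    """Reverse the mapping; no key or secret is involved."""
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        n = 0
        for ch in quad:
            n = (n << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)

def size_report(data: bytes) -> dict:
    """Output sizes for the same input under each transformation."""
    return {
        "raw": len(data),
        "base64": len(b64encode_manual(data)),         # 4 chars per 3 bytes
        "hex": len(data.hex()),                        # 2 chars per byte
        "sha256": len(hashlib.sha256(data).digest()),  # always 32 bytes
    }

SAMPLE = b'Encode this "$pecial string"'    # the text quoted in the thread
BLOB = bytes(range(256)) * 3                # constructed: every byte value

if __name__ == "__main__":
    print(b64encode_manual(SAMPLE) == base64.b64encode(SAMPLE).decode())
    print(b64decode_manual(b64encode_manual(BLOB)) == BLOB)
    print(size_report(BLOB))
```

For the 768-byte `BLOB` the report gives 1024 base64 characters, 1536 hex characters and a 32-byte digest; the digest has a fixed length whatever the input, which is why it cannot be reversed the way the encoding can.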

  • @gugocharade
    @gugocharade 2 years ago

    Let's say I have a company which has a private network and I want a DNS server, how can I do that?

  • @poiiihy
    @poiiihy 2 years ago +6

    Instead of partitioning with TLDs, couldn't they have partitioned by letters of the domain? Like as if the first or last letter was a TLD without the dot.

    • @hnasr
      @hnasr  2 years ago +11

      I see, your idea is to replace the TLD with the first character of the domain, so there will be a fixed number of 26 partitions only. The root servers will return the IP address of a partition server. And the partition server will return the authoritative name server IP.
      For example, resolving hussein will ask the root server for an “h” server, of which there will be many; the client connects to the h server and asks for hussein, and gets back the authoritative name server, which will have the IP address of hussein.
      Subdomains will be asked from the authoritative name server.
      We can even add an additional layer of partitioning in case one letter gets too large.
      I love the idea. Might work! (Btw I love comments like this which challenge what we have today)

    • @vikingthedude
      @vikingthedude 2 years ago +1

      Interesting idea. This would also mean we're coupling the name we want with the DNS nameservers. If there was ever a reason we'd want to avoid a certain nameserver, we'd have to mostly change our site's name. This is opposed to the current situation where we'd just have to change the tld part of our site's name.

    • @gamer-gw9iy
      @gamer-gw9iy 2 years ago

      This would centralize DNS unless the tld was also partitioned or the full domain list was made public somewhere, eg each domain registrar posted a list of all their domains and IP addresses so that anyone could run their own 'h' master server 🤔

  • @BennyKleykens
    @BennyKleykens 2 years ago

    DNS never goes down. That's the beauty of it. Just like the Internet never goes down.

  • @maximus6884
    @maximus6884 2 years ago

    Btw, how could DNS spoof work in modern internet as browsers check for certificates?

    • @mateuscanelhas5662
      @mateuscanelhas5662 2 years ago +1

      By default, browsers used to try and initiate a plain http connection. Only when the origin responded with the availability of https would it try and upgrade the connection.
      This has been very recently changed - Not sure how this works with these in place.

    • @maximus6884
      @maximus6884 2 years ago

      @mateuscanelhas5662 I see. Is it still the case may I ask?

    • @mateuscanelhas5662
      @mateuscanelhas5662 2 years ago

      @maximus6884 It is not. th-cam.com/video/XrlfX0duLKQ/w-d-xo.html

    • @poiiihy
      @poiiihy 2 years ago

      Wtf where'd my comment go

    • @maximus6884
      @maximus6884 2 years ago

      @poiiihy YouTube deletes.

  • @MukeshKumar-vv3wd
    @MukeshKumar-vv3wd a year ago

    I really like your videos, but it would be better if you show some tools / code and demonstrate whatever you're saying.

  • @sfsf285
    @sfsf285 2 years ago +1

    'DNS is beautiful'
    no you're beautiful

  • @peterszarvas94
    @peterszarvas94 2 years ago +4

    So Google was DDoS-ing the DNS root servers for 10 years, haha

  • @zainabalhaidary
    @zainabalhaidary 2 years ago +4

    Who here made it to the grandmas for hire part? 😅

  • @bubulray1106
    @bubulray1106 2 years ago +2

    Damn... Those attackers who hacked apple really got big brains. 😂

  • @WhyAreThereHandlesNow87
    @WhyAreThereHandlesNow87 2 years ago +1

    For Grandma

  • @__nitinkumar__
    @__nitinkumar__ 2 years ago

    First, non emoji comment.

  • @noirmax1083
    @noirmax1083 2 years ago

    😋😋😋

  • @_just_for_fun_4472
    @_just_for_fun_4472 2 years ago +5

    Can you please shorten the length of videos

    • @shantanu9412015407
      @shantanu9412015407 2 years ago +2

      This takes out the major fun in this way. It's just asking someone to change the style of their teaching which made them popular. What makes him stand out is this way of his.

    • @iulians1993
      @iulians1993 2 years ago +3

      I skipped a lot of videos of this man because of their length. I see so many good feedbacks in the comments, but I don't really feel like I get that precious information from here.

    • @dragon_warrior_
      @dragon_warrior_ 2 years ago +6

      @iulians1993 for me it was totally opposite of what you said. Depends on person to person and their domain knowledge...

    • @zainabalhaidary
      @zainabalhaidary 2 years ago +1

      I think the length of the video is perfect to go into enough details

    • @harsiddhdave44
      @harsiddhdave44 a month ago +1

      Lengthy videos ensure enough details in it. This is much needed!

  • @phill13able
    @phill13able 2 years ago +1

    Bro started the video as though his wife died or something. lol

  • @maximus6884
    @maximus6884 2 years ago

    I love your explanation on DNS - but I do not agree that DNS is beautiful. Its design is beautiful; however, DNS itself is evil. WEB2 is broken and WEB3 is invented strongly because of DNS problems. Big governments own the entire internet and the entire internet is broken because of DNS. Why? Because DNS is controlled by a single entity. And that entity loves to keep all power to itself. For this reason, the WEB2 cannot be decentralized, can be easily blocked and it can NEVER be secure. Comes IPFS addressing all of these issues in WEB3.

    • @botsoycabis4642
      @botsoycabis4642 2 years ago +1

      really? web3 is live?

    • @botsoycabis4642
      @botsoycabis4642 2 years ago

      web3 should replace web2 right now then

    • @gyroninjamodder
      @gyroninjamodder 2 years ago +1

      DNS is not controlled by a single entity. It is controlled by all of the name servers your query hits. Nothing prevents you from setting up your own root name servers. Even though the main root nameservers are run by ICANN, there really hasn't been an issue even though it's centralized. IPFS uses content based addressing which is separate from just using a simple name.

    • @big-t2060
      @big-t2060 2 years ago

      @gyroninjamodder DNS is centrally controlled; just try to reach, say, RT or Sputnik using a DNS server located in the European Union...

    • @gyroninjamodder
      @gyroninjamodder 2 years ago

      @big-t2060 Are you saying that European ISPs' nameservers censor it? I recommend using 8.8.8.8 or 1.1.1.1 instead in that case. It's even better to use DoH if you are worried about that.

  • @yesyas5972
    @yesyas5972 10 months ago

    I really enjoy this video, thanks for the video