IBDNS: Intentionally Broken DNS server

2024-05-29 16:28 | 23725 | www.afnic.fr

Afnic, the association in charge of the .fr top-level domain and several other French overseas and generic TLDs, announced today the release as free software of its tool named IBDNS, standing for Intentionally Broken DNS.

On the Internet, applications using the DNS (Domain Name System) generally follow the protocol’s technical specifications. But when developing a testing tool or a resolver, it is useful to verify how it behaves when faced with DNS servers that do not comply with those specifications. After all, a good DNS client must be able to handle poorly formed messages or incorrect behaviour of name servers without malfunctioning.

This is where IBDNS comes into play. IBDNS fills a gap in the universe of DNS test tools by offering the possibility of deviating intentionally and on demand from the DNS specifications, and thus simulating incorrect behaviour of authoritative name servers.
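As an added illustration of the robustness requirement described above (this is example code written for this page, not code from IBDNS, Zonemaster or Afnic), here is a minimal DNS response parser that treats the kinds of malformed replies a misbehaving authoritative server might send as reportable errors rather than crashes: truncated records, header counts that promise more records than the message holds, compression-pointer loops, and transaction-id mismatches. The sample messages are constructed inline; the name example.test, the address 192.0.2.1 and the transaction ids are made up for the example.

```python
import struct


class MalformedDNS(ValueError):
    """Raised when a reply violates the wire format; the client reports it instead of crashing."""


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) domain name starting at offset.

    Returns (name, offset_after_name). Follows RFC 1035 compression pointers but
    refuses out-of-bounds jumps and pointer loops, which a naive parser follows forever.
    """
    labels = []
    jumped = False
    end = offset
    seen_pointers = set()
    while True:
        if offset >= len(msg):
            raise MalformedDNS("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # top two bits set: 14-bit compression pointer
            if offset + 1 >= len(msg):
                raise MalformedDNS("truncated compression pointer")
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            if pointer in seen_pointers or pointer >= len(msg):
                raise MalformedDNS("compression pointer loop or out of bounds")
            seen_pointers.add(pointer)
            if not jumped:  # the name ends after the first pointer in the original stream
                end = offset + 2
                jumped = True
            offset = pointer
            continue
        if length & 0xC0:  # 0x40 / 0x80 label types are reserved
            raise MalformedDNS("unsupported label type")
        offset += 1
        if length == 0:  # root label terminates the name
            if not jumped:
                end = offset
            break
        if offset + length > len(msg):
            raise MalformedDNS("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
        if len(labels) > 127:
            raise MalformedDNS("too many labels")
    return ".".join(labels) or ".", end


def parse_response(msg: bytes, expected_id: int) -> dict:
    """Parse header, question and answer sections with bounds checks on every read.

    Authority and additional sections are deliberately not parsed in this example.
    """
    if len(msg) < 12:
        raise MalformedDNS("header shorter than 12 bytes")
    ident, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!6H", msg[:12])
    if ident != expected_id:
        raise MalformedDNS("transaction id mismatch")
    if not flags & 0x8000:
        raise MalformedDNS("QR bit clear: not a response")
    offset = 12
    questions = []
    for _ in range(qdcount):  # the count is untrusted: every read is bounds-checked
        name, offset = _read_name(msg, offset)
        if offset + 4 > len(msg):
            raise MalformedDNS("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        if offset + 10 > len(msg):
            raise MalformedDNS("truncated resource record")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if offset + rdlen > len(msg):
            raise MalformedDNS("RDATA runs past end of message")
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render the IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": ident, "rcode": flags & 0x000F, "tc": bool(flags & 0x0200),
            "questions": questions, "answers": answers}


def safe_parse(msg: bytes, expected_id: int):
    """Client-side wrapper: returns (result, None) or (None, reason) for a bad reply."""
    try:
        return parse_response(msg, expected_id), None
    except MalformedDNS as exc:
        return None, str(exc)


# Constructed sample messages (not captured traffic). example.test / 192.0.2.1 are made up.
_QUESTION = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)  # example.test A IN
_GOOD = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
         + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
SAMPLES = {
    "good": _GOOD,
    "truncated": _GOOD[:-2],                                           # RDATA cut short
    "lying_counts": struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0),    # QDCOUNT=1, no question
    "pointer_loop": struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + b"\xc0\x0c",  # points to itself
    "servfail": struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 0) + _QUESTION,        # RCODE=2
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, safe_parse(msg, 0x1234))
```

Each sample mirrors one way an authoritative server can deviate from the specification; a client built this way degrades to a reported error, which is the behaviour a tool like IBDNS lets you exercise on demand.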

Afnic had initially developed IBDNS to cater to the needs of Zonemaster, its DNS zone health assessment tool designed in collaboration with its Swedish counterpart Internetstiftelsen. This raises the question of how to ensure that Zonemaster gives the right diagnosis in all circumstances. The test suite accompanying Zonemaster to this end relied on zones that were intentionally misconfigured but hosted on standard servers. The method worked well for 90% of the anomalies detected, but the remaining 10% needed a more specific tool. By allowing the anomalies observed on the Internet to be faithfully replicated, which a standard DNS server cannot do, IBDNS further improves the reliability and accuracy of Zonemaster’s diagnostics.

In its initial use case as a testing tool for testing tools, IBDNS aims to reinforce Zonemaster’s position as the benchmark DNS testing tool. Its release as free software reflects the determination to shift gears and have Zonemaster’s unit tests reach a coverage as close as possible to 100%.

Afnic invites anyone who’s interested – be they developers of DNS resolvers, DNS testing tools and more generally tools that interact with authoritative name servers, security auditors for this same category of software applications, researchers interested in the DNS and its implementation, or just people curious about the workings of the DNS – to discover the IBDNS source code on Afnic Labs’ Gitlab server.

Discover the IBDNS source code on Afnic Labs’ Gitlab server

Comments

  • By ResearchAtPlay 2024-05-29 16:42 | 1 reply

    The purpose of this tool is testing if a domain name system follows (or does not follow) the correct specifications:

    IBDNS fills a gap in the universe of DNS test tools by offering the possibility of deviating intentionally and on demand from the DNS specifications, and thus simulating incorrect behaviour of authoritative name servers.

    • By ivan888 2024-05-29 18:59

      To be pedantic, its purpose is for verification testing of systems that allow for testing of the type you describe.

  • By kachapopopow 2024-05-29 17:44

    I absolutely love this. This will be amazing to trigger unexpected behavior in CoreDNS when working with dnsmasq pods that are resolved via wireguard.

    I've had so many issues where I'd lose DNS inside pods and had to reschedule CoreDNS in order for it to start working again, hopefully I can finally trigger this on demand and find a solution for it.

  • By tonetegeatinst 2024-05-29 19:18 | 2 replies

    Somewhat related... I think that while fiber needs to become faster and more affordable and accessible, the other big factor in speed is the latency in DNS. DNS is such a pain to troubleshoot personally, and factors like how long DNS takes play a big role in network speed.

    Also, for the love that all that is holy, some ISP DNS servers just break if you try using ipv6 only which is just saddening.

    • By citrin_ru 2024-05-30 10:54

      > DNS is such a pain to troubleshoot personally

      I have a different experience - you can query each authoritative server directly to troubleshoot a problem (which makes it easier compared to systems where you have a single endpoint and cannot see beyond it).

      Poorly configured ISP recursive servers, though, are a common pain - it is relatively easy to create and maintain a well-working recursive caching DNS, but it looks like ISPs just don't care.

    • By notarealllama 2024-05-30 1:41 | 1 reply

      Got off that 75.75.75.75 (Comcast) train years ago. Just wait until you have an ISP that does port 53 blackholing / redirecting. No bueno.

      • By Operyl 2024-05-30 3:17

        At least DoH is available still for the most part on those ISPs.

HackerNews