WEBVTT

00:00.000 --> 00:25.000
I'm going to talk about something which is not yet DNS, because it happens before DNS is executed. And who am I? I'm a Linux user for some time.

00:26.000 --> 00:35.000
I was a BIND enthusiast, a BIND user at university time, but I have been for some years at Red Hat

00:35.000 --> 00:49.000
now, so I switched to Fedora and I maintain some packages, mostly DNS stuff, and I have also become of a high, it's kind of related to this.

00:50.000 --> 00:54.000
So what was my motivation?

00:54.000 --> 01:07.000
The typical application does not use DNS directly. It uses a libc library, or on Linux, it uses glibc.

01:07.000 --> 01:13.000
And that's typically by calling the getaddrinfo library call.

01:13.000 --> 01:35.000
And the application can specify which addresses it wants to use, and usually those applications also allow the user to specify from the command line if they want to limit it to something, because

01:35.000 --> 01:42.000
that functionality is sometimes needed.

01:42.000 --> 01:55.000
And it's required for link-local IPv6 addresses, because if you want to connect with those somewhere you have to specify

01:55.000 --> 02:07.000
the interface at the address, and this is quite an ugly one. A long time ago we have sometimes only nips now.

02:07.000 --> 02:15.000
So what do we have in getaddrinfo? We have of course the name of the service we want to resolve.

02:15.000 --> 02:32.000
We specify by name or by number the service we are trying to reach, and we can use hints, and that's all.

02:32.000 --> 02:38.000
This will be better because it's the same.

02:39.000 --> 02:49.000
We specify hints, and they are very important for what I'm talking about, because there you specify which kind of addresses you want.

02:49.000 --> 02:57.000
If you don't care and want every address, which is the most common, it should be the most common, but there are some.

02:57.000 --> 03:02.000
I didn't know thank you for my mark and use from IC.

03:02.000 --> 03:15.000
This was specified during the IPv6 addition, kind of, when I was at university a long time ago.

03:15.000 --> 03:23.000
Let's see what we can use there. There are a couple of flags where we can modify something, for example.

03:23.000 --> 03:39.000
You can say don't do DNS at all, this is either an address or a file. We can also specify this is for a listening socket, not connecting somewhere, which is also interesting for me. And finally,

03:40.000 --> 03:48.000
there's the address family, socket type, whether you want TCP or UDP protocol.

03:48.000 --> 03:59.000
I don't know how to use it for anything else than zero, and there are of course these which for hints don't make sense.

03:59.000 --> 04:28.000
So you leave it even empty. Which is interesting, you also receive the canonical name, which is, kind of, if you have a CNAME chain there, you can receive the name of the host how it's called in DNS, the host itself, like the final CNAME target. And because you can receive multiple addresses,

04:28.000 --> 04:36.000
there is a next pointer, and you can receive much more than a single address, that's fine.

04:36.000 --> 04:57.000
Why I even started looking into this: because I was solving the question why we so often generate IPv6 quad-A address queries when nobody really needs them, especially if you are on an IPv4,

04:57.000 --> 05:16.000
IPv4-only network, and that's unfortunately very common. Why does it ask for IPv6 addresses, how will it use them? Because if you go and use connect on a list of those addresses, you have only failure.

05:16.000 --> 05:42.000
So what is it useful for? It seems Windows already restricts them somehow, and Mac OS does it too, and we kind of only on Linux request them all the time, unless the user specified a specific address family, which is not the default in any good application.

05:42.000 --> 06:05.000
And this applies also for IPv6 networks; that's why we should look into that, even though I would like to sometimes have an IPv6-only network as a common thing and call an IPv4-only network

06:05.000 --> 06:16.000
a legacy network. That's not yet true most of the time, and I don't have such a network available at my work nor at my home, so.

06:16.000 --> 06:32.000
And the problem is also IPv6 addresses: stating that they don't exist when they do breaks DNSSEC. That's a problem for me too, I would like DNSSEC used everywhere.

06:33.000 --> 06:49.000
So what if my machine asked only the queries it actually needs? And as I said, if you use connect for results from getaddrinfo, that's the way you want.

06:49.000 --> 07:04.000
But if there is any IPv6 route leading, for example, to a VPN connection only, and otherwise you don't have any

07:04.000 --> 07:22.000
route, you need to start resolving IPv6 addresses too. That's where I think systemd already failed, which had this condition implemented, but they kind of checked the wrong thing, I think.

07:22.000 --> 07:48.000
They tested only the default route, and you should test any route which is not link-local or not a local-host-only address. And if you just prevent asking, that does not break DNSSEC validation, because there was no fake response. I think that's the correct thing.

07:48.000 --> 07:58.000
So I proposed a glibc change by a resolver option, but the problem with that is that it's not merged anyway, so.

07:58.000 --> 08:20.000
This is the proposal, but it doesn't work well on a mobile network when conditions change very quickly; for example, here, if you have flaky Wi-Fi and connect and disconnect often and so on, it needs a faster reaction.

08:20.000 --> 08:38.000
Dynamic changes are best handled if you can process them by a local service, and I started looking at what service we can use for that, and unfortunately I don't know much about them.

08:38.000 --> 09:01.000
The problem is getaddrinfo, how it was defined, is stateless, so it doesn't even detect EDNS0, which is also over 20 years old, and you have to specify it explicitly if you want to use it. That's a shame.

09:01.000 --> 09:19.000
And there is multi-QTYPE support which I would like to see; there is often some non-support for it, and for example they are proposed to be used for

09:19.000 --> 09:27.000
DNS-SD by Apple, which uses it a lot.

09:27.000 --> 09:50.000
But I think it's very useful for AF_UNSPEC, when in fact now we always request an A address and a quad-A address, and I think today

09:50.000 --> 10:15.000
those are also requesting for every single hostname an HTTPS record, which is nice. Handling is somehow there; there is a link if you want to look into it, but it's not implemented anywhere as far as I know, that multi-QTYPE.

10:15.000 --> 10:25.000
So what can we offer, what can we use? Everything is obsoleted or is systemd-resolved, so there are no good choices I know.

10:25.000 --> 10:38.000
So nscd kind of is exactly this: it catches only glibc calls, and it's obsoleted, it does caching, so.

10:38.000 --> 10:59.000
It could be fixed, but I don't know that code. systemd-resolved has also its own plugin and could be used, but at least for me, working with systemd upstream is kind of difficult, and I want to avoid them if I can.

10:59.000 --> 11:27.000
And then I remembered, in old times at the university, I actually configured something called lightweight resolver, that is lwresd, which is implemented, or was implemented, in BIND until 9.11, and unfortunately they dropped the support.

11:27.000 --> 11:37.000
Because of how they implemented it, I think it indeed did not make much sense, but.

11:37.000 --> 11:47.000
There is a problem: the glibc interface, how it's specified now, does not pass

11:47.000 --> 12:03.000
just the address family, and neither can it pass the flags used, which I showed before, so

12:03.000 --> 12:10.000
it can't react on those, and I think it should be fixed, but it's not yet possible.

12:10.000 --> 12:27.000
And that's because of this call. This is what the actual plugin implements, and you see here the name, here is where the responses will be put, the buffer is just for storing the message,

12:27.000 --> 12:37.000
a result code, and it's interesting, here you can see a TTL, but that's not exposed anywhere, so you can't use it.

12:37.000 --> 12:46.000
For example, I think browsers like Firefox need that there to correctly cache the responses.

12:46.000 --> 13:06.000
This is the structure of the response, where you see the family, kind of, where to format it, where you can store addresses, here you can store the scope ID, which you need for link-local resolutions.

13:07.000 --> 13:22.000
And so what is needed, in my opinion: I think we should send a request from the application to some

13:22.000 --> 13:38.000
local service which can maintain some state and do EDNS0 auto-detection, do multi-QTYPE auto-detection, and we should use Unix sockets for that.

13:38.000 --> 14:00.000
Because it offers a quite interesting thing not available in the original implementation, which did not accept queries over a Unix domain socket in the original code.

14:00.000 --> 14:15.000
The good thing on that is you don't share one port with the whole system, so every user can run their own service, which don't have to collide, and then

14:15.000 --> 14:31.000
forward to one common system service and so on. There are quite nice possible ways we can reuse that, so.

14:31.000 --> 14:42.000
I tried to download the code, and I did not know at that moment this was never code by ISC, this was some third party; it died long ago.

14:42.000 --> 15:03.000
It even uses gethostbyname2, which is very long obsoleted; it specifies only the name and address family, and which is not getaddrinfo, it does not contain, for example, that scope ID we need for local resolution.

15:03.000 --> 15:27.000
And it kind of asked only for "give me everything you got by the address family"; that's not actually what I can use, unless I reimplement a very lot of missing stuff, which I plan to do but failed to do so far.

15:27.000 --> 15:40.000
And BIND 9.11 still had the Unix domain support, and people from ISC unfortunately removed that support from later versions, because they don't use it for anything.

15:40.000 --> 15:50.000
I would love to have it back, but I guess I would have to implement it myself, and that would take time.

15:50.000 --> 16:04.000
So as I already said, lwresd never used the Unix domain sockets for accepting queries. I think that should be the only thing it should be doing, and it should not listen on any IP address at all.

16:04.000 --> 16:30.000
It should not do BIND-in-a-root-server emulation, and rely on whatever DNS server was specified in it. It is here itself called, and it was kind of a special named service; it was even only simply the named, compiled from that.

16:30.000 --> 16:45.000
And I had that one version, and why I looked into that is because I still maintain it on RHEL 8, and I kind of know the code, so it was better than other alternatives for me.

16:45.000 --> 17:03.000
What is interesting, it supports different views, including caches; it can have separate caches for separate clients, and I think that's what we want to use.

17:03.000 --> 17:32.000
I already said that BIND has quite an unuseful cache default for just a small service running on a machine whose purpose is something different than doing a cache for the network, so it uses 90% of RAM on that machine, and that's definitely what I don't want to use.

17:33.000 --> 17:42.000
Kind of up to 1% is enough for most of the stuff.

17:42.000 --> 17:57.000
I don't want any DNSSEC validation in this service, because it should be done by whatever DNS cache is running on the same host or on a remote host, it doesn't matter.

17:57.000 --> 18:13.000
And it's listening on something somewhere in /run on a stream socket, because that's the best supported variant on all platforms.

18:13.000 --> 18:22.000
And I think it should not require any configuration at all, just starting it, that would be

18:22.000 --> 18:27.000
how it looks.

18:27.000 --> 18:44.000
Unix socket, and it's kind of very unused, and it's not good for anything, but what is much more interesting are the socket options peer credentials and peer security.

18:44.000 --> 19:02.000
I don't know the context or what it's called, and I used it for a severe fix for other he first when I played, and where I was hit by the thing I did not know at that moment, and that is it is Linux-specific.

19:02.000 --> 19:31.000
It's not implemented the same way on other systems. This is what you can get from every Unix domain client, and this is much more interesting than just the name of the socket used: so you have the process ID of the process which makes the query, you have the UID or, less useful, the group ID, but

19:31.000 --> 19:58.000
the problem is there exists a similar variant from FreeBSD, but it's called a different way, uses a different structure. Kind of, we are mostly interested in the UID and process ID, and we have those; groups are less obvious. Kind of, the manual page is in a different section, so it's kind of

19:58.000 --> 20:03.000
And it has for the grammar.

20:03.000 --> 20:09.000
It should use a different structure also, so we can't use that.

20:09.000 --> 20:35.000
So the socket is not useful, but what is interesting is who is asking. But if we want to look up something user-friendly, we need to do an extra call, and it can contact a remote service which fetches it from somewhere else, so it's not free either, and

20:35.000 --> 20:40.000
kind of includes some delay, which would be unwanted.

20:40.000 --> 20:56.000
But from the process ID you can fetch more interesting details, like what the program asking is; for example, is it ping, is it curl, or is it Firefox, is it something else.

20:56.000 --> 21:19.000
And at least on Linux you can fetch cgroups, which is something systemd uses heavily, and if you want to be Linux-specific you can get the slice, which is kind of user slice or system slice, or get the unit, so you can monitor only a systemd service doing it

21:19.000 --> 21:28.000
by multiple processes, different processes, and you can watch what this unit is asking

21:28.000 --> 21:42.000
for queries, and you can do this only by DNS protocol over Internet Protocol, even to localhost.

21:42.000 --> 21:54.000
And the great thing is it can be something like option location before your application, even though it's DNS itself.

21:54.000 --> 22:02.000
And if it can answer from cache, it doesn't need any configuration at all.

22:02.000 --> 22:22.000
Except watching it yourself, because it should rely on that. And some cool feature would be, if you can run the service as the user yourself, it can watch your own files and you can customize the addresses you want.

22:22.000 --> 22:39.000
You can even use some service managing some kind of special records, which is not possible now as far as I know, and it would be from time to time important for me.

22:39.000 --> 22:53.000
And of course you can use this for creating a block list as an advanced user on the system, which I think would be cool also.

22:53.000 --> 23:08.000
And you can use it for watching changes, for example, so you then don't have to do an action and it should be always up to date.

23:08.000 --> 23:27.000
And I don't know if you know what SELinux is. SELinux is kind of a thing we use on Fedora and can stop even a root user process from touching some selected files or something.

23:27.000 --> 23:43.000
And we can use the Unix domain sockets to restrict local processes from asking for remote names in a very similar way, because we can ask, among other things, for the remote credentials.

23:43.000 --> 23:50.000
Okay, time is up, but I'm kind of finished.

23:50.000 --> 24:12.000
Yeah, yeah, and you can use it for LLMNR or mDNS requests, because that's a protocol on a non-specific interface anyway, so you then have to present something. So that's it, are there any questions?

24:12.000 --> 24:19.000
There's no time, no time for, no solution.

