HTML over DNS: Serving Blog Content over DNS

155 points by mijndert, almost 4 years ago

18 comments

jacobkiers, almost 4 years ago
Author here: I made it as a proof of concept, just because I could.

I used DoH because to the best of my knowledge it's not possible to open raw sockets from the browser. Otherwise I'd have done that.

I don't think there's any practical use. And I did not intend it to have any.

p4bl0, almost 4 years ago
Well the content is stored in a DNS Zone file but it is requested using JavaScript to an external HTTP API. I wouldn't really call that HTML *over* DNS but rather "DNS Zone as blog database".

Anyway, this made me think of iodine [1], an IP over DNS solution, which I still run on my main server even though it has a lot less use now than it had until a few years ago when there were a lot of open wifi with captive portals and way less 4G available.

[1] https://code.kyro.se/iodine/

xg15, almost 4 years ago
The HTML bit is fun, but the more remarkable takeaway for me is that DoH servers accept cross-origin requests from ordinary javascript. This means two things:

- A website can bring its own DoH client and bypass both the OS resolver *and* the browser's trusted DoH resolver for anything except the initial page request.

- Any website can now access the full DNS information of any domain: Not just A/AAAA records, but also TXT, MX, SRV etc. Record metadata such as TTLs likewise.

All of that without requiring any backend infrastructure or exotic web API. It's literally just a static HTML file and fetch().

That's a genuinely new capability that wasn't available to websites before public DoH servers became available. I'm no security expert, but this smells like it should have some implications for web security.

ignoramous, almost 4 years ago
Corollary is, spyware can use DNS to exfiltrate data [0]. Or, send out client-side metrics with cleverly drafted DNS requests [1], or use it as a 3p-cookie replacement [2].

[0] https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

[1] https://github.com/Jigsaw-Code/choir (disclosure: I co-develop hard-forks of two other related *Jigsaw-Code* projects)

[2] http://dnscookie.com/

1vuio0pswjnm7, almost 4 years ago
Looks more like HTML via HTTP, specifically DoH.

    const dohServer = "https://cloudflare-dns.com/dns-query?ct=application/dns-json&type=TXT&name=";
    const baseDomain = "hod.experiments.jacobkiers.net";

About 12 years ago I experimented with HTML over UDP DNS by modifying dnstxt from djbdns to output a MIME header. I could store tiny web pages, i.e., hyperlinks, in a zone file and serve them with tinydns. (This was before the size of DNS packets ballooned with adoption of EDNS.)

ThePhysicist, almost 4 years ago
This technique has been a standard exfiltration & C2 (command & control) channel for malware for a long time. Typically malware will make a DNS request for a subdomain where the domain name encodes data or a request, and the response contains e.g. commands.
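
Added example, not part of the thread: the detection side of the pattern described above. It flags zones that receive several distinct query names carrying a long, high-entropy label; the thresholds, the two-label zone split, the function names and the sample query names are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread. Thresholds are assumptions.

// Shannon entropy of a label, in bits per character.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Assumption: the last two labels are the registered zone. Production code
// should consult the Public Suffix List instead.
function splitName(qname) {
  const labels = qname.toLowerCase().replace(/\.$/, "").split(".");
  return { sub: labels.slice(0, -2), zone: labels.slice(-2).join(".") };
}

// Returns zones that received at least minUnique distinct query names
// carrying a long, high-entropy label.
function findSuspectZones(qnames, { minLen = 30, minEntropy = 3.5, minUnique = 3 } = {}) {
  const perZone = new Map();
  for (const qname of qnames) {
    const { sub, zone } = splitName(qname);
    if (!sub.some((l) => l.length >= minLen && entropy(l) >= minEntropy)) continue;
    if (!perZone.has(zone)) perZone.set(zone, new Set());
    perZone.get(zone).add(sub.join("."));
  }
  return [...perZone]
    .filter(([, names]) => names.size >= minUnique)
    .map(([zone, names]) => ({ zone, uniqueNames: names.size }));
}

// Constructed sample query names (not real traffic).
const SAMPLE_QUERIES = [
  "www.example.org",
  "k7f2q9x1m4z8b3w6w6b3z8m4x1q9f2k7.t.tunnel.example",
  "7f2q9x1m4z8b3w6k6w3b8z4m1x9q2f7k.t.tunnel.example",
  "f2q9x1m4z8b3w6k7k7f2q9x1m4z8b3w6.t.tunnel.example",
  "k7f2q9x1m4z8b3w6w6b3z8m4x1q9f2k7.t.tunnel.example", // repeat, counted once
  // The blog's own record name: long and high-entropy, but a single name.
  "posts-2021-08-17-serving-blog-content-over-dns-md.hod.experiments.jacobkiers.net",
];

console.log(findSuspectZones(SAMPLE_QUERIES));
```

The blog's own record name passes the per-label test as well; only the count of distinct names per zone separates a one-off descriptive name from a data channel.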

geocrasher, almost 4 years ago
As someone who has an obsession with base64 encoding (as exemplified by my poorly written shell scripting here: https://miscdotgeek.com/curlytp-every-web-server-is-a-dead-drop/ ) I love this. It makes me wonder if some CSS and maybe even a highly compressed image or two could be added.

beembuild, almost 4 years ago
I modified the dnstxt file from djbdns about twelve years ago to output a MIME header for HTML over UDP DNS. I could store hyperlinks for tiny web pages in a zone file and serve them with tinydns. (This was before EDNS exploded the size of DNS packets.) regards https://minimilitiamodapk.info/

PinguTS, almost 4 years ago
Wondering why I can't query the DNS directly.

    $ dig posts-2021-08-17-serving-blog-content-over-dns-md.hod.experiments.jacobkiers.net TXT

    ; <<>> DiG 9.8.3-P1 <<>> posts-2021-08-17-serving-blog-content-over-dns-md.hod.experiments.jacobkiers.net TXT
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49067
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;posts-2021-08-17-serving-blog-content-over-dns-md.hod.experiments.jacobkiers.net. IN TXT

    ;; AUTHORITY SECTION:
    hod.experiments.jacobkiers.net. 292 IN SOA home.kie.rs. postmaster.kie.rs. 2021081903 3600 900 604800 3600

masklinn, almost 4 years ago
> You might not be able to see it immediately

Or at all since the content is entirely injected via JS with no fallback (and the JS uses class fields in case you thought an old browser might be able to load it).

mvolfik, almost 4 years ago
That's interesting. I'm thinking about ways how this could be combined with https://dnskv.com - which allows not only reading from dns, but also storing:

    dig TXT content.uniquekey.dnskv.com --> 'ok'
    dig TXT uniquekey.dnskv.com --> 'content'

Only thing that comes to my mind is data exfiltration from sites with content-security-policy which for some reason allows some DoH site
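
Added example, not part of the thread: a check a site owner can run on their own Content-Security-Policy header to see whether `fetch()` to a public DoH endpoint would be permitted. The endpoint list, the simplified source matching and the function names are assumptions made for this example.

```javascript
// Added example, not code from the thread or the project.
// Sample DoH endpoints to test against (illustrative list; extend as needed).
const DOH_ENDPOINTS = [
  "https://cloudflare-dns.com/dns-query",
  "https://dns.google/resolve",
];

// Parse a Content-Security-Policy header value into directive -> source list.
// As in browsers, only the first occurrence of a directive counts.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Simplified source matching (assumption: scheme, port and path restrictions
// in a host-source are ignored, so the result errs towards reporting).
// Quoted keywords such as 'self' and 'none' never match a third-party host.
function sourceAllowsHost(source, host) {
  const s = source.toLowerCase();
  if (s === "*" || s === "https:" || s === "http:") return true;
  if (s.startsWith("'") || /^[a-z][a-z0-9+.-]*:$/.test(s)) return false;
  const pattern = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").replace(/[/:].*$/, "");
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// fetch() is governed by connect-src, falling back to default-src; with
// neither directive present the policy does not restrict it at all.
function reachableDohEndpoints(cspHeader, endpoints = DOH_ENDPOINTS) {
  const policy = parseCsp(cspHeader);
  const sources = policy.get("connect-src") ?? policy.get("default-src");
  if (sources === undefined) return [...endpoints];
  return endpoints.filter((url) =>
    sources.some((s) => sourceAllowsHost(s, new URL(url).hostname)));
}

console.log(reachableDohEndpoints("default-src 'self'; connect-src 'self' https://cloudflare-dns.com"));
```

An empty result means the policy blocks every listed endpoint; a policy with neither `connect-src` nor `default-src` reports all of them.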

erkkonet, almost 4 years ago
All sites on the .tel domain used to be rendered from DNS. It seems to have changed in 2017 but Wikipedia still says[1]:

"In contrast to other top-level domains, .tel information is stored directly within the Domain Name System (DNS) [...] as opposed to the DNS simply returning details (such as IP addresses)"

[1] https://en.wikipedia.org/wiki/.tel

IncRnd, almost 4 years ago
This looks like it was a fun project!

For anyone who wants to research the subject, the class of security vulnerabilities is called DNS tunneling.

kix53, almost 4 years ago
The RR format can be made more efficient. TXT records can contain multiple character strings of up to 255 bytes, and despite their name can contain arbitrary octets. A step further from there would be to use a private use type (65280-65534) so your payload doesn't need to be cut into length byte prefixed chunks.
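
Added example, not part of the thread: the TXT RDATA layout described above, as an encoder and a strict decoder. It is useful when inspecting TXT answers, since the strings are length-prefixed octets rather than text; the function names and the sample payload are constructed here.

```javascript
// Added example, not code from the thread.

// Encode arbitrary octets as TXT RDATA: one or more <character-string>s,
// each a single length byte followed by at most 255 bytes.
function encodeTxtRdata(payload) {
  const out = [];
  let off = 0;
  do {
    const chunk = payload.subarray(off, off + 255);
    out.push(chunk.length, ...chunk);
    off += 255;
  } while (off < payload.length);
  return Uint8Array.from(out);
}

// Split TXT RDATA back into its character-strings. Throws on a length byte
// that points past the end of the record (truncated or malformed RDATA).
function decodeTxtRdata(rdata) {
  const strings = [];
  let off = 0;
  while (off < rdata.length) {
    const len = rdata[off];
    if (off + 1 + len > rdata.length) {
      throw new RangeError(`character-string at offset ${off} overruns RDATA`);
    }
    strings.push(rdata.subarray(off + 1, off + 1 + len));
    off += 1 + len;
  }
  return strings;
}

// Concatenate the character-strings into the original payload.
function joinStrings(strings) {
  const total = strings.reduce((n, s) => n + s.length, 0);
  const out = new Uint8Array(total);
  let off = 0;
  for (const s of strings) { out.set(s, off); off += s.length; }
  return out;
}

// The private-use RR type range mentioned in the comment above.
const isPrivateUseType = (t) => t >= 65280 && t <= 65534;

// Constructed payload: 600 bytes covering every octet value, including NUL.
const SAMPLE = Uint8Array.from({ length: 600 }, (_, i) => i % 256);
const wire = encodeTxtRdata(SAMPLE);
console.log(wire.length, decodeTxtRdata(wire).map((s) => s.length)); // 603 [ 255, 255, 90 ]
```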

mobilemidget, almost 4 years ago
"100s of requests per second"

dns works fine at those rates or higher, and you'll use caching dns servers of ISPs, scales like no other, geo support etc etc. I think it's a great idea for public data.

redspl, almost 4 years ago

    dig @1.1 TXT +short owo{0..201}.xn--kda.waw.pl | sed -E 's/[" ]//g' | base64 -d | mpv -

fsiefken, almost 4 years ago
this would be nice for the gemini protocol or something like twtxt as it is more text oriented, one could perhaps use base45 or other base for extra space efficiency. for the ultimate in image compression go avif or svg.

sonicggg, almost 4 years ago
What's the point though? I can think maybe of reduced latency, but then you usually have the DNS already cached locally. And that takes me to a second point, won't you run into problems delivering content updates, given that clients will most likely cache DNS entries?