
Show HN: A site to look up DNS records - freekmurze
https://dnsrecords.io/
======
fny
So just `host -a whatever.com` with the addition that you're tracking me with
Google Tag Manager and God knows what else in the backend?

~~~
old-gregg
I was expecting to see something like
[http://dnstrails.com](http://dnstrails.com) <-- this one shows you
historical data, which can be useful for checking the history of a domain
before you buy it.

~~~
a012
This website's UI is terrible. It automatically suggests domain names instead
of letting users input them themselves. So if one's domain name extension is
short or not in their database, they can't provide you anything. For example:
key in any .co domain, and they'll search .com for you. What a shitty design.

~~~
mxpxrocks10
Hi! I just came across this comment. There was a super annoying bug in the
autocomplete of a new UI we launched this week. Can you do me a favor and
shift-refresh and try again? Any other feedback is appreciated and will be
implemented.

Drop me a note at chris at ueland com with any other feedback. Thanks for
trying it out!!

------
stephenr
So someone else commented on this and was down voted, but let's try again.

This site literally wraps a shell command [1]:

    dig +nocmd example.com any +multiline +noall +answer

Wrapping shell commands into more usable services isn't necessarily bad. But
this is a pretty crazy example.

This 'app' is 500K (500 thousand!) lines of PHP. To run one shell command.

1:
[https://github.com/spatie/dnsrecords.io/blob/master/app/Http...](https://github.com/spatie/dnsrecords.io/blob/master/app/Http/Controllers/HomeController.php#L39)

~~~
mosselman
While I agree with the broader sense of what you are saying, counting the
lines of code like that is a bit unfair. Yes, there are many, even for an app,
but by your logic the source code of your terminal and the commands that you
use should also be counted.

~~~
stephenr
You can only count the lines of code for my terminal if you also count the
lines of code for the Browser.

The source code of the command in question (dig) also doesn't count, because
their application literally calls the `dig` shell command. So they need not
just those 500K lines of PHP (I didn't bother to count the CSS or JS) but they
are also dependent on a shell (probably /bin/sh, which could be anything
depending on their host OS) AND the dig command itself.

------
aons2309neo
How is this "beautiful"? It's just the direct text of a database look up in a
moderately nice font. I'd rather have a nice table layout without all of the
programmer-y info in there on a white (or maybe slightly off-white) background
with black (or very dark gray) text at a reasonable size, personally. To me
the font and coloring is far less a part of the beauty than all the other crap
that the database returns and that didn't get discarded or reformatted.

I don't know if the other info is useful to other people. But if so, perhaps
you could have a few different "pages". One that gives all the DB stuff, and
one that just prints the human readable stuff?

~~~
jstanley
I think it's a nice project. I like the output format and the simplicity of
it. But I too find the trend of describing one's own work as "beautiful"
rather grating.

------
sigi45
Was expecting something worthwhile. Was disappointed.

You could have made a nice UI which presents the information in a simple to
understand way. Instead of showing stuff like seconds etc. you could have
translated it into something more understandable.

Instead of saying MX record, you could have used an email icon.

------
pablo-massa
Not a technical person here.

I just checked my personal site with this tool and see that it is possible to
know that I use Google G Suite.

Is there no way to opt out of this? I'm more vulnerable to an attacker, right?
They can try to log in to my account on gmail.com.

I thought that by not using an email address like @gmail.com, etc., I had the
advantage of hiding my login page XD

Maybe I'm a bit paranoid. Sometimes I have the idea that the Internet is not
well designed from the ground up with privacy in mind. Recently I checked the
product Hotjar [0] and was amazed at how creepy it is: you can see screen
recordings of the users interacting with your site, where they are from, and
more. I made a video about this [1] (Spanish). Why is the Internet like that
by default? All those features should be opt-in imho, with user consent. What
do you think?

Excuse me if my wording is not perfect, my english is not the best :)

[0] [https://hotjar.com](https://hotjar.com)

[1]
[https://www.youtube.com/watch?v=FDgybTvnhjY](https://www.youtube.com/watch?v=FDgybTvnhjY)

~~~
captn3m0
>Is no way to opt out this? I'm more vulnerable to an attacker, right

Others can't send you a mail unless you publish those DNS records that say you
use GSuite. Hiding your email host doesn't give you much in the way of
security. If you're really concerned about security, see Google's Advanced
Protection Program[0].

[0]:
[https://landing.google.com/advancedprotection/](https://landing.google.com/advancedprotection/)

~~~
pablo-massa
I understand.

But I was thinking: a potential attacker receives an email from me
(me@customdomain.com); with this tool, they can look up and see that I use G
Suite and try to log in to my account on gmail.com.

Thanks for letting me know about Google Advanced Protection Program.

~~~
mosselman
Using a good password and two-factor authentication basically eliminates this
issue. You are looking for what is called 'security through obscurity', which
is never a solid defence plan compared to real, verified security (like real
encryption, proper passwords, multi-factor authentication, etc.)

~~~
pablo-massa
You are right. Thanks for letting me know about 'security through obscurity',
I'm reading the Wikipedia article now [0]. Yes, I'm using two-factor and strong
passwords (and encouraging people to do that, too).

Thanks for letting me expand my knowledge through education.

[0]
[https://en.wikipedia.org/wiki/Security_through_obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity)

------
cdubzzz
Very nice! I was just doing this for some domains yesterday on ad-laden, ugly
as sin sites.

It would be nice if the page URL would update with each request and provide a
copy-pastable link (e.g.
[https://dnsrecords.io/q/ycombinator.com](https://dnsrecords.io/q/ycombinator.com)).

~~~
deathanatos
Out of curiosity, why are you not just calling, say, `dig`?

~~~
cdubzzz
At the time I was in Windows. I believe there is a Windows CLI command for
this as well, but didn’t know it off the top of my head.

~~~
stevekemp
"nslookup" is the tool you'd use, under windows.

------
msantos
I normally use
[https://toolbox.googleapps.com/apps/dig/#ANY/](https://toolbox.googleapps.com/apps/dig/#ANY/)

But I liked your UI better.

------
eloy
Looks very nice, but instead of sending ANY queries it should just send
multiple queries for different RRs, because ANY is deprecated by Cloudflare
(and probably more services)

~~~
LinuxBender
Agreed. I block ANY queries using iptables string filters. I also block
anything other than NOERROR responses from myself. Their site doesn't work
with any of my domains.

~~~
heybrendan
Interesting--I'd like to know more.

Would you please provide example command(s) of blocking both ANY queries and
NOERROR responses that you've had relative success with?

Thanks!

~~~
LinuxBender
Certainly!

    # filter table, OUTPUT chain: let a reply out only if its DNS flags word
    # (frame bytes 30-31: 20-byte IPv4 header + 8-byte UDP header + 2-byte ID)
    # is 0x8500 or 0x8400, i.e. NOERROR with AA set, with or without RD
    -A OUTPUT -p udp -m udp --sport 53 -m string --hex-string "|8500|" --algo kmp --from 30 --to 31 -j ACCEPT
    -A OUTPUT -p udp -m udp --sport 53 -m string --hex-string "|8400|" --algo kmp --from 30 --to 31 -j ACCEPT
    -A OUTPUT -p udp -m udp --sport 53 -j DROP

The above used in the filter table drops anything that does not match NOERROR
recursive and NOERROR non-recursive responses.

    # raw table, PREROUTING chain: drop queries carrying the name terminator (00),
    # QTYPE ANY (00ff) and QCLASS IN (0001) anywhere from frame byte 40 onward
    -A PREROUTING -i eth0 -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 40 --to 65535 -j DROP

The above used in the raw table drops "ANY". It could probably be optimized to
search through less of the packet.

    # filter table, INPUT chain: accept only new inbound UDP/53 packets 24 to 120 bytes long
    -A INPUT -i eth0 -p udp -m state --state NEW -m length --length 24:120 -m udp --dport 53 -j ACCEPT

Above is the inbound rule that blocks some overflow attempts.

~~~
heybrendan
Thanks a bunch.

I'll take a crack at implementing something similar, much appreciated!

~~~
LinuxBender
No problem. If you run into issues, it could be that your particular DNS
server may put the result code in a different part of the packet. If that is
so, simply use

    # hex-dump 100 port-53 packets at full snaplen (no promiscuous mode)
    tcpdump -p -i interface -NNnn -s0 -c100 -SeX port 53

and look for the 8400 and 8500 hex codes and what the number in the far left
column is. Then adjust iptables accordingly to look in that part of the
packet.

Another way to do this is to modify the source code of the DNS server, but I
found that to be too time consuming.

Disclaimer: I should also add that the above method of using iptables to drop
anything we do not know about does violate some RFCs and instead follows the
thing our Moms taught us, "If you don't have anything nice to say...". That
said, you would have to decide if bending some RFCs is ok. In a corporate
environment it can lead to confusion and time lost troubleshooting.
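An added example, written for this thread and not taken from LinuxBender's setup or from dnsrecords.io, that models what the iptables rules above match and what the tcpdump step is verifying. It builds a DNS query and reply in Python's standard library and computes where, in an IPv4/UDP frame without IP options (an assumption, stated in the code), the flags word and the `|0000ff0001|` pattern land; it also implements what eloy proposed earlier in the thread, one query per record type instead of ANY. It does not model how `-m string --from/--to` bounds the search on a given kernel; it reports the byte offset so you can compare it with the leftmost column of the tcpdump dump. One check worth seeing in the output: the OUTPUT rules accept only 0x8400 and 0x8500, the words an authoritative server emits (AA set, RA clear); a recursive resolver's ordinary NOERROR reply is 0x8180 and would be dropped, so these rules suit an authoritative-only server.

```python
import struct

# Framing assumed by the thread's offsets (an assumption of this example, not a
# statement about the poster's hosts): IPv4 header without options (20 bytes)
# then UDP header (8 bytes), so DNS byte 0 is frame byte 28. iptables -m string
# offsets count from the start of the IP header.
IPV4_HDR_LEN = 20
UDP_HDR_LEN = 8
DNS_START = IPV4_HDR_LEN + UDP_HDR_LEN

QTYPES = {"A": 1, "NS": 2, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
ANY_PATTERN = b"\x00\x00\xff\x00\x01"  # name terminator, QTYPE=ANY, QCLASS=IN
ACCEPTED_FLAGS = (0x8400, 0x8500)      # the two flag words the OUTPUT rules accept


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, rd=True):
    """One-question DNS query: 12-byte header followed by QNAME/QTYPE/QCLASS."""
    flags = 0x0100 if rd else 0x0000            # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def build_query_set(name, qtypes=("A", "AAAA", "MX", "NS", "TXT")):
    """The alternative to ANY suggested in the thread: one query per record type."""
    return {t: build_query(name, t, txid=0x1000 + i) for i, t in enumerate(qtypes)}


def parse_flags(dns):
    """Split the flags word (DNS bytes 2-3) into its RFC 1035 header fields."""
    word = struct.unpack("!H", dns[2:4])[0]
    return {"raw": word, "qr": word >> 15 & 1, "opcode": word >> 11 & 0xF,
            "aa": word >> 10 & 1, "tc": word >> 9 & 1, "rd": word >> 8 & 1,
            "ra": word >> 7 & 1, "rcode": word & 0xF}


def make_response(query, aa=True, ra=False, rcode=0):
    """Reply header for a query: QR set, RD copied from the query, AA/RA/RCODE as given."""
    rd = parse_flags(query)["rd"]
    word = 0x8000 | (int(aa) << 10) | (rd << 8) | (int(ra) << 7) | rcode
    return query[:2] + struct.pack("!H", word) + query[4:]


def question_qtype(dns):
    """QTYPE of the first question, found by walking the label lengths after the header."""
    i = 12
    while dns[i] != 0:
        i += 1 + dns[i]
    return struct.unpack("!H", dns[i + 1:i + 3])[0]


def is_any_query(dns):
    return question_qtype(dns) == QTYPES["ANY"]


def flags_frame_offset():
    """Frame offset of the flags word, i.e. the window the --from 30 --to 31 rules look at."""
    return DNS_START + 2


def any_pattern_frame_offset(dns):
    """Frame offset at which the raw-table rule's |0000ff0001| pattern starts, or -1 if absent."""
    i = dns.find(ANY_PATTERN)
    return -1 if i < 0 else DNS_START + i


def reply_verdict(dns):
    """Verdict the OUTPUT rules give a reply: ACCEPT only for 0x8400/0x8500, otherwise DROP."""
    return "ACCEPT" if parse_flags(dns)["raw"] in ACCEPTED_FLAGS else "DROP"


if __name__ == "__main__":
    q = build_query("example.com", "ANY")
    print("flags word at frame offset", flags_frame_offset())
    print("ANY pattern at frame offset", any_pattern_frame_offset(q), "is_any:", is_any_query(q))
    print("per-type queries instead of ANY:", sorted(build_query_set("example.com")))
    for label, reply in [
        ("authoritative NOERROR, RD=1", make_response(q)),
        ("authoritative NOERROR, RD=0", make_response(build_query("example.com", "A", rd=False))),
        ("recursive resolver NOERROR (RA=1)", make_response(q, aa=False, ra=True)),
        ("authoritative NXDOMAIN", make_response(q, rcode=3)),
    ]:
        print("%-36s flags=0x%04x -> %s" % (label, parse_flags(reply)["raw"], reply_verdict(reply)))
```

Run it as a script to see the offsets and verdicts; if your tcpdump dump shows the 8400/8500 bytes at a different column (IP options, IPv6, or a tunnel interface), adjust `IPV4_HDR_LEN` and the rules together.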

------
RoyTyrell
If you're pretty new to software development, good job on making something.

------
drablyechoes
Vulnerable to XSS.

<b onmouseover=alert('XSS')>click me!</b>

~~~
dabernathy89
XSS implies that you can get this script to run for _other_ users, not just
yourself.

~~~
drablyechoes
I suspect it would work the same if the script was stored in a TXT record for
a domain being queried.

~~~
drablyechoes
There is even a tool for this called dnsxss.
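An added example, mine and not code from the dnsrecords.io repository (whose PHP I have not read), in Python rather than PHP so it runs stand-alone: it makes the point of the last three comments concrete. The same markup typed into the search box can arrive in a TXT record of any domain someone queries, so the fix is to escape every field at render time, not to filter the input box. The dig-style answer lines are constructed, and the parser handles single-line answers only (a multi-line SOA in `+multiline` output would need more).

```python
import html
import re

# Constructed dig-style answer lines of the kind the site prints. The TXT rdata
# carries the markup from the comment above; the zone itself is fictional.
SAMPLE_DIG_OUTPUT = """\
example.test.\t\t300\tIN\tA\t203.0.113.10
example.test.\t\t300\tIN\tMX\t10 mail.example.test.
example.test.\t\t300\tIN\tTXT\t"<b onmouseover=alert('XSS')>click me!</b>"
"""

# name, ttl, class, type, then everything else as rdata
ANSWER_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+(\S+)\s+(.*)$")


def parse_answers(text):
    """Parse single-line dig answers into (name, ttl, class, type, rdata) tuples."""
    rows = []
    for line in text.splitlines():
        m = ANSWER_LINE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def render_naive(text):
    """The vulnerable pattern: resolver output dropped into the page unescaped.
    Anything in a record's rdata becomes live HTML for every visitor who queries it."""
    return "<pre>" + text + "</pre>"


def render_safe(rows):
    """Hardened form: every field passed through html.escape (quotes included),
    laid out as a table as one commenter asked for."""
    out = ["<table>",
           "<tr><th>name</th><th>ttl</th><th>type</th><th>data</th></tr>"]
    for name, ttl, _cls, rtype, rdata in rows:
        cells = "".join("<td>%s</td>" % html.escape(field, quote=True)
                        for field in (name, ttl, rtype, rdata))
        out.append("<tr>" + cells + "</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    rows = parse_answers(SAMPLE_DIG_OUTPUT)
    print(render_naive(SAMPLE_DIG_OUTPUT))   # contains a live onmouseover handler
    print(render_safe(rows))                 # the handler is now inert text
```

Escaping at output time covers both the search-box case and the stored-in-DNS case; on the site's stack the equivalent is letting the template engine escape by default and never emitting the raw command output into the document.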

------
codewritinfool
For whatever reason this reminded me of Zork. I tried several things without
success:

open mailbox go house open window get lamp

nothing worked. You might consider adding a game too. That way people could
play a game while looking up stuff.

------
ezekg
I love retro tools like this, so I dig the look. But I agree with sigi45 that
you could parse the information and display it in a more meaningful way,
because as of now I can just pop over to a terminal and do the exact same
thing. And whenever I input keygen.sh, it fails because ANY is deprecated by
Cloudflare [0].

[0]: [https://blog.cloudflare.com/what-happened-next-the-deprecation-of-any/](https://blog.cloudflare.com/what-happened-next-the-deprecation-of-any/)

~~~
echan00
Same here, I dig the look and the feel. It seems very intuitive

------
lima
ANY requests are considered harmful due to the large response sizes (DNS
amplification!).

Some DNS servers will truncate the response or refuse (like CloudFlare).

------
joshmn
You're getting really mixed results here on HN, but personally, I love it for
the "cool" factor. Would I use this? No, not really, I have an entire suite of
command-line tools I'm familiar with already that don't require a browser.

But this is nice, it's pretty, and you've got a great domain name which you've
put to great use.

------
stevekemp
See also my API-like site:

[https://dns-api.org/](https://dns-api.org/)

Which seems like it could replicate yours with requests like:

[https://dns-api.org/any/steve.fi](https://dns-api.org/any/steve.fi)

------
dewey
Tried using it for a .me and a .com but I get this message for both of them:
[https://imgur.com/a/RiseT](https://imgur.com/a/RiseT)

~~~
jtokoph
Both domains are probably on Cloudflare. They block ANY requests with that
message.

~~~
dewey
They are both on Fastmail's DNS

~~~
ehPReth
[https://www.cloudflare.com/case-studies/fastmail/](https://www.cloudflare.com/case-studies/fastmail/)

------
cranjice
I really DIG this site

~~~
mxpxrocks10
how Punny.

------
maxpert
Nice! Would be nice to see replication too.

------
devnull42
nice but dig +trace would be really really nice to add since dig alone doesn't
help much with troubleshooting.

------
igammarays
Love simple tools like this. Pinned.

------
maurilato
Great website!

