78

publication croisée depuis : https://lemmy.pierre-couy.fr/post/584644

While monitoring my Pi-Hole logs today, I noticed a bunch of queries for XXXXXX.bodis.com, where XXXXXX are numbers. I saw a few variations for the numbers, each one being queried several times.

Digging further, I found out these queries were caused by CNAME records on domains that look like they used to point to Lemmy/Kbin instances.

From what I understand, domain owners can register a CNAME record to XXXXXX.bodis.com and earn some money from the traffic it receives. I guess that each number variation is a domain owner ID in Bodis' database. I saw between 5 to 10 different number variations, each one being pointed to by a bunch of old Lemmy domains.

This probably means that among actors who snatch expired domains, several of them have taken a specific interest with expired domains of old Lemmy instances. Another hypothesis is that there were a lot of domains registered for hosting Lemmy during the Reddit API debacle (about 1 year ago), which started expiring recently.

Are there any other instance admins who noticed the same thing ? Is any of my two hypothesis more plausible than the other ? Should we worry about this trend ?

Anyway, I hope this at least serves as a reminder to not let our domains expire ;)

top 25 comments
sorted by: hot top controversial new old
[-] grandkaiser@lemmy.world 13 points 4 months ago

DNS engineer here, I'm not doing work on a weekend, but I will make you guys aware of digwebinterface.com great tool for running investigations like this

[-] ArrogantAnalyst@infosec.pub 7 points 4 months ago* (last edited 4 months ago)

As a DNS engineer - do you own a shirt with the slogan “It’s always DNS.” on it?

[-] grandkaiser@lemmy.world 3 points 4 months ago* (last edited 4 months ago)

It's not DNS until the firewall team cleans house and even then not until you happened to catch me between matches in the videogame I'm playing while waiting for something to break

[-] delirious_owl@discuss.online 12 points 4 months ago

Thanks for sharing your research

[-] qaz@lemmy.world 9 points 4 months ago* (last edited 4 months ago)

~~I feel like this could be abused by a bad actor by recreating instances in several ways:~~

  1. ~~Use the "dead" accounts that are still mods on communities on other instances.~~
  2. ~~Sneakily monitor user behavior (like votes etc.) without looking out of place.~~
  3. ~~Impersonate users.~~

~~I feel like it would be a good idea to start a list of the domains of dead instances and add them to a blocklist until the original people start using them again.~~

EDIT: This doesn't seem like a real problem due to key signing.

[-] Corgana@startrek.website 3 points 4 months ago

This is just the domain name, not the instance itself. If the instance is offline the moderator accounts will be inaccessible even if the domain name is sold.

[-] qaz@lemmy.world 5 points 4 months ago* (last edited 4 months ago)

Yes, but what if someone just creates a new instance and adds previous accounts. How do other instances know that the running instance has changed and didn't just go offline if it's registered on the original domain?

[-] 2xsaiko@discuss.tchncs.de 2 points 4 months ago

I would hope there's some kind of key signing mechanism to prove it's the same instance and not just someone else who's running another on the same domain.

[-] qaz@lemmy.world 4 points 4 months ago
[-] pcouy@lemmy.pierre-couy.fr 2 points 4 months ago

Thanks for the details ! Still curious to know how a new instance, with an old domain and fresh keys, would be handled by other instances.

[-] qaz@lemmy.world 1 points 4 months ago* (last edited 4 months ago)

Yeah, I first thought it was optional and was pleasently surprised when I found out Lemmy implements it, but I'm not quite sure if other software properly implement it either.

[-] Zagorath@aussie.zone 7 points 4 months ago

Out of interest, is pathfinder.social among those snatched up by these?

[-] pcouy@lemmy.pierre-couy.fr 5 points 4 months ago

It does not seem to be the case. Was it the full domain for this instance ?

[-] Ghoelian@lemmy.dbzer0.com 3 points 4 months ago

According to this service, that domain never had any subdomains, so looks like there's just nothing there at the moment.

Not sure how reliable it is, but it did correctly identify all of my own subdomains for a website that no one ever goes to.

[-] pcouy@lemmy.pierre-couy.fr 1 points 4 months ago* (last edited 4 months ago)

These services usually use either or both of passive DNS replication (running public recursive DNS resolvers and logging lookup that returns a record) and certificate transparency logs (where certificate authorities publish the domain names for which they issue certificates). A lot of my subdomains are missing from these services

[-] Ghoelian@lemmy.dbzer0.com 1 points 3 months ago* (last edited 3 months ago)

Ahh I guess they probably got my subdomains from let's encrypt then, used them for pretty much all my websites.

Edit: Just checked and yup, all my old subdomains are there from let's encrypt.

[-] pcouy@lemmy.pierre-couy.fr 2 points 3 months ago

What I did is use a wildcard subdomain and certificate. This way, only pierre-couy.fr and *.pierre-couy.fr ever show up in the transparency logs. Since I'm using pi-hole with carefully chosen upstream DNS servers, passive DNS replication services do not seem to pick up my subdomains (but even subdomains I share with some relatives who probably use their ISP's default DNS do not show up)

This obviously only works if all your subdomains go to the same IP. I've achieved something similar to cloudflare tunnels using a combination of nginx and wireguard on a cheap VPS (I want to write a tutorial about this when I find some time). One side benefit of this setup is that I usually don't need to fiddle with my DNS zone to set up a new subdomains : all I need to do is add a new nginx config file with a server section.

Some scanners will still try to brute-force subdomains. I simply block any IP that hits my VPS with a Host header containing a subdomain I did not configure

[-] Zagorath@aussie.zone 3 points 4 months ago

Yes, that's the full domain. It used to host communities such as !pf2general@pathfinder.social. Unfortunately it's been dead for 9–10 months now.

[-] pcouy@lemmy.pierre-couy.fr 2 points 4 months ago

The fact that it has not been bought as soon as the domain expired makes me believe this instance went down before the trend started

[-] Zagorath@aussie.zone 2 points 4 months ago

I'm actually not really clear on what the status of that instance is. Like, for me, when I browse to https://pathfinder.social, I actually see what looks like an empty Lemmy instance running 0.18.2. Some communities show the same for me, while others show a generic error message. So I don't know whether it's running in some failed state due to caching, or deregistered, or what.

[-] pcouy@lemmy.pierre-couy.fr 2 points 4 months ago

That's really really weird, I cannot resolve the domain to an IP, even after trying a bunch of different DNS servers. If you're on linux, can you run nslookup pathfinder.social and paste the output here ?

[-] Zagorath@aussie.zone 1 points 4 months ago* (last edited 4 months ago)

If you’re on linux

I'm not, but I do have WSL installed. It returned "Can't find pathfinder.social: No answer"

Out of interest, I tried the same command in Microsoft PowerShell, I get:

Server:  dns9.quad9.net
Address:  9.9.9.9

Name:    pathfinder.social

That's the full output. No actual list of returned addresses.

I'm guessing my system just has pathfinder.social cached.

[-] pcouy@lemmy.pierre-couy.fr 2 points 4 months ago

Yeah, this probably has to do with the cache. You can try opening dev tools (F12 in most browsers), go to the network tab, and browse to pathfinder.social. You should see all requests going out, including "fake requests" to content that you already have locally cached

[-] Zagorath@aussie.zone 1 points 4 months ago

Oh neat, I'd never thought of that before. Woulda been handy back last time I was working on a PWA!

200 OK (from service worker)

So yeah, getting it from the cache.

[-] pcouy@lemmy.pierre-couy.fr 2 points 4 months ago

There is even a "Ignore cache" box in the devtools network tab

this post was submitted on 26 Jul 2024
78 points (97.6% liked)

Fediverse

17786 readers
9 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 5 years ago
MODERATORS