I did exactly this 15 years ago. I was a C++ developer and there was no golang around yet. And Bind had fresh security bugs every month. So the easiest and safest thing I could do was use djbdns (tinydns) with its cdb files being recompiled whenever records had to be added or updated.
Some companies host bots, internal tools, and increasingly micro-services. But primarily side-projects and increasingly early-stage startups (e.g. https://blog.replit.com/blubbr).
One fresh thing is plenty of developers in India are hosting covid support apps on Replit. This particular app has done 1m+ hits in the past 24 hours: https://covid.army/
How is this different from glitch.me? I am genuinely curious. Looks like a static Next.js app. I am a regular replit user, I want to know if the support of node/deno is complete (it hasn't been really responsive so far).
Our marketing is so embarrassingly out-of-date right now, but yes, we have a very robust hosting offering. It's still meant for side-projects and maybe early-stage startups.
Straightforward authority servers like these are very easy to write, in memory-safe languages. It might actually take longer to figure out how to get a BIND configuration doing what Replit does here, but even if it didn't, the resulting server is much safer than BIND, and does exactly and only what you want it to do.
I don't disagree overall that a competent team really could get this right in the same time it'd take to make it work how you wanted with BIND, but although DNS is simple, there are some corner cases where an incorrect solution will appear to work in trivial scenarios - "It worked in my Chrome" - but may have either functional problems or security problems.
For example the 0x20 trick. The specification for DNS is clear that you aren't supposed to care about bit 0x20 in labels. ClOWnS and cLowNs and clowns and CLOWNS are all the same label as far as DNS is concerned.
However, your answers need to bit-for-bit match the question you were asked. So if you answer "ClOWns A?" with "CLOWNS A 10.20.30.40" that's a mistake, you were asked about "ClOWns" not "CLOWNS". In 1995 if your DNS server got this wrong nothing of consequence breaks. But in 2021 if you get this wrong some important things magically don't work.
The transaction IDs that should make forging DNS answers hard are very short, and so to beef that up slightly some stacks will hide more bits in the 0x20 bit of labels where they will be echoed back by a compliant implementation. But to reap this reward they must ignore answers that get the 0x20 bits wrong, like yours.
I feel like if "You can't get this wrong" (a stronger claim that you admittedly didn't make) was true, my visits to the Let's Encrypt community site wouldn't all begin by ignoring the people whose problem is obviously just that their DNS server doesn't work properly. Some of them have problems an authority server doesn't care about, but lots of them have dumb problems you'd imagine are impossible and yet apparently people have successfully sold commercial DNS servers with those problems.
To add on to this, DNS is meant to be a simple protocol. The problems we encounter with it today are usually due to the thousands of little patches added on through the decades to tack functionality onto what is essentially supposed to be a key-value store.
Hi, author here! tptacek is right on the money. The authority server is really small and simple, and writing it in Go meant we had access to our existing internal packages that had the logic to fetch the data we need for each DNS query. This seemed like the most straightforward path.
Hi, PowerDNS dev here! Would you mind fixing your handling of NODATA answers, which are currently lacking the AA bit and a SOA record in authority? It does not seem to affect all instances, so perhaps it only happens on the legacy infra.
You can get the details here, for example: https://dnsviz.net/d/b.b.b.b.b.b.b.b.a.a.a.a.a.a.nope.repl.c...
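Both points raised in this thread (echoing the 0x20 case bits of the question, and sending NODATA/NXDOMAIN with the AA bit and an SOA in the authority section) come down to how the response bytes are built. The following is an added example, not Replit's server and not code from PowerDNS, miekg/dns or anyone posting here: a minimal authoritative responder using only Go's standard library. The zone contents, the apex `example.test.`, the SOA serial and timers, and the function names `buildQuery`, `parseQuestion` and `buildResponse` are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

const TypeA, TypeSOA, ClassIN uint16 = 1, 6, 1 // RFC 1035 values
const apex = "example.test."                    // constructed zone we are authoritative for
// Constructed sample zone. Owner names are stored lowercased so lookups are
// case-insensitive, but the stored spelling is never copied into an answer.
var zone = map[string][]net.IP{
	"example.test.":     {net.IPv4(192, 0, 2, 1)},
	"www.example.test.": {net.IPv4(192, 0, 2, 10)},
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func put32(b []byte, v uint32) []byte { return append(put16(b, uint16(v>>16)), byte(v>>8), byte(v)) }

// encodeName turns "www.example.test." into wire-format labels, keeping the case given.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0)
}

// buildQuery constructs a client query (RD=1) with the name spelled exactly as given.
func buildQuery(id uint16, name string, qtype uint16) []byte {
	msg := append(put16(nil, id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0) // RD set, QDCOUNT=1
	return put16(put16(append(msg, encodeName(name)...), qtype), ClassIN)
}

// parseQuestion reads the first question and returns its raw wire bytes
// (name + type + class) so the response can echo them bit-for-bit.
func parseQuestion(msg []byte) (raw []byte, name string, qtype uint16, err error) {
	pos, labels := 12, []string{}
	for pos < len(msg) && msg[pos] != 0 {
		l := int(msg[pos])
		pos++
		if l&0xC0 != 0 || pos+l > len(msg) { // compression pointers are not valid in a question
			return nil, "", 0, errors.New("bad label")
		}
		labels = append(labels, string(msg[pos:pos+l]))
		pos += l
	}
	if pos+5 > len(msg) { // need the root label plus type and class
		return nil, "", 0, errors.New("truncated question")
	}
	return msg[12 : pos+5], strings.Join(labels, ".") + ".", binary.BigEndian.Uint16(msg[pos+1:]), nil
}

// soaRecord builds the apex SOA RR (constructed serial and timers) for authority sections.
func soaRecord() []byte {
	rdata := append(encodeName("ns1."+apex), encodeName("hostmaster."+apex)...)
	for _, v := range []uint32{2021051200, 3600, 900, 604800, 300} { // serial, refresh, retry, expire, minimum
		rdata = put32(rdata, v)
	}
	rr := put32(put16(put16(encodeName(apex), TypeSOA), ClassIN), 300) // type, class, TTL
	return append(put16(rr, uint16(len(rdata))), rdata...)
}

// buildResponse echoes the question verbatim (0x20 bits intact), uses the client's
// spelling as the answer owner name, and sends AA plus the SOA on negative answers.
func buildResponse(query []byte) ([]byte, error) {
	rawQ, name, qtype, err := parseQuestion(query)
	if err != nil {
		return nil, err
	}
	resp := append([]byte{query[0], query[1]}, 0x80|(query[2]&0x01), 0, 0, 1, 0, 0, 0, 0, 0, 0) // ID, QR=1, RD copied, QDCOUNT=1
	resp = append(resp, rawQ...)
	lower := strings.ToLower(name)
	if lower != apex && !strings.HasSuffix(lower, "."+apex) { // not our zone: REFUSED, no AA
		resp[3] |= 5
		return resp, nil
	}
	resp[2] |= 0x04 // AA
	ips, exists := zone[lower]
	if exists && qtype == TypeA {
		for _, ip := range ips {
			rr := append([]byte{}, rawQ[:len(rawQ)-4]...) // owner name spelled as the client did
			rr = put16(put32(put16(put16(rr, TypeA), ClassIN), 300), 4)
			resp = append(resp, append(rr, ip.To4()...)...)
		}
		binary.BigEndian.PutUint16(resp[6:], uint16(len(ips))) // ANCOUNT
		return resp, nil
	}
	if !exists { // NXDOMAIN; NODATA (name exists, no RRs of this type) keeps NOERROR
		resp[3] |= 3
	}
	resp = append(resp, soaRecord()...)
	binary.BigEndian.PutUint16(resp[8:], 1) // NSCOUNT: the SOA proves the negative answer
	return resp, nil
}

func main() {
	q := buildQuery(1, "WwW.ExAmPlE.tEsT.", TypeA)
	r, _ := buildResponse(q)
	fmt.Printf("aa=%t question-echoed=%t answers=%d\n", r[2]&0x04 != 0, bytes.Equal(r[12:len(q)], q[12:]), r[7])
}
```

The design choice that makes 0x20 work is the separation between the lookup key (lowercased) and the bytes that go on the wire (copied from the query). A server that re-encodes the owner name from its zone data would pass `dig` and still be dropped by a resolver that checks the case bits. To turn this into a server, read datagrams from `net.ListenPacket("udp", ...)` and write `buildResponse` output back to the sender; EDNS, TCP fallback and truncation are deliberately left out.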
miekg/dns is really excellent. Our custom DNS server is written in Rust (with the NLNet libraries, which are also great), but I used miekg/dns to throw together a DNS telemetry system that we use to keep metrics on our DNS (and UDP) service from around the world using off-net hosts, which sounds cool to type out but was an absurdly simple coding project because of how good the libraries are.
More people should do cool weird stuff with DNS. (And Replit should host stuff on Fly! But also the DNS stuff we're talking about.)
Switched later to OctoDNS, mostly because we didn't want to run DNS infrastructure or deal with racing updates to records: https://github.com/octodns/octodns
At work we have a service built on powerdns-backend (http). The biggest pain there was lack of docs. There are circumstances where powerdns would make multiple requests to the backend app server, and figuring out how to answer its first direct queries in a way to satisfy it on the first query took some trial and error (this was a few years ago, so I don't remember specifics). I seem to remember it asking the backend for ANY records and then a bunch of metadata stuff, which meant having to spend time understanding not just how to answer the simple DNS TXT and A queries we were trying to do, but understanding how powerdns would interpret the client query, pass it to the backend, and interpret the result (which was quite different from straight DNS).
That also made it really hard to test, short of setting up a full end-to-end integration test including running powerdns (which I think we have, but isn't fully automated).
If I was building that service again, I'd definitely have a serious look into building it directly as a standalone DNS server rather than a backend for something else.
Unbound is pretty popular with the folks I work with, but in this case, they are only serving up things they are authoritative for, so they don't need much.
Hey anurag, big fan of Render!
We currently don't have a great solution for this and we recommend that users use a DNS provider that has support for something like an ALIAS record.
> We automatically detect the web server and open a webview in the workspace
And you have to use one of their package buttons to make that happen. Super frustrating that they don't just have a button to open a web view on a port.
I'm not sure what you're referring to. You can use any web server library/framework you'd like, we open the web view whenever your program starts listening on a port. We can't open the web view any earlier since there would be nothing to load in the web view.
I have been working on this for a bit as well but did not figure it out completely yet (mostly due to lack of time): I want to create enough to have load balancing/failover at the DNS level (like cloudflare/route53). Any tips? Open source and on premise hosted.
The usual implementation is you simply check every few minutes which nodes are up and then in your A response you return all the working addresses.... are you trying to do something more complex?
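The "check every few minutes, return the working addresses" loop described above, as an added example (not code from anyone in this thread or from any product mentioned): a small Go health-check pool whose `Answers` method yields the IPs to put in the A response. The `Pool` type, the probe signature and the backend addresses are constructed for the illustration; the one non-obvious decision it encodes is what to do when every probe fails.

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"time"
)

// Pool is the set of candidate backends behind one DNS name plus the result
// of the most recent health probe for each (constructed type for this example).
type Pool struct {
	mu      sync.Mutex
	addrs   []string          // host:port of each backend
	probe   func(string) bool // returns true when the backend is serving
	healthy map[string]bool
}

func NewPool(addrs []string, probe func(string) bool) *Pool {
	return &Pool{addrs: addrs, probe: probe, healthy: map[string]bool{}}
}

// tcpProbe completes a TCP handshake to the service port within timeout.
// An application-level check (fetching a health path) is a stronger probe.
func tcpProbe(timeout time.Duration) func(string) bool {
	return func(addr string) bool {
		c, err := net.DialTimeout("tcp", addr, timeout)
		if err != nil {
			return false
		}
		c.Close()
		return true
	}
}

// Check probes every backend once and swaps in the new results atomically.
func (p *Pool) Check() {
	results := make(map[string]bool, len(p.addrs))
	for _, a := range p.addrs {
		results[a] = p.probe(a)
	}
	p.mu.Lock()
	p.healthy = results
	p.mu.Unlock()
}

// Run re-probes every interval until stop is closed (the "every few minutes" loop).
func (p *Pool) Run(interval time.Duration, stop <-chan struct{}) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-t.C:
			p.Check()
		case <-stop:
			return
		}
	}
}

// Answers returns the IPs to place in the A response: only backends whose last
// probe passed. If every probe failed (or no probe has run yet) it returns all
// of them rather than an empty answer, because an empty reply would be cached
// by resolvers and turn a monitoring fault into a full outage.
func (p *Pool) Answers() []net.IP {
	p.mu.Lock()
	defer p.mu.Unlock()
	var up, all []net.IP
	for _, a := range p.addrs {
		host, _, err := net.SplitHostPort(a)
		if err != nil {
			continue
		}
		ip := net.ParseIP(host)
		if ip == nil {
			continue // A records need literal addresses, not hostnames
		}
		all = append(all, ip)
		if p.healthy[a] {
			up = append(up, ip)
		}
	}
	if len(up) == 0 {
		return all
	}
	return up
}

func main() {
	// Constructed backends; the probe is a stub so the demo runs offline.
	p := NewPool([]string{"192.0.2.1:443", "192.0.2.2:443"}, func(a string) bool { return a == "192.0.2.1:443" })
	p.Check()
	fmt.Println("serve:", p.Answers()) // only the backend whose probe passed
}
```

Keep the TTL on the served A records at or below the probe interval, otherwise resolvers will hold on to a failed address for longer than the checker takes to notice it. In production, swap `tcpProbe` for a check that exercises the application, and run `Run` in its own goroutine next to the DNS listener.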
You can add __repl after any app to get the source: https://covid.army/__repl
This seems like it would be great for rapid prototyping.
I wrote something on what it feels like to host an app from your editor: https://amasad.me/hosting
I think: a pretty easy engineering decision.
It's a great post, thanks for writing it.
And if not (or also if you did), can you suggest documentation additions that would have helped you here?
Thanks Connor!
Did you consider creating CNAME records with your existing DNS provider to point to the target cluster proxy for each repl.co subdomain?