DNS on ma.ttias.be

The ghost domain problem in DNS, and what we're doing about it

mattias@ma.ttias.be (Mattias Geniar) — Sat, 06 Jun 2026 10:00:00 +0000

I wrote a piece over on the Oh Dear blog about a failure mode that most uptime monitoring gets wrong: a domain gets pulled from its registry’s zone, but its authoritative nameservers keep answering, and cached resolvers happily serve the stale delegation for days. Your monitoring says green. The domain is gone.

A new start for DNS Spy

mattias@ma.ttias.be (Mattias Geniar) — Wed, 16 Sep 2020 00:00:00 +0000

Hi all!

I’m excited to announce a strategic handover of DNS Spy to SecurityTrails with the goal to ensure both the future and growth of DNS Spy.

How to measure Linux Performance Avoiding Most Typical Mistakes: Network

mattias@ma.ttias.be (Mattias Geniar) — Wed, 08 Jul 2020 06:50:00 +0100

In this series, we are talking about Linux performance measurement, how to measure it right. Linux performance is a very broad topic, so we’ll focus on the four primary resources which are typically going to drive your system performance – obviously CPU, memory, disk storage, and network.

Initial impressions on running a Bitcoin Core full node

mattias@ma.ttias.be (Mattias Geniar) — Fri, 22 Mar 2019 20:19:30 +0000

Since about a week I’m running my own Bitcoin Core full node, one that keeps a full copy of the blockchain with all transactions included.

Showing the DNS score in your dashboard & an updated layout

mattias@ma.ttias.be (Mattias Geniar) — Thu, 28 Feb 2019 20:28:42 +0000

A new release of DNS Spy marks some useful improvements.

We’ve had our public DNS rating system for a little over a year now. Every day, hundreds of sites get scanned and receive recommendations for how to improve the resilience & setup of their nameservers. If you haven’t tried it out yet, go have a look.

Why your NS records matter

mattias@ma.ttias.be (Mattias Geniar) — Tue, 27 Nov 2018 09:20:56 +0000

Ever since the launch of our DNS scan, we’ve had the warning about mismatched NS records. Many users choose to ignore this, but there’s a pretty good reason we give a big warning whenever those records don’t line up.

A big update to DNS Spy – DNS Spy Blog

mattias@ma.ttias.be (Mattias Geniar) — Mon, 19 Nov 2018 07:30:10 +0000

A pretty big update to DNS Spy – our DNS monitoring & security solution – went live.

DNS Spy now checks for the “Null MX”

mattias@ma.ttias.be (Mattias Geniar) — Wed, 02 May 2018 17:45:44 +0000

A small but useful addition to the scoring system of DNS Spy: support for the Null MX record.

Due to CAA records, unable to issue TLS certs for names in private.cam.ac.uk

mattias@ma.ttias.be (Mattias Geniar) — Thu, 21 Sep 2017 19:07:02 +0000

Well that’s an unfortunate downside to the recently required CAA records.

CAA records specify restrictions on which certificate authorities are permitted to issue certificates for a particular domain. We do not publish CAA records in the DNS for cam.ac.uk, so we mistakenly believed that this change in policy would not affect us.

Why we’ve cancelled our free tier – DNS Spy Blog

mattias@ma.ttias.be (Mattias Geniar) — Thu, 21 Sep 2017 16:00:01 +0000

I decided to kill the free tier on DNS Spy , the economics of it just weren’t making any sense.

DNS Research: using SPF to query internal DNS resolvers

mattias@ma.ttias.be (Mattias Geniar) — Wed, 20 Sep 2017 13:28:34 +0000

Using the SPF records to trigger a response from an internal DNS server. Clever way to extract otherwise closed data!

A proposal for cryptocurrency addresses in DNS

mattias@ma.ttias.be (Mattias Geniar) — Mon, 18 Sep 2017 19:43:08 +0000

By now it’s pretty clear that the idea of a _cryptocurrency _probably isn’t going away. It might not be Bitcoin or Litecoin, it might not have the same value as it does today, but the concept of cryptocurrency is here to stay: digital money.

Chrome & Firefox now force .dev domains to HTTPS via preloaded HSTS

mattias@ma.ttias.be (Mattias Geniar) — Sun, 17 Sep 2017 08:04:28 +0000

tl;dr: Chrome 63 (out since December 2017), will force all domains ending on .dev (and .foo) to be redirected to HTTPS via a preloaded HTTP Strict Transport Security (HSTS) header.

Cloudflare now serves F-Root instance

mattias@ma.ttias.be (Mattias Geniar) — Fri, 15 Sep 2017 19:39:23 +0000

This is pretty cool, CloudFlare has become the host of one of the anycast root nameservers.

CAA record checking now mandatory for Certificate Authorities

mattias@ma.ttias.be (Mattias Geniar) — Sat, 09 Sep 2017 19:36:03 +0000

September = CAA validation month!

As of September 2017, every Certificate Authority is obligated to check the CAA DNS records for a domain it is about to issue a certificate to. This gives more control to the domain owner and can limit which Certificate Authorities are allowed to issue certificates.

Are homogenic nameserver names a single point of failure?

mattias@ma.ttias.be (Mattias Geniar) — Mon, 01 May 2017 18:23:37 +0000

Ondřej and I had a brief discussion over Twitter a few weeks ago about some of the DNS Spy scores related to using a single domain in your name servers vs. spreading the risk across multiple domains.

Interview on Laravel Spark & DNS Spy

mattias@ma.ttias.be (Mattias Geniar) — Thu, 20 Apr 2017 07:15:47 +0000

I did an interview on Laravel Daily about the build & launch of DNS Spy and the usage of the Laravel & Spark framework.

DNS Spy has launched!

mattias@ma.ttias.be (Mattias Geniar) — Wed, 19 Apr 2017 08:30:44 +0000

I started to created a DNS monitoring & validation solution called DNS Spy and I’m happy to report: it has launched!

CAA checking becomes mandatory for SSL/TLS certificates

mattias@ma.ttias.be (Mattias Geniar) — Sat, 08 Apr 2017 18:07:57 +0000

This was news to me in a few ways; first, there's a new DNS resource record called CAA (Certificate Authority Authorization) and second, Certificate Authorities are now required to check that record before issuing a certificate, to determine if they're allowed to do so.

DNS Spy enters public beta

mattias@ma.ttias.be (Mattias Geniar) — Wed, 01 Mar 2017 07:45:54 +0000

Here’s an exciting announcement I’ve been dying to make: DNS Spy , a new DNS monitoring and alerting tool I’ve been working on, has entered public beta!

Pi-Hole: A DNS-based blacklist for ads and tracking for Raspberry Pi

mattias@ma.ttias.be (Mattias Geniar) — Sun, 23 Oct 2016 10:08:32 +0000

I just “upgraded” our home network with a Pi-Hole , an interesting project that implements a DNS server with a known-list of ad- and privacy trackers. The result is that everyone on your network that uses that DNS server gets an adblocker for free, without configuration work.

Critical glibc buffer overflow vulnerability in getaddrinfo() on Linux (CVE-2015-7547 & CVE-2015-5229)

mattias@ma.ttias.be (Mattias Geniar) — Tue, 16 Feb 2016 19:30:18 +0000

In early 2015 we were startled by the “Ghost” vulnerability (CVE-2015-0235) . Now, it’s time for a similar DNS-based remote code execution vulnerability, split into 2 vulnerabilities: CVE-2015-7547 & CVE-2015-5229.

The best tech question to ask in a job interview

mattias@ma.ttias.be (Mattias Geniar) — Sun, 03 Jan 2016 20:41:58 +0000

“Explain to me how the internet works.”

CentOS 7 NetworkManager Keeps Overwriting /etc/resolv.conf

mattias@ma.ttias.be (Mattias Geniar) — Tue, 01 Sep 2015 19:00:16 +0000

In CentOS or Red Hat Enterprise Linux (RHEL) 7, you can find your /etc/resolv.conf file, which holds all nameserver configurations for your server, to be overwritten by the NetworkManager.

Bind/Named Crash: REQUIRE(name == ((void )0)) failed, CVE-2015-5477

mattias@ma.ttias.be (Mattias Geniar) — Tue, 11 Aug 2015 04:12:21 +0000

A couple of weeks ago, a major bind (named) vulnerability was exposed . The denial-of-service vulnerability abused a flaw in the way TKEY DNS records were processed.