😂

Hahaha

I just realized the other day I have 200+ samples on my work laptop. It’s all locked-down and [hopefully] can’t execute, but like... I’m kinda hesitant to pick it up now. Lol (I study malware, I’m not just a SUPER infected user)

Well he works in Internet and Computer Security as far as I know so his job is basically understanding how to fill up some random computer with malware ^^ It‘s obvious he‘s doing something he is passionate about which is nice.

@@mrnik.0 00

Now I cant stoping replaying it over and over

Just about to write that, now gonna practice that :)

@@TheDevilItSelf If you haven't figured it out yet, you need to hold the pen such that it is resting on your middle and ring finger. The thumb rests on the pen such that it is slightly off(towards the index finger) from the pen's center of gravity. Now flick the pen around your thumb with the middle finger and the ring finger.

@@rajiv8k thanks dude, thats actually really helpful

I AM INVINCIBLE!

I completely agree

Same! He's super entertaining as well. Computerphile please set up playlists categorized by nottingham staff!

Totally agree. He’s explaining these things better than anyone else.

His name MIKE POUND is Sooo James Bond character name=PUSSY GALOR

*bang* on for doctor *pound*

Truly. I actually started to learn to code watching his videos. Not from them ofc, but the motivation originated heree

who are you talking to? That's how it works.

It's actually quite terrifying, even if a poisoning attack only has like 1/1,000,000,000% chance of working.

Certbot takes like two to three lines of code lol

@@cosmicrider5898 It's not the name server that is the "hard" part. You can turn that on with the config file on most name servers these days. It's convincing accounting that spending 100,000/yr on the signed certificate is "worth it". Is your ISP really going to pay for that? What if they have to buy a dozen for various bits of their country wide network? Is your work going to buy one for their server? for each branch (yes there are ways around this at the corporate level, but if you have 2 or 3 small offices)?

This is a chicken and egg issue, without DNS the common name of X509 certificates could not provide the information where a certificate would fit in a global hierarchy so you wouldn't know what to validate it against. This is an issue solved by DNSSEC in a different way that still provides compatibility with regular DNS while maintaining its scalability.

@Bjorn While that might be true for some ISPs the real reason is that nobody thought about protecting against eavesdropping at the time DNS was invented and it is in such ubiquitous use today that nobody reinvented a perfect enough replacement yet. There are lots of interoperability and scalability issues to solve for any such replacement.

BYTE Magazine, by chance?

a snake. he showed at the end of the last dns video

A Cornsnake to be precise

The answer is always Gwyneth Paltrow's head.

I had the same question

@@bentoth9555 I read the question with Jack's voice lol

That's pretty devious. I love it!

I don't get it. But what about the local cache? Every browser that already had a DNS cache will then be permanently blocked (since the browser will never attempt to clear a 301 redirect cache automatically).

@@lake5044 Could be a problem with existing users, but might be able to be worked around by having the bot trap serving up a page saying "If you're seeing this, your browser's DNS cache is outdated. Clear it and try revisiting the site." which the bots will never actually read.

@@Roxor128 But then, that's no different than doing the same from your server (i.e. presenting some bot-challenge). I don't see the added benefit from going to such lengths as to purposefully poison your own domain name (maybe some load balancing? But standard load balancing is still much preferred and robust I think)

@Zero Cool What do you mean by "upload more RAM from the cloud"?

I noticed this a while ago and have been wondering if anyone else saw it haha. I hope if he sees this comment he knows it's not a bad thing or that I'm making fun, it's just a cute little quirk!

With relatively low costs, it only takes a few suckers to become profitable.

My guess: They just start sending every request that comes in round forever until both name servers become unresponsive because all they do is send queries to each other.

@@cameron7374 Have you got no hope at all in people who designed such fundamental service?

@@Mr.Leeroy I do have hope in them but if the specification says to ask the next DNS server if you don't know and they both point at each other, that is what will happen and not a flaw in the technology but rather user error. I mean, something like this can already happen with some routing protocols for regular routers where they establish a path that leads in a circle, in the hopes the next router knows where to send the packets. That's called a broadcast storm and it's the job of whoever is setting up the network to set it up in a way where it doesn't happen.

I think dnssec would be a better solution. I believe tls or doh could still be poisoned. Edit: he says this at 10:12

if the connection between the client and server is encrypted, there's no opportunity to send a spoofed response, since you'd need to crack the encryption to send a response on that specific request, right? dnssec just takes this a step further with trusted dns servers

DNSSEC is the answer, not DNS over TLS. However, if the server isn't supporting DNSSEC which a LOT do not, or it not enabled. . .then it's game on.

@@juliankandlhofer7553 The opportunity would be to MITM the client recursive name server, which could be easier or harder depending on the privacy profile (opportunistic or out-of-band key-pinned, see RFC7858 section 4).

@@cosmicrider5898 You're only partially correct, because who decides who is a 'trusted' domain name server? If you trust anyone to be that 'trusted' party, then by default you can no longer trust them. Anyone who gains that must trust is immediately untrustworthy, lol... That's the facts of life. What you need is DN SEC where we trust individual domains by their public keys which only they have the private key for... Where we dont trust domain name servers but we trust individual domains proving who they are themselves. We can't trust any central authority to give us the truth, because with that trust they will always use it to lie. Instead we have to determine the individuals that we trust and only rely on our own ability to verify they are who they say they are and if we believe or better yet know we can trust them. G000gle is not to be trusted they can't even let TRUE information not be censored due to pharmaceutical interest for people to believe something that is true is not true... Because if people believe something that is true is not true then they equal big money for the pharmaceutical companies, and if they know the truth that money is greatly diminished. These companies aren't out for our best interests but for their own and their friends.

I'm pretty sure that's intentional so they don't accidentally slander a random public IP address.

thx for the clarification

Apple Bonjour and Zeroconf use multicast DNS. Basically how this works is your devices for example Google Chromecast periodically sends a DNS packet to a multicast address that gets broadcast to all devices connected to your LAN or those who subscribed to said multicast address saying 'I am a chromecast, you can use my services x, y. and z at IP address such and such'. The .local Top Level Domain is one reserved for private usage - for example on your LAN - and will not be resolvable in the internet. Avahi (Linux) would be one example of a zeroconf implementation making use of the .local TLD.

do not use .local unless you know what you are doing

Stuff the request and response in an encrypted pipe (port 443 or 853) so that third parties can't view the requests to the DNS server. This also makes it harder to spoof the response, but the big thing here is in letting people pick their DNS server, and for third parties to not be able to view those requests.

It is skimmed over in this video but if you watch the other DNS explanation, that IP is the IP of the first DNS server you will ask (which in turn may ask other DNS servers)

Still for sale at Staples.

I imagine that university they work has a sub-optimal purchasing process and they ended up with piles of boxes of the stuff at a time no one was using it anymore. Now every employee is using it as scribbling paper for centuries to come. The editor even used an image of it as a surface for an animation which was funny.