frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Stop building automations. Start running your business

https://www.fluxtopus.com/automate-your-business
1•valboa•1m ago•1 comments

You can't QA your way to the frontier

https://www.scorecard.io/blog/you-cant-qa-your-way-to-the-frontier
1•gk1•3m ago•0 comments

Show HN: PalettePoint – AI color palette generator from text or images

https://palettepoint.com
1•latentio•3m ago•0 comments

Robust and Interactable World Models in Computer Vision [video]

https://www.youtube.com/watch?v=9B4kkaGOozA
1•Anon84•7m ago•0 comments

Nestlé couldn't crack Japan's coffee market.Then they hired a child psychologist

https://twitter.com/BigBrainMkting/status/2019792335509541220
1•rmason•8m ago•0 comments

Notes for February 2-7

https://taoofmac.com/space/notes/2026/02/07/2000
2•rcarmo•10m ago•0 comments

Study confirms experience beats youthful enthusiasm

https://www.theregister.com/2026/02/07/boomers_vs_zoomers_workplace/
2•Willingham•17m ago•0 comments

The Big Hunger by Walter J Miller, Jr. (1952)

https://lauriepenny.substack.com/p/the-big-hunger
1•shervinafshar•18m ago•0 comments

The Genus Amanita

https://www.mushroomexpert.com/amanita.html
1•rolph•23m ago•0 comments

We have broken SHA-1 in practice

https://shattered.io/
4•mooreds•24m ago•2 comments

Ask HN: Was my first management job bad, or is this what management is like?

1•Buttons840•25m ago•0 comments

Ask HN: How to Reduce Time Spent Crimping?

2•pinkmuffinere•26m ago•0 comments

KV Cache Transform Coding for Compact Storage in LLM Inference

https://arxiv.org/abs/2511.01815
1•walterbell•31m ago•0 comments

A quantitative, multimodal wearable bioelectronic device for stress assessment

https://www.nature.com/articles/s41467-025-67747-9
1•PaulHoule•33m ago•0 comments

Why Big Tech Is Throwing Cash into India in Quest for AI Supremacy

https://www.wsj.com/world/india/why-big-tech-is-throwing-cash-into-india-in-quest-for-ai-supremac...
1•saikatsg•33m ago•0 comments

How to shoot yourself in the foot – 2026 edition

https://github.com/aweussom/HowToShootYourselfInTheFoot
1•aweussom•33m ago•0 comments

Eight More Months of Agents

https://crawshaw.io/blog/eight-more-months-of-agents
4•archb•35m ago•0 comments

From Human Thought to Machine Coordination

https://www.psychologytoday.com/us/blog/the-digital-self/202602/from-human-thought-to-machine-coo...
1•walterbell•35m ago•0 comments

The new X API pricing must be a joke

https://developer.x.com/
1•danver0•36m ago•0 comments

Show HN: RMA Dashboard fast SAST results for monorepos (SARIF and triage)

https://rma-dashboard.bukhari-kibuka7.workers.dev/
1•bumahkib7•37m ago•0 comments

Show HN: Source code graphRAG for Java/Kotlin development based on jQAssistant

https://github.com/2015xli/jqassistant-graph-rag
1•artigent•42m ago•0 comments

Python Only Has One Real Competitor

https://mccue.dev/pages/2-6-26-python-competitor
4•dragandj•43m ago•0 comments

Tmux to Zellij (and Back)

https://www.mauriciopoppe.com/notes/tmux-to-zellij/
1•maurizzzio•44m ago•1 comments

Ask HN: How are you using specialized agents to accelerate your work?

1•otterley•45m ago•0 comments

Passing user_id through 6 services? OTel Baggage fixes this

https://signoz.io/blog/otel-baggage/
1•pranay01•46m ago•0 comments

DavMail Pop/IMAP/SMTP/Caldav/Carddav/LDAP Exchange Gateway

https://davmail.sourceforge.net/
1•todsacerdoti•47m ago•0 comments

Visual data modelling in the browser (open source)

https://github.com/sqlmodel/sqlmodel
1•Sean766•49m ago•0 comments

Show HN: Tharos – CLI to find and autofix security bugs using local LLMs

https://github.com/chinonsochikelue/tharos
1•fluantix•49m ago•0 comments

Oddly Simple GUI Programs

https://simonsafar.com/2024/win32_lights/
1•MaximilianEmel•49m ago•0 comments

The New Playbook for Leaders [pdf]

https://www.ibli.com/IBLI%20OnePagers%20The%20Plays%20Summarized.pdf
1•mooreds•50m ago•1 comments
Open in hackernews

Images over DNS

https://dgl.cx/2025/09/images-over-dns
201•dgl•4mo ago

Comments

cyanmagenta•4mo ago
The cap for record size is 64KB, but you can have an arbitrary number of records, so larger images should be possible by combining multiple TXT record responses into one.
dgl•4mo ago
I put a link to[1] in the article, which was previously discussed here[2] with a correction to that article. Basically there's a 2 byte length header on TCP DNS responses, limiting the payload (i.e. the DNS message inside) to 64 KiB.

  [1]: https://www.netmeister.org/blog/dns-size.html#:~:text=65536%20bytes%20DNS%20payload%20%2B%202%20bytes%20size%20%3D%2065538%20bytes
  [2]: https://news.ycombinator.com/item?id=39257147
KPGv2•4mo ago
Also with EDNS0, you can send larger messages over UDP, too, because you aren't restricted to a single UDP payload, but can send multiple datagrams.

It's pretty cool how this tech has evolved. UDP has become so much more reliable that you can even do SSL over UDP, with a complex mechanism meant to account for dropped packets during the handshake process.

m3047•4mo ago
After many years of "4096 ought to be enough for anybody", the default max UDP size in BIND 9 was reduced to 1232. Frags are bad; jumbos are good, but frags are bad!
cyanmagenta•4mo ago
Right, but you aren’t limited to one DNS call. You could have the javascript resolve multiple text records, then combine them together.

You could even do this over UDP if you really wanted, just merging a bunch of 1200-byte records together

m3047•4mo ago
A DNS message cannot exceed 64K, but multiple messages can be transmitted over TCP. That's the way AXFR (zone transfer) is done: one question, multiple responses.

https://github.com/m3047/rear_view_rpz/blob/b17cf943ccd7498d...

hhh•4mo ago
Very cool. I have done similar for playing Bad Apple as well as Doom over DNS:

https://youtu.be/AJ2Q12vYojY

https://youtu.be/GoPWuJR6Npc

dgl•4mo ago
Cool!

For the bad apple one; I tried something like that, it works if you're directly querying the authoritative DNS server, but if a cache is involved the records will be re-ordered by randomisation (even in some cases with TTL=0). That's why I ended up doing this as a single very long record, because then it can be cached without worrying about reordering.

mycall•4mo ago
The wild part of DNS is that port 53 is typically open on firewalls and is excellent for data exfiltration/infiltration.
nenenejej•4mo ago
Is it? Most firewalls I see allow no inbound by default (although all outbound)
NegativeK•4mo ago
I assume they were referring to outbound.

But ideally it'd be blocked and all traffic would go through an internal caching resolver, right? To reduce internal latency and load on outside servers, but also to have records if needed and to block whack requests or responses if needed.

lormayna•4mo ago
In a corporate environment you must use only the company DNS internal resolver and they are the only one that should go outside on port 53. This is a basic security measure to detect and block every attempt of DNS tunnelling or exfiltration
tuwtuwtuwtuw•4mo ago
Even if you use the internal resolver you could exfiltrate the data.
pixl97•4mo ago
I mean most of the time said company resolvers have a service that block either suspicious requests, or only allow whitelisted domains.
lormayna•4mo ago
Yes, but an internal resolver has filtering and must be heavy monitored. If the DNS logs are sent to a SIEM you will be detected quickly
notepad0x90•4mo ago
highly detectable though. modern ngfw's are all over this.
deoxykev•4mo ago
And it typically works on captive portals too before payment.
Sophira•4mo ago
AFWall+ on Android is an example of this - even if an app is blocked, as long as it has Internet permission it can still make DNS requests, allowing for two-way communication despite the firewall.
alamzin•4mo ago
Yes, but why? :)
jama211•4mo ago
FUN! And who knows, maybe this will lead to something later. Many discoveries or inventions were built on things people didn’t know the use of at the time.
rvz•4mo ago
Exactly.
CaptainOfCoit•4mo ago
Better question: Why not? :)
HeckFeck•4mo ago
Because I want my DKIM signatures to be literal signatures.
rvz•4mo ago
Why not? This is exactly what hackers and tinkerers do.
boznz•4mo ago
Question can also be interpreted as "why does DNS even allow this" which is fair as it only purpose should be to convert a domain name address into a 32 bit number. The answer is partially in the link on TFA. I guess they had their reasons.
pixl97•4mo ago
I mean DNS has had different record types for as long as I can remember, txt records in specific allowed the protocol to be extensible without everyone having to update their software to support new record types.

And that also leaves out the common things like MX records.

rany_•4mo ago
The image is actually HEIF not AVIF :)
zamadatix•4mo ago
HEIF is just the usual container for AVIF encoded data, similar to how AV1 encoded data might commonly be in an MP4 or MKV container. HEIF might easily get conflated with HEIC, which is Apple's implementation of HEIF specifically for HEVC encoded data. Too many damn "HE"s, if you ask me.

If you run "strings" you should see "av01Image" pretty early on in the HEIF header, which is what signals it's really an AVIF file. Tools like "file" may possibly not be updated to look for that yet, so could just report the container alone.

dgl•4mo ago
To be fair I did lazily do:

         else if (c.slice(4, 4+4) == "ftyp") f="avif";
Because I didn't feel like parsing the HEIF to check it's actually AVIF. I'm pretty sure browsers aren't that bothered about the file extension or MIME type for images.
rany_•4mo ago
Huh, my image viewer claimed it's HEIC specifically. My camera also seems to conflate HEIC and HEIF in the settings. It provides HEIF as a format option, when I guess it should be specifying which codec is actually being used. I had no idea HEIF isn't tied to just HEIC though.
r721•4mo ago
I wonder is it possible to create a HN clone over DNS?
deoxykev•4mo ago
How about LLM chat over DNS? https://github.com/accupham/llm-dns-proxy
mrb•4mo ago
Oh, this reminds me of a Chrome extension I wrote to distribute Web content (images, html, js, anything) over DNS: https://blog.zorinaq.com/cdn53-a-super-distributed-cdn/ It implements the fake TLD .cdn53: when visiting http://zorinaq.com.cdn53 the extension intercepts the request, sends a DNS query for the TXT record for "_cdn53.zorinaq.com" and the response contains the HTML content, or any content, and it can be up to ~65 kb in size. It's super-distributed as it will naturally be cached by all DNS resolvers worldwide that hit the domain...
vitonsky•4mo ago
Good idea. Probably nowadays this would not work due to changes in chrome extension API? They have limit a network interception API.
BuildTheRobots•4mo ago
There's also the Iodine project if you want to tunnel raw IPv4 over DNS [53]

[53] https://github.com/yarrick/iodine

mmh0000•4mo ago
I love iodine.

I used to do a lot of consulting work at locations with extremely locked down networks. I could use iodine + wireguard to punch through most firewalls, slow, but effective.

lormayna•4mo ago
This means that the security department is not doing a good job: things like iodine can be detected easily by a NGFW or by an analysis on DNS logs. This is a quite basic security posture.
EvanAnderson•4mo ago
Back when I was using it similarly to the other poster (say, 15 years ago) that wasn't the case. It's still a great litmus test of security posture today.

Just using DNS for data exfiltration, in general, is usually pretty fruitful. I wrote a "live off the land" data exfil script for Windows once, using the certutil and nslookup commands to base64 encode data and ship it out to my off-site DNS server.

I'll have to try it against a Palo Alto NGFW sometime and see what alarms I trip. I honestly never thought to try.

lormayna•4mo ago
That's make sense 15 years ago. Right now even the SOHO appliances have the DNS inspection feature.
bongodongobob•4mo ago
Lol no it isn't. Most companies don't even have MFA across the board, much less do anything with DNS security beyond maybe a blacklist.
lormayna•4mo ago
MFA is quite more complex to implement, especially if legacy applications are involved. Applying a basic DNS security monitoring is not hard, you can even implement with few policies on the border FW and something like an ELK stack. The most difficult part is implementing an appropriate process
roygbiv2•4mo ago
The only real place I got iodine to work was 40k feet above the ocean. Even then it was only good enough to telnet into an SMTP server to send an email. Most of the time it's failed for me.
notepad0x90•4mo ago
This is cool and all but due to malicious actors abusing this avenue, firewalls as well as endpoint agents will detect and block this. If you create a serious solution that uses this that is, it's great for home use and experimentation I guess.
SaggyDoomSr•4mo ago
I worked in the networking group for a cloud computing company. You've heard of them. We didn't charge for (some) DNS traffic, so some customers figured out how to use DNS as a transport mechanism to skirt around paying data transfer fees. It would essentially be a DoS attack which affected EVERY customer, so a few could save tiny fractions of their overall spend. A peer team of mine had to deal with the mess. That team had > 100% annual staff turnover, because they just made the oncall staff deal with the problem every time it showed up rather than ever solve the core issue of having a DoS vector masquerading as a feature.
zoky•4mo ago
Wouldn’t the solution be to just start charging for excessive DNS traffic?
lelandbatey•4mo ago
Potentially yes, but that's a business decision which the on-call developer cannot deal make on behalf of the business.
canttestthis•4mo ago
There's a lot of stuff the dev team can do that are not strictly business decisions though. Rate limits, QoS, etc.
rapind•4mo ago
Those can be business decisions too though. It depends on whether or not the real / lucrative customers will notice, or maybe the noisy customers who will be all over twitter because a dev figured they'd make a big change like this on their own.

Throttling and tiering can definitely affect more people than you might suspect (like spiky services) and considering data and use are important.

gitaarik•4mo ago
You can also create a REST API that accepts domain names and returns IP addresses! Then you can make a webserver that uses the REST API to get the IP address of the image you want to display!
jedisct1•4mo ago
Images over DNS over DNSCrypt over a DNS relay accessed via a VPN acting as a gateway to Tor. Maximum security.