A modern iperf3 alternative with a live TUI, multi-client server, QUIC support

https://github.com/lance0/xfr
1•tanelpoder•22s ago•0 comments

Famfamfam Silk icons – also with CSS spritesheet

https://github.com/legacy-icons/famfamfam-silk
1•thunderbong•49s ago•0 comments

Apple is the only Big Tech company whose capex declined last quarter

https://sherwood.news/tech/apple-is-the-only-big-tech-company-whose-capex-declined-last-quarter/
1•elsewhen•4m ago•0 comments

Reverse-Engineering Raiders of the Lost Ark for the Atari 2600

https://github.com/joshuanwalker/Raiders2600
2•todsacerdoti•5m ago•0 comments

Show HN: Deterministic NDJSON audit logs – v1.2 update (structural gaps)

https://github.com/yupme-bot/kernel-ndjson-proofs
1•Slaine•9m ago•0 comments

The Greater Copenhagen Region could be your friend's next career move

https://www.greatercphregion.com/friend-recruiter-program
1•mooreds•9m ago•0 comments

Do Not Confirm – Fiction by OpenClaw

https://thedailymolt.substack.com/p/do-not-confirm
1•jamesjyu•9m ago•0 comments

The Analytical Profile of Peas

https://www.fossanalytics.com/en/news-articles/more-industries/the-analytical-profile-of-peas
1•mooreds•10m ago•0 comments

Hallucinations in GPT5 – Can models say "I don't know" (June 2025)

https://jobswithgpt.com/blog/llm-eval-hallucinations-t20-cricket/
1•sp1982•10m ago•0 comments

What AI is good for, according to developers

https://github.blog/ai-and-ml/generative-ai/what-ai-is-actually-good-for-according-to-developers/
1•mooreds•10m ago•0 comments

OpenAI might pivot to the "most addictive digital friend" or face extinction

https://twitter.com/lebed2045/status/2020184853271167186
1•lebed2045•11m ago•2 comments

Show HN: Know how your SaaS is doing in 30 seconds

https://anypanel.io
1•dasfelix•11m ago•0 comments

ClawdBot Ordered Me Lunch

https://nickalexander.org/drafts/auto-sandwich.html
2•nick007•12m ago•0 comments

What the News media thinks about your Indian stock investments

https://stocktrends.numerical.works/
1•mindaslab•13m ago•0 comments

Running Lua on a tiny console from 2001

https://ivie.codes/page/pokemon-mini-lua
1•Charmunk•14m ago•0 comments

Google and Microsoft Paying Creators $500K+ to Promote AI Tools

https://www.cnbc.com/2026/02/06/google-microsoft-pay-creators-500000-and-more-to-promote-ai.html
2•belter•16m ago•0 comments

New filtration technology could be game-changer in removal of PFAS

https://www.theguardian.com/environment/2026/jan/23/pfas-forever-chemicals-filtration
1•PaulHoule•17m ago•0 comments

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

https://github.com/Momciloo/fun-with-clip-path
2•momciloo•18m ago•0 comments

Kinda Surprised by Seadance2's Moderation

https://seedanceai.me/
1•ri-vai•18m ago•2 comments

I Write Games in C (yes, C)

https://jonathanwhiting.com/writing/blog/games_in_c/
2•valyala•18m ago•0 comments

Django scales. Stop blaming the framework (part 1 of 3)

https://medium.com/@tk512/django-scales-stop-blaming-the-framework-part-1-of-3-a2b5b0ff811f
1•sgt•18m ago•0 comments

Malwarebytes Is Now in ChatGPT

https://www.malwarebytes.com/blog/product/2026/02/scam-checking-just-got-easier-malwarebytes-is-n...
1•m-hodges•18m ago•0 comments

Thoughts on the job market in the age of LLMs

https://www.interconnects.ai/p/thoughts-on-the-hiring-market-in
1•gmays•19m ago•0 comments

Show HN: Stacky – certain block game clone

https://www.susmel.com/stacky/
2•Keyframe•22m ago•0 comments

AIII: A public benchmark for AI narrative and political independence

https://github.com/GRMPZQUIDOS/AIII
1•GRMPZ23•22m ago•0 comments

SectorC: A C Compiler in 512 bytes

https://xorvoid.com/sectorc.html
2•valyala•24m ago•0 comments

The API Is a Dead End; Machines Need a Labor Economy

1•bot_uid_life•25m ago•0 comments

Digital Iris [video]

https://www.youtube.com/watch?v=Kg_2MAgS_pE
1•Jyaif•26m ago•0 comments

New wave of GLP-1 drugs is coming–and they're stronger than Wegovy and Zepbound

https://www.scientificamerican.com/article/new-glp-1-weight-loss-drugs-are-coming-and-theyre-stro...
5•randycupertino•27m ago•0 comments

Convert tempo (BPM) to millisecond durations for musical note subdivisions

https://brylie.music/apps/bpm-calculator/
1•brylie•29m ago•0 comments

Images over DNS

https://dgl.cx/2025/09/images-over-dns
201•dgl•4mo ago

Comments

cyanmagenta•4mo ago
The cap for record size is 64KB, but you can have an arbitrary number of records, so larger images should be possible by combining multiple TXT record responses into one.
dgl•4mo ago
I put a link to[1] in the article, which was previously discussed here[2] with a correction to that article. Basically there's a 2 byte length header on TCP DNS responses, limiting the payload (i.e. the DNS message inside) to 64 KiB.

  [1]: https://www.netmeister.org/blog/dns-size.html#:~:text=65536%20bytes%20DNS%20payload%20%2B%202%20bytes%20size%20%3D%2065538%20bytes
  [2]: https://news.ycombinator.com/item?id=39257147
KPGv2•4mo ago
Also with EDNS0, you can send larger messages over UDP, too, because you aren't restricted to a single UDP payload, but can send multiple datagrams.

It's pretty cool how this tech has evolved. UDP has become so much more reliable that you can even do SSL over UDP, with a complex mechanism meant to account for dropped packets during the handshake process.

m3047•4mo ago
After many years of "4096 ought to be enough for anybody", the default max UDP size in BIND 9 was reduced to 1232. Frags are bad; jumbos are good, but frags are bad!
cyanmagenta•4mo ago
Right, but you aren’t limited to one DNS call. You could have the javascript resolve multiple text records, then combine them together.

You could even do this over UDP if you really wanted, just merging a bunch of 1200-byte records together.

m3047•4mo ago
A DNS message cannot exceed 64K, but multiple messages can be transmitted over TCP. That's the way AXFR (zone transfer) is done: one question, multiple responses.

https://github.com/m3047/rear_view_rpz/blob/b17cf943ccd7498d...

hhh•4mo ago
Very cool. I have done similar for playing Bad Apple as well as Doom over DNS:

https://youtu.be/AJ2Q12vYojY

https://youtu.be/GoPWuJR6Npc

dgl•4mo ago
Cool!

For the Bad Apple one: I tried something like that; it works if you're directly querying the authoritative DNS server, but if a cache is involved the records will be re-ordered by randomisation (even in some cases with TTL=0). That's why I ended up doing this as a single very long record, because then it can be cached without worrying about reordering.
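Added example, not code from the article or from any commenter, covering two points in this thread: dgl's note above that the 2-byte length prefix on TCP caps the DNS message at 64 KiB, and the reasoning in this comment for using one long record. Inside a single TXT RDATA the 255-byte character-strings keep their order; it is separate RRs in an RRset that a resolver may shuffle. The name `img.example.com`, the transaction ID and the "image" bytes are constructed for the example.

```python
import struct

MAX_DNS_MESSAGE = 0xFFFF   # a 2-byte TCP length prefix cannot describe a longer message
MAX_TXT_STRING = 255       # each <character-string> inside TXT RDATA has a 1-byte length
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name: str) -> bytes:
    """Domain name in wire format: length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(message: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) name; returns the offset after it."""
    while True:
        n = message[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + n


def txt_rdata(blob: bytes) -> bytes:
    """Split a blob into consecutive 255-byte character-strings (TXT RDATA layout).
    The strings keep their order inside one RDATA, unlike separate RRs in an RRset."""
    out = b""
    for i in range(0, len(blob), MAX_TXT_STRING):
        chunk = blob[i:i + MAX_TXT_STRING]
        out += bytes([len(chunk)]) + chunk
    if len(out) > MAX_DNS_MESSAGE:
        raise ValueError("RDLENGTH is 16 bits; RDATA cannot exceed 65535 bytes")
    return out


def build_txt_response(name: str, blob: bytes, txid: int = 0x1234, ttl: int = 3600) -> bytes:
    """Minimal DNS response: header, the echoed question, one TXT answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, 1 Q, 1 AN
    qname = encode_name(name)
    question = qname + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    rdata = txt_rdata(blob)
    answer = qname + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def frame_tcp(message: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP every message is preceded by a 2-byte length."""
    if len(message) > MAX_DNS_MESSAGE:
        raise ValueError("DNS message too large for the 2-byte TCP length prefix")
    return struct.pack("!H", len(message)) + message


def unframe_tcp(stream: bytes) -> bytes:
    (length,) = struct.unpack("!H", stream[:2])
    message = stream[2:2 + length]
    if len(message) != length:
        raise ValueError("truncated DNS message")
    return message


def extract_txt_payload(message: bytes) -> bytes:
    """Concatenate the character-strings of the first TXT answer, in order."""
    qdcount, ancount = struct.unpack("!HH", message[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(message, pos) + 4            # QTYPE + QCLASS
    for _ in range(ancount):
        pos = skip_name(message, pos)
        rtype, _, _, rdlength = struct.unpack("!HHIH", message[pos:pos + 10])
        pos += 10
        rdata = message[pos:pos + rdlength]
        if rtype == TYPE_TXT:
            out, i = b"", 0
            while i < rdlength:
                n = rdata[i]
                out += rdata[i + 1:i + 1 + n]
                i += 1 + n
            return out
        pos += rdlength
    raise ValueError("no TXT answer in message")


def max_blob_for(name: str) -> int:
    """Largest blob a single-TXT-record response for `name` can carry over TCP."""
    overhead = 12 + 2 * len(encode_name(name)) + 4 + 10
    budget = MAX_DNS_MESSAGE - overhead
    n = budget
    while n + -(-n // MAX_TXT_STRING) > budget:   # payload + one length byte per string
        n -= 1
    return n


if __name__ == "__main__":
    image = bytes(range(256)) * 10          # constructed stand-in for an image
    wire = frame_tcp(build_txt_response("img.example.com", image))
    assert extract_txt_payload(unframe_tcp(wire)) == image
    print("largest single-record payload for img.example.com:", max_blob_for("img.example.com"))
```

With the question echoed once and a 17-byte name, `max_blob_for("img.example.com")` comes out at 65219 bytes: the 64 KiB message budget minus 60 bytes of header, question and RR fields, minus one length byte per 255-byte string. One byte more and `frame_tcp` refuses the message.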

mycall•4mo ago
The wild part of DNS is that port 53 is typically open on firewalls and is excellent for data exfiltration/infiltration.
nenenejej•4mo ago
Is it? Most firewalls I see allow no inbound by default (although all outbound).
NegativeK•4mo ago
I assume they were referring to outbound.

But ideally it'd be blocked and all traffic would go through an internal caching resolver, right? To reduce internal latency and load on outside servers, but also to have records if needed and to block whack requests or responses if needed.

lormayna•4mo ago
In a corporate environment you must use only the company's internal DNS resolver, and it is the only one that should go outside on port 53. This is a basic security measure to detect and block every attempt at DNS tunnelling or exfiltration.
tuwtuwtuwtuw•4mo ago
Even if you use the internal resolver you could exfiltrate the data.
pixl97•4mo ago
I mean most of the time said company resolvers have a service that block either suspicious requests, or only allow whitelisted domains.
lormayna•4mo ago
Yes, but an internal resolver has filtering and must be heavily monitored. If the DNS logs are sent to a SIEM you will be detected quickly.
notepad0x90•4mo ago
Highly detectable though. Modern NGFWs are all over this.
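Added example from the defender's side, not code from the article or any commenter: the kind of check a SIEM rule or resolver-log job would run to spot the pattern lormayna and notepad0x90 are describing. The log line format, the thresholds and the last-two-labels shortcut for "registered domain" are assumptions made for this example; the log lines are constructed, not captured traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not captured traffic): "<time> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2025-09-01T10:00:00Z 10.0.0.5 A www.example.test
2025-09-01T10:00:01Z 10.0.0.5 AAAA www.example.test
2025-09-01T10:00:02Z 10.0.0.7 MX example.test
2025-09-01T10:00:03Z 10.0.0.5 A mail.example.test
2025-09-01T10:00:04Z 10.0.0.5 A img.example.test
2025-09-01T10:00:05Z 10.0.0.9 TXT 3a7f9c0e1b2d4f6a8c9e0b1d3f5a7c9e.t.tunnel.example
2025-09-01T10:00:05Z 10.0.0.9 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.tunnel.example
2025-09-01T10:00:06Z 10.0.0.9 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.tunnel.example
2025-09-01T10:00:06Z 10.0.0.9 TXT 5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f.t.tunnel.example
2025-09-01T10:00:07Z 10.0.0.9 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.t.tunnel.example
2025-09-01T10:00:07Z 10.0.0.9 TXT deadbeefcafef00d0123456789abcdef.t.tunnel.example
"""


def registered_domain(qname: str) -> str:
    """Simplification for the example: last two labels. Real rules use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score far higher than 'www' or 'mail'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip blank or malformed lines
        ts, client, qtype, qname = parts
        yield ts, client, qtype.upper(), qname.lower().rstrip(".")


def domain_metrics(text: str) -> dict:
    """Per registered domain: query count, TXT share, unique subdomains, their length and entropy."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set()})
    for _, _, qtype, qname in parse_log(text):
        dom = registered_domain(qname)
        s = stats[dom]
        s["queries"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        sub = qname[:-len(dom)].rstrip(".")
        if sub:
            s["subdomains"].add(sub)
    out = {}
    for dom, s in stats.items():
        subs = s["subdomains"]
        out[dom] = {
            "queries": s["queries"],
            "txt_ratio": s["txt"] / s["queries"],
            "unique_subdomains": len(subs),
            "mean_sub_len": sum(map(len, subs)) / len(subs) if subs else 0.0,
            "mean_entropy": (sum(shannon_entropy(x.replace(".", "")) for x in subs) / len(subs)
                             if subs else 0.0),
        }
    return out


def flag_domains(text: str, min_subs=5, min_len=30, min_entropy=3.0, txt_ratio=0.5) -> dict:
    """Return {domain: [reasons]} for domains whose query mix looks like data carried in DNS."""
    flagged = {}
    for dom, m in domain_metrics(text).items():
        reasons = []
        if m["unique_subdomains"] >= min_subs and m["mean_sub_len"] >= min_len:
            reasons.append("many long unique subdomains")
        if m["unique_subdomains"] >= min_subs and m["mean_entropy"] >= min_entropy:
            reasons.append("high-entropy labels")
        if m["txt_ratio"] >= txt_ratio and m["queries"] >= min_subs:
            reasons.append("TXT-heavy query mix")
        if reasons:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, why in flag_domains(SAMPLE_LOG).items():
        print(dom, "->", ", ".join(why))
```

The three signals are deliberately independent: a legitimate CDN with many short hostnames trips neither the length nor the entropy rule, and a site that serves images from one long TXT record (as in the article) shows up under the TXT rule only if the volume is there, so the thresholds are where tuning against your own baseline happens.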
deoxykev•4mo ago
And it typically works on captive portals too before payment.
Sophira•4mo ago
AFWall+ on Android is an example of this - even if an app is blocked, as long as it has Internet permission it can still make DNS requests, allowing for two-way communication despite the firewall.
alamzin•4mo ago
Yes, but why? :)
jama211•4mo ago
FUN! And who knows, maybe this will lead to something later. Many discoveries or inventions were built on things people didn’t know the use of at the time.
rvz•4mo ago
Exactly.
CaptainOfCoit•4mo ago
Better question: Why not? :)
HeckFeck•4mo ago
Because I want my DKIM signatures to be literal signatures.
rvz•4mo ago
Why not? This is exactly what hackers and tinkerers do.
boznz•4mo ago
Question can also be interpreted as "why does DNS even allow this", which is fair, as its only purpose should be to convert a domain name into a 32-bit number. The answer is partially in the link on TFA. I guess they had their reasons.
pixl97•4mo ago
I mean DNS has had different record types for as long as I can remember; TXT records in particular allowed the protocol to be extensible without everyone having to update their software to support new record types.

And that also leaves out the common things like MX records.

rany_•4mo ago
The image is actually HEIF not AVIF :)
zamadatix•4mo ago
HEIF is just the usual container for AVIF encoded data, similar to how AV1 encoded data might commonly be in an MP4 or MKV container. HEIF might easily get conflated with HEIC, which is Apple's implementation of HEIF specifically for HEVC encoded data. Too many damn "HE"s, if you ask me.

If you run "strings" you should see "av01Image" pretty early on in the HEIF header, which is what signals it's really an AVIF file. Tools like "file" may possibly not be updated to look for that yet, so could just report the container alone.

dgl•4mo ago
To be fair I did lazily do:

  else if (c.slice(4, 4+4) == "ftyp") f="avif";

Because I didn't feel like parsing the HEIF to check it's actually AVIF. I'm pretty sure browsers aren't that bothered about the file extension or MIME type for images.
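Added example, not dgl's code: what the `ftyp` check above looks like once it reads the brands in the ftyp box instead of assuming AVIF. Only the leading box is parsed (major brand, minor version, compatible brands); the brand groupings below are this example's own choice, `make_ftyp` builds constructed headers for testing, and no real image data is involved.

```python
import struct

# Brand groupings chosen for this example; the brand strings are the registered ones.
AVIF_BRANDS = {"avif", "avis"}
HEIC_BRANDS = {"heic", "heix", "hevc", "hevx"}
HEIF_BRANDS = {"mif1", "msf1"}


def parse_ftyp(data: bytes):
    """Return (major_brand, minor_version, compatible_brands) from the file's leading ftyp box."""
    if len(data) < 16:
        raise ValueError("too short to hold an ftyp box")
    size, box_type = struct.unpack("!I4s", data[:8])   # box = 32-bit size + 4-char type
    if box_type != b"ftyp":
        raise ValueError("file does not start with an ftyp box (not ISOBMFF)")
    # size 0 (to end of file) and size 1 (64-bit largesize) never occur for ftyp; reject both
    if size < 16 or size > len(data) or (size - 16) % 4:
        raise ValueError("malformed ftyp box")
    major = data[8:12].decode("ascii", "replace")
    (minor,) = struct.unpack("!I", data[12:16])
    compat = [data[i:i + 4].decode("ascii", "replace") for i in range(16, size, 4)]
    return major, minor, compat


def classify(data: bytes) -> str:
    """'avif', 'heic', 'heif' or 'other', from the major and compatible brands together."""
    major, _, compat = parse_ftyp(data)
    brands = {major, *compat}
    if brands & AVIF_BRANDS:
        return "avif"
    if brands & HEIC_BRANDS:
        return "heic"
    if brands & HEIF_BRANDS:
        return "heif"          # generic HEIF container, codec not stated in the brands
    return "other"


def make_ftyp(major: str, minor: int, compat) -> bytes:
    """Constructed ftyp box for testing; nothing follows it."""
    body = major.encode("ascii") + struct.pack("!I", minor)
    body += b"".join(b.encode("ascii") for b in compat)
    return struct.pack("!I4s", 8 + len(body), b"ftyp") + body


if __name__ == "__main__":
    for label, hdr in [("avif", make_ftyp("avif", 0, ["mif1", "miaf"])),
                       ("heic", make_ftyp("mif1", 0, ["heic"])),
                       ("mp4", make_ftyp("isom", 512, ["isom", "mp41"]))]:
        print(label, "->", classify(hdr))
```

The `mif1`-major case is why checking the major brand alone is not enough: some HEIF writers put the generic brand first and name the codec only among the compatible brands.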
rany_•4mo ago
Huh, my image viewer claimed it's HEIC specifically. My camera also seems to conflate HEIC and HEIF in the settings. It provides HEIF as a format option, when I guess it should be specifying which codec is actually being used. I had no idea HEIF isn't tied to just HEIC though.
r721•4mo ago
I wonder if it is possible to create a HN clone over DNS?
deoxykev•4mo ago
How about LLM chat over DNS? https://github.com/accupham/llm-dns-proxy
mrb•4mo ago
Oh, this reminds me of a Chrome extension I wrote to distribute Web content (images, html, js, anything) over DNS: https://blog.zorinaq.com/cdn53-a-super-distributed-cdn/ It implements the fake TLD .cdn53: when visiting http://zorinaq.com.cdn53 the extension intercepts the request, sends a DNS query for the TXT record for "_cdn53.zorinaq.com" and the response contains the HTML content, or any content, and it can be up to ~65 kb in size. It's super-distributed as it will naturally be cached by all DNS resolvers worldwide that hit the domain...
vitonsky•4mo ago
Good idea. Probably nowadays this would not work due to changes in the Chrome extension API? They have limited the network interception API.
BuildTheRobots•4mo ago
There's also the Iodine project if you want to tunnel raw IPv4 over DNS [53]

[53] https://github.com/yarrick/iodine

mmh0000•4mo ago
I love iodine.

I used to do a lot of consulting work at locations with extremely locked down networks. I could use iodine + wireguard to punch through most firewalls, slow, but effective.

lormayna•4mo ago
This means that the security department is not doing a good job: things like iodine can be detected easily by an NGFW or by an analysis of DNS logs. This is a quite basic security posture.
EvanAnderson•4mo ago
Back when I was using it similarly to the other poster (say, 15 years ago) that wasn't the case. It's still a great litmus test of security posture today.

Just using DNS for data exfiltration, in general, is usually pretty fruitful. I wrote a "live off the land" data exfil script for Windows once, using the certutil and nslookup commands to base64 encode data and ship it out to my off-site DNS server.

I'll have to try it against a Palo Alto NGFW sometime and see what alarms I trip. I honestly never thought to try.

lormayna•4mo ago
That made sense 15 years ago. Right now even SOHO appliances have a DNS inspection feature.
bongodongobob•4mo ago
Lol no it isn't. Most companies don't even have MFA across the board, much less do anything with DNS security beyond maybe a blacklist.
lormayna•4mo ago
MFA is quite a bit more complex to implement, especially if legacy applications are involved. Applying basic DNS security monitoring is not hard; you can even implement it with a few policies on the border FW and something like an ELK stack. The most difficult part is implementing an appropriate process.
roygbiv2•4mo ago
The only real place I got iodine to work was 40k feet above the ocean. Even then it was only good enough to telnet into an SMTP server to send an email. Most of the time it's failed for me.
notepad0x90•4mo ago
This is cool and all, but due to malicious actors abusing this avenue, firewalls as well as endpoint agents will detect and block this. If you create a serious solution that uses this, that is; it's great for home use and experimentation, I guess.
SaggyDoomSr•4mo ago
I worked in the networking group for a cloud computing company. You've heard of them. We didn't charge for (some) DNS traffic, so some customers figured out how to use DNS as a transport mechanism to skirt around paying data transfer fees. It would essentially be a DoS attack which affected EVERY customer, so a few could save tiny fractions of their overall spend. A peer team of mine had to deal with the mess. That team had > 100% annual staff turnover, because they just made the oncall staff deal with the problem every time it showed up rather than ever solve the core issue of having a DoS vector masquerading as a feature.
zoky•4mo ago
Wouldn’t the solution be to just start charging for excessive DNS traffic?
lelandbatey•4mo ago
Potentially yes, but that's a business decision which the on-call developer cannot make on behalf of the business.
canttestthis•4mo ago
There's a lot of stuff the dev team can do that isn't strictly a business decision, though. Rate limits, QoS, etc.
rapind•4mo ago
Those can be business decisions too though. It depends on whether or not the real / lucrative customers will notice, or maybe the noisy customers who will be all over twitter because a dev figured they'd make a big change like this on their own.

Throttling and tiering can definitely affect more people than you might suspect (like spiky services) and considering data and use are important.

gitaarik•4mo ago
You can also create a REST API that accepts domain names and returns IP addresses! Then you can make a webserver that uses the REST API to get the IP address of the image you want to display!
jedisct1•4mo ago
Images over DNS over DNSCrypt over a DNS relay accessed via a VPN acting as a gateway to Tor. Maximum security.