Je suis Charlie

Autres trucs


Seulement les RFC

Seulement les fiches de lecture

Mon livre « Cyberstructure »


A dynamic experimental DNS server, just for fun

First publication of this article on 31 May 2022
Last update on of 25 February 2024

Let me introduce you to a new program, an experimental authoritative DNS server intended for dynamic answers (answers depending, for instance, on the client). It is just for fun and it does not pretend to replace existing programs. But you may want to read its source code, or use its online demo, at

My main goal was to have fun. A secondary goal was to have a service to get the IP address used by resolvers to query authoritative name servers. So, as said above, this program is not intended for mission-critical uses.

The program is named Drink, for no special reason. Its source code is available online, under a free-software licence. It uses the Elixir programming language and I'll talk about it later.

Let's first use the program. An instance is installed on the domain The tests are done with dig, the links in this article are through the DNS looking glass. You can send TXT queries to get help:

% dig TXT
;; ANSWER SECTION:	0 IN TXT "Possible queries: " "hello/TXT to have a greeting. " "ip/TXT,A,AAAA to have the IP address of the client. ...


A query for the subdomain hello will produce a greeting and the version numbers of the programs used:

% dig TXT
;; ANSWER SECTION: 0 IN TXT "Hello, this is the Drink DNS server, version 0.1.0 and I use the dns library version 2.3.0, running on Elixir 1.13.2"


The most useful service today, in my opinion, is at the subdomain ip, returning the IP address of the DNS client:

% dig AAAA
;; ANSWER SECTION:	0 IN AAAA 2001:860:de02:102::d2


Two important things about this service:

  • If you do A (IPv4) or AAAA (IPv6) requests, and your resolver uses the other address family, you'll get a response but not of the queried type, and it will be put in the Additional section of the DNS message. Some resolvers will filter out this unexpected response. Use TXT requests if you want to avoid this.
  • The IP address returned is not your IP address, nor it is the one you use to talk to your resolver.

Here, we query through Quad9:

% dig @2620:fe::9 A   


As you can see, we queried Quad9 over IPv6 but Quad9 queried our dynamic server over IPv4, using one of PCH addresses.

If you want to know the ECS option sent by your resolver, you can query the ecs service (TXT query).

You can get the date and time of the DNS server, in RFC 3339 syntax:

% dig TXT
;; ANSWER SECTION:	0 IN TXT "2022-05-31T11:05:36.507343Z"


(Obviously, it is less efficient to synchronize clocks than NTP.) You can also get a random number, or IP address:

% dig A


It's probably a useless service but you can use it to explore randomly the Internet, with commands such as whois $(dig +short A). Beware, there is a security weakness in this command. Can you spot it? If you are the sort of person who does curl http://random-site.example/ | sudo bash, don't worry, this is not worse. Also, this command is less fun with IPv6, since a great part of the IPv6 address space is unallocated.

Drink has EDNS (RFC 6891) and recognizes a few options, such as the maximum size of the answer:

% dig +bufsize=50 TXT
;; Truncated, retrying in TCP mode.
;; ANSWER SECTION:	0 IN TXT "2022-05-31T11:24:09.318345Z"
;; MSG SIZE  rcvd: 91


As you can see from the "Truncated, retrying in TCP mode.", Drink returned a response with the truncation flag, and dig retried with TCP (which is of course supported by Drink). Another thing you can do with EDNS, is to query NSID (Name Server Identifier, RFC 5001):

% dig +nsid TXT
; EDNS: version: 0, flags:; udp: 1200
; NSID: 6e 73 31 2d 64 79 6e 2e 62 6f 72 74 7a 6d 65 79 65 72 2e 66 72 ("")
;; ANSWER SECTION:	0 IN TXT "2022-05-31T11:31:43.240583Z"


As you can see, the name server identifier is returned (not terribly useful in that case, but much more interesting if you use anycast). Drink also properly manage cookies (RFC 7873) and EDE (Extended DNS Errors, RFC 8914).

If you want not only the IP address of the machine querying Drink, but also the port and the transport protocol used (currently almot always UDP), you can query the subdomain connection :

%  dig TXT


Another service is at the subdomain bgp, returning not only the IP address of the DNS client, but also the IP prefix announced in the DFZ, and the AS number which originates this prefix:

% dig TXT
;; ANSWER SECTION:	3597 IN	TXT "2605:4500:2:245b::bad:dcaf" "2605:4500::/32" "46636"


(It uses the HTTPS service.) Here, the resolver 2605:4500:2:245b::bad:dcaf is part of the prefix 2605:4500::/32, announced by AS 46636. This is specially interesting when you ask many separate machines to query this name. For instance, with RIPE Atlas probes and the Blaeu program, we can ask 20 probes to do a DNS resolution:

% blaeu-resolve --requested 20 --type TXT
["" "" "49825"] : 1 occurrences 
["" "" "13335"] : 1 occurrences 
["" "" "15169"] : 1 occurrences 
["2001:610:1:40ba:145:100:185:17" "2001:610::/29" "1103"] : 1 occurrences 
["" "" "1103"] : 1 occurrences 
["" "" "20473"] : 1 occurrences 
["" "" "201454"] : 1 occurrences 
["" "" "715"] : 1 occurrences 
["2a02:908:2:110b::24" "2a02:908::/33" "3209"] : 1 occurrences 
["2404:4408:5::b9" "2404:4400::/28" "9790"] : 1 occurrences 
["2607:fb90:c13e:fff0:b77b:5ed3:0:aaaa" "2607:fb90:c13e::/48" "22140"] : 1 occurrences 
["2001:1438:2:14::11" "2001:1438::/32" "8881"] : 1 occurrences 
["2a04:e4c0:14::69" "2a04:e4c0:14::/48" "36692"] : 1 occurrences 
["" "" "8737"] : 1 occurrences 
["" "" "42"] : 1 occurrences 
["" "" "60294"] : 1 occurrences 
["" "" "13335"] : 1 occurrences 
["" "" "6830"] : 1 occurrences 
["" "" "11232"] : 1 occurrences 
["" "" "3243"] : 1 occurrences 
Test #41687133 done at 2022-06-11T10:17:45Z

Which gives us a glimpse of the resolvers they use (AS 12335 is Cloudflare and AS 15169 is Google, both operating public DNS resolvers used by some probes).

Another service? country gives you the country of your DNS resolver, as a ISO 3166 two-letter code:

% dig TXT


Two warnings: geolocation is far from perfect (it relies on databases which are not always up-to-date; by the way, we currently use ipinfo). And remember that it typically indicates the country of the machine, not the country of the company controlling it. For instance, currently, in France, users of Google Public DNS see their resolver in Belgium because this is where Google machines reside. (A similar service for geolocation of the resolver is

Note that requesting the full service will give you all the informations given by bgp and country:

% dig TXT
;; ANSWER SECTION:	3600 IN	TXT "" "" "8587" "NL"


The list of funny and useful (?) services is long: there is also unit which will give you access to unit conversions. See here a conversion of bars to kilopascals. Or you prefer to convert kilobytes to kibis?

% dig TXT
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20561
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION: 86400	IN TXT "146.48 KiB"


If you still live in the 19th century and want to convert from/to the old english units to the international ones, you can do it, too:

% dig TXT
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32635
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION: 86393	IN TXT "4571.78 m"


To get an idea of all the possible unit conversions, see the documentation of the library we use. A big warning, though: some unit names are case-sensitive but the DNS is supposed to be case-INsensitive. If you go through a resolver/forwarder which changes the case (which it is entitled to do), you may get errors such as "undetermined conversion".

Let's see another service, op, to perform arithmetic (a good opportunity to remind everyone that domain names are not limited to letters, digits and hyphen):

% dig TXT
... 86400	IN TXT "4"

% dig 2+3\*4-\(5-2\) TXT
2+3*4-\(5-2\) 86400 IN TXT "11"

Note that some characters were special for the Unix shell (not for the DNS) and had to be escaped. Some were special both for the shell and for the zone file format, this is why dig escaped them. (A similar service, but requiring RPN, is at See its documentation.)

Not more useful, but funny, the number formatting service. You indicate a number and a language (as a language tag) and you get the number spelled in words:

% dig +short TXT
% dig +short TXT
% dig +short TXT
"seixanta-cinc milions sis-cent cinquanta-sis mil set-cent trenta-quatre"

Not all languages are represented, for disk space and memory reasons. We currently have arabic (ar), catalan (ca), german (de), english (en), french (fr) and dutch (nl). Note also that, for some languages (surprinsingly, not for french), the answer may be not ASCII but full UTF-8. This will require a DNS client able to display it, something that typical traditional DNS clients cannot do. (Note that there is no standard for the character set and encoding of the characters strings in a TXT record value. No way to tag them as « UTF-8 ». This explains the lack of clients.) An example of such a client is the DNS Looking Glass, another is the fediverse DNS bot.

And a last service, weather reports. You query for a city (here, Quimper) and whether you want current weather:

% dig TXT
;; ANSWER SECTION: 1800 IN TXT "Quimper" "Sunny" "25.0 C" "precipitation 0.0 mm" "wind 15.1 km/h" "cloudiness 0 %" "humidity 44 %"

Or the weather for the next day (here, in La Paz):

% dig TXT
;; ANSWER SECTION: 1800	IN TXT "La Paz" "Sunny" "9.2 C" "precipitation 0.0 mm" "wind 7.6 km/h" "cloudiness 0 %" "humidity 20 %"

Finally, note that Drink, unlike all (most?) other dynamic DNS services, is fully protected with DNSSEC. Responses are dynamically signed and can therefore be authenticated by the resolver:

% dig +dnssec LOC
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION: 10 IN	LOC 38 5 56.000 N 179 42 40.000 E 5741.00m 0.00m 0.00m 0.00m 10 IN	RRSIG LOC 8 4 10 (
				20230216040000 20230211154000 63937
;; Query time: 48 msec
;; WHEN: Sun Feb 12 10:51:08 CET 2023
;; MSG SIZE  rcvd: 290

(See the 'ad' flag? It means "Authenticated Data".) You can check the DNSSEC configuration with DNSviz if you want: dnsviz-drink.png

Drink can also report statistics about the traffic it saw. For that, you have to activate its IPC interface and the statistics service. Then, you can query it (here, formatting the JSON with jq):

% echo statistics | socat - UNIX-CONNECT:/var/run/drink/drink.sock | jq .
  "protocols": {
    "tcp": 342,
    "udp": 15047
  "qnames": {
    "1/": 1,
    "2 + 2 * 5 - 10 -": 1,
    "": 1,
    "": 1,
    "OTHER NAME": 8556,
    "": 1,
    "": 1,
    "": 1,
    "": 1918,
    "": 3,
    "": 5,
    "": 10,
    "": 4383
  "qtypes": {
    "A": 10656,
    "AAAA": 2218,
    "ANY": 7,
    "AXFR": 2,
    "CNAME": 3,
    "DNSKEY": 856,
    "DS": 1,
    "LOC": 2,
    "MX": 8,
    "NS": 18,
    "PTR": 9,
    "SOA": 1013,
    "SRV": 2,
    "TXT": 54,
    "URI": 2
  "rcodes": {
    "NOERROR": 6326,
    "NXDOMAIN": 14,
    "REFUSED": 8542
  "running-seconds": 59316,
  "running-time": "16 hours 28 minutes 36 seconds",
  "server-start": "2023-04-25T15:15:54.585281Z",
  "when": "2023-04-26T07:44:30.314052Z"

OK, let's assume you're convinced and you want to install Drink on your machines. Since it is written in the Elixir programming language, which requires a runtime, you need to install Elixir, and also the Erlang sources, to compile the DNS library (on Debian, this is apt install elixir erlang-dev erlang-src, on Arch, pacman -S elixir erlang-nox). Then, get the code with git and just type mix deps.get then mix run drink.exs (see the file for details). You will probably need to create a configuration file or to provide options on the command line, see again for details.

For the ip service, you can find similar existing services:

  • (A and AAAA, if the request is over IPv4, it creates an IPv4-mapped IPv6 address, see RFC 4291, section; besides Drink, it seems to be one of the few whose source code is available,
  • is a bit different, it is not a zone in the usual DNS tree, you need to query the authoritative server directly (and so you need a clean DNS path, something which is not always available, for instance at WiFi hotspots, and you won't learn the IP address of your resolver); try dig ip (and see their other funny services); its source code (in Go) is available,
  • (TXT queries) displays the IP address of the client, its port, the country, and ECS information.
  • and (TXT, A and AAAA),
  • (only TXT queries, does also ECS),
  • whoami​.​fastly​.​net and whoami​6.​fastly​.​net (A, AAAA, and TXT queries, the TXT queries also give you ECS information).
  • (A and AAAA),
  • (A and AAAA),
  • (only A requests, even if the servers have IPv6),

If you know other similar DNS services on the Internet, don't hesitate to report them. (They tend to be short-lived, many old ones no longer work, or return broken results.)

If you have ideas about services implemented on Drink, or bugs to report, please create a ticket.

Now, a few words about the source code. One of the reasons of the choice of the programming language Elixir is its excellent support of parallelism (or, rather, the excellent support of parallelism by the Erlang virtual machine). This is priceless for Internet servers. One process (an Elixir process, not an operating system process) is created for each connection (a connection being an UDP request or a "real" connection, with TCP) and the parallelism between clients is efficiently handled by the virtual machine. This isolation of processes (they share nothing, not even memory) also protects the server against malicious or broken clients, that can wait for a long time sending anything, or can send badly crafted DNS messages (something which is quite common on the Internet). A process may crash (for instance when attempting to decode a malformed DNS message) but the server will continue to serve the other clients.

The Drink server handles, of course, UDP and TCP (which is mandatory, see RFC 7766 and RFC 9210, but often forgotten in "custom" DNS servers). This is also something that is relatively easy with Elixir parallelism.

The DNS library I used saved me a lot of work, thanks to its author. But it also has some limitations. For instance, it has no support for EDNS options so I had to add it (not a big deal, but still annoying).

If you know Elixir, and its culture, you may be surprised to see that Drink does not use many things common in the Elixir world, such as OTP supervisors or protocols like GenServer. This is because, for this specific case, it seems to me they were not adding a lot of value. I may change my mind later.

One word about performance, testing with the excellent dnsperf tool. On a PC with two 2.6 Ghz cores, running dnsperf with one hundred parallel sending threads yields 10,000 requests per second and zero failure. (This is with Drink's logging and DNSSEC disabled, if you log each query, the DNS server will be much slower, and if you sign answers as well.)

% cat data
ip.test A
hello.test TXT
test SOA

%   ./src/dnsperf -n 10000 -c 100  -s -p 3553 -d data
DNS Performance Testing Tool
Version 2.9.0

[Status] Command line: dnsperf -n 10000 -c 100 -s -p 3553 -d data
[Status] Sending queries (to
[Status] Started at: Tue May 31 21:12:09 2022
[Status] Stopping after 10000 runs through file
[Status] Testing complete (end of file)


  Queries sent:         30000
  Queries completed:    30000 (100.00%)
  Queries lost:         0 (0.00%)

  Response codes:       NOERROR 30000 (100.00%)
  Average packet size:  request 25, response 90
  Run time (s):         2.974810
  Queries per second:   10084.677677

  Average Latency (s):  0.009701 (min 0.000258, max 0.028758)
  Latency StdDev (s):   0.002650
  Latency StdDev (s):   0.022502

Otherwise, Drink implementation has been the subject of a talk at OARC meeting #40 in Atlanta (february 2023), centered about its usage (slides are available online), and at FOSDEM (february 2023), mostly focused on internal implementation, slides and video are available online.

Version PDF de cette page (mais vous pouvez aussi imprimer depuis votre navigateur, il y a une feuille de style prévue pour cela)

Source XML de cette page (cette page est distribuée sous les termes de la licence GFDL)