CLASSIFIED · EYES ONLY · 53

It could be DNS.

We are not saying it is DNS. We are asking the questions nobody else will ask. Follow the evidence. Follow the TTLs. Follow the money.

DAYS UNDER INVESTIGATION: 15,491

The Evidence Board

Raw findings. Unverified. Uncomfortable. We pin them here for the public record, before someone "updates the zone file."

FACT · 001

The port number is 53. Fifty-three. A prime number. Look up what else is "prime." Ask yourself why.

FACT · 027

RFC 1034 was published in November 1987. The stock market crashed the month prior. No one has ever explained this convergence.

— coincidence???

Why exactly THIRTEEN root servers? Who decided this? In what smoke-filled room? Lettered A through M? WHO. PICKED. THE. LETTERS.

FACT · 055

AWS Route 53. Route 66 is famous, celebrated, songs are sung. Route 53 is silent. Hidden in plain sight.

FACT · 119

Have you EVER seen a DNS engineer look genuinely surprised when something breaks? They know. They have always known.

FACT · 208

"DNS" contains an N. So does "NSA." So does "NTP," "DHCP," and "LAN." I'm not saying. I'm asking.

Why does a "cache" need to "expire"? A normal filing cabinet doesn't expire. Who benefits from manufactured forgetting?

FACT · 404

Try explaining DNS to a non-technical person. Did they believe you? Would YOU believe you?

wake up

Unanswered Questions

Submitted to the IETF. Submitted to ICANN. Submitted to an unnamed contact. No reply.

· Internal Memo, Draft 47 ·

  1. Why are there exactly 13 root servers? Who authorized 13? Why not 12? Why not 14? What happens at server N?
  2. Why does the TTL exist? What purpose does "expiration" serve — other than manufacturing an opportunity for incidents?
  3. Who profits when every major outage is quietly attributed to "DNS"? Have you ever followed that money?
  4. Paul Mockapetris invented DNS in 1983. Have you ever seen him in the same room as your ISP's support agent? Think carefully.
  5. If DNS is "just a phonebook" — as they insist — why has no phonebook ever taken down a Fortune 500 company?
  6. Why is the SOA record so named? What is the "authority" it claims to have? Authority granted by whom?
  7. Why does dig always work when you're explaining the problem to someone else?

Classified Documents

Obtained through channels we are not at liberty to disclose. Authenticity: unconfirmed. Implications: enormous.

TOP SECRET
MEMORANDUM · DATE ████████
RE: Protocol ████████

TO: ████████████
FROM: █████████, ARPA

Per our conversation of ████, the resolver behavior shall be configured to ██████████████████. Public documentation will describe it as ██████████. At no point shall the true ████████████ be disclosed.

Burn after reading. Or cache it. Whichever serves.

INTERNAL
IETF DRAFT · REVISION ██
Concerning ████████████

Abstract: █████████████████████████████████████████████████ █████████████████████, which, given the observed TTL behavior, ██████████████████.

This draft expires in ██ seconds. Do not redistribute. Do not cache. Do not ask.

LEAKED
EMAIL · THREAD ███
Re: Re: Re: status update

> they're onto us
>
> fall back to TCP

understood. extending the TTL. buying us time.

— message redacted by sender, 3 minutes after sending —

Known Associates

Protocols and technologies frequently sighted in the vicinity of incidents. Guilt by association is, admittedly, guilt.

DHCP
Dynamic Host Configuration
a.k.a. "The Address Guy"

Hands out IP addresses like candy. Always on the scene. Claims ignorance. Suspicious.

BGP
Border Gateway Protocol
a.k.a. "The Getaway Driver"

Capable of rerouting anyone, anywhere, on short notice. Leaves no forwarding address.

NAT
Network Address Translation
a.k.a. "The Fence"

Hides identities for a living. Has been doing this for decades. Enough said.

NTP
Network Time Protocol
a.k.a. "The Alibi"

Claims to know "what time it is." Who appointed NTP timekeeper? How convenient, those timestamps.

A Partial Timeline

Documented incidents. Each attributed, officially, to "DNS." Each, we contend, merely attributed.

OCT · 2016
Dyn DDoS. Half the internet offline for hours.
"Probably IoT toasters," they said. We noticed which protocol was affected.

OCT · 2021
Facebook vanishes from the internet for six hours.
BGP, officially. But what was announced over BGP? Resolver records. Draw your own lines.

JUN · 2019
Cloudflare outage. The internet "feels slow."
An "unrelated leak." Unrelated to what, exactly?

2023 · 2024 · 2025
Countless outages. Pick one. Any one.
We dare you to find one where a reverse lookup didn't, at some point, enter the conversation.

TODAY
Something, somewhere, is currently resolving incorrectly.
We cannot prove it. We do not need to prove it.

Submit a Tip

Seen suspicious TTL activity? Noticed a resolver behaving irregularly? A colleague insisting "it can't be DNS"? Your anonymity is guaranteed.*

Anonymous Intake

* Anonymity is not actually guaranteed. Nothing is guaranteed. Especially not DNS.

· Triangulated Sources ·

We do not work alone.

When the oracle foretells it, and the diagnostician confirms it, we will still be here — pinning index cards to a wall, asking who, asking why, asking at what TTL.