My cable does NOT go to the pole. i cut that off a decade ago. But
That only matters if you're using the "DirecTV" branded bridges.
MoCA normally runs at frequencies at or above 1 GHz, which is where the cable TV band ends (in the United States anyway). It's designed to coexist with a live cable television service.
The exception is the DirecTV-branded ones, which run in the 500 MHz band because the feed from your dish *does* use the 1 GHz band.
And I wouldn't accept "just use wifi" either :)
Bit of a rant about ads/pihole earlier
Looks like my Android phones and Chromebooks are hard coded to use google DNS. I can change the Chromebook ( but not the phone. grr! ), but cant use only my DNS server, as it will break at the office. And i guess ( never noticed before ) my Linux stuff is using what it found at install time, not changing it on the fly. Also bogus. ( they are all DHCP, with reserved addresses on the router, and NOT manually setup )
Really, they should be using what my DHCP is handing out.
That explains a lot.
Tue Apr 26 2022 09:19:24 AM EDT from IGnatius T FoobarThe exception is the DirecTV-branded ones, which run in the 500 MHz band because the feed from your dish *does* use the 1 GHz band.
Ok ill bite.Why should i choose google's over something like opendns or even cloudflare?
Mon May 30 2022 06:35:56 PM EDT from IGnatius T FoobarEasiest thing to do, if you control the network, is to give *your* DNS server an address of 8.8.8.8
Never mind i read that wrong. Ya, that would be a one-and done without having to screw with the devices any..
Yeah. And if you still want an external DNS, it's clear that 9.9.9.9 is more
trustworthy than 8.8.8.8 or 1.1.1.1.
2022-05-30 18:35 from IGnatius T Foobar
Easiest thing to do, if you control the network, is to give *your* DNS
server an address of 8.8.8.8
oooooh, that might be a good workaround for that annoying Docker localhost bug.
(For those not in the know, if you have 127.0.0.1 in your resolv.conf, and a Docker container is not running in `host` mode, it won't work exactly the way you expect because 127.0.0.0 is no routable to the host from the container; it just maps to the container. Docker deals with this by telling the container to use 8.8.8.8[A1!)
Yeah. That's pretty awful and I've put safeguards against it in a couple
of systems I built since the last time you mentioned it, so thank you for
that. Aside from not wanting to feed the googlebeast, we also need access
to some private DNS infrastructure, so having lookups be completely broken
is preferable to having it use public DNS because it's easier to troubleshoot.
The other alternative, is instead of spoofing 8.8.8.8 and 8.8.4.4 and 1.1.1.1 and the rest, you can simply capture all port 53 traffic at the perimeter firewall and reroute those lookups to "your" DNS server. ${WORK} does this to prevent circumvention of their DNS-based web filter ... which is fine unless you're an engineer who needs to actually test hosting systems that include DNS.
The other alternative, is instead of spoofing 8.8.8.8 and 8.8.4.4 and 1.1.1.1 and the rest, you can simply capture all port 53 traffic at the perimeter firewall and reroute those lookups to "your" DNS server. ${WORK} does this to prevent circumvention of their DNS-based web filter ... which is fine unless you're an engineer who needs to actually test hosting systems that include DNS.
2022-06-10 13:10 from IGnatius T Foobar
Yeah. That's pretty awful and I've put safeguards against it in a
couple of systems I built since the last time you mentioned it, so
I wonder if your safeguards are enough. You may need to match on 127.0.0.0/8 because technically localhost is a node on localnet -- systemd-resolved uses 127.0.0.53 for instance I believe.
IPv6 is teh r0x0r and I'm trying to use it everywhere! I want to see more
[::1].
And yes, the safeguards need to consider a lot of different ways they can sneak out and get to undesirable DNS servers. In these systems I actually don't match on anything at all; I just make sure 8.8.8.8 is either blocked or spoofed for the entire environment. (We do a lot of private cloud environments so it's probably easier here than in some places.)
And yes, the safeguards need to consider a lot of different ways they can sneak out and get to undesirable DNS servers. In these systems I actually don't match on anything at all; I just make sure 8.8.8.8 is either blocked or spoofed for the entire environment. (We do a lot of private cloud environments so it's probably easier here than in some places.)
2022-05-29 13:22 from Nurb432
Bit of a rant about ads/pihole earlier
Looks like my Android phones and Chromebooks are hard coded to use
google DNS. I can change the Chromebook ( but not the phone. grr! ),
but cant use only my DNS server, as it will break at the office.
And i guess ( never noticed before ) my Linux stuff is using what it
found at install time, not changing it on the fly. Also bogus. (
they are all DHCP, with reserved addresses on the router, and NOT
manually setup )
Really, they should be using what my DHCP is handing out.
I have a tendency to treat my Android devices as inherently untrustworthy since Android sucks so much.
I use a DNS MITM so I force those pesky Android pieces of shit to use my DNS servers instead of the ones they want to use.
As a side note, if you install the F-DROID version of Netguard you can force the Android device to use DNS services you specify instead of the hardcoded ones. Netguard comes with an integrated adblocker too which operates device-ise, which is great. The Google Play version has the adblock removed for obvious reasons.
2022-05-30 18:35 from IGnatius T Foobar
Easiest thing to do, if you control the network, is to give *your* DNS
server an address of 8.8.8.8
I think doing some iptables NAT trickery so any outbound connection targetting an external DNS server is directed to your own DNS server is cleaner.
it's not just Docker anymore, either. Browsers like Chrome are starting to default their DNS resolution to public servers like 8.8.8.8 because those support a secured protocol that's not supported by your typical DNS server. Disabling or redirecting may have unforseeable consequences (but some will do it anyway until the consequences rear their heads.)
And I'm not saying "don't do it", people will do what they need to, I'm simply sounding a word of caution.
I think doing some iptables NAT trickery so any outbound connection
targetting an external DNS server is directed to your own DNS server is
cleaner.
Agreed, and you can put it at your network edge to keep rogue Googleforcers at bay.
The only problem I can see is that now the bad guys are using DNS over HTTPS.
I have no idea how to block that.
2022-06-14 15:55 from LoanShark
it's not just Docker anymore, either. Browsers like Chrome are
starting to default their DNS resolution to public servers like 8.8.8.8
because those support a secured protocol that's not supported by your
typical DNS server. Disabling or redirecting may have unforseeable
consequences (but some will do it anyway until the consequences rear
their heads.)
And I'm not saying "don't do it", people will do what they need to,
I'm simply sounding a word of caution.
Are you talking about DNSSED and the line? Those are easy enough to carry over to your own servers.
The only problem I can see is that now the bad guys are using DNS over
HTTPS.
I have no idea how to block that.
An https proxy with DPI and a blacklist.
I have one of those ready for deployment but I have not found the need to roll it out. Breaking TLS with a MITM makes me nervous even if there are legitimate reasons for it.