Language:

en_US

switch to room list switch to menu My folders
Go to page: First ... 21 22 23 24 [25] 26 27 28 29 30
[#] Tue Apr 26 2022 13:19:24 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

My cable does NOT go to the pole. i cut that off a decade ago.  But

That only matters if you're using the "DirecTV" branded bridges.

MoCA normally runs at frequencies at or above 1 GHz, which is where the cable TV band ends (in the United States anyway). It's designed to coexist with a live cable television service.

The exception is the DirecTV-branded ones, which run in the 500 MHz band because the feed from your dish *does* use the 1 GHz band.

And I wouldn't accept "just use wifi" either :)

[#] Sun May 29 2022 17:22:05 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Bit of a rant about ads/pihole earlier

Looks like my Android phones and Chromebooks are hard coded to use google DNS. I can change the Chromebook ( but not the phone. grr! ), but cant use only my DNS server, as it will break at the office.  And i guess ( never noticed before ) my Linux stuff is using what it found at install time, not changing it on the fly.  Also bogus. ( they are all DHCP, with reserved addresses on the router, and NOT manually setup )

Really, they should be using what my DHCP is handing out.  



[#] Sun May 29 2022 17:23:35 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

That explains a lot. 

Tue Apr 26 2022 09:19:24 AM EDT from IGnatius T Foobar
The exception is the DirecTV-branded ones, which run in the 500 MHz band because the feed from your dish *does* use the 1 GHz band.

 



[#] Mon May 30 2022 22:35:56 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

Easiest thing to do, if you control the network, is to give *your* DNS server an address of 8.8.8.8

[#] Mon May 30 2022 23:04:49 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Ok ill bite.Why should i choose google's over something like opendns or even cloudflare?

Mon May 30 2022 06:35:56 PM EDT from IGnatius T Foobar
Easiest thing to do, if you control the network, is to give *your* DNS server an address of 8.8.8.8

 



[#] Tue May 31 2022 00:42:05 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

Never mind i read that wrong.  Ya, that would be a one-and done without having to screw with the devices any..

 



[#] Thu Jun 02 2022 15:48:51 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

Yeah. And if you still want an external DNS, it's clear that 9.9.9.9 is more trustworthy than 8.8.8.8 or 1.1.1.1.

[#] Thu Jun 09 2022 21:27:37 UTC from LoanShark

[Reply] [ReplyQuoted] [Headers] [Print]

2022-05-30 18:35 from IGnatius T Foobar
Easiest thing to do, if you control the network, is to give *your* DNS

server an address of 8.8.8.8

oooooh, that might be a good workaround for that annoying Docker localhost bug.

(For those not in the know, if you have 127.0.0.1 in your resolv.conf, and a Docker container is not running in `host` mode, it won't work exactly the way you expect because 127.0.0.0 is no routable to the host from the container; it just maps to the container. Docker deals with this by telling the container to use 8.8.8.81!)

[#] Fri Jun 10 2022 17:10:55 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

Yeah. That's pretty awful and I've put safeguards against it in a couple of systems I built since the last time you mentioned it, so thank you for that. Aside from not wanting to feed the googlebeast, we also need access to some private DNS infrastructure, so having lookups be completely broken is preferable to having it use public DNS because it's easier to troubleshoot.

The other alternative, is instead of spoofing 8.8.8.8 and 8.8.4.4 and 1.1.1.1 and the rest, you can simply capture all port 53 traffic at the perimeter firewall and reroute those lookups to "your" DNS server. ${WORK} does this to prevent circumvention of their DNS-based web filter ... which is fine unless you're an engineer who needs to actually test hosting systems that include DNS.

[#] Fri Jun 10 2022 22:09:35 UTC from LoanShark

[Reply] [ReplyQuoted] [Headers] [Print]

2022-06-10 13:10 from IGnatius T Foobar
Yeah. That's pretty awful and I've put safeguards against it in a
couple of systems I built since the last time you mentioned it, so

I wonder if your safeguards are enough. You may need to match on 127.0.0.0/8 because technically localhost is a node on localnet -- systemd-resolved uses 127.0.0.53 for instance I believe.

[#] Fri Jun 10 2022 22:22:49 UTC from LadySerenaKitty

[Reply] [ReplyQuoted] [Headers] [Print]

There's no place like [::1].



[#] Sun Jun 12 2022 04:58:16 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

IPv6 is teh r0x0r and I'm trying to use it everywhere! I want to see more [::1].

And yes, the safeguards need to consider a lot of different ways they can sneak out and get to undesirable DNS servers. In these systems I actually don't match on anything at all; I just make sure 8.8.8.8 is either blocked or spoofed for the entire environment. (We do a lot of private cloud environments so it's probably easier here than in some places.)

[#] Tue Jun 14 2022 06:28:41 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2022-05-29 13:22 from Nurb432
Bit of a rant about ads/pihole earlier

Looks like my Android phones and Chromebooks are hard coded to use

google DNS. I can change the Chromebook ( but not the phone. grr! ),

but cant use only my DNS server, as it will break at the office. 

And i guess ( never noticed before ) my Linux stuff is using what it

found at install time, not changing it on the fly.  Also bogus. (

they are all DHCP, with reserved addresses on the router, and NOT
manually setup )

Really, they should be using what my DHCP is handing out.  


I have a tendency to treat my Android devices as inherently untrustworthy since Android sucks so much.

I use a DNS MITM so I force those pesky Android pieces of shit to use my DNS servers instead of the ones they want to use.

As a side note, if you install the F-DROID version of Netguard you can force the Android device to use DNS services you specify instead of the hardcoded ones. Netguard comes with an integrated adblocker too which operates device-ise, which is great. The Google Play version has the adblock removed for obvious reasons.

[#] Tue Jun 14 2022 06:30:13 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2022-05-30 18:35 from IGnatius T Foobar
Easiest thing to do, if you control the network, is to give *your* DNS

server an address of 8.8.8.8



I think doing some iptables NAT trickery so any outbound connection targetting an external DNS server is directed to your own DNS server is cleaner.

[#] Tue Jun 14 2022 16:37:27 UTC from Nurb432

[Reply] [ReplyQuoted] [Headers] [Print]

i will have to try that



[#] Tue Jun 14 2022 19:55:32 UTC from LoanShark

[Reply] [ReplyQuoted] [Headers] [Print]


it's not just Docker anymore, either. Browsers like Chrome are starting to default their DNS resolution to public servers like 8.8.8.8 because those support a secured protocol that's not supported by your typical DNS server. Disabling or redirecting may have unforseeable consequences (but some will do it anyway until the consequences rear their heads.)


And I'm not saying "don't do it", people will do what they need to, I'm simply sounding a word of caution.

[#] Tue Jun 14 2022 20:33:26 UTC from IGnatius T Foobar

[Reply] [ReplyQuoted] [Headers] [Print]

I think doing some iptables NAT trickery so any outbound connection
targetting an external DNS server is directed to your own DNS server is

cleaner.

Agreed, and you can put it at your network edge to keep rogue Googleforcers at bay.

The only problem I can see is that now the bad guys are using DNS over HTTPS.
I have no idea how to block that.

[#] Tue Jun 28 2022 09:54:59 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

2022-06-14 15:55 from LoanShark

it's not just Docker anymore, either. Browsers like Chrome are
starting to default their DNS resolution to public servers like 8.8.8.8

because those support a secured protocol that's not supported by your

typical DNS server. Disabling or redirecting may have unforseeable
consequences (but some will do it anyway until the consequences rear
their heads.)


And I'm not saying "don't do it", people will do what they need to,
I'm simply sounding a word of caution.



Are you talking about DNSSED and the line? Those are easy enough to carry over to your own servers.

[#] Tue Jun 28 2022 09:56:48 UTC from darknetuser

[Reply] [ReplyQuoted] [Headers] [Print]

The only problem I can see is that now the bad guys are using DNS over

HTTPS.
I have no idea how to block that.



An https proxy with DPI and a blacklist.

I have one of those ready for deployment but I have not found the need to roll it out. Breaking TLS with a MITM makes me nervous even if there are legitimate reasons for it.

[#] Tue Jun 28 2022 12:34:21 UTC from LoanShark

[Reply] [ReplyQuoted] [Headers] [Print]

Are you talking about DNSSED and the line? Those are easy enough to
carry over to your own servers.

Don't quite remember but it's a browser thing relating to Chrome (and maybe others') new default behavior. Sounds like IG had it right when he mentiond DNS-over-HTTPS.

Go to page: First ... 21 22 23 24 [25] 26 27 28 29 30