cloudflare? Seriously? Insiders name them "clownflare".
https://blog.fefe.de/
Sorry, it's in German but one can follow the links.
- Key extract with Heartbleed at cloudflare: https://twitter.com/indutny/status/454773820822679552
- TOR and Cloudflare: a very bad idea: https://blog.torproject.org/trouble-cloudflare
- Cloudbleed: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
- using 1.1.1.1 (or 8.8.8.8) is a very bad idea if you are interested in your privacy.
Same goes with this pilot project with Firefox and encrypted DNS.
- DNS outage at cloudflare: https://ianix.com/pub/dnssec-outages/20190321-www.cloudflare.com/
- another nice cloudflare outage which caused millions of websites going down: https://metro.co.uk/2019/07/02/cloudflare-outage-means-websites-including-detector-10103471/
I'm staying away from cloudflare as far as I can.
They MITM all the DNS and HTTP traffic by nature of what they do. Thus they are party to that on demand of the US gov potentially. Or if one day they suddenly change their terms.
As for secure DNS, the best solution is go full 1990 and use the hosts file.
(Yeah, I see that tongue-in-cheek, but I'm on a rampage here, so you get to tag along.)
As I was involved in the development and deployment of RFC 4034/4035 secure DNS, I beg to differ.
I recommend turning validation on.
Further, the people behind Pi-hole are as far as I can tell trying a bit too hard to help. There is no option to not forward queries to another full service resolver. I think that this is a very important feature which is missing in Pi-hole. And they sortakinda gloss over the possibility of having the option, by stating that such a forwarder is required. Someone is wrong on the Internet. Today again.
And, they're using dnsmasq. I can't recommend dnsmasq. Not when the clearly superior unbound exists. Even before unbound, there was BIND. Which is much better than dnsmasq, but not as good as unbound. (And I'm not even starting to talk about PHP, a "language" that is banned from my computers.)
Yeah, worsthorse, I'm throwing spanners in your thought process. Sorry. I think you'll be fine using it, but I, being sort of in the middle of it, am setting higher standards for my own systems. A rabbit-hole, as good as any TE one...
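One way to set up what this post recommends (a resolver that recurses from the root itself and has DNSSEC validation on), shown next to the forward-everything shape the post objects to. This is an added example, not a config posted in the thread; the file paths are assumptions and vary by distro.

```conf
# Added example, not from this thread. Minimal unbound.conf for a local
# validating resolver. Paths are assumptions; adjust to your distro.

server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Full recursion: no forward-zone, so every lookup starts at the root
    # servers and no single upstream sees the whole query stream.
    # root-hints is optional (unbound has built-in hints). Path assumed.
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation (RFC 4034/4035). The anchor file is created with
    # unbound-anchor and kept current via RFC 5011 tracking. Path assumed.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no          # bogus answers become SERVFAIL, not passed through
    harden-dnssec-stripped: yes      # reject answers whose signatures were stripped
    harden-glue: yes
    qname-minimisation: yes          # tell each upstream only what it needs to know

# Weak shape (the Pi-hole style forwarder; do not combine with the above):
# everything goes to one upstream, which then sees every name this host asks for,
# and validation depends on trusting that upstream's answers.
# forward-zone:
#     name: "."
#     forward-addr: 1.1.1.1
```

unbound-checkconf validates the file before a reload; a resolver that is actually validating sets the AD flag in answers for a signed zone, which is the quick way to confirm validation is on.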
Nice job with the lamp. That looks excellent.
As for board: eBay spares/repair "removed from working PC but now untested" $100
That is one reason I refuse to buy components off eBay. You just don't know. Especially gaming stuff which tends to be owned by the sort of person who rags their hardware hard.
All of this paranoia over who is watching your web browsing habits, same goes for smart TV's and speakers, Microsoft, Google etc, people making up their own DNS servers etc always makes me smile and I instantly think of this
Quote: They MITM all the DNS and HTTP traffic by nature of what they do. [...]
Well, you have to get your DNS from somebody, and they will know what they are giving to you.
Quote from: mnementh: Nice job with the lamp. That looks excellent.
As for board: eBay spares/repair "removed from working PC but now untested" $100
That is one reason I refuse to buy components off eBay. You just don't know. Especially gaming stuff which tends to be owned by the sort of person who rags their hardware hard.
I don't really care about how the hardware was used. I care about idiots assembling and disassembling hardware in the worst ways possible. Much more potential for damage, often subtle enough to be a time sink. One good zap is worth hundreds of thousands of hours of load.
Quote: They MITM all the DNS and HTTP traffic by nature of what they do. [...]
Well, you have to get your DNS from somebody,
and they will know what they are giving to you. The big American ISPs don't just let big brother watch, they also sell your requests and put their own ads in place of NXDOMAINs. If you ask me, cloudflare and google are still a step above even if they still sell the data and let big brother watch, so long as they don't mess with NXDOMAINs. Leads on DoH services that don't sell your requests and/or don't let Big Brother watch would, of course, be constructive and appreciated. I just think it's a bit ungrateful to complain that an improvement you're getting for free doesn't go far enough.
Ditto for the Poettering-pocalypse. Yeah, it's annoying as hell when he steps on your toes (the last time it affected me was when systemd-resolved broke dig +trace without an explicit server argument) but on the whole I'm glad it's happening. Name services always should have been handled per-link and per-service and always should go through a system wide cache layer that knows about links going up/down/reconfiguring for cache flushing purposes. /etc/resolv.conf, /etc/nsswitch.conf, and in-process glibc name resolution were always a bad fit for the modern network environment with complications like mDNS, NBT, and split-horizon resolvers from VPN connections and I'm glad somebody addressed that, even if I have to suffer a very minor inconvenience to obtain the benefits of said modernization.
Same goes for systemd as a whole. Compare the pile of RC scripts and runlevels in an old distro with the systemd units in a new distro. Are you really going to argue that declaring dependencies through a distro-specific mishmash of runlevel numbers, RC script precedence hierarchies, serialization scripts, file name alphabetical ordering, magic files, unparsed script comments, parsed script comments, and sleep <magic time> is better than having each unit declare a Require= line? Or that letting every service reinvent supervisory restart, centralized search/compressed/forward-secure logging, start-on-demand, and dependency watching in 5 different ways so as to maximize bugs and minimize knowledge transfer is a good idea? I sure wouldn't. I love being able to get all of that with at most a line or two in a unit file, rather than 30 lines of shell script and a trip every other month through TTY arcana, and I *especially* love that the knowledge I gain by doing so instantly translates to all of the other services on my box.
$ uptime
07:38:43 up 492 days, 8:29, 1 user, load average: 1,25, 1,20, 1,24
Besides, doesn't it just make you smile every time you
journalctl -fu misbehaving-unit
or, when things get really rough,
journalctl -fk
? No? Just me?
- "But it boots fast!" Like I fucking care.
Shouldn't be this far off...
...
This is how volt-nuttery starts, isn't it? Who's to blame? Meter or reference? I must buy more stuff, obviously...
Without doubt, the reference is the problem. I have one of those, from RoadRunner here on the forum which was adjusted by him to 10.00000V before he posted it to me.
The day before yesterday, I put it on the calibration lab's Fluke 8508A and it read 10.0005275V.
Heh, well, I don't know. The order of magnitude of the difference isn't that far off what one might expect from an instrument a few years out of cal.
On the other hand, I had some Fluke 8842s around some time ago and they also pointed to an offset of the reference as well...
- "But it boots fast!" Like I fucking care.
That's the thing though: it doesn't!
My laptops (work and private) all run the latest Linux Mint as their base OS. With every release, the systemd mediated boot process becomes more and more inconsistent with boot times from "fast" to "what the fuck is it doing?!".
I'm seriously contemplating moving to Devuan.
This is one of the thousand reasons I run Windows 10 on my desktop and laptop and just use virtual machines and EC2 to do my bidding on that side of things. Also Linux on high DPI laptops with power management and wifi that works consistently appears to be an impossibility.