Author Topic: Test Equipment Anonymous (TEA) group therapy thread  (Read 14560637 times)


Offline BU508A

  • Super Contributor
  • ***
  • Posts: 4522
  • Country: de
  • Per aspera ad astra
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50850 on: February 27, 2020, 03:47:41 pm »
You haven't lived until you've tried lugging a 1970's 26" colour TV up a flight of stairs on your own...   They must have weighed around 50Kg, more if there was a fancy wooden enclosure with shutters etc.

When I was in my twenties, I moved a WEGA 3062 colour TV set around. Two flights of stairs up. Alone. Wasn't really funny.


Two things to notice about our twenties:  (1) we were amazingly strong, and (2) amazingly stupid.

When my car wouldn't start, I remember pushing it up a small incline nearby, then I would run round to the driver's door, jump in and let it roll down the hill again, then start it by dumping the clutch in 1st gear.   Today, I think I'd have gotten around to changing the battery!   :-DD

Testosterone hinders logical thinking.  :-DD
“Chaos is found in greatest abundance wherever order is being sought. It always defeats order, because it is better organized.”            - Terry Pratchett -
 
The following users thanked this post: SilverSolder, mnementh

Offline Ice-Tea

  • Super Contributor
  • ***
  • Posts: 3063
  • Country: be
    • Freelance Hardware Engineer
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50851 on: February 27, 2020, 04:00:05 pm »
Shouldn't be this far off...


...

This is how volt-nuttery starts, isn't it? Who's to blame? Meter or reference? I must buy more stuff, obviously...

Without doubt, the reference is the problem. I have one of those, from RoadRunner here on the forum which was adjusted by him to 10.00000V before he posted it to me.
The day before yesterday, I put it on the calibration lab's Fluke 8508A and it read 10.0005275V.

Heh, well, I don't know. The order of magnitude of the difference isn't that far off what one might expect from an instrument a few years out of cal.

On the other hand, I had some Fluke 8842s around some time ago and they also pointed to an offset of the reference as well...


Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50852 on: February 27, 2020, 04:02:35 pm »
That's better. Tek 2245 for scale



Another monitor and arm arriving Saturday.

Previous crowding issue, hopefully now resolved :)



Edit: there's space to the left still for a whole half rack worth of HP goodies (couple of power supplies, DMM, 3312A planned)
« Last Edit: February 27, 2020, 04:16:00 pm by bd139 »
 
The following users thanked this post: med6753

Offline worsthorse

  • Super Contributor
  • ***
  • Posts: 1237
  • Country: us
  • aina varma, usein väärin
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50853 on: February 27, 2020, 04:09:49 pm »
You have to point your router’s DNS server to an upstream DNS server which it can get that info from. If it works out of the box it’s using the resolver on the box which is probably configured by your ISP or uses OpenDNS or google DNS upstream.

Your PC is told where the DNS server is on your local network when it gets its IP address via DHCP.

If you add a PiHole to your network all you’re doing is sticking another box in there and telling your router to use DHCP to tell everyone to use the PiHole dude for DNS.

No, that is not how it works.

In DNS we talk about three different actors: name servers, full-service resolvers, and stub resolvers.

  • The name server is loaded with data from a file. It answers queries from that, and nothing else.
  • The full-service resolver is configured with a special set of name server addresses to bootstrap from, the root servers, and nothing else. The rest it can recursively find by asking the root and traversing the tree. It then caches this data.
  • The stub resolver is the libraries your application is linked with on the end node. On Real Computers they look in /etc/resolv.conf for a set of full-service resolvers to query. The behaviour is similar on Windows.

The PiHole is a full-service resolver with a limiting configuration that makes it behave, in part, like a name server. If you have bought "broadband" instead of actual Internet you might not be able to use it as a full-service resolver without configuring it to forward its queries to another full-service resolver. Which, of course, makes the PiHole partially useless, because the entity running the other FSR will get your queries anyway. The goal must be that the PiHole, or alternatively the FSR you set up with less blocking, can talk to the root servers and all other name servers that serve names on the Internet.

Correct but from an end user perspective too much info  :-+

So... can I set up pi-hole and a full service resolver in the same box on the local side of my router and get the benefits of both pi-hole-ness and not using someone else's DNS server?

EDIT: Let me modify this: I'd like to block ads as close to the router and as transparently as possible, along with limiting the amount of information about my internet usage released to various corporate entities, and do both without a lot of server maintenance.  Is that too much to ask?  ;D
« Last Edit: February 27, 2020, 04:16:27 pm by worsthorse »
specialization is for insects.
 

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3554
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50854 on: February 27, 2020, 04:15:54 pm »

Back home now so a slightly more extensive reply. Your points are true for the Internet at large and all the front facing stuff but most ISP end users (and last mile infrastructure) and corporates with private network space use fully caching nameservers to keep traffic and RTT down and control borders. Local resolver on the box will talk directly to the cache which is authoritative. The cache will service a zone off the public internet as well (like .local). We're using dnsmasq and a large Active Directory forest for this. There are probably more of those networks out there than any other including the internet. I mean we have 32 IP addresses with about 12,000 devices behind them and every Thompson / D-Link / TP-Link POS router that ships runs nameserver cache.

Yes, there are several networks operating according to that principle.

In my corporate environment, we've got internal and external DNS, with suitable leaking in-between, cache forwarding etc. We buy DNS service as secondaries from several different operators, and run our own internal service, including DNSSEC-validating caches.  I'm planning for anycast resolvers inside, to get better service availability. And no, you can't trust Microsoft with important things like DNS, so we're running our AD DNS on 3rd party Real Computers.

Privately, I'm running a couple of name servers for zones I host, and all my servers have their own unbound  FSR running on ::1.
I've got under 3ms to the Internet exchange in Stockholm, so latency is not a problem. Neither is bandwidth, nor address scarcity.
The kids' computers are contaminated with Win 10, so am running a Samba4 AD to rein them in, with a public DNS zone.


Why public? Because I fucking hate .local. I'm friends with people operating root DNS services, and I've been running the name services for .SE, and the amount of crap badly configured computers throw at the infrastructure they're not paying for is insane. .local is a major player here.

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50855 on: February 27, 2020, 04:30:59 pm »

Back home now so a slightly more extensive reply. Your points are true for the Internet at large and all the front facing stuff but most ISP end users (and last mile infrastructure) and corporates with private network space use fully caching nameservers to keep traffic and RTT down and control borders. Local resolver on the box will talk directly to the cache which is authoritative. The cache will service a zone off the public internet as well (like .local). We're using dnsmasq and a large Active Directory forest for this. There are probably more of those networks out there than any other including the internet. I mean we have 32 IP addresses with about 12,000 devices behind them and every Thompson / D-Link / TP-Link POS router that ships runs nameserver cache.

Yes, there are several networks operating according to that principle.

In my corporate environment, we've got internal and external DNS, with suitable leaking in-between, cache forwarding etc. We buy DNS service as secondaries from several different operators, and run our own internal service, including DNSSEC-validating caches.  I'm planning for anycast resolvers inside, to get better service availability. And no, you can't trust Microsoft with important things like DNS, so we're running our AD DNS on 3rd party Real Computers.

That's pretty much what I'm trying to simplify at the moment because we don't want to bother with managing it and finding anyone who can run it in budget isn't a good ROI. Agree with Microsoft DNS. Total shit show.

Privately, I'm running a couple of name servers for zones I host, and all my servers have their own unbound  FSR running on ::1.
I've got under 3ms to the Internet exchange in Stockholm, so latency is not a problem. Neither is bandwidth, nor address scarcity.
The kids' computers are contaminated with Win 10, so am running a Samba4 AD to rein them in, with a public DNS zone.

I just get Amazon to do it now. I can't be bothered with looking after this stuff when I get home. As for Samba, the kids use OneDrive that comes with my O365 family sub. Entirely not my problem then! I don't have any local storage other than a couple of physical removable disks for periodic backups. I was running a Seagate 2 bay NAS but even that was too much for me to be bothered with :)

Why public? Because I fucking hate .local. I'm friends with people operating root DNS services, and I've been running the name services for .SE, and the amount of crap badly configured computers throw at the infrastructure they're not paying for is insane. .local is a major player here.

Yeah I don't like .local but it solves a whole load of pain if you are running AD with DNS. As for public there's good public and bad public. I'm currently living in a poorly contrived split-horizon DNS nightmare half in AD and half in a pikey DNS provider. we have things like www.google.com.company.local Ugh kill me. Everything is going to AWS and everything in public R53 zone with public addresses and Duo network gateway in front of it. That gives everyone SSO to the domain, sensible public addresses for services and easily revocable 2FA without having to spend a fortune setting up AO VPNs and stuff so they can all tap into the shit show.

Trying to get down to zero physical infrastructure, lose all the shitty grade third parties with their sticky fingers in everything, get to zero overheads and everything code driven and deployed in AWS.

Why did I take this job? Oh more money for test gear (and impending IR35 changes :-DD)
 

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3554
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50856 on: February 27, 2020, 04:38:00 pm »

So... can I set up pi-hole and a full service resolver in the same box on the local side of my router and get the benefits of both pi-hole-ness and not using someone else's DNS server?

EDIT: Let me modify this: I'd like to block ads as close to the router and as transparently as possible, along with limiting the amount of information about my internet usage released to various corporate entities, and do both without a lot of server maintenance.  Is that too much to ask?  ;D

It depends. (of course I had to answer like that)

If you have a broadband connection that blocks your ability to ask the greater Internet DNS queries directly, you're going to have a harder time getting there.  This is a TE thread, so let's set up a test:

On a Real Computer (Linux will do, Windows definitely not), make certain you have the program "dig"; on Debian derivatives it is in the "dnsutils" package.

Ask the computer:

$ dig primary.se. soa @primary.se. +mult

Note the answer row that contains:


;; ANSWER SECTION:
primary.se.      86400 IN SOA casper.besserwisser.org. mansaxel.besserwisser.org. (
            2020022101 ; serial
            600        ; refresh (10 minutes)
            1800       ; retry (30 minutes)
            3600000    ; expire (5 weeks 6 days 16 hours)
            300        ; minimum (5 minutes)
            )


Now, wait a few seconds, and then re-ask the same question. 

  • If the TTL (the "86400" number) is unchanged, you are lucky.
  • If it is decremented (roughly corresponding to the number of seconds elapsed between the questions) you have something on the way that leeches your queries, and proceeds to potentially lie to you.
  • If you get no answer at all, you have something more sinister blocking you.

The first case is the best, and the simplest. A PiHole will help, and help well.  In the second case, you will leak query data more than necessary. In the third case, you'll leak as much as the second, but additionally will have to configure a forwarding setting in the PiHole to circumvent the blocking.
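
The TTL test above, as an added example that is not part of the original post: a small Python script that parses the text `dig <zone> soa @<server> +multi` prints and applies the three outcomes. The function names `parse_dig`, `classify` and `sample_run` are my own, and the sample transcripts are constructed to match the shape of the dig output quoted later in this thread, not live captures. It also looks at the `aa` header flag as a second signal: the zone's own server sets it, while a cache answering from its memory does not, which catches an intercepting resolver even when the two TTLs happen to agree. A transparent forwarder that relays the authoritative answer unchanged preserves both the TTL and `aa`, so this test cannot see that kind of box.

```python
"""Classify the DNS path from two successive `dig <zone> soa @<auth-server>` runs.

Added example, not code from the thread.  It parses the text that
`dig primary.se. soa @primary.se. +multi` prints and applies the outcomes
described in the post:
  direct       - TTL unchanged and the `aa` (authoritative answer) flag set
  intercepted  - TTL counted down by roughly the elapsed time, or `aa` missing
  blocked      - no ANSWER section came back at all
Live use:  dig primary.se. soa @primary.se. +multi > run1.txt ; sleep 30 ; ... > run2.txt
"""
import re
from datetime import datetime

# Answer row, e.g. "primary.se.      86400 IN SOA casper.besserwisser.org. ..."
# (first char must not be ';' so the QUESTION row ";primary.se. IN SOA" is skipped)
ANSWER_RE = re.compile(r"^(?P<name>[^\s;]\S*)\s+(?P<ttl>\d+)\s+IN\s+SOA\b", re.M)
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[^;]*);", re.M)
WHEN_RE = re.compile(r"^;; WHEN: (?P<when>.+?)\s*$", re.M)
# dig 9.8 prints "Thu Feb 27 08:53:07 2020"; newer builds insert a zone name
WHEN_FORMATS = ("%a %b %d %H:%M:%S %Y", "%a %b %d %H:%M:%S %Z %Y")


def _parse_when(text: str):
    for fmt in WHEN_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def parse_dig(output: str) -> dict:
    """Extract SOA TTL, header flags and query timestamp from one dig run."""
    ans = ANSWER_RE.search(output)
    flags = FLAGS_RE.search(output)
    when = WHEN_RE.search(output)
    return {
        "ttl": int(ans.group("ttl")) if ans else None,
        "flags": set(flags.group("flags").split()) if flags else set(),
        "when": _parse_when(when.group("when")) if when else None,
    }


def classify(first: dict, second: dict, slack: int = 5) -> str:
    """Apply the TTL test from the post to two parsed runs (first, then second)."""
    if first["ttl"] is None or second["ttl"] is None:
        return "blocked"                      # nothing answered on port 53
    authoritative = "aa" in first["flags"] and "aa" in second["flags"]
    ttl_drop = first["ttl"] - second["ttl"]
    if ttl_drop == 0 and authoritative:
        return "direct"                       # the zone's own server answered both times
    if first["when"] and second["when"]:
        elapsed = (second["when"] - first["when"]).total_seconds()
        if abs(ttl_drop - elapsed) <= slack:
            return "intercepted"              # TTL is a cache entry counting down
    if not authoritative:
        return "intercepted"                  # a cache clears aa; the real server sets it
    return "inconclusive"


def sample_run(flags: str, ttl: int, when: str) -> str:
    """Build a dig-style transcript (constructed test data, not a real capture)."""
    return (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22480\n"
        f";; flags: {flags}; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n"
        "\n;; QUESTION SECTION:\n;primary.se.      IN SOA\n"
        "\n;; ANSWER SECTION:\n"
        f"primary.se.      {ttl} IN SOA casper.besserwisser.org. mansaxel.besserwisser.org. (\n"
        "            2020022101 ; serial\n            )\n"
        f"\n;; WHEN: {when}\n"
    )


BLOCKED_RUN = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    direct = (sample_run("qr aa rd", 86400, "Thu Feb 27 08:53:07 2020"),
              sample_run("qr aa rd", 86400, "Thu Feb 27 08:53:38 2020"))
    cached = (sample_run("qr rd ra", 86400, "Thu Feb 27 08:53:07 2020"),
              sample_run("qr rd ra", 86369, "Thu Feb 27 08:53:38 2020"))
    for label, (a, b) in {"direct": direct, "cached": cached}.items():
        print(label, "->", classify(parse_dig(a), parse_dig(b)))
    print("blocked ->", classify(parse_dig(BLOCKED_RUN), parse_dig(BLOCKED_RUN)))
```

Feed it the two saved dig transcripts and it prints which of the three cases you are in; the `slack` argument allows for the second or two between your clock reading and the cache's own countdown.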

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3554
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50857 on: February 27, 2020, 04:53:06 pm »

Why did I take this job? Oh more money for test gear (and impending IR35 changes :-DD)

I see. We're a 2500 (plus consultants) people company with lots of time-critical IT systems (broadcast) so the option of clouding everything is only an expensive idea in the minds of bosses that have been to the reality distortion that is Gartner conferences, nothing that's even remotely practically possible.

Luckily enough, things are reasonably right, and there are funds to get them better.

At home, I get to do things my way. Sort of adjacent to TEA, time-nuttery or volt-nuttery.

Offline worsthorse

  • Super Contributor
  • ***
  • Posts: 1237
  • Country: us
  • aina varma, usein väärin
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50858 on: February 27, 2020, 04:57:41 pm »
So if this is too OT, let me know and I will take the conversation offline...

I ran the query twice:

; <<>> DiG 9.8.3-P1 <<>> primary.se. soa @primary.se. +mult
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22480
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;primary.se.      IN SOA

;; ANSWER SECTION:
primary.se.      86400 IN SOA casper.besserwisser.org. mansaxel.besserwisser.org. (
            2020022101 ; serial
            600        ; refresh (10 minutes)
            1800       ; retry (30 minutes)
            3600000    ; expire (5 weeks 6 days 16 hours)
            300        ; minimum (5 minutes)
            )

;; Query time: 173 msec
;; SERVER: 192.36.115.53#53(192.36.115.53)
;; WHEN: Thu Feb 27 08:53:07 2020
;; MSG SIZE  rcvd: 96

lhotse:~ wch$ dig primary.se. soa @primary.se. +mult

; <<>> DiG 9.8.3-P1 <<>> primary.se. soa @primary.se. +mult
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47996
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;primary.se.      IN SOA

;; ANSWER SECTION:
primary.se.      86400 IN SOA casper.besserwisser.org. mansaxel.besserwisser.org. (
            2020022101 ; serial
            600        ; refresh (10 minutes)
            1800       ; retry (30 minutes)
            3600000    ; expire (5 weeks 6 days 16 hours)
            300        ; minimum (5 minutes)
            )

;; Query time: 184 msec
;; SERVER: 192.36.115.53#53(192.36.115.53)
;; WHEN: Thu Feb 27 08:53:38 2020
;; MSG SIZE  rcvd: 96


I have a fiber connection through the telco, with a dynamic IP, and I've changed the router to use cloudflare for DNS for now. 

Based on what you wrote and this query, sounds like I should be able to do this? 

Off to do more reading on setting up DNS!  Thanks!
specialization is for insects.
 

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3554
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50859 on: February 27, 2020, 05:00:44 pm »
So if this is too OT, let me know and I will take the conversation offline...

I ran the query twice:

<snip>

I have a fiber connection through the telco, with a dynamic IP, and I've changed the router to use cloudflare for DNS for now. 

Based on what you wrote and this query, sounds like I should be able to do this? 

Off to do more reading on setting up DNS!  Thanks!

Yeah, you're good. Go ahead!

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50860 on: February 27, 2020, 05:12:08 pm »
Yeah they tend not to feel as heavy as they are. I put this down to the size and the memory of old big CRTs. I certainly don’t want to lug a 21” FD Trinitron around now  :-DD. Some younger folk arriving these days in the IT industry have never owned a CRT and think the LCDs are heavy
That's so true, I remember going to Epsom to collect a 21" CRT monitor for CAD purposes and I had to carry it down a narrow flight of steps from an upstairs office; I was bleeding knackered by the time I'd got it into the car  :phew:

36" Trinitron KV-HR Series:   https://www.hoylen.com/articles/tech/sony-kvhr36m31/Sony-SHCS-Sight-brochure-KV-HR36M31.pdf   My back screams just from me LOOKING at that brochure.  :-DD

Here's a 40" WEGA Trinitron on fleaBay... 480P native res & 4:3 Aspect tho, so probably not as heavy as that KV-HR which was 16:9 (much thicker glass) and IIRC, 1440P native res.  :o

mnem
« Last Edit: February 27, 2020, 05:14:10 pm by mnementh »
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 
The following users thanked this post: BU508A

Offline Specmaster

  • Super Contributor
  • ***
  • Posts: 14483
  • Country: gb
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50861 on: February 27, 2020, 05:22:24 pm »
Thanks to the generosity of PA0PBZ  :-+, I have now finished the Thurlby CM200 project. The 1mm sockets which he kindly sent me were slightly too large to fit the existing holes. A few minutes with a Dremel soon cured that, and it was discovered during the removal of the old ones that they had all suffered plastic fatigue, possibly due to being exposed to UV for too long. This is on my bench stack and is a useful addition in the battle against bad capacitors including those bastard TANTS.  :-DD

Who let Murphy in?

Brymen-Fluke-HP-Thurlby-Thander-Tek-Extech-Black Star-GW-Avo-Kyoritsu-Amprobe-ITT-Robin-TTi
 
The following users thanked this post: PA0PBZ, Zucca, BU508A, med6753, salvagedcircuitry, bd139, Kosmic

Offline BU508A

  • Super Contributor
  • ***
  • Posts: 4522
  • Country: de
  • Per aspera ad astra
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50862 on: February 27, 2020, 05:32:38 pm »
cloudflare? Seriously? Insiders name them "clownflare".

https://blog.fefe.de/

Sorry, it's in German but one can follow the links.

- Key extract with Heartbleed at cloudflare: https://twitter.com/indutny/status/454773820822679552
- TOR and Cloudflare: a very bad idea: https://blog.torproject.org/trouble-cloudflare
- Cloudbleed: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
- using 1.1.1.1 (or 8.8.8.8) is a very bad idea if you are interested in your privacy.
  Same goes with this pilot project with Firefox and encrypted DNS.
- DNS outage at cloudflare: https://ianix.com/pub/dnssec-outages/20190321-www.cloudflare.com/
- another nice cloudflare outage which caused millions of websites going down: https://metro.co.uk/2019/07/02/cloudflare-outage-means-websites-including-detector-10103471/

I'm staying away from cloudflare as far as I can.
“Chaos is found in greatest abundance wherever order is being sought. It always defeats order, because it is better organized.”            - Terry Pratchett -
 
The following users thanked this post: Zucca

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50863 on: February 27, 2020, 05:44:34 pm »
   Currently restoring a Luxo Terea task light like this one purchased for CAD$8 at the thrift. I was lucky enough to find the CC power supply from it hanging on the "Wall o' Wall Warts" elsewhere in the store; would've been a total dicksore to find a substitute.  :phew:

A bit of a disappointment for Luxo; while the LED head is cast aluminium and it does have a nice heavy cast-iron base, the top hinge is glass-filled composite plastic and the base is rough-cast with a plastic shell. Also, the bottom hinge is made of cheap-feeling stamped steel, where the Luxo of old would've been a finish-cast one piece with the hinge machined into the casting itself. *sigh*

Still a damn sight nicer look & feel than 99% of what comes out of China (it was made there too); I'm not a fan of the silver so I'm going satin black on this one.

mnem
*tzzzzzt*
« Last Edit: February 27, 2020, 05:51:16 pm by mnementh »
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 
The following users thanked this post: Specmaster, bd139

Offline BU508A

  • Super Contributor
  • ***
  • Posts: 4522
  • Country: de
  • Per aspera ad astra
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50864 on: February 27, 2020, 05:49:45 pm »
Still a damn sight nicer look & feel than 99% of what comes out of China (it was made there too); I'm not a fan of the silver so I think I'm going to go satin black Tek blue on this one.

mnem
*tzzzzzt*

Fixed that for you.  :-DD

Here you go:
“Chaos is found in greatest abundance wherever order is being sought. It always defeats order, because it is better organized.”            - Terry Pratchett -
 

Offline worsthorse

  • Super Contributor
  • ***
  • Posts: 1237
  • Country: us
  • aina varma, usein väärin
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50865 on: February 27, 2020, 05:50:43 pm »
cloudflare? Seriously? Insiders name them "clownflare".

https://blog.fefe.de/

Sorry, it's in German but one can follow the links.

- Key extract with Heartbleed at cloudflare: https://twitter.com/indutny/status/454773820822679552
- TOR and Cloudflare: a very bad idea: https://blog.torproject.org/trouble-cloudflare
- Cloudbleed: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
- using 1.1.1.1 (or 8.8.8.8) is a very bad idea if you are interested in your privacy.
  Same goes with this pilot project with Firefox and encrypted DNS.
- DNS outage at cloudflare: https://ianix.com/pub/dnssec-outages/20190321-www.cloudflare.com/
- another nice cloudflare outage which caused millions of websites going down: https://metro.co.uk/2019/07/02/cloudflare-outage-means-websites-including-detector-10103471/

I'm staying away from cloudflare as far as I can.

I am happy to have another option for DNS resolution until I get something running behind my router here.  I ended up pointing to cloudflare to avoid using the telco-provided DNS and google DNS servers, both of which I knew to be bad.  Didn't realize cloudflare had issues, and assumed that whoever I choose, as long as it is "out there", is a privacy issue.
specialization is for insects.
 
The following users thanked this post: Zucca

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50866 on: February 27, 2020, 05:56:43 pm »
Still a damn sight nicer look & feel than 99% of what comes out of China (it was made there too); I'm not a fan of the silver so I think I'm going to go satin black Tek blue on this one.

mnem
*tzzzzzt*
Fixed that for you.  :-DD   Here you go:   

LOL...  :-DD You caught me. I started that post last night but forgot to click send; you posted while I was editing to reflect that. Thankfully, it's already painted and in reassembly.  :phew:

mnem
« Last Edit: February 27, 2020, 06:01:00 pm by mnementh »
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 

Offline BU508A

  • Super Contributor
  • ***
  • Posts: 4522
  • Country: de
  • Per aspera ad astra
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50867 on: February 27, 2020, 06:18:49 pm »
cloudflare? Seriously? Insiders name them "clownflare".

https://blog.fefe.de/

Sorry, it's in German but one can follow the links.

- Key extract with Heartbleed at cloudflare: https://twitter.com/indutny/status/454773820822679552
- TOR and Cloudflare: a very bad idea: https://blog.torproject.org/trouble-cloudflare
- Cloudbleed: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
- using 1.1.1.1 (or 8.8.8.8) is a very bad idea if you are interested in your privacy.
  Same goes with this pilot project with Firefox and encrypted DNS.
- DNS outage at cloudflare: https://ianix.com/pub/dnssec-outages/20190321-www.cloudflare.com/
- another nice cloudflare outage which caused millions of websites going down: https://metro.co.uk/2019/07/02/cloudflare-outage-means-websites-including-detector-10103471/

I'm staying away from cloudflare as far as I can.

I am happy to have another option for DNS resolution until I get something running behind my router here.  I ended up pointing to cloudflare to avoid using the telco-provided DNS and google DNS servers, both of which I knew to be bad.  Didn't realize cloudflare had issues, and assumed that whoever I choose, as long as it is "out there", is a privacy issue.

If you are interested in some DNS alternatives, perhaps you want to check out these:

https://securedns.eu/

https://dismail.de/info.html#dns

https://digitalcourage.de/support/zensurfreier-dns-server  (Sorry, it's in German)

https://www.digitale-gesellschaft.ch/dns/ (a service based in Switzerland, site is in German)
“Chaos is found in greatest abundance wherever order is being sought. It always defeats order, because it is better organized.”            - Terry Pratchett -
 
The following users thanked this post: Mr. Scram

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3554
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50868 on: February 27, 2020, 06:29:35 pm »
cloudflare? Seriously? Insiders name them "clownflare".

<snip>

I'm staying away from cloudflare as far as I can.

Seconded. Also, they're a major driver behind the metadata gathering operation that is DoH.

Offline worsthorse

  • Super Contributor
  • ***
  • Posts: 1237
  • Country: us
  • aina varma, usein väärin
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50869 on: February 27, 2020, 06:41:25 pm »
cloudflare? Seriously? Insiders name them "clownflare".

<snip>

I'm staying away from cloudflare as far as I can.

Seconded. Also, they're a major driver behind the metadata gathering operation that is DoH.

Thanks all for the heads up and help. I've temporarily swapped our router DNS pointers to a couple of OpenNIC tier two servers until I learn enough to get a DNS server running locally.  And I guess I need to go learn what DoH is, too.

Its always somethin'
specialization is for insects.
 

Offline med6753

  • Super Contributor
  • ***
  • Posts: 11313
  • Country: us
  • Tek nut
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50870 on: February 27, 2020, 06:57:02 pm »
Still a damn sight nicer look & feel than 99% of what comes out of China (it was made there too); I'm not a fan of the silver so I think I'm going to go satin black Tek blue on this one.

mnem
*tzzzzzt*
Fixed that for you.  :-DD   Here you go:   

LOL...  :-DD You caught me. I started that post last night but forgot to click send; you posted while I was editing to reflect that. Thankfully, it's already painted and in reassembly.  :phew:

mnem


You guys are dickheads.  :P :P :-DD
An old gray beard with an attitude.
 

Offline mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50871 on: February 27, 2020, 07:08:07 pm »
Thank you.  >:D

mnem
Are you feelin' tha lurrrrve...?
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50872 on: February 27, 2020, 07:20:48 pm »
cloudflare? Seriously? Insiders name them "clownflare".

https://blog.fefe.de/

Sorry, it's in German but one can follow the links.

- Key extract with Heartbleed at cloudflare: https://twitter.com/indutny/status/454773820822679552
- TOR and Cloudflare: a very bad idea: https://blog.torproject.org/trouble-cloudflare
- Cloudbleed: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
- using 1.1.1.1 (or 8.8.8.8) is a very bad idea if you are interested in your privacy.
  Same goes with this pilot project with Firefox and encrypted DNS.
- DNS outage at cloudflare: https://ianix.com/pub/dnssec-outages/20190321-www.cloudflare.com/
- another nice cloudflare outage which caused millions of websites going down: https://metro.co.uk/2019/07/02/cloudflare-outage-means-websites-including-detector-10103471/

I'm staying away from cloudflare as far as I can.

You saved me a lot of typing there  :-DD

Also their http/2 implementation is a fucked up puddle of diarrhea. They claim it’s nginx but it has new and even more special bugs in it. Grr.

As for secure DNS, the best solution is go full 1990 and use the hosts file.  :-DD
« Last Edit: February 27, 2020, 07:22:56 pm by bd139 »
 

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3554
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50873 on: February 27, 2020, 08:46:32 pm »

As for secure DNS, the best solution is go full 1990 and use the hosts file.  :-DD

(Yeah, I see that tongue-in-cheek, but I'm on a rampage here, so you get to tag along  :horse:)

As I was involved in the development and deployment of RFC 4034/4035 secure DNS, I beg to differ.  ::)

I recommend turning validation on.

Further, the people behind Pi-hole are as far as I can tell trying a bit too hard to help. There is no option to not forward queries to another full service resolver.   |O I think that this is a very important feature which is missing in Pi-hole. And they sortakinda gloss over the possibility of having the option, by stating that such a forwarder is required :wtf: . Someone is wrong on the Internet. Today again.  >:(

And, they're using dnsmasq. I can't recommend dnsmasq. Not when the clearly superior unbound exists. Even before unbound, there was BIND. Which is much better than dnsmasq, but not as good as unbound. (And I'm not even starting to talk about PHP, a "language" that is banned from my computers.)

Yeah, worsthorse, I'm throwing spanners in your thought process. Sorry. I think you'll be fine using it, but I, being sort of in the middle of it, am setting higher standards for my own systems. A rabbit-hole, as good as any TE one...
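
The set-up the two posts above circle around, as an added example that is not from the thread, from Pi-hole or from the unbound documentation: since Pi-hole insists on an upstream forwarder, give it one that you run yourself. An unbound instance on the same box listens only on 127.0.0.1 port 5335, recurses from the root hints rather than forwarding anywhere, and validates DNSSEC; Pi-hole then gets 127.0.0.1#5335 as its sole upstream (Settings, DNS, untick every public upstream and enter it as a custom one), so no third-party resolver sees the queries. The file paths are the Debian ones and are an assumption; adjust them to your packaging. This only works in the first two cases of the TTL test earlier in the thread: if the connection blocks direct queries to the outside, unbound is as stuck as Pi-hole would be.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf  (added example; Debian paths assumed)
server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Only the local Pi-hole may ask; the LAN talks to Pi-hole, never to unbound
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::1 allow
    access-control: ::0/0 refuse

    # Full recursion from the root servers. No forward-zone block anywhere,
    # so nothing is handed to a third-party full-service resolver.
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation on, with the root trust anchor kept current (RFC 5011)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-referral-path: yes

    # Send as little as possible to each name server on the way down the tree
    qname-minimisation: yes
    use-caps-for-id: yes

    # Keep popular records warm and stay under the fragmentation size
    prefetch: yes
    edns-buffer-size: 1232

    hide-identity: yes
    hide-version: yes
```

Check it before pointing Pi-hole at it: `unbound-checkconf` must report no errors, `dig dnssec-failed.org @127.0.0.1 -p 5335` must come back SERVFAIL (that zone is deliberately mis-signed, so a validating resolver refuses it), and a correctly signed name must answer NOERROR with the `ad` flag set. If the broken zone resolves, validation is not actually on.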

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #50874 on: February 27, 2020, 09:09:20 pm »
Yeah don't worry it was entirely tongue in cheek ;)

At least dnsmasq isn't systemd-resolved ;)

Edit: quick bit of Linux fuckery. If you use dnsmasq and point systemd-resolved at it on CentOS 8 and it comes up with the network disconnected (think wifi before networkmanager starts its own layer of buggery or just a shit hypervisor like Hyper-V) it hangs on boot and will never recover and you can't even drop into rescue/emergency mode  :palm:.

Honestly Windows is starting to look like a much better proposition these days as at least it's climbing the cliff rather than tumbling down like Wile E. Coyote
« Last Edit: February 27, 2020, 09:16:38 pm by bd139 »
 
The following users thanked this post: Zucca

