phosdex posted: Ok, please explain why it's dumb. If you're going to visit a website for instance, great, you've just hidden the DNS lookup request from your ISP. Now how are you hiding the HTTP(S) request to actually get that site?

You can use a VPN. There's lots of easy ways to mess up a VPN so that it leaks DNS information. Even OpenVPN had a bug as recently as 2017. DNS over TLS/HTTPS takes care of that part, and VPN takes care of the rest.
Apr 3, 2018 20:00

bobfather posted: You can use a VPN.

OK, but VPN is outside of what we were discussing. I get wanting to send your lookups to someone more privacy-oriented than Google. I want to know now why my thinking here is "dumb".
Apr 3, 2018 20:01

bobfather posted: According to a 2017 review, in the US the average mean latency for DNS lookups using root servers was about 24ms. Cloudflare is a lot faster - 7-21ms from a simple ping. I guess switching can save you time also.

Ping is not a valid measure of DNS resolution time. Ping only times the round trip of ICMP packets to/from the server. You're interested in the round-trip time for a DNS query and response, which is an important distinction because you're trying to look up information for which the DNS server itself will have to forward the question upstream behind the scenes in order to get the answer. The fastest possible response time means that you're getting a cached response from the DNS server's stored results. Any forward lookup (or root query) will be 2-3x slower because it has to ask 2-3 times more queries to complete the initial request. You want a DNS server with the least number of hops between you and it, with the largest RAM cache. In my particular case, Cloudflare's 1.1.1.1 DNS server is one hop closer to me than Google's 8.8.8.8 DNS server. Just keep in mind that all of these "single address regardless of location" services are using anycast routing, which means that the actual physical endpoint should be closer to you, but can also mean that the actual operator of that machine may not be Google/Cloudflare/Cisco-OpenDNS directly.

Internet Explorer posted: Is there any way to configure Windows, Chrome/Edge/Firefox, to use DNS over TLS or DNS over HTTPS?

Don't do this. DNS is a UDP service for a reason. Pushing encryption down to the client level for DNS means that everything will be dogshit slow for no tangible benefit.
Apr 3, 2018 20:05

phosdex posted: Ok, please explain why it's dumb. If you're going to visit a website for instance, great, you've just hidden the DNS lookup request from your ISP. Now how are you hiding the HTTP(S) request to actually get that site?

The "dumb" idea is this idea: "Don't use a forward DNS server - just ask the root hint servers for all DNS queries."

1) You're not an ISP, so you won't leverage the economies of scale.
2) Root lookups don't resolve full domain names - only root servers, which then delegate to domain servers who handle host responses.*
3) You'll rarely get a cached response unless it's locally cached, so prepare to waste several minutes per day (in aggregate) waiting for websites and everything else to get a DNS response before it even establishes a connection.

2*) Fastest DNS query looks like this:

Locally uncached response is the first chance to ask an external DNS:

Root lookup inside your router/firewall looks like this:

NOW, consider that a single web page load may require 10-20 DNS queries at a minimum and see how using locally cached DNS is a huge time saver. Take DNS out of UDP and every single Q&A interaction becomes a full protocol handshake:

CrazyLittle fucked around with this message at 20:49 on Apr 3, 2018
Apr 3, 2018 20:40

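CrazyLittle's two points above, that ping does not measure resolution time and that a cached answer is the fastest case, can be checked directly. The script below is an added example, not code from the thread: it builds a raw DNS A query, times the UDP round trip to a resolver (1.1.1.1 from the thread is the default), and parses the answer's TTL, which counts down while an answer sits in the resolver's cache and resets to the zone's full value on a fresh recursive lookup. The sample reply bytes are constructed for offline testing, not captured from a real server.

```python
import secrets, socket, struct, time

RESOLVER = "1.1.1.1"  # the resolver named in the thread; any recursive resolver works

def build_query(name, qtype=1):
    """Build a minimal DNS query (one question, RD=1). Returns (id, wire bytes)."""
    qid = secrets.randbelow(65536)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return qid, header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1

def parse_response(msg, qid):
    """Return (rcode, [(ttl, ip), ...]) for A answers; reject replies with another id."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:  # id must match and QR bit must be set
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1:
            answers.append((ttl, socket.inet_ntoa(rdata)))
    return flags & 0xF, answers

def time_query(name, server=RESOLVER, timeout=2.0):
    """Send one UDP/53 query and time the round trip; returns (ms, rcode, answers)."""
    qid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(query, (server, 53))
        msg, _ = s.recvfrom(512)
        elapsed_ms = (time.perf_counter() - t0) * 1000
    rcode, answers = parse_response(msg, qid)
    return elapsed_ms, rcode, answers

# Constructed reply (not captured): id 0x1234, flags QR/RD/RA, question example.com A,
# one answer via a compression pointer, TTL 300, address 192.0.2.1 (documentation range).
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 0000012c 0004 c0000201"
)
```

Call time_query("example.com") twice in a row: the second call normally returns faster and with a lower TTL, which is the resolver's cache at work, while a TTL that jumps back to the full value means the resolver had to recurse again.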
phosdex posted: Ok, please explain why it's dumb. If you're going to visit a website for instance, great, you've just hidden the DNS lookup request from your ISP. Now how are you hiding the HTTP(S) request to actually get that site?

Part 2: "why is hiding DNS dumb?" Well, if privacy is your #1 concern then it's actually not a dumb idea. Comcast and Verizon are famous for hijacking typographical errors in domain name lookups to redirect you to their own internal web servers. This was an "opt-out" service, so you had to explicitly turn this internet-breaking "feature" off. Internet-breaking because a lot of software is dependent on actual DNS error codes for invalid name resolution, and when the DNS server hijacks invalid domains and returns a real IP address, it means the site/domain/server's not actually broken anymore! (Even though you're not heading to the correct server, of course.) These practices have since died down, but the possibility is still there. And if there's money to be made from selling customer usage patterns then it's pretty much guaranteed that Comcast is trying to extract value from providing DNS servers at 75.75.75.75.

Even if you don't use Comcast's or Verizon's DNS servers directly, DNS is unencrypted traffic, so any wifi-sniffing script kiddy who's monitoring the unsecured WiFi network can see other coffee shop patrons logging in to their pornhub.com account.

If you use Google, you're submitting your DNS query results into Google's advertising engine to target you. Since your browsing habits are effectively 1:1 with your DNS queries, any DNS query you send to Google in parallel to your browsing any Google site or other page with Google AdWords on it means Google sees what you're doing and where you're going even when you're surfing away from Google-touched pages.

If you use OpenDNS aka Cisco Umbrella, you're submitting usage data to their paid-for content-filtering services.

phosdex posted: Now how are you hiding the HTTP(S) request to actually get that site?
Apr 3, 2018 21:11

q-q-q-quadruple post motherfuckas

bobfather posted: According to a 2017 review, in the US the average mean latency for DNS lookups using root servers was about 24ms. Cloudflare is a lot faster - 7-21ms from a simple ping. I guess switching can save you time also.

I hate to plug GRC because he's kind of a dumbass of the "software RAM doubler" variety, but he did make a legitimate DNS benchmarking tool that does random lookups against common servers from your desktop and determines which ones might be best for you - perhaps even better than Cloudflare or Google. Of course, if you're using this tool, don't change your router to DNS servers that aren't explicitly advertised for public open use. I.e. if you're not a Level3 customer, don't use Level3's 4.2.2.2 DNS server(s) - even if they're faster for you.
Apr 3, 2018 21:30

CrazyLittle posted: The "dumb" idea is this idea: "Don't use a forward DNS server - just ask the root hint servers for all DNS queries."

I'm aware of how lookups work against root servers. I'm fortunate to be with a good ISP (or at least one that claims to be). Why I was asking is that the added time is insignificant to me, so what "gain" am I looking at by switching?

CrazyLittle posted: That's actually built into the HTTPS protocol. HTTP includes the URL in the initial request. HTTPS is fully encrypted, so the server doesn't even know what URL / domain name you're heading to until AFTER the HTTPS session is established. This cart-before-horse actually caused problems for hosting providers because it meant that you needed a separate public IP per HTTPS site, since the SSL certificate negotiation happens BEFORE you even open the HTTPS session, so you DNS resolve the server, you request the SSL cert from the server's IP address and bang, the cert doesn't match the domain name.... broken. Fortunately that issue was fixed in the HTTPS/TLS handshake, where you can optionally request the domain name in the connection setup so that the webserver can dish out the correct SSL cert to match the URL request. << sorry word salad but I ran out of fucks to give.

This I did not know. For some reason I thought the initial request was still clear until it established the secure connection.
Apr 3, 2018 21:51

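The handshake fix quoted above (the client names the site during connection setup so one IP can serve many certificates) is TLS Server Name Indication. The code below is an added example, not from the thread: it constructs a minimal ClientHello carrying an SNI extension and reads the name back out using no key material at all, which is why hiding DNS by itself does not hide which site you connect to: the hostname crosses the wire in the clear, while the URL path is not present in the handshake. The cipher suite, random bytes and hostname are constructed placeholders.

```python
import struct

def _u16(n):
    return struct.pack(">H", n)

def _u24(n):
    return n.to_bytes(3, "big")

def build_client_hello(server_name, random32=b"\x11" * 32):
    """Construct a minimal TLS ClientHello record with a single SNI extension.
    Constructed for illustration; real clients send many more extensions."""
    host = server_name.encode("idna")
    sni_list = b"\x00" + _u16(len(host)) + host                 # name_type 0 = host_name
    sni_ext = _u16(0) + _u16(len(sni_list) + 2) + _u16(len(sni_list)) + sni_list
    body = (b"\x03\x03" + random32 + b"\x00"                     # version, random, empty session id
            + _u16(2) + b"\x13\x01"                               # one cipher suite (placeholder)
            + b"\x01\x00"                                         # one compression method: null
            + _u16(len(sni_ext)) + sni_ext)                       # extensions block
    handshake = b"\x01" + _u24(len(body)) + body                 # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake    # TLS record header

def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if there is none.
    Everything read here is plaintext; no decryption is involved."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                               # not a handshake/ClientHello
    off = 9 + 2 + 32                                              # record hdr, hs hdr, version, random
    off += 1 + record[off]                                        # session id
    cs_len, = struct.unpack_from(">H", record, off)
    off += 2 + cs_len                                             # cipher suites
    off += 1 + record[off]                                        # compression methods
    if off + 2 > len(record):
        return None                                               # no extensions at all
    ext_total, = struct.unpack_from(">H", record, off)
    off += 2
    end = off + ext_total
    while off + 4 <= end:
        etype, elen = struct.unpack_from(">HH", record, off)
        off += 4
        if etype == 0:                                            # server_name extension
            p = off + 2                                           # skip ServerNameList length
            while p + 3 <= off + elen:
                ntype = record[p]
                nlen, = struct.unpack_from(">H", record, p + 1)
                if ntype == 0:
                    return record[p + 3:p + 3 + nlen].decode("idna")
                p += 3 + nlen
        off += elen
    return None
```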
phosdex posted: I'm aware of how lookups work against root servers. I'm fortunate to be with a good ISP (or at least one that claims to be). Why I was asking is that the added time is insignificant to me, so what "gain" am I looking at by switching?

The point is that root lookups take an order of magnitude more time, since each recursive query includes the initial lookup round trip plus every other lookup in addition. And you don't actually gain any privacy, because the net-sec folks correctly point out that DNS is sniffable at any point in your network connection (i.e. the ISP), since all DNS is UDP port 53. So if you move to a local DNS cache that does recursive lookups over DNS/TLS to another recursive caching server, then you hopefully gain more reliable security and privacy without too much additional resolution time.
Apr 4, 2018 01:28

That's a lot of great info. Thanks, CrazyLittle. So the best course of action is to what, use Cloudflare?
Apr 4, 2018 01:51

I realised my modem has defaulted to using my ISP's DNS. I have 1.1.1.1 as the primary DNS and it seems to work fine. Can I trust them more than my ISP or Google? I do not know. However, I suspect Google are extreme data hoarders, so they might already know everyone's favourite gay furry porn sites.
Apr 4, 2018 03:31

redeyes posted: That's a lot of great info. Thanks, CrazyLittle. So the best course of action is to what, use Cloudflare?

imho:
1) use your ISP's DNS since it's probably closer to you / fewer hops and therefore faster at resolving names
2) use Google, Cloudflare or OpenDNS, whichever is the fewest hops away (verify with traceroute)
3) use a DNS benchmarking tool to check both round-trip latency and actual resolution time to figure out who's the fastest DNS server, and use the fastest public server in your results.
4) gently caress property and gently caress service providers, they didn't lock it down so I'm gonna use the fastest DNS server that isn't locking me out.

True story - using anycast DNS servers can sometimes send you to servers that are totally out of your region. I've had customers who got redirected halfway across the country because Google DNS had the wrong geo-IP data for their address, and therefore thought they were thousands of miles away from their real physical space. This meant that regional info was wrong, and overall latency was bad since all the data was backhauling across the country.
Apr 4, 2018 06:27

Due to being "privacy first", Cloudflare doesn't support edns-client-subnet, which essentially adds a truncated version of your IP into the DNS request to allow CDNs to geolocate. For this reason, I'm sticking with OpenDNS...
Apr 4, 2018 06:55

I use "not my local ISP" because otherwise a lot of websites mysteriously stop functioning.
Apr 4, 2018 11:51

iajanus posted: I use "not my local ISP" because otherwise a lot of websites mysteriously stop functioning.

This is why I use 4.2.2.2/1 - my ISP's DNS doesn't resolve DirecTV Now stream servers (something to do with a change to CGNAT), so I just get a black screen where nothing loads. Same happens when using Google's DNS servers.
Apr 4, 2018 16:57

CrazyLittle posted: imho:

Maybe I'm in a weird geo spot, but running Unbound as a resolver against the root servers always benchmarks faster for me at home vs. ISP DNS and all the public ones.
Apr 5, 2018 03:30

For those with rack cabinets, how do y'all filter dust & cool the servers?
Apr 5, 2018 03:55

Odette posted: For those with rack cabinets, how do y'all filter dust & cool the servers?

Depends on how many racks and the heat output. Generally the stuff I deal with involves process coolers and replaceable filters in the HVAC design. So, how much heat, and where is the rack located?
Apr 5, 2018 04:54

Devian666 posted: Depends on how many racks and the heat output. Generally the stuff I deal with involves process coolers and replaceable filters in the HVAC design.

42U rack in a garage. It came with a couple of fans mounted to the top, with a thermostat controller. 2 R710s, an R210II, Catalyst 2960S, KVM, and maybe a couple more 1U units.

Edit: I know 42U is overkill, but the smaller racks are overpriced or my bids get sniped.
Apr 5, 2018 05:02

Odette posted: 42U rack in a garage. It came with a couple of fans mounted to the top, with a thermostat controller.

I don't know what your plans are, but running this sort of gear at home is going to murder your electric bill. Those 2 R710s alone could cost you 50 bucks a month to run 24/7. Just something to think about.
Apr 5, 2018 06:24

So there's probably 400W for the R710s and 200W for the R210 (plus any other 1Us). The switch could be anywhere from 80W to 890W. So you are somewhere in the 2 kW of heat range (maybe more depending on hardware). A bottom end Mitsubishi heat pump is able to cool about 2.5 kW (and use about 1 kW to provide maximum cooling). One heat pump doesn't provide any cooling redundancy if the unit fails so you need to be mindful of that.
Apr 5, 2018 21:11

Can I ask what you are using all that equipment at home for? Home office?
Apr 5, 2018 21:29

Armacham posted: Can I ask what you are using all that equipment at home for? Home office?

People buy older enterprise gear and use it to do IT training stuff at home (home lab). I use older enterprise gear at home for my networking just for the management ability.
Apr 6, 2018 01:57

The included PoE adapter for the AC Lite should be fine to also power the EdgeRouter X from the OP, correct?
Apr 6, 2018 03:10

KKKLIP ART posted: The included PoE adapter for the AC Lite should be fine to also power the EdgeRouter X from the OP, correct?

One or the other, not both.
Apr 6, 2018 05:10

KKKLIP ART posted: The included PoE adapter for the AC Lite should be fine to also power the EdgeRouter X from the OP, correct?

It'll power both, not sure what the other guy is on about.
Apr 6, 2018 09:52

KKKLIP ART posted: The included PoE adapter for the AC Lite should be fine to also power the EdgeRouter X from the OP, correct?

I'm using it to power both and have been for months. There's a post somewhere on their forums where a Ubiquiti rep says you can do so.
Apr 6, 2018 14:23

Moey posted: People buy older enterprise gear and use it to do IT training stuff at home (home lab).

I don't see the point anymore; you can set up a small lab environment in AWS or Azure and just turn them on when you need them and probably spend less than 10 bucks a month on VMs.
Apr 6, 2018 15:23

Inept posted: I'm using it to power both and have been for months. There's a post somewhere on their forums where a Ubiquiti rep says you can do so.

It's in the manual.
Apr 6, 2018 15:23

skipdogg posted: I don't see the point anymore; you can set up a small lab environment in AWS or Azure and just turn them on when you need them and probably spend less than 10 bucks a month on VMs.

I personally don't, others seem to get all jazzed up about it though. Example: /r/homelab
Apr 6, 2018 18:18

Rather not have the hassle of finding a space to put that sort of gear and then dealing with shifting it when I get bored. Went through a bit of a phase and now I'm done.
Apr 6, 2018 18:42

I've recently set up a Ubiquiti ER4. Now when I connect to a VPN I'm not able to access any of my local shares or ping any local hosts. I think what's happening is my router firewall is treating my host on the VPN like it's outside of the network. How do I set up the router so that I can tunnel through the VPN and still access my local network?
Apr 6, 2018 23:41

FlyWhiteBoy posted: I've recently set up a Ubiquiti ER4. Now when I connect to a VPN I'm not able to access any of my local shares or ping any local hosts. I think what's happening is my router firewall is treating my host on the VPN like it's outside of the network. How do I set up the router so that I can tunnel through the VPN and still access my local network?

Usually the point of a VPN is to send all of your traffic to the network on the other end so it acts like a PC at the remote location. That's what it's for. Do you only want your web browser to go over the VPN tunnel?
Apr 6, 2018 23:53

That makes sense. I vaguely understand some of this stuff. I'd like all of my traffic to go over the VPN tunnel except my local SMB share between 2 devices.
Apr 7, 2018 00:38

FlyWhiteBoy posted: That makes sense. I vaguely understand some of this stuff. I'd like all of my traffic to go over the VPN tunnel except my local SMB share between 2 devices.

Many VPNs do not allow this. It's called "split tunneling". If it's a work connection there might not be anything you can do about it. If it's one you control you should be able to change it.
Apr 7, 2018 01:01

When I connect my PC to my VPN (PIA), I can still see my media shares on my PS4 and stream Chrome tabs to my Chromecast. Is this not supposed to happen?
Apr 7, 2018 01:49

realbez posted: When I connect my PC to my VPN (PIA), I can still see my media shares on my PS4 and stream Chrome tabs to my Chromecast. Is this not supposed to happen?

Edit: They could also be something like Wi-Fi Direct. I don't know enough about how the PS4 or Chromecast work to give a more qualified answer, though.

unruly fucked around with this message at 01:55 on Apr 7, 2018

Apr 7, 2018 01:51

PIA only presents routes to a public address space, so all private stuff is still accessible.

FlyWhiteBoy, elaborate on your VPN setup a little more: who you are tunneling to and your config.
Apr 7, 2018 01:56

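Moey's point that PIA only pushes routes for public address space is really a statement about longest-prefix matching in the host's routing table. The snippet below is an added example, not from the thread or from PIA: it runs a lookup over a constructed table shaped like an OpenVPN "redirect-gateway def1" client (two /1 routes via the tunnel, the LAN /24 left alone, so the SMB share stays local) and over a second table in which the VPN also claims the LAN prefix with a better metric, which is the situation where local shares vanish. Interface names, metrics and the 203.0.113.5 server address are assumptions.

```python
import ipaddress

# Route entries: (prefix, interface, metric). Constructed tables, not from the thread.
# SPLIT models what an OpenVPN "redirect-gateway def1" client installs: two /1 routes
# via tun0 beat the ISP default route on prefix length while the connected LAN route,
# being a /24, stays the most specific match for local hosts.
ROUTES_SPLIT = [
    ("0.0.0.0/0",      "eth0", 100),  # ISP default gateway
    ("192.168.1.0/24", "eth0", 100),  # directly connected home LAN
    ("0.0.0.0/1",      "tun0", 50),   # pushed by the VPN (def1 trick, lower half)
    ("128.0.0.0/1",    "tun0", 50),   # pushed by the VPN (def1 trick, upper half)
    ("203.0.113.5/32", "eth0", 100),  # host route so the tunnel itself stays outside it
]

# FULL adds a route for the very same /24 with a lower metric, as a corporate client
# that insists on seeing all RFC 1918 traffic might; now LAN packets enter the tunnel.
ROUTES_FULL = ROUTES_SPLIT + [("192.168.1.0/24", "tun0", 50)]

def lookup(routes, dst):
    """Longest-prefix match; equal prefix lengths are broken by the lower metric.
    Returns (prefix, interface) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)      # longer prefix first, then cheaper metric
        if best is None or key > best[0]:
            best = (key, prefix, iface)
    return (best[1], best[2]) if best else None

def egress(routes, dst):
    """Interface a packet to dst leaves on, or None if unroutable."""
    hit = lookup(routes, dst)
    return hit[1] if hit else None

if __name__ == "__main__":
    for dst in ("192.168.1.20", "8.8.8.8", "203.0.113.5"):
        print(f"{dst:>14}  split -> {egress(ROUTES_SPLIT, dst)}"
              f"  full -> {egress(ROUTES_FULL, dst)}")
```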
unruly posted: As skipdogg said above, it might be configured to allow split tunneling. Are you seeing any other devices on the network? Can you ping them?

Yeah, I can ping everything.

Moey posted: PIA only presents routes to a public address space, so all private stuff is still accessible.

Oh, thanks. I looked up PIA split tunneling and they said they don't support it, so I was worried something was wrong based on the above. The way it is behaving is how I want it to anyway; it would be pretty useless to me if I couldn't see my local stuff.
Apr 7, 2018 02:02

Moey posted: PIA only presents routes to a public address space, so all private stuff is still accessible.

It's a VPN service, not a corporate VPN. I've tried using their client and OpenVPN on Windows with the same result. Eventually I'd like to have the VPN running on my router using either OpenVPN or WireGuard. I'm testing right now using the VPN on my Windows 10 machine to simplify things. You'll see a couple of firewall rules in my config where I was testing trying to ping back into my network. Here's my config: https://pastebin.com/a03tVVGb
Apr 7, 2018 03:16

Not calling anyone in this thread out, but this kind of stuff is why I dread when my non-technical friends and family ask about VPNs. I'm glad they care about security and privacy, but VPNs are not user-friendly enough to be the answer.
Apr 7, 2018 03:27