| ↑back Search ←Prev date Next date→ Show only urls | (Click on time to select a line by its url) |
| Who | What | When |
|---|---|---|
| *** | dwarren has quit IRC (Read error: Connection reset by peer) | [01:51] |
| ........................... (idle for 2h11mn) | ||
| toeshred has quit IRC (Ping timeout: 265 seconds)
toeshred has joined #arpnetworks | [04:02] | |
| jbergstroem has quit IRC (Ping timeout: 250 seconds)
jbergstroem has joined #arpnetworks mjp has quit IRC (Read error: Connection reset by peer) carvite_ has joined #arpnetworks mjp has joined #arpnetworks jpalmer has quit IRC (*.net *.split) twobithacker has quit IRC (*.net *.split) sjackso has quit IRC (*.net *.split) Hien_ has quit IRC (*.net *.split) carvite has quit IRC (*.net *.split) carvite_ has quit IRC (Changing host) carvite_ has joined #arpnetworks carvite_ is now known as carvite jpalmer has joined #arpnetworks twobithacker has joined #arpnetworks sjackso has joined #arpnetworks Hien_ has joined #arpnetworks | [04:09] | |
| .... (idle for 16mn) | ||
| dj_goku_ has quit IRC (Read error: Connection reset by peer)
dj_goku has joined #arpnetworks | [04:37] | |
| .... (idle for 15mn) | ||
| dwarren has joined #arpnetworks | [04:52] | |
| .................................................. (idle for 4h8mn) | ||
| SpeedBus has quit IRC (Ping timeout: 245 seconds)
SpeedBus has joined #arpnetworks | [09:00] | |
| ......................................... (idle for 3h22mn) | ||
| mnathani has quit IRC (Ping timeout: 264 seconds)
mnathani has joined #arpnetworks | [12:23] | |
| .............. (idle for 1h5mn) | ||
| dj_goku_ has joined #arpnetworks
dj_goku has quit IRC (Read error: No route to host) | [13:31] | |
| dj_goku_ has quit IRC (Read error: Connection reset by peer) | [13:42] | |
| dj_goku has joined #arpnetworks
dj_goku has quit IRC (Changing host) dj_goku has joined #arpnetworks | [13:47] | |
| ...... (idle for 25mn) | ||
| qbit has quit IRC (Quit: leaving) | [14:12] | |
| ....... (idle for 32mn) | ||
| qbit has joined #arpnetworks
qbit is now known as Guest28144 Guest28144 is now known as qbit | [14:44] | |
| ......... (idle for 40mn) | ||
| mercutio | does anyone know of an ipv6 netmask validator?
ie to make sure you're not screwing up syntax. | [15:27] |
| brycec | mercutio: like http://www.gestioip.net/cgi-bin/subnet_calculator.cgi ? | [15:34] |
| mercutio | ahh yeah like that
it's not quite as nice as the netmask command i usually use for ipv4 just to check :) in the end i used openbgpd to validate it :) | [15:43] |
| brycec | it was simply the first google result for "ipcalc ipv6" :P (Also, I've used their IP address management stuff before) | [15:44] |
| mercutio | the extra :: etc gets confusing. | [15:44] |
| brycec | there's an extra :: ? | [15:44] |
| mercutio | it /loked/ right | [15:45] |
| brycec | Shouldn't there be at most 1 | [15:45] |
| mercutio | nah
shortened form. this is a /127 that i'm doing. | [15:45] |
| brycec | Right. In shortened form there can only be 1 instance of :: | [15:45] |
| mercutio | yeah
there only is one | [15:45] |
| brycec | So where's the extra? | [15:45] |
| mercutio | well over ipv4 it's "extra" | [15:45] |
| brycec | ah | [15:46] |
| mercutio | i just get paranoid of making mistakes so like to check | [15:47] |
| brycec | That's fine. i was just confused by "the extra ::" (because to me, there's 1, and any more are extra. I don't compare it to ipv4) | [15:49] |
| *** | medum has joined #arpnetworks | [15:49] |
| mercutio | Yeah, I'm still kind of rusty on IPV6.
i'd be fine if it only went up to /32 :) but the long addresses by sight still are a bit.. disorientating. apparently someone had asked about netmask gaining ipv6 support in 2000. and someone asked for an update last year. it's a pretty nifty program for ipv4.. you can just do things like netmask -r 192.168.13.76/29 or such and it'll show you the range of ip addresses that covers. | [15:56] |
| brycec | ipcalc does the same thing | [16:01] |
| mercutio | oh | [16:01] |
| brycec | And has seen an update more recently than 5 years ago | [16:01] |
| mercutio | with ipv6 support? | [16:01] |
| brycec | no idea offhand
Looks like no, at least on my install | [16:01] |
| mercutio | the help doesn't suggest ipv6
well ipv4 hasn't changed, so don't relaly need updates. | [16:02] |
| brycec | looks like sipcalc has superseded ipcalc and supports ipv6 | [16:03] |
| mercutio | sipcalc sounds like it might
haha | [16:03] |
| brycec | (yep, confirmed ipv6 in sipcalc) | [16:03] |
| mercutio | sweet, this looks good
yeah i tried it. | [16:04] |
| ........... (idle for 50mn) | ||
| *** | RandalSchwartz has joined #arpnetworks | [16:54] |
| RandalSchwartz | anyone up for a ZFS question? | [16:54] |
| mercutio | yeah sure | [16:55] |
| RandalSchwartz | so... I use send/recv to clone a snapshot from zroot to pool/zroot (on a different disk)
what steps do I have to take to make it boot off the second disk, and mount pool/zroot as / | [16:55] |
| mercutio | oh i haven't done much with freebsd zfs root | [16:56] |
| RandalSchwartz | something in bootconf? | [16:56] |
| mercutio | but i think as long as the bootloader understands it shoudl be find
you probably have to use zfs set mountpoint=/ on it | [16:56] |
| RandalSchwartz | vfs.root.mountfrom="zfs:zroot"
probably need to edit that too | [16:56] |
| mercutio | https://wiki.freebsd.org/RootOnZFS
hmm | [16:57] |
| RandalSchwartz | do I need to promote the snapshot so it becomes the live fs
I haven't done that before | [16:57] |
| mercutio | you'll need to clone the snapshot
so usually you make a snapshot on the sender, set the receiver to readonly | [16:57] |
| RandalSchwartz | yes... the tool does that
zxfer | [16:57] |
| mercutio | and keep updating the snapshot on the receiver using diffs, then when you wnat to promote it, you clone frmo the snapshot to a real file system | [16:57] |
| RandalSchwartz | ahh. clone... that was the word I was missing I guess | [16:58] |
| mercutio | it sounds like freebsd doesn't use the zfs automount stuff
and uses /etc/fstab instead. and that vfs.root.mountfrom is probably what you want. yeah so you can take any snapshot, create a clone from it, and access it like a normal filesystem. | [16:58] |
| RandalSchwartz | Hmm. Maybe I should rehearse this in a VM. :) | [17:00] |
| mercutio | seems like a good idea | [17:01] |
| RandalSchwartz | and the selected boot drive is out-of-band right?
this is a dedi system at arp | [17:01] |
| mercutio | i'm not sure | [17:02] |
| RandalSchwartz | ok | [17:02] |
| mercutio | i would just split the boot pool from the data pool.
and just haev a fully functional second pool on another machine | [17:03] |
| RandalSchwartz | too late for that. :) | [17:03] |
| mercutio | heh | [17:04] |
| RandalSchwartz | we're trying to migrate from hard to ssd | [17:04] |
| mercutio | yeah. | [17:04] |
| RandalSchwartz | currently mirror hard... using zxfer to push data over. that worked well. | [17:04] |
| mercutio | without doing another install
how big is your root | [17:04] |
| RandalSchwartz | that's personal! | [17:04] |
| mercutio | you can mirror to ssd if it's big enough
so mirror hard-disk to ssd | [17:04] |
| RandalSchwartz | can't set up mirror after the fact | [17:05] |
| mercutio | you can | [17:05] |
| RandalSchwartz | already have mirror hard1 hard2 | [17:05] |
| mercutio | if it's small enough existing
you can unmirror or just remove drive / fail it | [17:05] |
| RandalSchwartz | hards are 768, ssd is 512
so it wouldn't accept the mirror | [17:06] |
| mercutio | i had to do that when migrating my zfs array at home
yeah | [17:06] |
| RandalSchwartz | so I have to resort to this send/recv dance
all for about 100G of data. :) | [17:06] |
| mercutio | i'd normally opt for another system install
on a second machine | [17:06] |
| RandalSchwartz | "if I put it in a jail..." | [17:07] |
| mercutio | but that's why i don't migrate from hard-disk to ssd
yeah if you'd made your root smaller.. | [17:07] |
| RandalSchwartz | hard to do that now :) | [17:07] |
| mercutio | when you do your ssd short stroke it
you can always expand it later. | [17:07] |
| RandalSchwartz | interesting thought | [17:07] |
| mercutio | it's a good habit to be in if you're using much less data
so like with a 512gb ssd, with 100gb of data you may decide to only do 200gb on each drive but leave partition space there | [17:08] |
| RandalSchwartz | hmm. looks like you *can* "mirror down"
... https://blogs.oracle.com/mock/entry/how_to_shrink_a_mirrored | [17:09] |
| mercutio | yeah.
oh i don't know if you can i think that was added after the fork. | [17:11] |
| RandalSchwartz | ugh | [17:11] |
| mercutio | i've been finding with ssd's raidz works better than mirrored. | [17:12] |
| RandalSchwartz | says blog entry 2010
but I'd need 3 ssds then | [17:12] |
| mercutio | you've got so many iops, and write speed goes up.
yeah. | [17:12] |
| RandalSchwartz | we've been in this conversation before :) | [17:12] |
| mercutio | oh | [17:12] |
| RandalSchwartz | Oh, I could split each ssd into two | [17:12] |
| mercutio | oh yeah you can't have more than 2. | [17:12] |
| RandalSchwartz | and make it a 4-way raidz | [17:12] |
| mercutio | uhh | [17:13] |
| RandalSchwartz | or 3 with a spair
spare | [17:13] |
| mercutio | that wouldn't give you redundancy | [17:13] |
| RandalSchwartz | oh - because ssd fail is taking two drives at once
and double fail is bad | [17:13] |
| mercutio | anyway, with linux i've found it really easy to migrate.
i don't actually think it'll be that complicated. i would check out the freebsd zfs root documentation for before it was in the installer. s/for/from/ | [17:14] |
| BryceBot | <mercutio> i would check out the freebsd zfs root documentation from befrome it was in the installer. | [17:14] |
| mercutio | haha
i didn't have /g i think there's just two key components, the bootloader, and the initial config as it comes up | [17:14] |
| RandalSchwartz | yeah, the latter being /boot/loader.conf
or something like that where I found the zfs:zpool thing | [17:17] |
| mercutio | https://calomel.org/zfs_freebsd_root_install.html
does this help? that site is terrible hmm zfs set bootfs? https://wiki.freebsd.org/RootOnZFS/GPTZFSBoot/9.0-RELEASE this may be better | [17:21] |
| RandalSchwartz | better in what sense
ahh.. that's the one I have bookmarked. | [17:30] |
| mercutio | ok | [17:31] |
| RandalSchwartz | ok - gonna wander into ##freebsd to see if they know what I need | [17:31] |
| mercutio | good idea | [17:32] |
| ................ (idle for 1h18mn) | ||
| mnathani_ | sipcalc 0.0.0.0/0 >> Addresses in network - 4294967295
Usable range - 0.0.0.1 - 255.255.255.254 | [18:50] |
| brycec | Checks out by my math. | [18:56] |
| ............ (idle for 57mn) | ||
| mnathani_ | I wonder how many bytes it would take to store a compressed text file containing one ipv6 address per line and do that for all possible ipv6 addresses | [19:53] |
| mercutio | a lot
oh compressed. there's actually special compression algorithams for things like that | [20:04] |
| or do you mean human readable compression? | [20:13] | |
| ..... (idle for 23mn) | ||
| ip addresses are predictableish
which reminds me, http://blog.edgecast.com/post/110230974176/being-good-stewards-of-the-internet | [20:36] | |
| anisfarhana | and until now i still dont understand how to use the sipcalc even with lots of reading.
Stupid is always stupid i guess. | [20:38] |
| mercutio | anisfarhana: sipcalc 192.168.13.13/29 will show something like
etwork range - 192.168.13.8 - 192.168.13.15 Usable range - 192.168.13.9 - 192.168.13.14 so if you have a /29 subnet that you want to place, you can figure out where a nice multiple of 8 is you can always do it on your own too. curiously it doesn't seem to like legacy subnets. netmask does. err legacy netmasks | [20:38] |
| anisfarhana | Yes i actually know that part.
As i u always use sipcalc to trace out youtube ip address blocks. and blocked it in firewall until many of staff at office complained they are not able to use Google. | [20:41] |
| mercutio | youtube is probably easier to block in dns.
and you can block alternative dns providers. it shares infrastructure too close to google search. | [20:43] |
| anisfarhana | Interesting...
So what you just said, https for youtube counts too? I have no problem blocking youtube.com But i do have problem to block https://www.youtube.com | [20:47] |
| mercutio | http or https can be blocked just by dns
unless anyone knows the ip addresses to go to | [20:49] |
| anisfarhana | And now even worst, our staff use Google Chrome and it use HTML5 player for youtube. | [20:49] |
| mercutio | what dns cache are you using? | [20:49] |
| anisfarhana | I do blocked youtube by using squid too, the mime for *media player*
anisfarhana blinks | [20:50] |
| mercutio | that wont' help https unless you force people to use proxy | [20:50] |
| *** | brycec is now known as regex | [20:50] |
| anisfarhana | mercutio: Can you simplify your question again? | [20:50] |
| *** | regex is now known as brycec | [20:50] |
| anisfarhana | I am not RandalSchwartz :P
Well, I use tranparent proxy at office though | [20:50] |
| mercutio | are you using unbound or bind or dnsmasq or what as a local resolver?
transparent proxies don't work with https | [20:52] |
| anisfarhana | Okey..I dont know what to say now.
Your question is just..very geeky to me. | [20:52] |
| *** | pyvpx has quit IRC (Remote host closed the connection) | [20:52] |
| mercutio | well in /etc/resolv.conf.. there's a nameserver... do you have your own local one?
or are you just using your isp's resolver? | [20:53] |
| brycec | It's a geeky channel... | [20:53] |
| anisfarhana | But i use squid in firewall. Firewall ---> proxy server (local ip address) ---> Internet
I am using Google DNS. | [20:53] |
| mercutio | do you have a cache in front of that?
or do you just hand out google dns to desktops? | [20:53] |
| anisfarhana | Desktop --> DHCP server (use google dns) ---> Firewall (also google dns) | [20:55] |
| mercutio | does the dhcp server have local dns cache?
like dnsmasq can do dns as well as dhcp | [20:55] |
| anisfarhana | It is just normal dhcp server in wondows. | [20:55] |
| mercutio | isc dhcp server doesn't.
oh | [20:55] |
| brycec | in other words, a "dns forwarder" | [20:55] |
| anisfarhana | Open the range for each VLANs. | [20:55] |
| mercutio | windows :/
do you run squid on windows? | [20:55] |
| anisfarhana | That is only i know to setup dhcp server.
Debian | [20:56] |
| mercutio | dnsmasq is pretty easy | [20:56] |
| anisfarhana | I use ipcop for firewall. | [20:56] |
| mercutio | and does dns too
and makes it easy to point domain names somewhere else | [20:56] |
| m0unds | whoa, ipcop? haven't heard that name in years | [20:56] |
| mercutio | and it publishes dhcp names to dns. | [20:56] |
| anisfarhana | Interesting... | [20:57] |
| mercutio | ipcop?
did i miss osmethingZ? err something | [20:57] |
| anisfarhana | m0unds: It works, I have at least 4 ipcops running like charm now. | [20:57] |
| m0unds | anisfarhana: is it still actively developed? i had no idea it was still around | [20:57] |
| anisfarhana | Why bother with those expensive appliance while ipcop can do that? | [20:57] |
| mercutio | cos there's pfsense now? :") | [20:57] |
| anisfarhana | m0unds: afaik yes sir. | [20:57] |
| brycec | because there's better AND free
mercutio: ++ Also m0n0wall | [20:58] |
| anisfarhana | Its not about free, why you wanna spend lots of money while you can use opensource for the same mission? | [20:58] |
| mercutio | anisfarhana: he was just saying there are better alternatives that are also free. | [20:58] |
| anisfarhana | Better use that money and donate to people like mercutio here. | [20:58] |
| brycec | m0n0wall and pfSense are both free, open-source, etc | [20:59] |
| m0unds | yea, i compared ipcop to m0n0wall in 03 or so, and decided on m0n0wall because i liked bsd better | [20:59] |
| anisfarhana | Ah yes..well..again..sorry if i said anything wrong. my engrish is not good. | [20:59] |
| m0unds | ran it on an old hp proliant server until i couldn't bear the noise anymore and built something newer (in like 04 or 05) | [21:00] |
| anisfarhana | mercutio: I am googling about dnsmasq atm | [21:00] |
| mercutio | i used to use an old openbsd box as a router | [21:00] |
| brycec | I ran m0n0wall for years, both at home and for work. Then there came pfSense and I used that at home and work, and still do use it at home. (Before m0n0wall, I used ipcop too) | [21:00] |
| mercutio | at home, with like 16mb of ram | [21:01] |
| anisfarhana | I wish i can flirt with those ipcops dev
lol | [21:01] |
| mercutio | it looks like ipcop is still in development. | [21:01] |
| anisfarhana | Yes it is :)
I am glad the ipcop is still alive.. And founder of #ipcop channel usually here, don't see him recently. mercutio: Ohhh dnsmasq + dhcp together in 1 place. | [21:02] |
| mercutio | yeah it does dns and dhcp
simple config | [21:05] |
| anisfarhana | I think dnsmasq is something like dns + AD server for windows? | [21:05] |
| mercutio | has a few nice things like being able to just stick extra dns names in /etc/hosts.
i reckon for small setups it's the simplest/easiest solution | [21:05] |
| anisfarhana | and dnsmasq actually can *block* any website i want, even on https? | [21:06] |
| mercutio | it can block the dns name to ip mapping | [21:06] |
| brycec | And it's easy to configure it to deny any DNS request matching a domain, such as blocking youtube.com | [21:06] |
| mercutio | or renumber it | [21:06] |
| brycec | ^ Which is how we got to this point. | [21:06] |
| anisfarhana | Sigh | [21:06] |
| mercutio | i'd recommend renumbering it to an ip with a web server on it that says it's blocked. | [21:06] |
| anisfarhana | I do aware about dnsmasq before, but i don't bother to find out what it is.
Does a person like me can configure / setup it? | [21:07] |
| mercutio | yes.
if you can configure squid you can configure dnsmasq. | [21:07] |
| anisfarhana | With no stress, less downtime, and no overnight at office?
I don't configure squid myself 100% | [21:08] |
| mercutio | well the biggest complication is if you have a mix or static and dhcp addresses on the same subnet | [21:08] |
| anisfarhana | Errr engrish error again. | [21:08] |
| mercutio | and just making sure you don't clash new ip address allocations over the top of existing static allocations. | [21:08] |
| anisfarhana | I don't configure the squid server 100% before, somebody help me for it. | [21:09] |
| mercutio | well the only way to learn is by doing
maybe configure it at home first? i'm using it at home myself. | [21:09] |
| anisfarhana | I do have spare machine at office, at least with 1 public ip address on it. | [21:10] |
| mercutio | dhcp is disruptive :) | [21:10] |
| brycec | I was too, as part of pfSense (but have just switched to Unbound) | [21:10] |
| anisfarhana | If i have mix/static/dhcp addresses on the same subnet? | [21:10] |
| mercutio | https://wiki.debian.org/HowTo/dnsmasq
this looks like a way to say the important things easy | [21:11] |
| anisfarhana | Ok by looking at the url given, I need another server for that. | [21:11] |
| mercutio | just run it on your squid server
you could setup dns first | [21:11] |
| anisfarhana | But squid server is more to front end. | [21:12] |
| mercutio | and setup your dhcp server to give out the dns cache's ip. | [21:12] |
| anisfarhana | current windows server that i use for dhcp server, able to do that? | [21:12] |
| mercutio | should be able to | [21:13] |
| anisfarhana | Ok thats great. | [21:13] |
| mercutio | i've never done dhcp on windows. | [21:13] |
| anisfarhana | It is easy.
That is why i use it. | [21:13] |
| mercutio | http://forums.petri.com/showthread.php?t=55350 | [21:14] |
| anisfarhana | I will use any OS that could give more easy solution based on my minimal knowledge.
Wow Interesting. I believe 006 DNS Servers i put for the windows box at office is 8.8.8.8/8.8.4.4 So basically, just replace that google dns, to my dnsmasq? | [21:14] |
| mercutio | yeah
and then dnsmasq can use 8.8.8.8/8.8.4.4 although i'd recommend not using google dns primary and secondary. the chances of both going down at once is increased. and google dns's performance can be kind of variable. i don't know what it's like there. | [21:16] |
| anisfarhana | It is good so far. | [21:18] |
| mercutio | i'm assuming google's dns is in singapore.
but i think they send their requests from taiwan or soemthing | [21:18] |
| anisfarhana | Many people use gDNS to run away from blocked website by our gov. | [21:18] |
| mercutio | heh
opendns may be another option or ultradns | [21:18] |
| anisfarhana | Slow.
Based on ping compared to gdns | [21:19] |
| mercutio | you can set dnsmasq to query multiple dns in parallel
and take the first answer it gets. ping isn't everything google ping is like 24 msec from here | [21:19] |
| anisfarhana | Yes this dnsmasq is interesting | [21:19] |
| mercutio | but it's more than 24msec slower on average.
there's a cool program called namebench which lets you benchmark dns servers. the problem with google here is that even though the server is close, all the requests come from ages away. | [21:19] |
| anisfarhana | I am aware of that. namebench even recommended to use gdns before. | [21:20] |
| mercutio | hmm | [21:20] |
| anisfarhana | But that is less important.
The more important thing is, how to fight our staff at office. mercutio: Can i trial and error do the dnsmaqs by using the vps first? and change one of DHCP ip range at office, point it to the public vps? | [21:21] |
| mercutio | don't run dnsmasq on vpos
vps | [21:23] |
| anisfarhana | Even for testing purposes? | [21:24] |
| mercutio | well i mean you can, but you'd have to be very careful with firewalling it. | [21:24] |
| anisfarhana | Firewalling the vps or ? | [21:24] |
| mercutio | you really don't want to run an open dns.
if you're behind a firewall it's safer. yeah unbound is better for acl support | [21:24] |
| anisfarhana | Well, i always can format the vps after that with 1 single click only. | [21:25] |
| mercutio | and not being open
well it's more there are constant dns attacks happenign these days and evn if you shut it off they'll continue so if you have open dns for 5 minutes and they find it | [21:25] |
| brycec | Martial arts? "The more important thing is, how to fight our staff at office." | [21:26] |
| mercutio | you'll get 24 hours or something of dns attacks
i dunno how long it is exactly probably longer | [21:26] |
| BryceBot | That's what she said!! | [21:26] |
| anisfarhana | I am wondering why some people outside want to *attack* me for that. | [21:27] |
| mercutio | it's dns amplification attacks
basically they query a really long record from you with a fake ip address of who they want to attack and you send a much bigger response than you receive so like if you type host -t any google.com you'll get a big long response but it's a pretty short query so they send to you at 50 megabit | [21:27] |
| anisfarhana | Well, i do have you to strike back. I can get brycec support if needed. | [21:28] |
| mercutio | and you respond with 200 megabit | [21:28] |
| brycec | What? don't involve me | [21:29] |
| mercutio | well what i'm saying is that if you're open at all they can keep hitting you
and so be careful to block port 53 on firewall before even trying such software. b ut it's probably easier to do it on a lan behind firewall | [21:29] |
| brycec | Through bugs/security holes, attackers can "hijack" your server (dns and ntp are popular choices) to DDOS a third target. it's not personal, anisfarhana | [21:30] |
| anisfarhana | brycec: "Never run from the battlefield without fighting" - anisfarhana | [21:30] |
| brycec | Except the Internet is all about defense | [21:30] |
| anisfarhana | mercutio: Then i must try it over the weekend.
brycec / mercutio : I was kidding though about the strike back. | [21:31] |
| mercutio | anisfarhana: the thing is if you're open for even a moment when they're checking for open relays | [21:32] |
| anisfarhana | mercutio: Installing dnsmasq on live server (squid server) is quite risky. | [21:32] |
| mercutio | they'll send attack traffic your way later and you can't stop it
and they don't know it's not still open because they're pretending to be their victim's ip. yeah thats' why i said do it at home if you're behind nat with no dmz with no internet ip it's safer. | [21:32] |
| anisfarhana | But the *network setup* is not same like in office. | [21:33] |
| mercutio | with ferm you can have something like: proto tcp dport 53 REJECT;
proto udp dport 53 REJECT; i thought you just wanted to test youtube blocking? | [21:33] |
| anisfarhana | You are telling about blocking port 53, I even don't know whether i do block 53 or not at office right now.
Duhhh I can feel the stress now. | [21:33] |
| mercutio | maybe just use unbound. | [21:34] |
| anisfarhana | mercutio: Sir, maybe i should explain to you first about the current network topology at my office. | [21:34] |
| mercutio | local-zone: "youtube.com" redirect
local-data: "youtube.com A 127.0.0.1" you should be able to have something ilke that in unbound. | [21:35] |
| brycec | mercutio: ++ | [21:35] |
| anisfarhana | Maybe something can make this dnsmaqs not working on current network setup.
mercutio: How about VM a linux in that windows dhcp server? | [21:35] |
| mercutio | with unbound you have acl's like: access-control: 127.0.0.0/8 allow
well if you're happy with your current dhcp server, then unbound may be the easier way to go | [21:36] |
| anisfarhana | and dnsmasq will not interfere with our current firewall + squid? | [21:37] |
| mercutio | and then you can stick it on the squid box | [21:37] |
| anisfarhana | If i am brave enough to take a risk on it.
Otherwise, i will use spare machine first for it. | [21:38] |
| mercutio | well doing dhcp as well is more disruptive than just dns. | [21:38] |
| anisfarhana | I am happy so far with my dhcp current dhcp server, its about 5 years now and still running like charm.
Well its windows, so I am not worry about kernel panic. or shellshock things you know. | [21:38] |
| brycec | (Windows can kernel panic. Its kernel panics tend to be coloured blue.) | [21:40] |
| mercutio | well we don't really do windows in here. | [21:40] |
| brycec | You don't say!?! :P | [21:40] |
| anisfarhana | brycec: Sir, with high respect to you, and to mercutio , and also to the arpnetworks, that windows not even give me single bsod until now. I am not saying that windows is good. But what i like said before, with my limited knowledge, I just use *any* that will give me less headache and problems.
Hate to see the conversation, or hates about windows vs linux. Its 2015 now. And do not ignore me just because i use only 1 single windows at office for dhcp server. :/ | [21:42] |
| brycec | This isn't Windows vs. Linux, anisfarhana. It was a statement that ARP Networks is known as a *nix VPS host. This is a *nix-leaning crowd in here. | [21:43] |
| anisfarhana | anisfarhana nods
Sorry for that. Sorry #arpnetworks My bad. I am talking about it since nobody speaking about arpnetworks or nix related here..thats all. Again, sorry. | [21:44] |
| mercutio | well ok back to your original issue. | [21:45] |
| *** | dj_goku has quit IRC (Ping timeout: 256 seconds) | [21:45] |
| mercutio | unbound is pretty easy to setup, and can do acl's to only allow certain ip's to access dns.
which makes it safer to use on an internet facing host. | [21:45] |
| anisfarhana | Wait mercutio, maybe we can speak about this in private or another channel? | [21:46] |
| mercutio | the config is slightly more verbose, but for the essentials it's not relaly harder.
well you know how to change the dhcp server. | [21:46] |
| brycec | You're free to talk about it in here
Nobody's complaining | [21:46] |
| mercutio | so it's just unbound config. | [21:46] |
| anisfarhana | Thanks.
mercutio: Change as in, that 006 in win dhcp server? The url given by you before? | [21:46] |
| mercutio | unbound is one of the most popular dns resolvers that came out of nowhere.
to being in lots of places. including arp iirc. anis: yeah. but it still works ok on small setups. | [21:47] |
| anisfarhana | from gdns to my-setup-dnsmasq, and my-setup-dnsmaqs use gdns right? | [21:48] |
| mercutio | go to unbound not dnsmasq,
less likely to break things :) it's a bit simpler to use google dns upstream from dnsmasq than unbound | [21:48] |
| anisfarhana | I thought unbound is the local IP address i use for dnsmasq server. Or I am wrong here? | [21:49] |
| mercutio | name: "."
forward-addr: 8.8.8.8 forward-first: yes you need something like that in the config to use google dns from unbound nah unbound is an alternate dns resolver https://unbound.net/ | [21:49] |
| anisfarhana | Ok ok, this is more confusing now.
Stop first mercutio. | [21:50] |
| mercutio | http://npr.me.uk/unbound.html
if you must you can run it on windows too | [21:52] |
| anisfarhana | So unbound and dnsmaqs, are different?
I need both of it? | [21:53] |
| mercutio | you need either
but unbound is safer to not be open dns unbound can also be graphed in cacti if you're into that kind of thing | [21:54] |
| ......... (idle for 42mn) | ||
| *** | dj_goku has joined #arpnetworks
dj_goku has quit IRC (Changing host) dj_goku has joined #arpnetworks | [22:37] |
| ↑back Search ←Prev date Next date→ Show only urls | (Click on time to select a line by its url) |