Author Topic: Test Equipment Anonymous (TEA) group therapy thread  (Read 16656306 times)


Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3557
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59400 on: May 25, 2020, 09:14:58 pm »

securedns.eu is down
digitalcourage seems to have some technical issues
dismail and digitale-gesellschaft are looking okay, but I do not have any experiences with them.
mansaxel is the one with a profound knowledge about DNS, perhaps he can give you some recommendations.

Thanks for the vote of confidence.

As long as you have a reasonably open Internet connection, running your own local full service validating resolver is going to be the most dependable (as long as you keep it running, of course!) and least leaky solution. You can install the filters of your own liking, instead of trusting some other entity.

As with everything else, the importance of this is a matter of comparing with the situation around you. If the SOP of ISPs in your country is to monetize your query data (in the US, most big ISPs do this), you must use something other than your ISP resolvers. If they're filtering heavy-handedly, like the UK, likewise. If for no other reason than principle, you need to run a personal resolver. And, you really need it to do validation. Because some of these people intercept DNS queries and answer from their cache. Which, of course, will break if they lie, and work if they actually give you the data.

In Sweden, yes, we have a kiddie porn filter list, which has not yet seen abuse. On the other hand, we have laws that block monetizing query data. I'm much more comfortable with using my ISP's resolvers here. But still, I'm running my own. Because I can.

Basically, with the amount of suckage in default resolvers increasing, the option of running your own becomes tastier.

What I'd really try to avoid, is using Google or Cloudflare resolvers. Except in a pinch, where you need to bootstrap things.

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3557
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59401 on: May 25, 2020, 09:17:14 pm »
thanks BU508A!

That's why I am asking, too many good DNS people shot down? Why?

I am already scared about the incoming mansaxel post, either it would be very long and complicated and I will stare at my monitor like Homer Simpson or it will be a straight answer "Use this: DNS X" and I will be left with a lot of noob questions in my head.

Either way I am worried to look like a rental car lady: I can talk but I can't say a useful thing...

Forgive me in advance you DNS dragons Gods.

An honest question is always welcome. Ignorance, not so much. I see curiosity from you. I'm fine with that.

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3557
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59402 on: May 25, 2020, 09:30:09 pm »
Run your own ... basically a bind9 on a raspberry or whatever will do the job.

I already do (pfSense with Unbound), but I HAVE to trust some DNS Servers outside my home. So which DNS Service outside my home can I trust?
Sorry if it was a stupid reply, I am still learning.

The only DNS servers you NEED to trust are the root servers.

And you can validate that what they are giving you has not been modified in-flight by using DNSSEC. Which unbound mostly does without you having to do anything.

A post in the TEA thread of course is not complete without a test. Try this:

On a Real Computer (a unix that's got "dig" or "drill" installed), ask this question:
        (substituting 192.0.2.53 for the IP address of your resolver box)

dig @192.0.2.53 . NS +dnssec

or, for drill:

drill -D @192.0.2.53 . NS

If the reply coming back contains this row:

;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 0

(the "ad" bit is the important one) and also this gobbledygook:

.   44952   IN   RRSIG   NS 8 0 518400 20200607050000 20200525040000 48903 . P5QF5W8x6oTcqgiLAB4goyCQkajM7rrf6wZdF9aseKIEP9WmnRWzcqZ+GwMelXeZGKp01T/XhDxBMktehESqTWLdTWK9CNgms59Mn494ChubTzlEHjRCdbZeeGmJVt/ZiZG2OZXpM1pAvgkzWlrwE3K000mWUC4Qog1vZZTZvpBHiiRy0vd5uzlWUZtXoa4zWtv+m/NTPi1l3FMXYXbv1JD3b1yoO2AHoIjhsvfjtwcv6j4CSCZuWWd2B0g98Z2hlf+TJ+gNMsgdTXnlPbVj5E2F42s9I87IVD00w6MiGmcukgt+h0c0zvPl1JikR116EJWXFr4VKwm8E694MQJ/kg==

(with some variation, that blob for instance is not valid after June 7 2020, and the "44952" will certainly vary, it's the remaining lifetime in seconds during which it may be cached) then you're most likely good.

Easy as pie!

/mansaxel, mentioned in a DNSSEC RFC.
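
An added example (not part of mansaxel's post): a POSIX shell check for the two signs described in the reply above, the "ad" flag and an RRSIG over the root NS set that is still inside its validity window. The function names and the abridged sample replies are constructed for illustration; the RRSIG timestamps and key tag are the ones quoted in the post, with the signature replaced by a placeholder.

```shell
#!/bin/sh
# Added example: inspect saved dig/drill output for the two signs of a
# validating resolver. Function names and sample data are constructed.

# Abridged, constructed reply from a validating resolver. Timestamps and key
# tag are those quoted in the post; the signature is a placeholder.
SAMPLE_VALIDATED=';; flags: qr rd ra ad ; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 0
.   44952   IN   NS      a.root-servers.net.
.   44952   IN   RRSIG   NS 8 0 518400 20200607050000 20200525040000 48903 . PLACEHOLDERSIG=='

# Constructed reply from a resolver that passes signatures through but does
# not validate them: the RRSIG is there, the "ad" flag is not.
SAMPLE_NO_AD=';; flags: qr rd ra ; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 0
.   44952   IN   NS      a.root-servers.net.
.   44952   IN   RRSIG   NS 8 0 518400 20200607050000 20200525040000 48903 . PLACEHOLDERSIG=='

# has_ad_flag OUTPUT: succeeds if the header flag list contains "ad".
# Only the flag list is examined, so "ad" elsewhere in the output is ignored.
has_ad_flag() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ {
            sub(/^;; flags:/, "")   # drop the label
            sub(/;.*/, "")          # drop the counters after the flag list
            for (i = 1; i <= NF; i++) if ($i == "ad") found = 1
        }
        END { exit !found }'
}

# rrsig_status OUTPUT TYPE NOW: prints valid, expired, not-yet-valid or
# missing for the first RRSIG covering TYPE. NOW is UTC as YYYYMMDDHHMMSS,
# the same format the RRSIG expiration and inception fields use.
rrsig_status() {
    printf '%s\n' "$1" | awk -v type="$2" -v now="$3" '
        $4 == "RRSIG" && $5 == type {
            seen = 1
            if (now + 0 > $9 + 0)        print "expired"        # field 9: expiration
            else if (now + 0 < $10 + 0)  print "not-yet-valid"  # field 10: inception
            else                         print "valid"
            exit
        }
        END { if (!seen) print "missing" }'
}

# check_reply OUTPUT NOW: one-word verdict on a root NS reply.
# The "ad" flag is set by the resolver itself, so the verdict is only as
# trustworthy as the resolver and the network path between you and it.
check_reply() {
    if ! has_ad_flag "$1"; then
        echo "not-validated"
        return 0
    fi
    status=$(rrsig_status "$1" NS "$2")
    if [ "$status" = "valid" ]; then
        echo "validated"
    else
        echo "rrsig-$status"
    fi
}

# Constructed "current time" so the samples give the same result every run.
# Against a live resolver:
#   check_reply "$(dig @192.0.2.53 . NS +dnssec)" "$(date -u +%Y%m%d%H%M%S)"
NOW=20200526000000
echo "validating resolver:     $(check_reply "$SAMPLE_VALIDATED" "$NOW")"
echo "non-validating resolver: $(check_reply "$SAMPLE_NO_AD" "$NOW")"
echo "same reply, after expiry: $(check_reply "$SAMPLE_VALIDATED" 20200608000000)"
```

The second sample shows why the RRSIG alone proves nothing: a resolver can hand the signature back without ever having checked it.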

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3557
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59403 on: May 25, 2020, 09:42:04 pm »
Guess the TTi was not too far off ;-)

Was fun, easy setup easy lock...

The TTien are much more picky on the 10 seconds measurement period. If it's still a 1 with a lot of zeroes then, colour me impressed. My TF830 is pretty close, but not quite on 10 seconds.

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23045
  • Country: gb
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59404 on: May 25, 2020, 09:43:04 pm »
TF930 has a fairly decent (not cheap) TCXO in it if I remember correctly.
 

Offline Specmaster

  • Super Contributor
  • ***
  • Posts: 14483
  • Country: gb
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59405 on: May 25, 2020, 10:15:05 pm »
TF930 has a fairly decent (not cheap) TCXO in it if I remember correctly.
It certainly does. The following is a copy and paste from the operating manual; as you can see, it is better than 1ppm.  :-+

Timebase
Measurement Clock:    50MHz.
Internal Reference oscillator:    10MHz TCXO with electronic calibration adjustment.
Oscillator Temperature Stability:    Better than ± 1ppm over rated temperature range.
Initial Oscillator Adjustment Error:    < ± 0.2ppm at 21ºC.
Oscillator Ageing Rate:    < ± 1ppm first year.
Calibration adjustment range:    > ± 8ppm.
Who let Murphy in?

Brymen-Fluke-HP-Thurlby-Thander-Tek-Extech-Black Star-GW-Avo-Kyoritsu-Amprobe-ITT-Robin-TTi
 

Online mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59406 on: May 26, 2020, 01:14:10 am »
Pray tell, how is it cursed? It's fully recovered from the fireworks display.  :-DD

Well, it DID land on YOUR workbench...  >:D

mnem
*ducks soggy ol' boot hurled from the vicinity of upstate New York*
Has anyone told NORAD that the incoming is not a ballistic missile but just a soggy old boot?

Where's the fun in that...? Those good ol' boys could do with a good ol' fashioned 23:59 scramble.  :-DD

mnem
What they REALLY need to watch out for is the retaliatory dwagon-boot counterstrike... >:D
alt-codes work here:  alt-0128 = €  alt-156 = £  alt-0216 = Ø  alt-225 = ß  alt-230 = µ  alt-234 = Ω  alt-236 = ∞  alt-248 = °
 

Online mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59407 on: May 26, 2020, 01:56:25 am »

The microphone is on the left!!?? That's messed up! :D

McBryce.
And just what is wrong with that? Yes, us lefties are very sinister and evil.  >:D ;D

   Lefties are by definition sinister. YOU are evil. There's a difference.  :-DD

mnem
*agitating-ily*
 

Offline Neomys Sapiens

  • Super Contributor
  • ***
  • Posts: 3268
  • Country: de
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59408 on: May 26, 2020, 02:02:38 am »
I seem to have been really lucky with the acquisition of the TVC501. Not only that it seems functional, it is also designed to be verifiable using standard instruments without a lot of requirements.
Its capabilities are where I am simply astounded. I can't understand how I could make do without one.
What is worrying is that reading those app notes makes me want to acquire a WR501! (and to check out my unverified DD501). And the signal output of the scopes will come in handy too.
Until now, I only had time to run one of the 4? verification checks and exercise the FP controls, but if things stay that way, the kink in the front panel foil will be my only problem.

Having had it a year earlier would have been beneficial even for my company work. Providing proof of GPS PPS pulse variations? A simple setup task.

Normally, I would like to cancel all appointments and other activities, but my boss might interfere with that. It will be even more interesting to use it in conjunction with a bigger, better scope (and here it starts anew).
I need help. (to get my hands on one, of course. Not what you thought.)

The T502A that came with it is rather grimy though. The handle is distorted somewhat and the attachment on one side is missing. The complementary AM503 that came with it will join the backlog for considerable time, as a working one is at hand already. (It should work too, but I will not test it now.)
« Last Edit: May 26, 2020, 02:06:39 am by Neomys Sapiens »
 
The following users thanked this post: edavid

Online mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59409 on: May 26, 2020, 02:05:08 am »
Right now I'm tucking into the first Chicken Chinese Curry, topped with fat chips to celebrate our local takeaway has re-opened for deliveries. It's the first I've had since the lockdown started and it's fucking beautiful, all being washed down with a glorious chilled Ginger Grizzly beer  :popcorn: and no I'm not sharing it with you lot.

To steal one of mnem's  med's Bugs Bunny's lines, Ain't I a stinker >:D :-DD

Ah correction....that's not his line...that's MY line. I used it first long time ago.  ;D
Gee, sorry, fixed that for yah  :-DD :-DD :-DD

FT-FTFY...  :-DD

mnem
https://getyarn.io/yarn-clip/32ec2153-3212-4f38-8973-73edcdc4db98
« Last Edit: May 26, 2020, 02:08:24 am by mnementh »
 
The following users thanked this post: Specmaster

Online mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59410 on: May 26, 2020, 02:15:51 am »
The mean thing with tants is that most of the time they die quietly and show no outer signs of their demise. The real acoustic and pyrolytic cap is definitively the RIFA, which should be designated as C6 (hexogene). These parts are the shaped charges of the electronic world.  8) : >:D
Yes, if not enough oomph (aka activation energy from the external source) is available, tants just fail short.

The beaded ones are also often "sneaky little bastards" that leech their electrolyte under the damned silkscreen, making a complete dog's breakfast of what SHOULD be a simple recapping party. |O

mnem
 :-BROKE
 

Online mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59411 on: May 26, 2020, 02:27:06 am »
...Because of the mech keyboard discussion (thanks bd), I bought a used cherry Mx red switches one (see here). I currently have an unLogictec brown switches one, curious to see how the difference is.

I love everything about that KB (steel frame, genuine Cherry reds, USB-C, reasonable price) except the red BL and tenkeyless. If it came across my RADAR at a reasonable used price, I'd probably spend an afternoon replacing the RED LEDs with blue ones, then regret giving up my 10-key and back on the bay of evil widdit. But it WOULD be fun for a while... :-DD

mnem

« Last Edit: May 26, 2020, 02:29:17 am by mnementh »
 
The following users thanked this post: Zucca

Online mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59412 on: May 26, 2020, 02:28:40 am »
@zucca if you don't mind big corporate brother watching you: https://developers.google.com/speed/public-dns I would trust google to take security seriously.
Security.... mmmhmnmm... yes. But I don't know that one could count on the impartiality of their tables, particularly by region.

mnem
 :scared:
 

Online mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59413 on: May 26, 2020, 02:31:56 am »
I still have my TF930, to coin a certain phrase, it's going to the grave with me that is. I know that I'll get another that good at such a good price, it's almost like I stole it.  :-DD

"What's it worth...? It's worth keepin'. " ~grand-dad

mnem
 :clap:
 

Online edavid

  • Super Contributor
  • ***
  • Posts: 3395
  • Country: us
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59414 on: May 26, 2020, 03:03:26 am »
C4 aka Linux in the IT world. First thing I boot up is LibreELEC on one of those nice little fanless M600's and it just works out of the box.

Only problem is they only have DP connectors on them which means you can't send audio over HDMI even with a DP->HDMI cable. Argh!

That's odd, it does work on the M72e Tiny and M73 Tiny.

This is the type of crappo adapter I use: eBay auction: #293305231900
 

Online mnementh

  • Super Contributor
  • ***
  • Posts: 17541
  • Country: us
  • *Hiding in the Dwagon-Cave*
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59415 on: May 26, 2020, 04:04:41 am »
Any chance a FW update might resolve...? Or, this may be a known issue among fleet IT owners, and that's why the model is so cheap... :-//

mnem
*toddles off to ded*
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 20009
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59416 on: May 26, 2020, 06:10:53 am »
Having had it a year earlier would have been beneficial even for my company work. Providing proof of GPS PPS pulse variations? A simple setup task.

On my to-do list is to use my HP53301 modulation domain analyser / time interval analyser to do just that.

If you have a modern frequency/interval counter, it might be possible to persuade it to measure intervals.
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 

Offline psykok

  • Frequent Contributor
  • **
  • Posts: 289
  • Country: fr
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59417 on: May 26, 2020, 06:31:24 am »
Internal DNS -> fuck it, just use whatever comes with your router / firewall. Not worth any more effort than that. If you want to use it for content blocking, just use ublock in a browser.

Upstream DNS from your ISP -> just use google's DNS servers.

Fuuu it I go with big G then.
I do not need an external DNS. So after reading this, I will use this DNS in my pfSense box:
127.0.0.1 (Local Unbound)
8.8.8.8 (Upstream DNS Google #1)
8.8.4.4 (Upstream DNS Google #2)

Moreover:

- DNSSEC Support enabled.

- DNS over TLS for upstream forwarders to the DNS Resolver enabled.

- System Domain Local Zone Type:
Quote
Transparent: The DNS Resolver will answer the query from local data if there is a match. If there is no match in local data, the query will be passed to upstream DNS servers. If there is a match in the local data, but the type of data for which the query is being made doesn’t exist in the local data, the DNS Resolver will return a no error/no data message.

- Redirecting all DNS Requests to pfSense enabled.

Interesting will be to see how the Local OpenVPN Server will play along this.

and here I am, I thought DNS was just converting a string to some numbers...

Don't put all your eggs in the same basket:
You should consider using 9.9.9.9 in addition to the Google DNS.

 

Offline VK5RC

  • Supporter
  • ****
  • Posts: 2672
  • Country: au
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59418 on: May 26, 2020, 06:39:30 am »
HPAK 53230 is an order of magnitude more accurate (and sl less than that in expense! HiHi) 200pS vs 20pS or so resolution. The TICC from TAPR group make one around the $US 260 and is about 60ps resolution, they are back in stock again.
Whoah! Watch where that landed we might need it later.
 

Offline duckduck

  • Frequent Contributor
  • **
  • Posts: 412
  • Country: us
  • 20Hz < fun < 20kHz, and RF is Really Fun
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59419 on: May 26, 2020, 06:52:44 am »
Run your own ... basically a bind9 on a raspberry or whatever will do the job.

I already do (pfSense with Unbound), but I HAVE to trust some DNS Servers outside my home. So which DNS Service outside my home can I trust?
Sorry if it was a stupid reply, I am still learning.

What's wrong with the DNS that your internet service provider offers (other than the fact that they probably resell your browsing history)? I use 1.1.1.1 and 1.0.0.1 https://1.1.1.1/dns/. Seems like the least bad option to me. To do it right, you should encrypt your communications with your DNS since your ISP can read it otherwise. Some even spoof replies from other DNS servers you query. Sickening.

Firefox has an option for DNS over HTTPS that may work for you. Remember that Chrome essentially has its own TCP stack and you can assume that your browsing history is being sent to Google some way or another. Internet Explorer is just a nightmare.
« Last Edit: May 26, 2020, 06:57:59 am by duckduck »
 

Offline Zucca

  • Supporter
  • ****
  • Posts: 4419
  • Country: it
  • EE meid in Itali
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59420 on: May 26, 2020, 07:44:42 am »
The only DNS servers you NEED to trust are the root servers.

This.  :-+

In my ignorance I was confusing the upstream DNS requests with the ones to the root servers.
Now I can also understand why I do not need big Google as external DNS if I have my Unbound running at home.


And you can validate that what they are giving you has not been modified in-flight by using DNSSEC. Which unbound mostly does without you having to do anything.

A post in the TEA thread of course is not complete without a test. Try this:

On a Real Computer (a unix that's got "dig" or "drill" installed), ask this question:
        (substituting 192.0.2.53 for the IP address of your resolver box)

dig @192.0.2.53 . NS +dnssec

or, for drill:

drill -D @192.0.2.53 . NS

If the reply coming back contains this row:

;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 0

(the "ad" bit is the important one) and also this gobbledygook:

.   44952   IN   RRSIG   NS 8 0 518400 20200607050000 20200525040000 48903 . P5QF5W8x6oTcqgiLAB4goyCQkajM7rrf6wZdF9aseKIEP9WmnRWzcqZ+GwMelXeZGKp01T/XhDxBMktehESqTWLdTWK9CNgms59Mn494ChubTzlEHjRCdbZeeGmJVt/ZiZG2OZXpM1pAvgkzWlrwE3K000mWUC4Qog1vZZTZvpBHiiRy0vd5uzlWUZtXoa4zWtv+m/NTPi1l3FMXYXbv1JD3b1yoO2AHoIjhsvfjtwcv6j4CSCZuWWd2B0g98Z2hlf+TJ+gNMsgdTXnlPbVj5E2F42s9I87IVD00w6MiGmcukgt+h0c0zvPl1JikR116EJWXFr4VKwm8E694MQJ/kg==

(with some variation, that blob for instance is not valid after June 7 2020, and the "44952" will certainly vary, it's the remaining lifetime in seconds during which it may be cached) then you're most likely good.

Easy as pie!

/mansaxel, mentioned in a DNSSEC RFC.

Hold your horses.
I need to SSH into my pfSense box and run your code. I will do it but yes, of course dnssec is active in my Unbound.

I also find very interesting this. I am trying it out since yesterday evening and I have to say I get less ads on my web surfing. I do not exactly understand why but I appreciate it.

Further I have to say I am biting my hands and fingers to not have had an Unbound DNS Server since day 1. It is so a much cleaner solution.

I am still puzzled on what to do for the DNS over TLS port 853 stuff, right now I have blocked all the requests generated in my LAN at the Firewall. I want to see/test if there are any problems.
A DNS TLS device should go to the normal 53 Port as fallback solution???

Keep watching the pihole stuff very close, meh dnsmasq and not Unbound? Anyhow here seems to be different.
Right now I am a happy camper, pihole will come later when I can't stand the ads, right now they are below the pain line.

Thanks Mansa and all the other DNS Dragons, Sask and bd!


« Last Edit: May 26, 2020, 08:00:34 am by Zucca »
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3557
  • Country: se
  • SA0XLR
    • My very static home page
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59421 on: May 26, 2020, 07:53:47 am »

What's wrong with the DNS that your internet service provider offers (other than the fact that they probably resell your browsing history)?

They resell your browsing history. Especially in the US. It is enough.

I use 1.1.1.1 and 1.0.0.1 https://1.1.1.1/dns/. Seems like the least bad option to me. To do it right, you should encrypt your communications with your DNS since your ISP can read it otherwise. Some even spoof replies from other DNS servers you query. Sickening.

What makes you think they're any better than your ISP? Yeah, the presence of APNIC sort of helps, but, Cloudflare still is a company with share holders.

Firefox has an option for DNS over HTTPS that may work for you. Remember that Chrome essentially has its own TCP stack and you can assume that your browsing history is being sent to Google some way or another. Internet Explorer is just a nightmare.

...and that DoH (official IETF acronym for that shit-storm of a stupid idea, not that I have strong opinions on that, Nooooo!) setup Firefox is using happily feeds Cloudflare with your query data.

There still is nothing wrong with running a validating resolver on your own iron, without stupid forwarders into the big data collecting gang (any of 8.8.8.8, 8.8.4.4, 1.1.1.1, 9.9.9.9 or your ISP), only bootstrapping with the root zone and its key.

Remember, validating DNS replies lets you verify that your queries aren't answered with lies. Regardless what shite filters they passed through on the way to you. Assuming the things you're looking for are signed, of course. In Sweden, most important things are. In the US, NIST has mandated it for federal authorities, and at least my little sampling indicates that it is so.

Your data is valuable to the hooverers of the Internet. But only to an extent. (depending on who you are) In most cases, it is enough to make collection expensive, and it will stop.

You sending ALL your computers' queries to one single instance, in an identifiable trail of breadcrumbs, is both valuable and cheap.

All queries from your household, aggregated and cache optimised, then scattered over the entire corpus of name servers hosting zones on the Internet, that is expensive to collect.

Of course, you can be tracked anyway; the three-letter agencies are doing it (by tapping fibers and looking for things in the data), but the fire hose they drink from is pretty thick, so they must focus.

The advertisers and ISPs either can't tap like that and most often couldn't afford to do it even if they technically could do it.

Offline Zucca

  • Supporter
  • ****
  • Posts: 4419
  • Country: it
  • EE meid in Itali
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59422 on: May 26, 2020, 07:55:14 am »
What I did, is: I've created a cronjob on the raspi-pi, which checks the installation of the os for updates and does a reboot every 24 hours. Improves the stability a lot.

Here it is:

Code: [Select]
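pi@raspberrypi:~ $ sudo su -
root@raspberrypi:~# crontab -l
0 4 * * *       /root/pihole.sh
root@raspberrypi:~# cat /root/pihole.sh
#!/bin/bash
# Refresh the package lists and apply OS updates unattended
apt-get update
apt-get upgrade -y
# Update Pi-hole itself
/usr/local/bin/pihole -up
# Reboot (runlevel 6)
init 6; exit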

Raspi is the best tool to understand how unstable those little devil machines are, and you learn to dig into logs and understand more how a non-Windows system works.  :popcorn:
Thanks for the code, very smart solution. It confirms my feeling that nothing critical should run on a raspi.
« Last Edit: May 26, 2020, 07:58:14 am by Zucca »
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23045
  • Country: gb
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59423 on: May 26, 2020, 09:02:29 am »
I don't like the Pi's. They are far from what I'd consider minimal quality for any use. Toys yes, computer no. Junk. Those little Lenovo M600's work out about the same price by the time you've jammed all the bits to turn the Pi into something that isn't junk and are at least 2 orders of magnitude better quality as they are 100% duty industrial terminals really!

As for DNS, you have to pick your battles in life. While I agree with mansaxel ultimately, the effort to run your own validating server and the effort in understanding how to do it properly without shooting yourself in the face doesn't have a return over contracting it out to Google. You gain performance, security and geographical caching for your £0 spend and they only record data for <48 hours for DoS protection purposes, do not modify it and do not correlate it with any other info you provide.
 
The following users thanked this post: Zucca, mnementh, jjoonathan

Offline Zucca

  • Supporter
  • ****
  • Posts: 4419
  • Country: it
  • EE meid in Itali
Re: Test Equipment Anonymous (TEA) group therapy thread
« Reply #59424 on: May 26, 2020, 09:10:09 am »
You gain performance, security and geographical caching

because a request to the DNS root server takes more time than the one to Google DNS?
Why is it always so complicated?  ??? ;D
 

