Re: This DNS over HTTP thing

2019-10-01 Thread Brandon Butterworth
On Mon Sep 30, 2019 at 10:38:31PM -0700, Matt Corallo wrote: > It was mentioned in this (partially related) thread, with all the responses > being the predictable "lol these folks in Silicon Valley need to lay off > the drugs". > >

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Mon, Sep 30, 2019 at 11:56:33PM -0400, Brandon Martin wrote a message of 10 lines which said: > It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) > will go back to using your local DNS server list as per usual. Unless, I hope, the user explicitly overrides this. (Because

Re: AWS issues with 172.0.0.0/12

2019-10-01 Thread Stephane Bortzmeyer
On Tue, Oct 01, 2019 at 09:09:38AM +0100, Christopher Morrow wrote a message of 27 lines which said: > possible that this is various AWS customers making iptables/firewall mistakes? > "block that pesky rfc1918 172/12 space!!" May be, but I used the same target as Mehmet.

Re: This DNS over HTTP thing

2019-10-01 Thread Jeroen Massar
On 2019-10-01 10:08, Stephane Bortzmeyer wrote: > On Tue, Oct 01, 2019 at 09:55:54AM +0200, > Jeroen Massar wrote > a message of 26 lines which said: > >>> (Because this canary domain contradicts DoH's goals, by allowing >>> the very party you don't trust to remotely disable security.) >> >>

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Mon, Sep 30, 2019 at 11:46:04PM -0400, Fred Baker wrote a message of 28 lines which said: > > Is there an official name for it I should be searching for? > > The IETF calls it "DoH", pronounced like > "Dough". https://datatracker.ietf.org/wg/doh/about/ And it is standardized in RFC 8484,

Re: This DNS over HTTP thing

2019-10-01 Thread Brandon Martin
On 10/1/19 3:38 AM, Stephane Bortzmeyer wrote: It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) will go back to using your local DNS server list as per usual. Unless, I hope, the user explicitly overrides this. (Because this canary domain contradicts DoH's goals, by allowing

RE: This DNS over HTTP thing

2019-10-01 Thread Keith Medcalf
On Tuesday, 1 October, 2019 01:39, Stephane Bortzmeyer wrote: >On Mon, Sep 30, 2019 at 11:56:33PM -0400, Brandon Martin wrote >> It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) >> will go back to using your local DNS server list as per usual. > Unless, I hope, the user

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Tue, Oct 01, 2019 at 10:35:31AM +0200, Jeroen Massar wrote a message of 29 lines which said: > Correct: for the DoH protocol it is not that goal, there it solely > is "encryption". But DoT already solves that. DoT is fine, (and my own public resolver activates it) but, as you know, it is

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Tue, Oct 01, 2019 at 08:22:58AM +0100, Brandon Butterworth wrote a message of 37 lines which said: > Here are some UKNOF presentations on it - Note that the UK is probably the country in Europe with the biggest use of lying DNS resolvers for censorship. No wonder that the people who

Re: This DNS over HTTP thing

2019-10-01 Thread Jeroen Massar
On 2019-10-01 09:38, Stephane Bortzmeyer wrote: > On Mon, Sep 30, 2019 at 11:56:33PM -0400, > Brandon Martin wrote > a message of 10 lines which said: > >> It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) >> will go back to using your local DNS server list as per usual. > >

Re: This DNS over HTTP thing

2019-10-01 Thread Robert Kisteleki
> The bare about:config pref you want is "network.trr.mode". Short and > sweet of it, set to 5 (off by choice), and it should disable the > function entirely. 3 would be the opposite: always use it. Thank you, IMO this is by far the most useful piece of information on the subject! Robert

Re: AWS issues with 172.0.0.0/12

2019-10-01 Thread Christopher Morrow
possible that this is various AWS customers making iptables/firewall mistakes? "block that pesky rfc1918 172/12 space!!" On Tue, Oct 1, 2019 at 8:51 AM Stephane Bortzmeyer wrote: > > On Mon, Sep 30, 2019 at 11:38:25PM -0700, > Mehmet Akcin wrote > a message of 131 lines which said: > > >

Re: AWS issues with 172.0.0.0/12

2019-10-01 Thread Stephane Bortzmeyer
On Mon, Sep 30, 2019 at 11:38:25PM -0700, Mehmet Akcin wrote a message of 131 lines which said: > Here you go The two RIPE Atlas probes in the AT prefix seem able to reach AWS: % blaeu-traceroute --protocol TCP --size=0 --port=80 --first_hop=64 --format --prefix 172.0.0.0/12 --requested

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Tue, Oct 01, 2019 at 09:55:54AM +0200, Jeroen Massar wrote a message of 26 lines which said: > > (Because this canary domain contradicts DoH's goals, by allowing > > the very party you don't trust to remotely disable security.) > > The goal is centralization of DNS Hmmm, no, read RFC

Re: This DNS over HTTP thing

2019-10-01 Thread Grzegorz Janoszka
On 01/10/2019 09:22, Brandon Butterworth wrote: Here are some UKNOF presentations on it - Also very interesting from NLNOG (but in English): https://www.youtube.com/watch?v=pjin3nv8jAo -- Grzegorz Janoszka

AWS issues with 172.0.0.0/12

2019-10-01 Thread Mehmet Akcin
Hey there AT is using 172.0.0.0/12 block as public IP for customers in USA. AWS seems to be blocking this block, I can reach many sites just fine but I can't get to some sites hosted on AWS such as reolink.com If someone from AWS is reading the list, please fix this issue Mehmet -- Mehmet

Re: AWS issues with 172.0.0.0/12

2019-10-01 Thread Mehmet Akcin
Hey Andras Here you go Warning: www.reolink.com has multiple addresses; using 52.21.66.90 traceroute to www.reolink.com (52.21.66.90) , 5 relative hops max, 52 byte packets 1 192.168.7.1 (192.168.7.1) 4.200 ms 55.354 ms 56.375 ms 2 192.168.1.254 (192.168.1.254) 5.175 ms 56.006 ms 57.214 ms

Re: AWS issues with 172.0.0.0/12

2019-10-01 Thread Andras Toth
Hi Mehmet, A traceroute would be particularly useful. Have you tried accessing http://ec2-reachability.amazonaws.com/ to verify if the green icons load? If not, any particular region that's broken? Could you collect a traceroute towards some of the working and non-working IPs listed there?

Re: This DNS over HTTP thing

2019-10-01 Thread Jeroen Massar
TL;DR: - Using DoT or DoH as a protocol is fine, though the recursor still controls/views the DNS queries - Using a centralized/forced-upon DNS service (be that over DoT/DoH or even plain old Do53 does not improve security or privacy... Getting that forced fed by the monopolies

Re: This DNS over HTTP thing

2019-10-01 Thread Jeroen Massar
On 2019-10-01 15:22, Stephane Bortzmeyer wrote: > On Tue, Oct 01, 2019 at 12:11:32PM +0200, > Jeroen Massar wrote > a message of 101 lines which said: > >> - Using a centralized/forced-upon DNS service (be that over DoT/DoH >> or even plain old Do53 > > Yes, but people using a public DNS

Re: This DNS over HTTP thing

2019-10-01 Thread Ca By
On Tue, Oct 1, 2019 at 6:23 AM Stephane Bortzmeyer wrote: > On Tue, Oct 01, 2019 at 12:11:32PM +0200, > Jeroen Massar wrote > a message of 101 lines which said: > > > - Using a centralized/forced-upon DNS service (be that over DoT/DoH > > or even plain old Do53 > > Yes, but people using a

Re: This DNS over HTTP thing

2019-10-01 Thread Jared Mauch
> On Oct 1, 2019, at 6:11 AM, Jeroen Massar wrote: > > TL;DR: > - Using DoT or DoH as a protocol is fine, though the recursor still > controls/views the DNS queries > - Using a centralized/forced-upon DNS service (be that over DoT/DoH or even > plain old Do53 does not improve security or

Re: This DNS over HTTP thing

2019-10-01 Thread Stephane Bortzmeyer
On Tue, Oct 01, 2019 at 12:11:32PM +0200, Jeroen Massar wrote a message of 101 lines which said: > - Using a centralized/forced-upon DNS service (be that over DoT/DoH > or even plain old Do53 Yes, but people using a public DNS resolver (of a big US corporation) over UDP is quite an old

Re: This DNS over HTTP thing

2019-10-01 Thread Jared Mauch
> On Oct 1, 2019, at 9:22 AM, Stephane Bortzmeyer wrote: > > On Tue, Oct 01, 2019 at 12:11:32PM +0200, > Jeroen Massar wrote > a message of 101 lines which said: > >> - Using a centralized/forced-upon DNS service (be that over DoT/DoH >> or even plain old Do53 > > Yes, but people using a

Re: This DNS over HTTP thing

2019-10-01 Thread Ca By
On Mon, Sep 30, 2019 at 7:27 PM Jay R. Ashworth wrote: > I've been embroiled in my first house-move in 28 years, and just got back > to the table. I don't see any threads here about whatever this > thing-which- > appears-to-me-to-be-a-monstrosity; has it been discussed here and I missed > it? >

Re: This DNS over HTTP thing

2019-10-01 Thread Matt Harris
On Tue, Oct 1, 2019 at 8:22 AM Stephane Bortzmeyer wrote: > On Tue, Oct 01, 2019 at 12:11:32PM +0200, > Jeroen Massar wrote > a message of 101 lines which said: > > > - Using a centralized/forced-upon DNS service (be that over DoT/DoH > > or even plain old Do53 > > Yes, but people using a

Re: This DNS over HTTP thing

2019-10-01 Thread Grimes, Greg
DNS over HTTPS. And yes, DNS over TLS would be better in my opinion. -- Greg Grimes Senior Network Analyst Information Technology Services Mississippi State University 662-325-9311(w) From: NANOG on behalf of Jay R. Ashworth Sent: Monday, September 30, 2019

Re: This DNS over HTTP thing

2019-10-01 Thread Tom Hill
On 01/10/2019 08:40, Stephane Bortzmeyer wrote: > Note that the UK is probably the country in Europe with the biggest > use of lying DNS resolvers for censorship. No wonder that the people > who censor don't like anti-censorship techniques. Do you have a (reputable) source to go with that claim?

Re: AWS issues with 172.0.0.0/12

2019-10-01 Thread Jim Popovitch via NANOG
On 10/1/2019 4:09 AM, Christopher Morrow wrote: possible that this is various AWS customers making iptables/firewall mistakes? "block that pesky rfc1918 172/12 space!!" AWS also uses some 172/12 space on their internal network (e.g. the network that sits between EC2 instances and the AWS

Re: This DNS over HTTP thing

2019-10-01 Thread David Conrad
Jay, On Oct 1, 2019, at 12:18 PM, Jay R. Ashworth wrote: > This is thought to be about security? > > Didn't we already *fix* DNS SECurity? No. DNSSEC solves a different problem (being able to verify what you get is what the domain owner published). DoH (and DoT) encrypt (and authenticate)

Re: AWS issues with 172.0.0.0/12

2019-10-01 Thread Matt Palmer
On Tue, Oct 01, 2019 at 04:50:33AM -0400, Jim Popovitch via NANOG wrote: > On 10/1/2019 4:09 AM, Christopher Morrow wrote: > > possible that this is various AWS customers making iptables/firewall > > mistakes? > >"block that pesky rfc1918 172/12 space!!" > > AWS also uses some 172/12 space

Re: AWS issues with 172.0.0.0/12

2019-10-01 Thread Jim Popovitch via NANOG
On October 1, 2019 9:39:03 PM UTC, Matt Palmer wrote: >On Tue, Oct 01, 2019 at 04:50:33AM -0400, Jim Popovitch via NANOG >wrote: >> On 10/1/2019 4:09 AM, Christopher Morrow wrote: >> > possible that this is various AWS customers making >iptables/firewall mistakes? >> >"block that pesky

Re: Optical training

2019-10-01 Thread Brandon Martin
On 10/01/2019 17:05, Mel Beckman wrote: If you’re looking for DWDM design and provisioning, you’ll probably have to pay for vendor-specific courses. Are there really even any significant (i.e. usefully deployed) vendor-neutral mechanisms for DWDM provisioning? All the systems I know of are

Re: This DNS over HTTP thing

2019-10-01 Thread Jay R. Ashworth
- Original Message - > From: "Matt Corallo" > It was mentioned in this (partially related) thread, with all the responses > being the predictable “lol these folks in Silicon Valley need to lay off the > drugs”. > > https://mailman.nanog.org/pipermail/nanog/2019-September/103059.html

Re: This DNS over HTTP thing

2019-10-01 Thread Warren Kumari
On Tue, Oct 1, 2019 at 3:42 PM K. Scott Helms wrote: > > They almost have to change the default since there are (comparatively) very > few DoH providers compared to DNS providers. From the link that Damian sent (emphasis mine): "More concretely, the experiment in Chrome 78 will **check if the

Re: This DNS over HTTP thing

2019-10-01 Thread bzs
Everyone (who's anyone) is looking for free curation of the net! Maybe one more law or regulation will do it. Look at how well it stomped out spam! Put more grimly: For over 100 years Europe, and others, have imagined the path to paradise is paved with new and improved censorship. Results

Re: This DNS over HTTP thing

2019-10-01 Thread Aaron C. de Bruyn via NANOG
"For the children!" "Stop resisting!" "I was in fear for my life!" The age-old cries of the oppressor. The problem is that children are being kidnapped, trafficked, and abused. DNS blocking doesn't solve that. It's not a technical problem. Go to the source--the kidnappers, traffickers, and

Re: This DNS over HTTP thing

2019-10-01 Thread Jay R. Ashworth
- Original Message - > From: "Matt Corallo" > I’m not sure that google has announced any plans to, but Firefox has announced > plans to switch everyone to Cloudflare’s DNS. > > Hope none of y’all are running competing CDNs, cause they’re about to get > real > slow on Firefox. But

Re: This DNS over HTTP thing

2019-10-01 Thread Damian Menscher via NANOG
On Tue, Oct 1, 2019 at 1:22 PM Jeroen Massar wrote: > On 2019-10-01 21:38, Damian Menscher wrote: > > > Could someone provide a reference of Google saying they'll change the > default nameserver? Without that, I think all of Jeroen's arguments fall > apart? > > While I stated: > > >> Moving

Re: Optical training

2019-10-01 Thread James Chang
Sorry... forgot to mention that I'm looking for recommendations of training courses in this particular area. Thanks, James On Tue, Oct 1, 2019 at 4:21 PM James Chang wrote: > Hi All, > > Hopefully this is the right place to post this question. I'm a routing > guy mainly working with ISIS/BGP

Clueful netops/sysops persons at Canon

2019-10-01 Thread Eric Dugas
Hello, One of our customers is having issues with his Canon printers that need to connect to https://ugwportal.net for whatever reason. The issue is only visible from one of our netblocks to a few IPs in 202.248.100.0/24. I don't believe this is a routing issue. The netblock is routed by

Re: This DNS over HTTP thing

2019-10-01 Thread John R. Levine
I assumed my point was obvious but evidently I overestimated my audience. While it is stupid to assert that the only reason to circumvent DNS filters is to look at child abuse material, it is equally stupid to assert that the only reason to filter is to lie, or to censor. There are plenty of

Re: This DNS over HTTP thing

2019-10-01 Thread Damian Menscher via NANOG
On Tue, Oct 1, 2019 at 2:06 PM Jeroen Massar wrote: > On 2019-10-01 23:03, Damian Menscher wrote: > > On Tue, Oct 1, 2019 at 1:22 PM Jeroen Massar jer...@massar.ch>> wrote: > > > > On 2019-10-01 21:38, Damian Menscher wrote: > > > > > Could someone provide a reference of Google saying

Optical training

2019-10-01 Thread James Chang
Hi All, Hopefully this is the right place to post this question. I'm a routing guy mainly working with ISIS/BGP for my company in our core space. I have an opportunity to get involved with our L2 DWDM network. We are a Cisco shop using NCS2K as DWDM nodes. But before jumping into learning the

Re: This DNS over HTTP thing

2019-10-01 Thread Jay R. Ashworth
- Original Message - > From: "Stephane Bortzmeyer" > On Mon, Sep 30, 2019 at 11:56:33PM -0400, > Brandon Martin wrote > a message of 10 lines which said: > >> It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) >> will go back to using your local DNS server list as per

Re: This DNS over HTTP thing

2019-10-01 Thread Michael Thomas
On 10/1/19 12:18 PM, Jay R. Ashworth wrote: - Original Message - From: "Stephane Bortzmeyer" On Mon, Sep 30, 2019 at 11:56:33PM -0400, Brandon Martin wrote a message of 10 lines which said: It's use-application-dns.net. NXDOMAIN it, and Mozilla (at least) will go back to using

Re: This DNS over HTTP thing

2019-10-01 Thread Jeroen Massar
On 2019-10-01 23:03, Damian Menscher wrote: > On Tue, Oct 1, 2019 at 1:22 PM Jeroen Massar > wrote: > > On 2019-10-01 21:38, Damian Menscher wrote: > > > Could someone provide a reference of Google saying they'll change the > default nameserver? Without that,

Re: This DNS over HTTP thing

2019-10-01 Thread Frank Habicht
Hi, On 01/10/2019 23:24, Warren Kumari wrote: > On Tue, Oct 1, 2019 at 3:42 PM K. Scott Helms wrote: >> >> They almost have to change the default since there are (comparatively) very >> few DoH providers compared to DNS providers. > > From the link that Damian sent (emphasis mine): > "More

Re: This DNS over HTTP thing

2019-10-01 Thread K. Scott Helms
They almost have to change the default since there are (comparatively) very few DoH providers compared to DNS providers. On Tue, Oct 1, 2019, 2:40 PM Damian Menscher via NANOG wrote: > On Tue, Oct 1, 2019 at 12:24 PM Jay R. Ashworth wrote: > >> - Original Message - >> > From: "Stephane

Re: This DNS over HTTP thing

2019-10-01 Thread Valdis Klētnieks
On Tue, 01 Oct 2019 16:24:30 -0400, Warren Kumari said: > "More concretely, the experiment in Chrome 78 will **check if the > user’s current DNS provider** is among a list of DoH-compatible > providers, and upgrade to the equivalent DoH service **from the same > provider**. If the DNS provider

Re: This DNS over HTTP thing

2019-10-01 Thread John Levine
In article <20191001074011.n4xjouqg6lhsv...@nic.fr> you write: >Note that the UK is probably the country in Europe with the biggest >use of lying DNS resolvers for censorship. No wonder that the people >who censor don't like anti-censorship techniques. Most UK ISPs use the Internet Watch

Re: This DNS over HTTP thing

2019-10-01 Thread Damian Menscher via NANOG
On Tue, Oct 1, 2019 at 12:24 PM Jay R. Ashworth wrote: > - Original Message - > > From: "Stephane Bortzmeyer" > > To: "Jeroen Massar" > > >> While the 'connection to the recursor' is 'encrypted', the recursor > >> is still in clear text... one just moves who can see what you are > >>

Re: This DNS over HTTP thing

2019-10-01 Thread Jay R. Ashworth
- Original Message - > From: "Stephane Bortzmeyer" > To: "Jeroen Massar" >> While the 'connection to the recursor' is 'encrypted', the recursor >> is still in clear text... one just moves who can see what you are >> doing with this. > > As with any cryptographic protocol. Same thing

Re: This DNS over HTTP thing

2019-10-01 Thread Jeroen Massar
On 2019-10-01 21:38, Damian Menscher wrote: > Could someone provide a reference of Google saying they'll change the default > nameserver? Without that, I think all of Jeroen's arguments fall apart? While I stated: >> Moving only your DNS to Cloudflare or Google does not solve the security >>

Re: Optical training

2019-10-01 Thread Mel Beckman
FiberU (https://fiberu.org) has a lot of decent free training materials. Their emphasis is on physical installation, but they do cover DWDM, Bi-Di, and related physics in some of their videos. If you’re looking for DWDM design and provisioning, you’ll probably have to pay for vendor-specific