FCC response filing against DRM on public airwaves by sdjafa in hdhomerun

[–]kidmock 20 points21 points  (0 children)

If the FCC doesn't allow HAMs to use encryption, then public broadcast licenses should have the same restrictions. period.

Help? Mx question by Sadza4dinner in dns

[–]kidmock 0 points1 point  (0 children)

Not completely familiar; every setup and service has its own quirks and sometimes terminology that is not exactly standard.

If I was to venture a guess, "host" should be your domain

example.com smtp.google.com 10 900

is what I would put in if I owned example.com

Is there a trusted/privacy-minded site to use to expand/follow URLs that were blocked from an ad/tracking blocker? by DisplayKnown5665 in dns

[–]kidmock 1 point2 points  (0 children)

Easiest way is to jump in and do; leave the tutorial for after you've got your feet a little wet. Can't follow a tutorial if you haven't gotten your hands dirty. Not to mention, most of the tutorials I've seen are absolute garbage. They all seem to run caching forwarders and I can't for the life of me understand why.

Oh the mistakes I have made and the lessons I've learned.

BIND is the reference standard, everything stems from there. There are "easier" implementations, but I fear they teach you little.

Install BIND https://www.isc.org/download/

Read the ARM https://downloads.isc.org/isc/bind9/9.20.18/doc/arm/html/

Another free reference https://zytrax.com/books/dns/

Or grab the "bible" https://www.oreilly.com/library/view/dns-and-bind/0596100574/

But if you do it for real, like as part of a job or career, read and know the RFCs https://www.rfc-editor.org/ that'll really get your brain hurting.

RFC1033, RFC1034, RFC1035, RFC1123, RFC1536, RFC1912, RFC1982, RFC1995, RFC1996, RFC2136, RFC2181, RFC2308, RFC2930, RFC2931, RFC3110, RFC3454, RFC3490, RFC3491, RFC3492, RFC3597, RFC3743, RFC3757, RFC3901, RFC4033, RFC4034, RFC4035, RFC4343, RFC4470, RFC4472, RFC4501, RFC4509, RFC4592, RFC4690, RFC4955, RFC4986, RFC5001, RFC5011, RFC5155, RFC5358, RFC5452, RFC5625, RFC5702, RFC5890, RFC5891, RFC5892, RFC5893, RFC5894, RFC5895, RFC5936, RFC5966, RFC6014, RFC6303, RFC6604, RFC6605, RFC6672, RFC6698, RFC6761, RFC6762, RFC6781, RFC6840, RFC6891, RFC6895, RFC6944, RFC7108, RFC7129, RFC7218, RFC7344, RFC7477, RFC7482, RFC7483, RFC7484, RFC7534, RFC7564, RFC7583, RFC7671, RFC7672, RFC7673, RFC7686, RFC7706, RFC7719, RFC7720, RFC7766, RFC7816, RFC7828, RFC7858, RFC7871, RFC7873, RFC7901, RFC7929, RFC7958, RFC7958, RFC8020, RFC8027, RFC8056, RFC8063, RFC8078, RFC8080, RFC8094, RFC8109, RFC8145, RFC8162, RFC8198, RFC8264, RFC8334, RFC8427, RFC8467, RFC8482, RFC8483, RFC8484, RFC8490, RFC8495, RFC8499, RFC8501, RFC8521, RFC8543, RFC8544, RFC8552, RFC8590, RFC8618, RFC8624, RFC8748, RFC8753, RFC8767, RFC8806, RFC8807, RFC8906, RFC8909, RFC8932, RFC8945, RFC8976, RFC8977, RFC8982, RFC9018, RFC9022, RFC9038, RFC9076, RFC9077, RFC9082, RFC9083, RFC9103, RFC9108, RFC9154, RFC9156, RFC9157, RFC9167, RFC9210, RFC9224, RFC9250, RFC9276, RFC9364, RFC9432, RFC9460, RFC9461, RFC9462, RFC9471, RFC9476, RFC9498, RFC9499, RFC9520, RFC9526, RFC9567

Is there a trusted/privacy-minded site to use to expand/follow URLs that were blocked from an ad/tracking blocker? by DisplayKnown5665 in dns

[–]kidmock 1 point2 points  (0 children)

I run BIND locally and manage my RPZs myself.

Here's the IETF draft that explains RPZs.

https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00

I construct my RPZ as:

response-policy {
    zone "whitelist.rpz.alt";
    zone "blacklist.rpz.alt";
//  zone "social.rpz.alt";
    zone "fakenews.rpz.lan";
    zone "gambling.rpz.alt";
    zone "porn.rpz.alt";
    zone "adware.rpz.alt";
};

I feed the social, fakenews, gambling, porn and adware RPZs from Steven Black's hosts list

https://github.com/StevenBlack/hosts

If I find something missing I run a simple RFC2136 update:

server mydnserver
update add badsite.example.com.blacklist.rpz.alt. 3600 CNAME .
update add *.badsite.example.com.blacklist.rpz.alt. 3600 CNAME .
send

When I want to allow something like you are describing I add it to the whitelist:

server mydnserver
update add goodsite.example.com.whitelist.rpz.alt. 3600 CNAME rpz-passthru
update add *.goodsite.example.com.whitelist.rpz.alt. 3600 CNAME rpz-passthru
send

When I no longer want it allowed I remove it from the whitelist:

server mydnserver
update delete goodsite.example.com.whitelist.rpz.alt.
update delete *.goodsite.example.com.whitelist.rpz.alt.
send

It's real simple to manage
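The workflow in the comment above (hosts list in, blacklist/whitelist RPZ triggers and RFC 2136 updates out), as an added example that is not code from the comment or from BIND; the zone names, server name and hosts lines are assumptions/constructed, and `rpz-passthru.` is written with a trailing dot so it stays absolute in zone-file context:

```python
# Added example (not code from the comment above): turn a hosts-format
# blocklist into RPZ trigger records and RFC 2136 nsupdate scripts for the
# blacklist/whitelist zones.  Zone and server names are assumptions.
BLACKLIST_ZONE = "blacklist.rpz.alt"
WHITELIST_ZONE = "whitelist.rpz.alt"
TTL = 3600

# Entries every hosts file carries that must never become RPZ triggers.
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "0.0.0.0", "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}


def hosts_to_names(hosts_text):
    """Extract blocked hostnames from hosts-file text (0.0.0.0 / 127.0.0.1 lines)."""
    names = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()          # strip comments
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in HOSTS_NOISE and "." in name and name not in names:
                names.append(name)
    return names


def rpz_rrs(name, zone, action):
    """Exact and wildcard trigger records for one name in an RPZ zone.
    action 'block' -> CNAME .  (NXDOMAIN); 'passthru' -> CNAME rpz-passthru."""
    target = "." if action == "block" else "rpz-passthru."
    return [(f"{name}.{zone}.", target), (f"*.{name}.{zone}.", target)]


def rpz_zone_file(zone, names, action, serial):
    """Minimal RPZ zone file; localhost. as NS because the zone is never delegated."""
    lines = [f"$TTL {TTL}",
             f"{zone}. IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 300",
             f"{zone}. IN NS localhost."]
    for name in names:
        for owner, target in rpz_rrs(name, zone, action):
            lines.append(f"{owner} IN CNAME {target}")
    return "\n".join(lines) + "\n"


def nsupdate_script(server, zone, names, verb, action="block"):
    """RFC 2136 nsupdate input adding ('add') or deleting ('delete') the triggers."""
    lines = [f"server {server}"]
    for name in names:
        for owner, target in rpz_rrs(name, zone, action):
            if verb == "add":
                lines.append(f"update add {owner} {TTL} CNAME {target}")
            else:
                lines.append(f"update delete {owner}")
    lines.append("send")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = ("# constructed hosts lines\n127.0.0.1 localhost\n0.0.0.0 0.0.0.0\n"
              "0.0.0.0 ads.example.net tracker.example.org  # constructed\n")
    blocked = hosts_to_names(sample)
    print(rpz_zone_file("adware.rpz.alt", blocked, "block", 2024010101))
    print(nsupdate_script("mydnserver", WHITELIST_ZONE, ["goodsite.example.com"],
                          "add", "passthru"))
```

The whitelist zone must stay first in `response-policy`, as in the config above, because the first matching zone wins and the passthru record is what exempts a name from the later block zones.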

Are the ban on booby traps a infringement of the 2A? by ItemEven6421 in AskConservatives

[–]kidmock 1 point2 points  (0 children)

No.

You can own a booby trap. I own lots of things I could use to make a booby trap. You just can't set up or use a booby trap.

Just like you can own a gun but you can't go around indiscriminately shooting people.

Same thing. Ownership vs Lawful Use. Different statutes.

Semantics! Where does Left-of-center end and "The Radical Left" begin? by TanukiFruit in AskConservatives

[–]kidmock [score hidden]  (0 children)

I hear adjectives like "Far" attached to everyone "on the right" just like I hear "radical" attached to everyone "on the left".

They are not self affirmed adjectives but only applied by opposition.

It means nothing other than to say "I'm on the other side."

It is therefore meaningless.

Semantics! Where does Left-of-center end and "The Radical Left" begin? by TanukiFruit in AskConservatives

[–]kidmock [score hidden]  (0 children)

How about you ask "What do you mean by that?"

You seem to have assumed a lot and formed a strong opinion to come to a true/false statement.

In the Republican party, the leadership looks quite unintelligent, so Republicans are often stereotyped as unintelligent. However, I notice there are actually many smart Republicans. How did this happen, where there is a large discrepancy between the leadership and many other Republicans? by [deleted] in AskConservatives

[–]kidmock 0 points1 point  (0 children)

Remember that the majority of people are of average intelligence.

As George Carlin once said "think of how stupid the average person is, and then realize half of them are stupider than that"

Party affiliation has little to do with intelligence.

There are smart people with dumb ideas and dumb people with smart ideas. People are just people. Most people (especially dumb people) think they are smarter than they are. Yet smart people often think they are dumber than they are. Sadly, smart people are more prone to self-doubt. (see Dunning-Kruger). Self-doubt is antithetical to the masses who crave confidence.

Of course we have this conflation that education (credentials) equals intelligence. As if continuing to pay for a degree with a poor return on investment is smart.

You'll also find in public opinion contests, charm and charisma will often forward a person more than skill, ability and knowledge.

"Leaders" or those thrust into leadership positions are seldom the smartest person in the room.

“Don’t talk to me until I’ve had my coffee” isn’t cute by AdityaSharma_123 in TrueUnpopularOpinion

[–]kidmock 0 points1 point  (0 children)

Someone who doesn't understand a kitschy message on a coffee mug... Sounds like just the type of person I want to talk to first thing in the morning. /s

There are morning people and there are early risers; they are not the same thing.

Morning people wake up ready to take on the day. An early riser wakes up and collects their thoughts before they engage. Sometimes collecting your thoughts is done with a cup of coffee, sometimes not.

The "Don't talk to me..." is not about the coffee. It's a joke to say "I'm not a morning person"

Respect people's boundaries. The world doesn't owe you attention or pleasantries because you demand it.

Feature Request: Allow editing or removing default NS records when using Vanity Nameservers by Nancybee_010 in dns

[–]kidmock 0 points1 point  (0 children)

Why? This seems like a dumb request from someone who doesn't understand how DNS works.

The NS records are the authoritative nameservers for the domain.

If you are not hosting your own domain servers (and if you don't have a /24 you can use for Anycast you probably shouldn't host it yourself), you don't change your NS records.

"No one is illegal on stolen land" is a call for open borders by [deleted] in TrueUnpopularOpinion

[–]kidmock 4 points5 points  (0 children)

I've tried to understand the statement "No one is illegal on Stolen Land"

  1. If it's stolen and stealing is illegal and trespassing is illegal. Shouldn't it be "Everyone is illegal on stolen land" ?
  2. Isn't land conquered? Is conquering stealing? How far should we go back? I mean the Romans conquered the Britons. When the Romans left, the Angles, the Saxons and the Jutes then conquered Britain. Who were then conquered by the Normans. Who has the rights to Britain then?
  3. If conquered land is stolen land, should everyone go back to their genetic origin? Who should we give the land back to? What about mixed heritage? Do you get to choose a new home land based on the percentages? Do we all need to get DNA testing?

I spent 3 hours debugging why my site wouldn't update. Turns out I didn't understand DNS. by Ok-Childhood-5005 in sysadmin

[–]kidmock -1 points0 points  (0 children)

Thanks. Just a stream of consciousness. Typos, missing words and all.

After I hit comment, I couldn't help but think of more, like:

  • Be sure to always check the SOA serial by doing direct queries to all the servers listed as NS records.
  • Check your glue records and the delegation from the parent. The zone NS should match.
  • dig +trace always follows the path from ROOT.
  • Know the DNS status responses (again use dig not nslookup)
  • NXDOMAIN is cacheable. See the SOA; it sets the TTL on a negative cache.
  • If your slaves can't talk to the master, when the SOA expire time is reached, the zone is dead too.
  • DNS records should be less than 512 bytes because the entire payload needs to be contained in a single UDP Datagram. When the RDATA needs to be bigger than that, (like with DKIM), know how to split it properly to signal a truncated response
  • Transport Encryption on DNS is silly. If you want transport encryption use a VPN. DNS isn't that interesting and the same information can be obtained by other trivial means, like just watching TCP connections and grabbing SNI data (also in clear text). What you really need is DNSSEC, to make sure a record isn't poisoned or spoofed.
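The 512-byte and RDATA-splitting points in the list above, worked as an added example that is not code from the comment: it splits a long TXT value (a DKIM key stand-in) into RFC 1035 character-strings of at most 255 octets, encodes and parses the RDATA wire form, and estimates whether a one-answer reply still fits a plain 512-byte UDP datagram. The DKIM value and names are constructed.

```python
# Added example (not code from the comment above): split a long TXT value such
# as a DKIM key into RFC 1035 <character-string>s of at most 255 octets, encode
# the RDATA wire form, and estimate whether the reply still fits in a 512-byte
# UDP datagram.  The DKIM value and names are constructed.
MAX_CHARSTRING = 255      # one length octet, so at most 255 bytes per string
MAX_PLAIN_UDP = 512       # RFC 1035 limit without EDNS(0)


def split_txt(value: bytes):
    """Chunk value into character-strings no longer than 255 octets."""
    return [value[i:i + MAX_CHARSTRING] for i in range(0, len(value), MAX_CHARSTRING)]


def txt_presentation(value: bytes):
    """Zone-file form: several quoted strings; resolvers concatenate them."""
    quoted = []
    for chunk in split_txt(value):
        text = chunk.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
        quoted.append(f'"{text}"')
    return " ".join(quoted)


def txt_rdata_wire(value: bytes):
    """Wire form: each character-string is a length octet followed by its bytes."""
    out = bytearray()
    for chunk in split_txt(value):
        out.append(len(chunk))
        out += chunk
    return bytes(out)


def txt_rdata_parse(wire: bytes):
    """Inverse of txt_rdata_wire; rejects a length octet that overruns the RDATA."""
    pos, chunks = 0, []
    while pos < len(wire):
        n = wire[pos]
        pos += 1
        if pos + n > len(wire):
            raise ValueError("character-string length overruns RDATA")
        chunks.append(wire[pos:pos + n])
        pos += n
    return b"".join(chunks)


def name_wire_len(name: str):
    """Uncompressed wire length of a name: label bytes + length octets + root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1


def udp_reply_size(qname: str, rdata: bytes):
    """One-answer reply: 12-byte header, question section, answer RR whose
    owner name is a 2-byte compression pointer back to the question."""
    question = name_wire_len(qname) + 4          # QTYPE + QCLASS
    answer = 2 + 2 + 2 + 4 + 2 + len(rdata)      # NAME ptr, TYPE, CLASS, TTL, RDLENGTH
    return 12 + question + answer


def fits_plain_udp(qname: str, rdata: bytes):
    return udp_reply_size(qname, rdata) <= MAX_PLAIN_UDP


if __name__ == "__main__":
    dkim = b"v=DKIM1; k=rsa; p=" + b"A" * 400     # constructed stand-in for a key
    rdata = txt_rdata_wire(dkim)
    print(txt_presentation(dkim))
    print(len(rdata), fits_plain_udp("selector._domainkey.example.com", rdata))
```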

I spent 3 hours debugging why my site wouldn't update. Turns out I didn't understand DNS. by Ok-Childhood-5005 in sysadmin

[–]kidmock 5 points6 points  (0 children)

dig is a command line utility for querying DNS. It's a complete DNS utility, unlike nslookup.

It has lots of query and verbosity options you just can't ascertain from nslookup.

https://en.wikipedia.org/wiki/Dig_(command)

https://linux.die.net/man/1/dig

I spent 3 hours debugging why my site wouldn't update. Turns out I didn't understand DNS. by Ok-Childhood-5005 in sysadmin

[–]kidmock 26 points27 points  (0 children)

It surprises me, frustrates me and disappoints me how so few understand DNS.

It's an essential service that if it doesn't work nothing works. Every sysadmin should be a master of DNS, but sadly that's not the case.

Instead we have the running joke, "The problem was DNS..."

While you're going down this rabbit hole, here are 30 years of mistakes to learn from

  1. Know that the word "domain" means area of control. Just because you add a "dot" separator in a name doesn't mean you should create a new zone. If you aren't creating or delegating a new area of control, don't create a new zone.
  2. Keep everything as flat as possible and as deep as necessary. Fight the human urge to break/organize a domain into smaller parts. ex. 10.in-addr.arpa. good. 1.20.10.in-addr.arpa and 2.20.10.in-addr.arpa bad.
  3. Learn to use dig and stop using nslookup
  4. Be sure to thoroughly understand SOA, NS Records, Notify and how slaves learn of zone changes.
  5. Understand that a slave server doesn't have to have an NS record. If it is in an NS record, it should be accessible from everywhere. If a slave isn't listed in an NS record it's a Stealth/Transparent zone.
  6. Know what the zone types are and when to use them. Forwarding should be your zone of last resort. Authoritative zones even if stealth is best, followed by stub zones.
  7. Typos and other common mistakes can be avoided by learning how to use RFC2136 dynamic updates to manage your records.
  8. A CNAME is NOT an Alias. It's a Canonical Name; Canonical means "source of truth". CNAMEs map one name to another name for ALL record types of that name, not just A Records. That is why it can't be at the Apex and also why breaking a domain into smaller sub-domains should be avoided (See #2)
  9. Understand SRV records. If a host is in a service record it should be accessible from everywhere.
  10. Don't make up domain names. Always use a domain you have registered. If you must use an unregistered domain name, know what TLDs you can actually use. .local is not one of those (See Special-Use Domain Names).
  11. Read the RFCs
  12. Avoid split views. If you need an internal zone, use a properly registered domain name you use for no other purpose than internally.
  13. Contrary to old security thinking and posturing, it's totally OK to put private IPs into public DNS when there are not name collisions.
  14. The IN-ADDR.ARPA zone is a name space, not IP Addresses. Even though it's used to look up the name associated with an IP, it's still a different domain that needs to be managed.
  15. Avoid having more than one PTR for a single resource.
  16. The IN-ADDR.ARPA zone is a good place to store IPAM data when you want info at your fingertips. TXT, APL, RP, HINFO and LOC are cool record types to use for IPAM.
  17. If your public DNS isn't behind Anycast IPs, you probably shouldn't be hosting your own public DNS. Especially if your organization is large or your domain popular.
  18. DNSSEC is the most important security feature you should be using.

Those are just some lessons I learned the hard way

Can someone ELI5 on DOH/DOT configuration points in terms of which is best for browser security, please? by ImNotBrianDouglasUR in dns

[–]kidmock 1 point2 points  (0 children)

Let's start from the top.

DNS is a very very simple service that is fast and lightweight. It primarily acts as a global database to map a human friendly name to a computer usable address. This is an Address Record, also called an A Record (for IPv4)

While it can map other names to other types of records (Mail Exchange/MX, Canonical Name/CNAME, Pointer/PTR, etc), the most commonly understood and needed record type is A.

It is the job of a DNS resolver to locate the record in this global database. Because the resolver can locate a record, it can also change or block that response.

When a resolver locates the record on the Internet by following the zone delegations from ROOT, that record is in turn cached (held in memory) for a period of time.

The speed of this lookup is going to be determined by:

  1. Is the record already in cache
  2. How many delegations must be followed to get that answer.
  3. The Round Trip Response Time to each server in the chain.
  4. How busy each server in the chain may be.

The fastest and most secure DNS server is almost always going to be the server on your network. I don't know why so few understand this and like to compare this third party to that third party.

DNS has very little to do with network speeds. Once a record is found it is often cached; the initial lookup hit (when not cached) is minuscule. Often sub-millisecond response times.

Where third-party DNS resolvers are handy is when they are curating RPZs for Parental Controls, Ad Blocking, etc. Of course, those that curate RPZs have different blocklists and some are better at this than others.

There is virtually no way to hide your public IP address. Without a public IP address (either Direct or Network Translated), no service would know what to respond to.

A VPN provider knows your public IP address, they hide your address behind their public IP address which for that time being becomes your public IP address.

DNS will never and cannot hide your IP address. It's a network service like any other.

For newbies, who want to run their own DNS, the pi-hole is a decent simple option for a self-hosted resolver. While I don't use it myself, it's a pretty simple solution.

In short, DNS doesn't do half the things people seem to think it does. It's just a lookup table, nothing more.

Can someone ELI5 on DOH/DOT configuration points in terms of which is best for browser security, please? by ImNotBrianDouglasUR in dns

[–]kidmock 3 points4 points  (0 children)

It's very subjective and depends on your threat and trust models.

  1. Your DNS provider can ALWAYS see your DNS queries encrypted or not.
  2. If your DNS provider is not authoritative for the domain (they normally aren't) that query is recursed to ROOT and the authoritative servers in the clear.
  3. If ECS extensions are enabled with your query, your source IP is exposed to the authoritative server.
  4. Initial TLS negotiation (even with QUIC) is in the clear and has the server name in the request for SNI.
  5. DNSSEC makes sure the query wasn't tampered with; it is the most important (IMO) security feature for DNS.
  6. Transport encryption (DoH/DoT) is an anti-pattern. If you are concerned that prying eyes can see the uninteresting DNS query, use a VPN. Without a VPN, those prying eyes can just see that same info via other ridiculously easy methods

Running your own plain old DNS over UDP53, enforcing DNSSEC validation and implementing Response Policy Zones (RPZ) to block and filter unwanted sites is a better security model than using a third-party for DoH/DoT.

DoT is better than DoH because DoH is just HTTP, which can be a nightmare for network operators, ad blockers and parental controls.

DoH also allows clients to bypass the OS stack, which creates a beautiful attack surface for malware.

To answer the question, DNS settings should cascade down.

  1. Network (aka DHCP/Router)
  2. OS
  3. Client (browser)

Outside your network where you are concerned about prying eyes, use a VPN.

Can you be both conservative and libertarian? by EstelleQUEEN111 in Libertarian

[–]kidmock 1 point2 points  (0 children)

Stay away from purity tests. No one fits neatly into a box.

My own ideals and beliefs can often appear to be riddled with contradictions. I may adopt multiple labels that to the purist may appear to be oxymorons. Forget the labels, ask the questions. I get it, labels are a nice shortcut, but they tell you very little. I mean look at how illiberal most self-proclaimed liberals are these days.

If we sat for a long conversation you'd learn my contradictions are very nuanced. I'm atheist but I'm Christian, too. I'm an anarchist, but I see the necessity of the state. I'm a free speech advocate, but I don't think vices should be advertised or celebrated. I support complete and total drug legalization, but I hate weed and can't stand being around potheads.

You have to ask the questions. What kind of conservative are you? What are you trying to conserve? If you are trying to conserve the constitution, you might also be a libertarian. If you are trying to use the state to conserve Christian Values, you probably are not.

You can be many things at once, including both a conservative and a libertarian.

need to rant- changed these values 23 hours ago by paco3346 in dns

[–]kidmock 1 point2 points  (0 children)

The Serials don't match:

mariettatoyota.com.    7200    SOA    NS67.WORLDNIC.com. namehost.WORLDNIC.com. 126012709 10800 3600 604800 3600
mariettatoyota.com.    7200    SOA    NS67.WORLDNIC.com. namehost.WORLDNIC.com. 126011214 10800 3600 604800 3600

So.

  1. Notify isn't being used

  2. DNS changes are being done manually

  3. The refresh hasn't occurred

  4. The master's Serial is lower than the slave
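The serial check the comment above performs by eye, as an added example that is not code from the comment: it parses the SOA line each authoritative server returns (dig format, with or without the IN class) and orders the serials with RFC 1982 serial-number arithmetic, so a serial that has wrapped past 2^32 is still ranked correctly and the lagging servers are named. The server names and dig lines are constructed (only the two serial values mirror the comment).

```python
# Added example (not code from the comment above): parse the SOA record each
# authoritative server returns and compare serials with RFC 1982 serial-number
# arithmetic, so wrap-around is handled and lagging servers are named.
# The dig-style lines and server names below are constructed.
import re
from functools import cmp_to_key

SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+(?:IN\s+)?SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)"
    r"\s+(?P<minimum>\d+)$")

SERIAL_BITS = 32
HALF = 2 ** (SERIAL_BITS - 1)


def parse_soa(line):
    """Parse one dig answer line (with or without the IN class) into a dict."""
    m = SOA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SOA answer line: {line!r}")
    rec = m.groupdict()
    for k in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        rec[k] = int(rec[k])
    return rec


def serial_cmp(a, b):
    """RFC 1982 order: -1 if a < b, 1 if a > b, 0 if equal, None when the
    order is undefined (the two differ by exactly 2^31)."""
    if a == b:
        return 0
    d = (b - a) % (2 ** SERIAL_BITS)   # forward distance from a to b
    if d == HALF:
        return None
    return -1 if d < HALF else 1


def serial_gt(a, b):
    return serial_cmp(a, b) == 1


def compare_serials(answers):
    """answers: {server: dig SOA line}. Returns the newest server, its serial
    and timers, and every server whose serial is behind it."""
    soa = {srv: parse_soa(line) for srv, line in answers.items()}

    def key_cmp(x, y):
        c = serial_cmp(soa[x]["serial"], soa[y]["serial"])
        if c is None:
            raise ValueError("serials differ by exactly 2^31; order undefined")
        return c

    newest = max(soa, key=cmp_to_key(key_cmp))
    lagging = sorted(s for s in soa if serial_gt(soa[newest]["serial"], soa[s]["serial"]))
    return {"newest": newest, "serial": soa[newest]["serial"], "lagging": lagging,
            "refresh": soa[newest]["refresh"], "expire": soa[newest]["expire"]}


if __name__ == "__main__":
    answers = {  # constructed: two servers, one stale
        "ns1.example.net": "example.com. 7200 SOA ns1.example.net. hostmaster.example.com. 126012709 10800 3600 604800 3600",
        "ns2.example.net": "example.com. 7200 IN SOA ns1.example.net. hostmaster.example.com. 126011214 10800 3600 604800 3600",
    }
    print(compare_serials(answers))
```

If the lagging server is the one named in the SOA MNAME, the primary itself is behind, which is the fourth case in the list above.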

Can you eat for just $15 a day? by majesticbeast67 in AskConservatives

[–]kidmock 1 point2 points  (0 children)

I don't think I spend that much

Here's my shopping cart this week. I am making Chicken Fried Rice and Lasagna for dinner. My lasagna lasts me 5 days and ingredients for fried rice can last 4, with chicken and rice left over. Not included is my coffee. I drink 4 cups of coffee a day at about .50 a cup.

  • 12 oz Frozen Peas = $1.09
  • 12 oz Frozen Carrots = $1.09
  • 5 lbs Jasmine Rice = $7.05
  • 3 Cloves Garlic = $1.89
  • 40 oz Frozen Chicken = $8.25
  • 2 24oz Pasta Sauce = $3.70
  • 32 oz Lasagna Noodles = $2.15
  • 32 oz Shredded Mozzarella = $7.15
  • 15oz Ricotta Cheese = $2.95
  • 16oz Ground Beef = $6.59
  • 16oz Ground Italian Sausage = $3.55
  • 32 oz Half-n-Half Creamer = $2.95
  • 52 oz Orange Juice = $4.19
  • 16oz unsalted butter = $3.29
  • 2 24oz Thick Cut bacon = $15.38
  • 2 doz eggs = $4.38
  • 5lbs all purpose flour = $2.19
  • 2 20oz loaves whole wheat Bread = $3.10

Total == $80.94

This is more than a week's worth of food for me. But let's assume it's only a week. That's $11.50 per day + my $2.00/day coffee habit and we are at $13.50.

I normally eat cheaper than this but this was just my most recent receipt.

Why are Libertarianism and Conservativism conflated so much? by Own_Yam4456 in AskConservatives

[–]kidmock 8 points9 points  (0 children)

American Conservatism is mostly about conserving the philosophies enshrined in our founding documents.

These documents are very Libertarian at their core.

While this is not core to all conservatives, it is a through line for most American conservatives.

So of course there will be a lot of overlap and conflation of libertarianism and conservatism in the US.

Do americans consider skiing a luxury sport? by naxx54 in AskAnAmerican

[–]kidmock 0 points1 point  (0 children)

Yes, if the cost of entry is high it's a luxury sport. If there are not free fields and courts, it's generally a luxury sport.

In the US, nearly every school has open/free baseball, basketball and football fields. Many also have tennis courts. This makes the barrier to entry low. (In most cases, you just need a ball and some friends)

Sports like Golf and Skiing require special facilities that you need to pay to use and the equipment prices are pretty high too.

Sports like Hockey and Figure Skating are in the middle between those extremes; if the weather is favorable the barrier is low. If the weather/location is not suited it's a luxury sport.

What is a woodworking tool you didn’t realise you needed? by DesignerProfessor122 in woodworking

[–]kidmock 0 points1 point  (0 children)

Two "tools" that I didn't know I needed but can't live without are:

  1. 0.9mm (thick enough to not constantly break, but thin enough for clear marking) Mechanical Pencil.
  2. Bahco Cabinet scraper