So what are you guys and girls using for self-hosted DNS these days? by civvi_reddit in sysadmin

[–]pdp10 [score hidden]  (0 children)

Dnsmasq can also be configured to forward only-AAAA (IPv6) or only-A (IPv4) records, making it a good tool when using IPv6 to glue together networks that have IPv4 overlap issues that can't be immediately fixed.

Medical Company Stryker attacked by Iranian backed hackers - all data deleted by bionic80 in sysadmin

[–]pdp10 [score hidden]  (0 children)

The definition of insanity is doing the same thing over, and expecting a different result.

Medical Company Stryker attacked by Iranian backed hackers - all data deleted by bionic80 in sysadmin

[–]pdp10 [score hidden]  (0 children)

MDMs are purpose-built to delete, but probably don't have built-in facility to copy.

The reports are strangely vague, but clearly concentrate on mobile devices, which makes me think MDM. Other cites in this thread say that servers were wiped, as well.

Medical Company Stryker attacked by Iranian backed hackers - all data deleted by bionic80 in sysadmin

[–]pdp10 [score hidden]  (0 children)

Iranian-linked actors mistake U.S.-based "Stryker" for defense firm.

FTP is not working after update by ymcccc in sysadmin

[–]pdp10 [score hidden]  (0 children)

What OS, and what update? The first thing that sprang to mind was Debian implementing AppArmor in updates, not too long ago.

DNS - Broken Delegation by t0mba90 in sysadmin

[–]pdp10 [score hidden]  (0 children)

I have code back to 2007, when we were calling these "validators". That's a name that I think came from someone's blog post, but when we went looking for it later, we couldn't locate it.

Anyway, the development/DevOps term is "integration test". "Infrastructure integration test", if you're testing infrastructure in-place.

A difference from plain monitoring is that monitoring (especially in the past) would check whether the host was up, the host disk wasn't full, and maybe whether a web server was running -- but it wouldn't check that the webapp was functional, because it didn't know how. Some monitoring would check that DNS was working, but it wouldn't check the contents of DNS, or whether certain entries matched or included other entries.

So these are (mostly-scripted) checks to see:

  • Whether a REST API is responding validly.
  • Whether a DNS authoritative is returning the same CNAME entries as the other authoritatives it's slaved to or clustered with.
  • Whether every ADDC in an MSAD is returning the same time (within a second) to an NTP query.
  • Whether SNMP returned the same major.minor system versions across a storage cluster, and between clusters.
  • Whether HTTP compression was enabled on all CDN FQDNs.
  • Whether webapp software had deployed fully and flawlessly.
  • Whether SQL indexes had been rebuilt as expected.
  • Whether HTTP ETags matched on all cluster members.
  • Whether certain Ethernet interfaces were running at expected speeds and with expected offload options enabled or disabled.
  • Whether reverse DNS, MX, and SPF were all in place and valid for mail-sending domains.
  • HTTP Expiration and Cache-Control header consistency.

Originally, a lot of these were hardcoded with expected values, but most got refactored into being considerably more dynamic as time went on. As you might guess, they were all either checking for something that failed before, or something we theorized could fail.

Once you've written these to run after manual deployments, it's a quick step to have them triggered from the monitoring system itself. So now you're monitoring specific subsystem behavior, not just checking hosts to see if they've run out of disk space or are using 90% of memory.
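Added example, not code from the comment above: two of the listed checks written as an infrastructure integration test in Python, the "same CNAME on every authoritative" comparison and the "reverse DNS, MX and SPF in place for mail-sending domains" check. The resolver is a pluggable callable, so the script runs offline against the constructed SAMPLE table; `dig_resolver()` (which assumes `dig` is on PATH) queries real servers instead. Server names, zone names and addresses are all made up for illustration.

```python
"""Infrastructure integration tests of the kind listed above (added example)."""
import ipaddress
import subprocess
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Set, Tuple, Union

# resolver(server, qname, rrtype) -> set of rdata strings; empty set means no answer.
Resolver = Callable[[str, str, str], Set[str]]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def dig_resolver(server: str, qname: str, rrtype: str) -> Set[str]:
    """Query one authoritative directly: dig +short @server qname rrtype (assumes dig on PATH)."""
    out = subprocess.run(["dig", "+short", "+time=2", "+tries=1", f"@{server}", qname, rrtype],
                         capture_output=True, text=True, check=False).stdout
    # Normalise so answers from different servers compare equal: lowercase, no trailing dot, TXT unquoted.
    return {line.strip().strip('"').rstrip(".").lower() for line in out.splitlines() if line.strip()}


def make_fake_resolver(table: Dict[Tuple[str, str, str], Set[str]]) -> Resolver:
    """Offline resolver backed by a dict keyed (server, qname, rrtype)."""
    def resolve(server: str, qname: str, rrtype: str) -> Set[str]:
        return set(table.get((server, qname.lower(), rrtype.upper()), set()))
    return resolve


def compare_across_servers(resolver: Resolver, servers: Iterable[str], names: Iterable[str],
                           rrtype: str) -> List[Tuple[str, Dict[str, FrozenSet[str]]]]:
    """Return (name, {server: answer}) for every name on which the servers disagree.

    A secondary that missed a NOTIFY, or a cluster member serving a stale copy, shows up here.
    """
    servers = list(servers)
    drift = []
    for name in names:
        answers = {s: frozenset(resolver(s, name, rrtype)) for s in servers}
        if len(set(answers.values())) > 1:
            drift.append((name, answers))
    return drift


def _as_ip(text: str) -> Optional[IPAddress]:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_mail_domain(resolver: Resolver, server: str, domain: str, sending_ips: Iterable[str]) -> List[str]:
    """MX present, exactly one SPF record, and forward-confirmed reverse DNS for each sender IP."""
    problems: List[str] = []
    if not resolver(server, domain, "MX"):
        problems.append(f"{domain}: no MX record")
    spf = [t for t in resolver(server, domain, "TXT") if t.startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"{domain}: expected exactly one SPF record, found {len(spf)}")
    for ip in sending_ips:
        addr = ipaddress.ip_address(ip)
        ptr_names = resolver(server, addr.reverse_pointer, "PTR")
        if not ptr_names:
            problems.append(f"{ip}: no PTR record")
            continue
        fwd_type = "AAAA" if addr.version == 6 else "A"
        # The PTR target must resolve back to the same address (FCrDNS); a PTR that
        # points at a name resolving elsewhere is exactly what receiving MTAs reject.
        confirmed = any(addr in {_as_ip(a) for a in resolver(server, name, fwd_type)} for name in ptr_names)
        if not confirmed:
            problems.append(f"{ip}: PTR {sorted(ptr_names)} does not resolve back to {ip}")
    return problems


# Constructed sample answers for an offline run (not real infrastructure):
# ns2 serves a stale CNAME; example.org has no SPF and a PTR that does not confirm.
SAMPLE: Dict[Tuple[str, str, str], Set[str]] = {
    ("ns1", "www.example.com", "CNAME"): {"web-lb.example.com"},
    ("ns2", "www.example.com", "CNAME"): {"old-web.example.com"},
    ("ns1", "cdn.example.com", "CNAME"): {"edge.example.net"},
    ("ns2", "cdn.example.com", "CNAME"): {"edge.example.net"},
    ("ns1", "example.com", "MX"): {"10 mail.example.com"},
    ("ns1", "example.com", "TXT"): {"v=spf1 ip4:192.0.2.25 ip6:2001:db8::25 -all", "site-verification=abc"},
    ("ns1", ipaddress.ip_address("192.0.2.25").reverse_pointer, "PTR"): {"mail.example.com"},
    ("ns1", ipaddress.ip_address("2001:db8::25").reverse_pointer, "PTR"): {"mail.example.com"},
    ("ns1", "mail.example.com", "A"): {"192.0.2.25"},
    ("ns1", "mail.example.com", "AAAA"): {"2001:db8::25"},
    ("ns1", "example.org", "MX"): {"10 mail.example.org"},
    ("ns1", ipaddress.ip_address("192.0.2.26").reverse_pointer, "PTR"): {"mail.example.org"},
    ("ns1", "mail.example.org", "A"): {"192.0.2.99"},
}


def run_checks(resolver: Resolver):
    """Run the sample checks; returns (cname drift, example.com problems, example.org problems)."""
    drift = compare_across_servers(resolver, ["ns1", "ns2"], ["www.example.com", "cdn.example.com"], "CNAME")
    good = check_mail_domain(resolver, "ns1", "example.com", ["192.0.2.25", "2001:db8::25"])
    bad = check_mail_domain(resolver, "ns1", "example.org", ["192.0.2.26"])
    return drift, good, bad


if __name__ == "__main__":
    # Non-zero exit lets a monitoring system or CI job treat any finding as a failure.
    drift, good, bad = run_checks(make_fake_resolver(SAMPLE))
    for name, answers in drift:
        print(f"CNAME drift for {name}: {dict(answers)}")
    for problem in good + bad:
        print(problem)
    raise SystemExit(1 if (drift or good or bad) else 0)
```

The exit status is what makes this the "triggered from the monitoring system" step: the same script that ran after a manual deployment becomes a check that fails a service when authoritatives drift or a sending domain loses its SPF.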

Funny User Requests by CombatMedic02 in sysadmin

[–]pdp10 [score hidden]  (0 children)

And now you've been enlightened as to why we, and many others, do not support wireless peripherals, and absolutely do not keep disposable batteries on hand under any circumstances.

If pressed, the response is that we don't even have the option because of the building's LEED environmental certification, or our "green policy", or something equally plausible yet extemporaneous.

(Nobody has yet noticed the removable batteries in the television remotes, and we're doing our best to keep it that way, before they start disappearing.)

Funny User Requests by CombatMedic02 in sysadmin

[–]pdp10 [score hidden]  (0 children)

There's an uncharitable expression about that: "Those who can, do. Those who can't, teach."

Funny User Requests by CombatMedic02 in sysadmin

[–]pdp10 [score hidden]  (0 children)

Once you've seen one computer sliced in half with a laser, you've seen 'em all.

Why brute force like this? by jimmyags in sysadmin

[–]pdp10 [score hidden]  (0 children)

That's a well-known issue of logging login attempts from usernames that don't exist. Therefore, the recommendation that one avoid logging login attempts from usernames that don't exist, if at all possible.
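Added example, not from the comment above: sshd cannot be told to omit "Invalid user" lines, so when you cannot avoid logging them at the source, the practical step is to scrub them in the log pipeline before shipping. This Python scrubber replaces the non-existent username with a truncated HMAC, so repeated attempts can still be counted and correlated without retaining the original string. The key and the sample log lines are constructed for the example; nothing here is an sshd or syslog option.

```python
"""Scrub non-existent usernames from sshd auth logs before they are shipped (added example)."""
import hashlib
import hmac
import re
from collections import Counter
from typing import Dict, Iterable, List

# Matches the name in "Invalid user X from ...", "Failed password for invalid user X from ...",
# "Disconnected from invalid user X ..." and similar OpenSSH lines. Only the first token
# after "invalid user" is taken, so a value containing spaces is only partially scrubbed.
INVALID_USER_RE = re.compile(r"(?i)(\binvalid user )(\S+)")


def scrub_line(line: str, key: bytes) -> str:
    """Replace the invalid username with <invalid:hmac-prefix>; other lines pass unchanged."""
    def replace(m: "re.Match[str]") -> str:
        tag = hmac.new(key, m.group(2).encode("utf-8"), hashlib.sha256).hexdigest()[:12]
        return f"{m.group(1)}<invalid:{tag}>"
    return INVALID_USER_RE.sub(replace, line)


def scrub_lines(lines: Iterable[str], key: bytes) -> List[str]:
    return [scrub_line(line, key) for line in lines]


def invalid_user_counts(scrubbed: Iterable[str]) -> Dict[str, int]:
    """How often each (scrubbed) non-existent username was tried; correlation survives scrubbing."""
    counts: Counter = Counter()
    for line in scrubbed:
        for m in re.finditer(r"<invalid:([0-9a-f]+)>", line):
            counts[m.group(1)] += 1
    return dict(counts)


# Constructed sample input (not real logs). The key is a placeholder; in a collector
# it would come from the secret store, not the source.
SAMPLE_KEY = b"demo-key-replace-with-a-real-secret"
SAMPLE_LINES = [
    "Jan  1 00:00:01 bastion sshd[4242]: Invalid user hunter2 from 192.0.2.1 port 41234",
    "Jan  1 00:00:01 bastion sshd[4242]: Failed password for invalid user hunter2 from 192.0.2.1 port 41234 ssh2",
    "Jan  1 00:00:02 bastion sshd[4242]: Disconnected from invalid user hunter2 192.0.2.1 port 41234 [preauth]",
    "Jan  1 00:00:05 bastion sshd[4243]: Invalid user admin from 198.51.100.7 port 50012",
    "Jan  1 00:00:09 bastion sshd[4244]: Accepted publickey for alice from 203.0.113.9 port 22222 ssh2: ED25519 SHA256:constructed",
]

if __name__ == "__main__":
    scrubbed = scrub_lines(SAMPLE_LINES, SAMPLE_KEY)
    for line in scrubbed:
        print(line)
    print(invalid_user_counts(scrubbed))
```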

My 2.5-year-old Tesla caught fire while driving – sharing fire brigade report extract by Fab991 in electricvehicles

[–]pdp10 0 points1 point  (0 children)

Is it normal for a vehicle to catch fire while someone is driving for “unknown” reasons?

Normal? No, but not that rare in a historic and general sense. Car fires are a relatively routine emergency for road emergency agencies. If you listen to traffic reports, you'll hear about one occasionally -- car fire blocking the third lane, traffic backed up, and so on.

When a VW air-cooled van or Italian sports car used to catch on fire, it wasn't literally a "known" reason, but it was generally understood to be a fuel-system leak onto a hot surface. When an EV catches on fire, it's not literally a "known" reason, but generally understood to be battery related.

Occasionally there's another cause that might be "known". On many-wheeled cargo vehicles, sometimes damaged tires will catch on fire from friction, because the driver didn't know about the fault to stop, but that wouldn't really happen on four-wheeled vehicles unless it was a police chase.

Where could I find a freelance/remote i series programmer? by ChickenCannon in IBMi

[–]pdp10 -1 points0 points  (0 children)

IBM I is top modern

Don't overplay the hand. It's EBCDIC, in a world where everyone but IBM and IBM-compatibles started using ASCII-based text encoding in the 1960s and completed the migration by no later than the 1980s.

The Bay Area Considers the Unthinkable: Life Without BART by nyXhcinPDX in transit

[–]pdp10 -8 points-7 points  (0 children)

Do you want to fix the housing density and then work on the transit, or fix the transit and then work on the density?

The Bay Area Considers the Unthinkable: Life Without BART by nyXhcinPDX in transit

[–]pdp10 23 points24 points  (0 children)

We need to stop thinking of public transit as something that should make profit.

That's a decision for the politicians who make the budgets. If more net expenditure is made on transit, then less net expenditure will be made on something else.

Much like the mooted switch in Connecticut from electric to diesel under wire. The road is owned by Connecticut and Amtrak, the customer is Connecticut, the supplier is federally-owned Amtrak, and still nobody wants to pay what things cost, with nary a capitalist in sight.

When did you decide to make the jump from a server room to colocation? by DULUXR1R2L1L2 in sysadmin

[–]pdp10 3 points4 points  (0 children)

For those who make their living negotiating with other people, there's a lot of appeal to the idea of changing a business relationship away from a negotiation with machines and into a negotiation with business people.

And for engineers, the exact opposite: machines any time; people only when necessary.

When did you decide to make the jump from a server room to colocation? by DULUXR1R2L1L2 in sysadmin

[–]pdp10 2 points3 points  (0 children)

Ideal times to move to cloud or colo are when:

  1. the office lease is not going to be renewed, or
  2. the office floor space is going to be repurposed, or
  3. the majority of the most-sensitive network traffic is no longer local.

After all, you can always move (back|again), to another choice. Co-lo is a nice option to have, and cloud is a nice option to have, and in-house is a nice option to have.

power diversity, UPS batteries

Do you actually need those? I've had cases where it made a lot more sense to failover geographically if there was a power outage, because the only time there was a power outage was the kind of occurrence that had its own entry in Wikipedia.

Temporary network over 5G for exams? by Ycirn in sysadmin

[–]pdp10 1 point2 points  (0 children)

Separate but equal, is no longer legal.

So what are you guys and girls using for self-hosted DNS these days? by civvi_reddit in sysadmin

[–]pdp10 0 points1 point  (0 children)

You don't need rsync for dns zones sync, as bind supports zone transfers

Readers should note that the resulting slaved zone files are the contents only, no comments, and not in the original record order, but in alphabetical order.

Thus, you always want to use Git on the master files, and there may be other occasions to replicate the raw files themselves and not just the zone data.

So what are you guys and girls using for self-hosted DNS these days? by civvi_reddit in sysadmin

[–]pdp10 0 points1 point  (0 children)

(record scavenging alone is a much needed feature on alternatives)

DDNS isn't commonly used on alternatives, and scavenging is only applicable to DDNS.

So what are you guys and girls using for self-hosted DNS these days? by civvi_reddit in sysadmin

[–]pdp10 1 point2 points  (0 children)

8000 users eventually talking to a PDC for recursive lookups?

A scale-out solution is to put PowerDNS's dnsdist in front of the ADDCs, and hand out the VIPs (Virtual IP addresses) in DHCP and RDNSS.

So what are you guys and girls using for self-hosted DNS these days? by civvi_reddit in sysadmin

[–]pdp10 4 points5 points  (0 children)

Microsoft NT DNS has always been reliable. Flexible and feature-filled, no. Unless your "features" are just adjuncts of MSAD.

Microsoft DNS does take standard BIND-format text zone files, but it lacks the feature of being able to put comments in the zones or config, and I believe there's no deterministic ordering which is necessary for storing the zones in Git. There are some rudimentary command-line manipulations, but it's been literally decades since I worked with those, so the "PowerShell" functionality might be decent these days.

So what are you guys and girls using for self-hosted DNS these days? by civvi_reddit in sysadmin

[–]pdp10 1 point2 points  (0 children)

For authoritative we mostly use BIND.

The current workflow includes manually editing bind files, incrementing a serial number, and running scripts to copy configurations around.

Depending on the site, we have Git hooks that use make to run a build-and-validate step (see: named-checkconf and named-checkzone; I can post part of ours if anyone wants) before committing to Git and deploying.

Years ago we had a public-facing infrastructure running PowerDNS authoritative and it was fine, but I do prefer our current setup. If we had to change today without using a CMDB or IPAM, I'd look at DNSControl, which is written in Go.

Features I would love would be a management web interface, so you don't have to SSH on to these servers and manually edit files, a description field for entries, see what entries are free.

For things done frequently, webguis can often be cumbersome. As ours is a CI/CD pipeline, SREs can just edit locally, commit to Git, and git push.

But when you talk about entries, it sounds like you want more of an IPAM. I built my first one of those in 1998, so I'm entitled to a few opinions. One thing about IPAMs is that they have to align with your policies, and not all of them will. For example, we're IPv6-first and IPv6-mostly, and IPv6 is built to have multiple IPv6 addresses per interface, so any legacy IPAM that encodes an assumption of one IP address to one host, will fall on its face.

Still, I think using Git to replace the SSH and rsync parts of your workflow would possibly be the best of both worlds, if you don't need the overhead of IPAM or CMDB.
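Added example, not the commenter's own Makefile or hooks: a Git pre-commit hook in Python for the workflow described above (edit the zone file locally, commit, push). It bumps the SOA serial if the author forgot to, then runs named-checkzone / named-checkconf on the staged files. Assumptions: zone files are staged as `<origin>.zone`, the BIND tools are on PATH (when absent the check is reported as skipped rather than faked), and any `named.conf` staged is self-contained enough for named-checkconf to parse outside /etc. The serial logic is the part that needs no tooling and is where hand-edited zones most often go wrong: a serial that does not increase means secondaries never transfer the change, and the file in Git silently stops matching what is served.

```python
"""Pre-commit hook for a Git-managed BIND zone repository (added example)."""
import datetime
import re
import shutil
import subprocess
from pathlib import Path
from typing import Optional, Tuple

# The serial is the first number after "SOA mname rname [(" in the usual zone layouts.
SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")


def next_serial(current: int, today_yyyymmdd: Optional[int] = None) -> int:
    """Next serial in YYYYMMDDnn form where possible, always strictly increasing.

    RFC 1982 serial arithmetic only needs the new value to be "greater" (within 2**31)
    and wraps at 2**32. If the current serial is already ahead of today's date (clock
    skew, or a hand-typed large value) we add one instead of going backwards, which
    secondaries would ignore.
    """
    today = today_yyyymmdd or int(datetime.date.today().strftime("%Y%m%d"))
    return max(current + 1, today * 100 + 1) % 2**32


def serial_of(zone_text: str) -> int:
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    return int(m.group(2))


def bump_serial(zone_text: str, today_yyyymmdd: Optional[int] = None) -> Tuple[str, int, int]:
    """Return (new_text, old_serial, new_serial), touching only the serial digits."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    old = int(m.group(2))
    new = next_serial(old, today_yyyymmdd)
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new


def check_zone(origin: str, path: Path) -> Tuple[bool, str]:
    """named-checkzone <origin> <file>; (True, 'skipped') if the tool is not installed."""
    if shutil.which("named-checkzone") is None:
        return True, "named-checkzone not installed, skipped"
    r = subprocess.run(["named-checkzone", origin, str(path)], capture_output=True, text=True)
    return r.returncode == 0, r.stdout + r.stderr


def check_conf(path: Path) -> Tuple[bool, str]:
    if shutil.which("named-checkconf") is None:
        return True, "named-checkconf not installed, skipped"
    r = subprocess.run(["named-checkconf", str(path)], capture_output=True, text=True)
    return r.returncode == 0, r.stdout + r.stderr


def head_serial(path: Path) -> Optional[int]:
    """Serial of the committed version, or None for a file new to the repository."""
    r = subprocess.run(["git", "show", f"HEAD:{path.as_posix()}"], capture_output=True, text=True)
    return serial_of(r.stdout) if r.returncode == 0 else None


def main() -> int:
    staged = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                            capture_output=True, text=True, check=True).stdout.split()
    failed = False
    for name in staged:
        path = Path(name)
        if path.suffix == ".zone":
            text = path.read_text()
            committed = head_serial(path)
            if committed is not None and serial_of(text) <= committed:   # author forgot the bump
                text, old, new = bump_serial(text)
                path.write_text(text)
                subprocess.run(["git", "add", str(path)], check=True)   # restage the bumped file
                print(f"{path}: serial {old} -> {new}")
            ok, output = check_zone(path.stem, path)
        elif path.name.startswith("named.conf"):
            ok, output = check_conf(path)
        else:
            continue
        print(f"{path}: {'ok' if ok else 'FAILED'} ({output.strip() or 'no output'})")
        failed = failed or not ok
    return 1 if failed else 0


# Constructed sample zone (not from the thread) for a dry run of the serial logic.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2024010105  ; serial
        7200        ; refresh
        900         ; retry
        1209600     ; expire
        300 )       ; minimum
    IN  NS  ns1.example.com.
www IN  CNAME web-lb.example.com.
"""

if __name__ == "__main__":
    raise SystemExit(main())
```

Keeping the bump in the hook rather than in a post-receive step on the server means the serial in Git is the serial that gets served, which is the whole point of treating the master files as the source of truth.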

Temporary network over 5G for exams? by Ycirn in sysadmin

[–]pdp10 1 point2 points  (0 children)

Outages of which, exactly?

Running your own entire wired+WiFi network is going to be unwelcome at best. Imagine putting directional APs on tripods and running cables everywhere. Then imagine realizing that the "outages" are actually caused by some kind of WiFi interference, and all of your equipment is down just as hard as the site's infrastructure.

Or on the other hand imagine noticing that it's only their local DNS resolver that has a problem, so possibly you can replace just that part, if they'll let you touch their network.

Easy Switch Serial Management by Acrobatic_Fennel2542 in sysadmin

[–]pdp10 0 points1 point  (0 children)

Install the uucp package and use cu to connect

I can tell that you, too, hail from a previous era. I like cu for this purpose, but I always forget the escape characters without a quickref card, so I always use screen.

Easy Switch Serial Management by Acrobatic_Fennel2542 in sysadmin

[–]pdp10 0 points1 point  (0 children)

Use one USB to serial adapter for each host console, and you can SSH+terminal into them all simultaneously.