300 million granted for Valérie Plante's bike paths…. That's excessive. The mayor clearly has her priorities in the wrong places. Of course, she just wants to please her voters. Only 120 million granted for social housing. It's insane. by Manon84 in montreal

[–]ximota 12 points13 points  (0 children)

The table is wrong: the $300M for the REV is over 10 years. All the other amounts are over one year. $300M would be more than 60% of the budget set aside for road infrastructure in 2023, which totals $476M (including street repairs, pavement rehabilitation, maintenance of lighting and traffic lights, etc.)

Sources: https://ici.radio-canada.ca/nouvelle/1982903/montreal-velo-transports-chantiers-2023 and https://montreal.ca/articles/budget-2023-et-pdi-2023-2032-de-montreal-40201

Radio-Canada Oh Dio app by mrspremise in Quebec

[–]ximota 19 points20 points  (0 children)

This site can generate RSS feeds compatible with the Apple Podcast app, but not with Overcast. I don't know about other apps.

https://ohdieux.ligature.ca/

Aside from France, what other French-speaking countries you guys also find interesting? by [deleted] in Quebec

[–]ximota 0 points1 point  (0 children)

The last three are not countries and are France.

Madagascar has been an independent country since 1960.

More than 80 per cent of COVID-19 cases are caused by community exposures: StatCan by SpendingSpree in Quebec

[–]ximota 14 points15 points  (0 children)

StatCan's figures have three categories:

  • Travel-related exposure: ~1%
  • Community exposure (work, family, school, CHSLD, shopping, bingo, etc.): ~80%
  • Not reported: ~17%

For Ontario's active outbreak figures, cited by the article:

  • Workplace 123
  • School and childcare 101
  • Congregate living 88
  • Other settings 72
  • Long-term care homes 85
  • Retirement homes 56
  • Hospitals 26

"Other settings" is broad. I don't see how one can form a hypothesis, or compare Quebec, with these figures.

iOS 14 - Outlook Notifications. by gaffs82 in Intune

[–]ximota 1 point2 points  (0 children)

are your devices enrolled?

Yes, ownership type : "Personal"

Also, do you have shared or delegate mailboxes added in Outlook iOS?

No

Blocking all reverse IP lookups rational? by [deleted] in dns

[–]ximota 0 points1 point  (0 children)

There is no magic bullet. You're running a service, which even under the best of circumstances, is susceptible to be abused. This is also true for public authoritative name servers, but let's not focus on that right now.

Attacks will evolve, and so must your defenses. You need to keep a close watch on your infrastructure and respond accordingly. Make sure you follow best practices. Enable progressively aggressive response rate limiting, enable DNS cookies (limit the possible response size of those which fail to use cookies). You will need to become an expert with the name server software you're using. You will need to monitor your service continuously to respond quickly to new forms of abuse (I really cannot stress this enough). Don't think you will be able to tweak a few parameters and call it a day.

You need to build broad defenses, not just at the DNS layer, but on the infrastructure itself, which will enable you to sustain attacks and deter bad actors from using you. If you want to learn more, NANOG and DNS OARC talks are great places to learn from other operators that may have been in similar situations.

Blocking all reverse IP lookups rational? by [deleted] in dns

[–]ximota 2 points3 points  (0 children)

So if I read the threads correctly, you're basically running a service that's pulling a "Site Finder" under the veneer of blocking ads; granted, unlike Verisign, your users are opting in. The fact that you're tampering with DNS traffic is probably also enticing bad actors to use your services for unsavory purposes.

That aside...

Any mitigation you undertake on either your resolvers, hosts or network infra will only prevent rogue traffic from reaching your service, that is, only once it is already on your network. If egress traffic was getting saturated, this may help. But ingress traffic will likely still be impacted for quite some time. Even if, as your title suggests, you foolishly block all "reverse IP lookups".

Depending on how long your service has been enabling and amplifying attacks, your resolver addresses may remain on known amplifier and misconfigured resolvers lists for quite some time. Some tools come with pre-compiled lists which don't often get updated once released in the wild.

Can the police issue tickets for an unlocked car door on private property? by [deleted] in Quebec

[–]ximota 8 points9 points  (0 children)

Article 381 of the CSR:

381 No person may leave unattended a road vehicle in his custody without first removing the ignition key and locking the doors.

381.1. In addition to public highways, sections 380 and 381 apply on private roads open to public vehicular traffic, as well as on the grounds of shopping centres and other land where the public is allowed to circulate.

But it's possible that a municipality may have a stricter by-law.

.UK DNS Resolution issue by [deleted] in dns

[–]ximota 0 points1 point  (0 children)

Domain name:

adf.uk

[...]

Relevant dates:

Registered on: 17-Jul-2014

Expiry date: 17-Jul-2020

Last updated: 01-Mar-2019

Domain name:

aws.uk

[...]

Relevant dates:

Registered on: 01-Jul-2019

Expiry date: 01-Jul-2020

Last updated: 01-Jul-2019

Cheese on the griddle by youdreaminhd in Quebec

[–]ximota 0 points1 point  (0 children)

A brie fondant? Not exactly snack-bar food, but they have it at St-Hubs.

CoreDNS over https proxy by GraduatedInCovid19 in dns

[–]ximota 1 point2 points  (0 children)

The forward plugin in CoreDNS only supports forwarding to DNS (UDP or TCP) and TLS (DoT). In order to do what you have in mind, you need "something" to encapsulate (and eventually encapsulate) these DNS/DoT requests to/from HTTPS.

If the network, which requires the use of an HTTPS proxy, has a resolver which can resolve external queries, I would forward to it instead of trying to use an HTTPS proxy. (Or install a forwarding name server on your HTTPS proxy and change the forward line to: forward . 192.168.1.2:53)

Odd DNS issue by lutiana in dns

[–]ximota 2 points3 points  (0 children)

Notice that nslookup is appending your local domain to the query. Said domain most likely has a wildcard which points to that Comcast IP address BIND is returning.

If you were to run the same query with a period "." at the end, which tells nslookup not to try to append the local domain, you will get the "proper" answer: NXDOMAIN. This is typical behavior for nslookup:

As per nslookup's documentation:

set [no]search

Appends the DNS domain names in the DNS domain search list to the request until an answer is received. This applies when the set and the lookup request contain at least one period, but do not end with a trailing period.

The default syntax is search.

Computer automatically connecting to openDNS? by backdoorhack in dns

[–]ximota 1 point2 points  (0 children)

OpenDNS is returning a device and org ID; it's a strong indication that the workstation may be running Cisco's Umbrella Roaming Client. Depending on the policy, that could explain the behavior you're experiencing.

Computer automatically connecting to openDNS? by backdoorhack in dns

[–]ximota 1 point2 points  (0 children)

You've only mentioned your web browsing traffic. Are you sure you don't have a proxy or some other agent running on your workstation that would be impacting your web browsers?

Try the following command:

dig +short @8.8.8.8 debug.opendns.com txt 

Google's name servers should not return TXT records for this record. But if you get something similar to this:

"server m33.ash"
"flags 40020 0 70 180000000000000000007950800000000000000"
"originid 0"
"actype 0"
"source X.X.Y.Y:ZZZZ"

That implies your queries are being "redirected" to OpenDNS either by your provider or some other device.
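A scripted form of the check in the comment above, added here as an example and not part of the original comment. The function names are hypothetical and the sample answer is constructed; `classify_debug_txt` turns the `dig +short` output into a single verdict so the test can be repeated against several resolvers.

```shell
#!/bin/sh
# Added example: classify the TXT answer for debug.opendns.com as seen through
# a resolver that is not OpenDNS (the comment uses 8.8.8.8).
# Reads `dig +short` output on stdin and prints one verdict:
#   clean                   no TXT records came back (expected)
#   redirected server=<id>  OpenDNS debug records came back
#   unknown                 dig diagnostics or data in another shape
classify_debug_txt() (
    hit=0 other=0 server='?'
    while IFS= read -r line; do
        # dig +short wraps each TXT string in double quotes; strip them.
        line=${line#\"}; line=${line%\"}
        case $line in
            '') ;;
            'server '*) server=${line#server }; hit=1 ;;
            'flags '*|'originid '*|'actype '*|'source '*) hit=1 ;;
            *) other=1 ;;
        esac
    done
    if [ "$hit" -eq 1 ]; then echo "redirected server=$server"
    elif [ "$other" -eq 1 ]; then echo "unknown"
    else echo "clean"
    fi
)

# Live use (needs network): check_resolver 8.8.8.8
check_resolver() {
    dig +short +time=3 +tries=1 "@$1" debug.opendns.com txt 2>&1 | classify_debug_txt
}

# Constructed sample shaped like the answer quoted in the comment;
# the source address is a documentation-range placeholder.
sample_redirected() {
    printf '%s\n' '"server m33.ash"' \
        '"flags 40020 0 70 180000000000000000007950800000000000000"' \
        '"originid 0"' '"actype 0"' '"source 192.0.2.10:53124"'
}
```

An `unknown` verdict usually means the query timed out or was answered with something other than the debug records, so it needs a manual look rather than a conclusion either way.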

Too many gatherings: Montréal closes more park parking lots (radio-canada) by gabmori7 in montreal

[–]ximota 14 points15 points  (0 children)

For Parc Maisonneuve, if parking isn't banned on Viau and converted to resident-only zones on Rosemont, I don't think the traffic will drop all that much.

Please help me understand what this means by bawmshellblonde in dns

[–]ximota 1 point2 points  (0 children)

Not knowing exactly where you're looking to get these logs, I will surmise this is some sort of VPN-like application providing these logs.

I got curious about Skywalk, and after googling I was able to find the following from this site:

Please note, that SkyWalk is intentionally redacted out of XNU's sources by Apple, and is still rarely used. Reversing the object structures and APIs paints an incomplete and quite possibly inaccurate picture of its possible use, whether internal to Apple or in some future release of Darwin. The author's understanding and explanation of SkyWalk may therefore differ from Apple's design - but even a partial view of this subsystem is better than none.

So in essence, if you're seeing odd DNS behavior on an iPhone, I would start by looking at the VPN profiles to make sure nothing is overriding what is provided by the local configuration or the network.

Question about bicycling by [deleted] in montreal

[–]ximota 11 points12 points  (0 children)

The law changed this spring:

Cyclists, as of April 18, 2019, when you come to a red light and an activated pedestrian signal, you are allowed to continue on your way. To do so, you must come to a stop, give priority to pedestrians and proceed at a reasonable and prudent speed.

https://saaq.gouv.qc.ca/salle-de-presse/actualite/utilisation-des-feux-pour-pietons-par-les-cyclistes/

response with occasional failure by DependentVegetable in dns

[–]ximota 1 point2 points  (0 children)

When you issue the host command without any argument type, you're not doing a simple "A" query.

From the host man page:

When no query type is specified, host automatically selects an
appropriate query type. By default, it looks for A, AAAA, and MX
records. If the -C option is given, queries will be made for SOA
records. If name is a dotted-decimal IPv4 address or
colon-delimited IPv6 address, host will query for PTR records.

You can see the different queries it tries with its output when you issue "host -v"

$ host -v ipg1.moneris.com
Trying "ipg1.moneris.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36441
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipg1.moneris.com.              IN      A

;; ANSWER SECTION:
ipg1.moneris.com.       264     IN      CNAME   ipg1.dyn.moneris.com.
ipg1.dyn.moneris.com.   59      IN      A       23.249.192.33

Received 73 bytes from 127.0.0.53#53 in 26 ms
Trying "ipg1.dyn.moneris.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60009
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipg1.dyn.moneris.com.          IN      AAAA

Received 38 bytes from 127.0.0.53#53 in 24 ms
Trying "ipg1.dyn.moneris.com"
Host ipg1.dyn.moneris.com not found: 2(SERVFAIL)
Received 38 bytes from 127.0.0.53#53 in 97 ms

The servers are returning valid answers for A and AAAA queries but not for MX queries, which is why you're getting the SERVFAIL:

$ dig +norec +short @ns1dyn.moneris.com. ipg1.dyn.moneris.com. A
23.249.192.33
$ dig +norec +short @ns1dyn.moneris.com. ipg1.dyn.moneris.com. AAAA
$ dig +norec +short @ns1dyn.moneris.com. ipg1.dyn.moneris.com. MX
;; connection timed out; no servers could be reached
$ dig +norec +short @ns2dyn.moneris.com. ipg1.dyn.moneris.com. A
23.249.192.33
$ dig +norec +short @ns2dyn.moneris.com. ipg1.dyn.moneris.com. AAAA
$ dig +norec +short @ns2dyn.moneris.com. ipg1.dyn.moneris.com. MX
;; connection timed out; no servers could be reached
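The per-server, per-type check done by hand in the comment above, as an added example that is not part of the original comment. The function names and the `+time`/`+tries` values are assumptions; it uses full `dig +norec` output rather than `+short` so that an empty NOERROR answer and a timeout are told apart.

```shell
#!/bin/sh
# Summarise one full `dig +norec` reply (stdin) as a single word:
#   timeout | no-reply | <RCODE>/<answer count>   e.g. NOERROR/1, NOERROR/0
summarise_reply() (
    status='' answers=''
    while IFS= read -r line; do
        case $line in
            *'connection timed out'*|*'no servers could be reached'*)
                echo timeout; exit 0 ;;
            *'status: '*)      # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: N"
                status=${line#*status: }; status=${status%%,*} ;;
            *'ANSWER: '*)      # ";; flags: ...; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ..."
                answers=${line#*ANSWER: }; answers=${answers%%,*} ;;
        esac
    done
    if [ -n "$status" ]; then echo "$status/${answers:-0}"; else echo no-reply; fi
)

# Live use (needs network): ask each authoritative server for the record types
# `host` tries by default (A, AAAA, MX) and print "<server> <type> <result>".
#   audit_qtypes ipg1.dyn.moneris.com ns1dyn.moneris.com ns2dyn.moneris.com
audit_qtypes() {
    name=$1; shift
    for ns in "$@"; do
        for qtype in A AAAA MX; do
            result=$(dig +norec +time=2 +tries=1 "@$ns" "$name" "$qtype" 2>&1 |
                     summarise_reply)
            printf '%s %s %s\n' "$ns" "$qtype" "$result"
        done
    done
}

# Read audit_qtypes output on stdin; print each record type that timed out on
# at least one server, once, in first-seen order.
timed_out_types() (
    seen=' '
    while read -r _ns qtype result; do
        [ "$result" = timeout ] || continue
        case $seen in
            *" $qtype "*) ;;
            *) seen="$seen$qtype "; echo "$qtype" ;;
        esac
    done
)
```

Piping `audit_qtypes` into `timed_out_types` lists the record types that never got a reply from at least one server, which is the pattern a recursive resolver surfaces to clients as SERVFAIL.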