-
ivy
macpapo: missing kcmp is not a fatal error, it's fixed in current versions of freebsd (at least 15.0) but maybe wasn't backported yet, it shouldn't cause any issues though
-
mischief
hi. i was testing pf/altq, and noticed something strange. i have a very reduced pf.conf that defines different queues for different interfaces, and rules that i think should put traffic for each interface in their own queue. but all traffic seems to end up in the priq for the first interface. any idea what's wrong? here's my pf.conf.
0x0.st/XgTn.txt
-
» ober kicks iwlwifi into associating unsuccessfully
-
jb1277976
ober: your iwlwifi isn't working ?
-
ober
nope
-
ober
reinstalling it, I see it adds fcc rules to iwlwifi in rc.conf which make it work
-
ivy
does anyone use these 15.0 stab week builds? how are they?
-
ivy
jls
-
ivy
whoops
-
» kfv laughs
-
LXGHTNXNG
don't ever understand, it's bad for your health
-
jb1277976
ober: so it's working ?
-
tmp_
Where /etc/ttys defines vtys with getty and a display manager, is there a way to get one of the getty vtys (preferably ttyv0) to the foreground on boot?
-
mewt
/25
-
mewt
sorry
-
» debdrup wonders what's in window 25.
-
debdrup
ober: I've heard that completely disabling powersaving is apparently one of the tricks to make it work, so you could try that.
-
debdrup
ivy: last week of the month
-
kona
debdrup: the first rule of window 25 club is don't talk about window 25 club
-
debdrup
kona: ha!
-
debdrup
ivy: Gleb thankfully took my advice and included instructions on how to grab the tags he creates on his own branch, which makes it a lot easier to track and grab without paying attention to a busy mailing list.
-
» debdrup watches stabweek compile.
-
cybercrypto
Hey
-
cybercrypto
about 10 days ago, I asked for help - how to trace and find what application was "triggering" a binary (executing it).
-
cybercrypto
Got good replies and tips on how to 'investigate' it.
-
kona
ktrace and kdump?
-
cybercrypto
Want to tell I manage to identify it, using ktrace/fake facade script point to real binary, etc...
-
cybercrypto
the application generating the unwanted command was a network discovery tool, which was executing every 60 seconds. I disable it and now is working accordingly.
-
cybercrypto
many thanks.
-
nimaje
I would try dtrace and listen to exec probes
-
dansa
Where in FreeBSD can I find the DNS root servers IP addresses?
-
dansa
It must have them, right?
-
rwp
Very good cybercrypto! Always good to hear success stories. :-)
-
duncan
The way it works is you query some DNS server, say your ISP or Google's famous 8.8.8.8. What they query is anyone's [informed] guess. There's a lot going on.
-
nimaje
why would they be needed? the common setup is recursive dns, not iterative dns starting at rootservers, is there even an iterative dns resolver in base?
-
tmp_
The root servers list is typically "built" into a DNS server, as in the DNS server package such as bind918 or nsd.
-
tmp_
s/nsd/unbound/
-
dansa
I think any resolver must have a list of root servers. So I'd believe I'd find them somewhere in a FreeBSD.
-
tmp_
Although unbound usually just works from whatever upstream resolvers provide.
-
rwp
dansa, The root server file is /usr/local/etc/namedb/named.root
-
dansa
To find the IP address of ``hello.to.'', my resolver must get to the name servers of the /to/ TLD. The resolver won't know that until it asks the root servers who is responsible for the /to/ TLD.
-
dansa
rwp: I don't have that file. Must I install some package?
-
tmp_
If you've installed bind918 or some other bind package, that one comes with root servers listed in /usr/local/etc/namedb/named.root
-
rwp
pkg install bind918
-
nimaje
wouldn't an iterative resolver just ship a first cache of *.root-servers.net ?
-
rwp
If you don't have the file then you don't have BIND installed.
-
dansa
Yes, I don't have it then.
-
dansa
But shouldn't my resolver have such a list?
-
dansa
Maybe it's like embedded in the source code directly or something like that?
-
nimaje
dansa: do you have an iterative resolver configured?
-
rwp
I presume that unbound has the similar file located elsewhere. It's usually called db.root elsewhere and it took me a moment to deduce it for use on BIND named.
-
dansa
nimaje: I don't know. Here's my resolv.conf: %cat /etc/resolv.conf
-
dansa
# Generated by resolvconf
-
dansa
search ec2.internal
-
dansa
nameserver 172.26.0.2
-
rwp
That will point to the nameserver running on 172.26.0.2. But on THAT nameserver it must either forward again or it will have a root nameserver file accessible on it.
-
tmp_
The DNS names of the root servers are pretty static AIUI, though it has been a long time since I dug into that aspect of DNS. Anyway, if that's the case, then you can get (and presumably cache) the root servers by looking up (if you have a recursive resolver you can reach) a.root-servers.net through m.root-servers.net
-
dansa
Oh, so I don't really have a resolver, right? I'm only forwarding my requests to someone else?
-
rwp
It's basically a bootstrapping problem. When a nameserver powers up from a cold boot it has no idea where to start looking for data to convert from a name to a number. It consults the db.root file, ahem the named.root file here, and then finds the IP addresses of the 13 top level nameservers that can provide this data. Then it starts querying them for the next bit of information in the chain.
-
dansa
tmp_: IANA tells us who they are at
iana.org/domains/root/servers
-
tmp_
dansa: Ah, thanks. Like it wrote, it has been a while.
-
rwp
dansa, Your nameserver 172.26.0.2 directive is forwarding your query to that system and your system is not running a nameserver but the other system is.
-
dansa
rwp: that's what I think too, but my system seems unable to do that because it doesn't have the addresses of the root servers, so I guess it simply sends all requests to an AWS server hoping to get the answers it needs?
-
dansa
rwp: got ya! that makes sense to me now.
-
rwp
tmp_, The list of top level nameservers are fairly stable but they do change at times. And when it changes things still work because 12 is doing the work of the 13 okay. But that allows a slow progression of upgrade of the file.
-
dansa
how can I run my own true resolver in FreeBSD? (I don't want a DNS server; just a resolver). Is there a nice little package? I guess DJBDNS, right?
-
tmp_
FreeBSD comes with a basic unbound resolver built in.
-
rwp
Install either unbound or bind. Is unbound in base? /me goes to look...
-
tmp_
Which just needs at least one forwarder to get started.
-
dansa
What's the /unbound/ word? The name of the package?
-
rwp
unbound looks like a port/pkg to me on 14.1R
-
rwp
BIND is the Berkeley Internet Name Daemon. BIND. So "unbound" is a joke. It's the opposite of bind. Joke.
-
tmp_
unbound is the name of the software. There's a built-in version, and one in packages. If you have both, the built-in gets called local_unbound, often enough.
-
rwp
Similarly there is a tool called "dig" which can be used to dig into the DNS data. Though as a backronym it is called the domain internet groper. Whatever. We dig for data from dns.
-
dansa
rwp: nice! :)
-
tmp_
The configuration for the built in is in /var/unbound/
-
dansa
I kinda dislike dig because I never understand that output.
-
rwp
So a newer alternative of dig that a lot of people will be using now is "drill". Get it? dig. drill. Jokes abound!
-
dansa
I like /host/, though.
-
dansa
rwp: lol---I love the UNIX world.
-
» tmp_ uses `getent hosts ...`
-
dansa
tmp_: :)
-
rwp
The host command comes with the set of BIND utilities. Though there is also another host command that comes from a different set of dns utils which has slightly different output. I prefer host from the bind set of utils and use it most often too.
-
dvl
I’m tempted to try selfhosted Bitwarden. My ancient but wonderful auth app (for TOTP - time based one time password - ie 2FA codes) no longer works on my watch. The app hasn’t been available for years, but I’ve always liked the UI. Might as well get started right now.
-
dansa
I believe I'm using the one from BIND. I'm not sure.
-
rwp
getent is a good source of truth. Unfortunately on other systems it's not a great tool. So we end up needing to know how to run all of them at different times.
-
dansa
No, no. It looks like I'm using the alternative one.
-
dansa
COMPATIBILITY
-
dansa
host aims to be reasonably compatible with ‘host’ utility from BIND9
-
dansa
SEE ALSO
-
dansa
drill(1), resolv.conf(5)
-
dansa
Looks like I'm using drill.
-
tmp_
drill on FreeBSD comes with the built-in unbound.
-
rwp
If your drill's host command outputs something like "www.example.com has address 93.184.215.14" then I am okay with it.
-
dansa
It does. I never noticed any difference in fact.
-
dansa
%host www.example.com
-
dansa
www.example.com has address 93.184.215.14
-
dansa
www.example.com has IPv6 address 2606:2800:21f:cb07:6820:80da:af6b:8b2c
-
rwp
For me on 14.1R /usr/bin/drill exists in base but I do not have an unbound daemon unless I install it from ports/pkgs.
-
dansa
I don't have an unbound daemon either---and don't want it either.
-
rwp
dansa, That host command seems fully compatible to me and I would use it no problem.
-
dansa
Cool.
-
rwp
So... On a server I always install a local BIND9 named in a caching configuration. But on a mobile laptop I almost never do because I must connect to random WiFi networks that force me through captured portals.
-
tmp_
rwp: You don't have /usr/sbin/local-unbound ?
-
duncan
if you want a local resolver which isn't a DNS server, I'm afraid you have to use unbound
-
duncan
and yes, there is some kind of unbound variant in base. the installer offers it.
-
rwp
If you run an SMTP mail server then you will pretty much be required to run your own nameserver. And it is trivial so not a problem. Because DNSBLs will rate limit and if you aggregate up to an AWS server for example then it will be too many queries and you will be blocked. You must do your own DNSBL queries at your own rate. And by the time you get past the free level you will know what you are doing already.
-
dansa
duncan: I guess djbdns would do it too
-
tmp_
I mean, /usr/sbin/local-unbound has been part of the system for quite a while now.
-
duncan
I do not know what distinguishes it from the port
-
dansa
here's something I'm puzzled about: if i tell my shell ``drill xyz. @198.41.0.4'' I get the addresses of the authorities for xyz; but if I say ``host -t ns xyz. 198.41.0.4'', I get nothing.
-
rwp
On a mobile laptop trying to connect to a captured portal system a local caching nameserver will block the action of the captured portal as a security issue. Which it is correct in doing! But we must allow it. So to get through a captured portal one needs to forward through the DNS nameserver given by the DHCP exchange.
-
tmp_
Difference between the built-in and the port is essentially version. Built-in on 14.1 is 1.15 while the port has 1.21.
-
rwp
tmp_, Oh /usr/sbin/local-unbound! That must be the local unbound that is offered to be configured for me automatically at installation time? I have tried that several times and it NEVER WORKS for me. NEVER! I have stopped trying.
-
rwp
dansa, What is "xyz." which cannot be a valid FQDN. I would not expect anything from it. Try "example.com." there instead.
-
dansa
well, xyz. is the address of the top-level domain xyz
-
dansa
no?
-
rwp
Perhaps one can query on a TLD name directly but it's not something I would have ever thought of doing.
-
tmp_
Also the setup on the built-in is focused on having a caching resolver. With what would have been nameserver entries in /etc/resolv.conf going into unbound's forward-addr list, while /etc/resolv.conf switches nameserver to localhost.
-
rwp
You can't query "dig com." either.
-
rwp
And com is a TLD as well.
-
dansa
I can get the addresses of ``.''
-
tmp_
rwp: I set up a local-unbound ages ago, so I don't remember how that works during the install. I've extended the config to have stub-zone entries for the local full DNS servers, so I pretty much just import that rather than set it up from scratch anymore.
-
rwp
I like using unbound on my laptop. I enable and disable it as I need for the captured portable problem. I simply install unbound on it. I can see that unbound is easier and simpler and more trouble free for resolving DNSSEC than BIND's named. But both do work.
-
rwp
For serving my DNS zones I have been using BIND's named forever so continue to do so.
-
dansa
Oh, I believe 198.41.0.4 doesn't know the XYZ top-level domain.
-
dansa
because if you just say ``host -t ns xyz.'', we get the authorities for it correctly.
-
tmp_
They do different jobs, or rather, unbound does the caching recursive resolver, while nsd does the non-recursive server part. BIND does everything.
-
rwp
The trouble with BIND's named for DNSSEC is that when forwarding then DNSSEC validation must trust the server being forwarded the query. The unbound handles that part perfectly. But bind named needs to be instructed to do it that way needing one more line of config, which is one line that maybe isn't known to be needed. And then it doesn't work right.
-
rwp
The dig equiv to that host command is "dig com. ns"
-
rwp
And pretty much everything I say about dig is the same syntax for drill which is written to be dig compatible.
-
rwp
I am not saying not to use host -t ns as I use the host command for casual use all of the time too. Just also giving the dig syntax for it.
-
rwp
Which I should have added +short to in order to be the same as host: dig com. ns +short
-
rwp
And as long as I am passing by, to direct to a specific nameserver: dig @8.8.8.8 com. ns +short
-
dansa
yeah, with drill I get the expected answer (with ``%drill xyz. ns @198.41.0.4'').
-
dansa
But not with host.
-
dansa
Using host, I asked all root servers for xyz. and none of them knew what to say.
-
dansa
I asked one by one by hand.
-
dansa
I'm puzzled with that.
-
tmp_
rwp: IIRC, local-unbound needs three things to work: A forward-zone: with forward-addr: entries in /var/unbound/unbound.conf , /etc/resolv.conf including a nameserver localhost line, and a local_unbound_enable="YES" in /etc/rc.conf
-
rwp
One at a time like this? for ns in $(dig @8.8.8.8 xyz. ns +short); do dig @$ns xyz. ns +short; done
-
dansa
I did manually. :)
-
dansa
I did [it]
-
rwp
tmp_, I will try local-unbound again at some point and figure out why it doesn't work for me. The /etc/resolv.conf always has "nameserver 127.0.0.1" when using a local caching nameserver. Since that's the point. The rc.conf is perfectly normal too. So it must be the /var/unbound/unbound.conf file which is mangled up for some reason.
-
rwp
As I said I just install unbound and configure it normally for using unbound when I want it to work. That always works as normal as things work and so I do it that way.
-
rwp
getting called away irl here bbiab
-
tmp_
rwp: I can send you a copy of mine with the stub-zone:s stripped.
-
ScrewDriver1337
hiii!
-
ScrewDriver1337
I need help with NFSv4 ACL and ZFS
-
rtprio
it's best to just ask your question
-
mikewilzn
ScrewDriver1337: dontasktoask.com/
-
ober
create_args_wlan0="country US regdomain FCC"
-
ober
seems to fix it jb1277976 debdrup
-
ScrewDriver1337
I have this NFS ACL on my share everyone@:--------------:-------:deny, owner@:rwxp--aARWcCos:fd-----:allow, group@:rwxp--aARWcCos:fd-----:allow
-
ScrewDriver1337
and I can't mount it with NFSv4
-
ScrewDriver1337
but I can mount another zfs dataset which has posixacl
-
ScrewDriver1337
so I enabled NFS_DEBUG in kernel
-
ScrewDriver1337
where I can see debug logs? how can I debug NFS?
-
uskerine
hi, I have the following partition in the host that contains several jails: /dev/mfid2p1 on /data what can be done to share that partition with one jail?
-
rtprio
uskerine: what do you mean? you want 2 jails to have a common disk area?
-
uskerine
I have this partition mounted in the host: /dev/mfid2p1 on /data
-
uskerine
and I would like /data be available for one jail
-
rtprio
i think you would need to mount it in /jails/myjail/blah for the jail to have access to it
-
uskerine
what about sharing it with the host or other jail?
-
rtprio
the host can always access it
-
rtprio
with another jail i suspect you would need something else,perhaps nfs ?
-
uskerine
but this is an educated guess from what I am reading, right? like you have not had such setup before
-
rtprio
i haven't had the need
-
the_oz_
what virtualization are you using and can it even access partitions directly?
-
the_oz_
zfs might be able to mount something and then use directories like normal if doing zfs, but I'm a bit fuzzy on that
-
the_oz_
but that's below partitions
-
ober
networkmgr known to work? it seems to hang forever. despite being in the wheel group
-
ober
cccccchchlkgjcdhultifbcgthjengefnvnlhjhuvggb
-
Tingo
Hi Ober.. i am now online.. which kind of issue are you facing ?
-
Tingo
i am new to Freebsd but will try to help you :)..
-
ober
irc is hard
-
Tingo
ober IRC is at least easy way to chat with other people regarding issues.. :)
-
nimaje
uskerine: how about nullfs?
-
rtprio
the_oz_: jails