currently i use github.com/Trellmor/bind-adblock

Ketas that's chrome it has some security crap that uses its own dns stuffs

cpet: might be chrome component embedded yes but i busted it

:p

Bastard

Most of my security sits in the hands of a netgate appliance

It used to be a firewalla

Now a netgate 4200S

I did not like the old software atleast the netgate runs a jan 15 current

Here is a good list for those that use unbound: pgl.yoyo.org/adservers/serverlist.p…ound&showintro=0&mimetype=plaintext

Also does other formats like bind.

cpet: you love backd00rs

I guess

They said the same about open bsd

that is some legendary plain sight back door

Netgate and OpenBSD have backdoors?

Who.knows

What you read online isn't always true

>:)

Especially coming from a bad kat

nice point

Cause bad Kats are bad

as cigarettes

I smoke cigars

i prefer to smoke asm

Can't smoke 0 and 1's

hello

Hi

luser: it's in that thing i use, one of lists

i haven't updated it but meh no ads appear so

10M Jun 30 2024 ad

also bind wastes memory for every view?

actually i have one view with that

but i acl it to 2 /24's & 2 /64's

ketas: I have a weekly cron to update it. Works great. I do strip out a couple of domains which break sites I use but that is a part of my script so simple as.

Also, I use unbound for DNS caching and forwarding (to NSD for my local domain and DoT for external).

hmm

i could try that chain of dns servers maybe

I used BIND for 20 years and I think unbound/nsd is better. You can use unbound to set static host entries much like /etc/hosts if you have a small enough network.

but it gets awfully complex i think

Not really. I used NSD for with replication but I could just as easily use unbound. The only down fall I would say is dynamic DNS for DHCP doesn't exist (at least the last time I checked).

like i have ad filter, recursive and auth dns, and different views, all in one bind

how do i split it up?

it's also kind of past /etc/hosts

unbound will have your ad filter, views and recursion; nsd for authority dns.

i include static and dynamic parts in my zones and i autogenerate them from ips, making it my own dynamic dns too

No, I'm not saying using /etc/hosts, I'm saying you can use unbound much like /etc/hosts was used to set static DNS entries.

i include same content in two different zones and in two different levels eh

fancy setup

Does BIND implement DoT yet? Last I read it was a work in progress but required an external process to achieve.

that would maybe good idea indeed

to have

bind has it

Nice. Do you use it?

Just stumbled on this if anyone is interested. 2025 FreeBSD Community Survey: freebsdfoundation.org/blog/the-2025-freebsd-community-survey-is-here

no, unless it does it hiddenly

:p

i filled that survey up

was better than last time

No, it will be an explict configuration.

i don't even gave dnssec yet :/

granted, personal domains eh

s/g /h /

I wouldn't say it's a necessary on your own network, but you should encrypt your DNS traffic for external requests.

s/ g/ h/

:p

how many servers do it?

dnscrypt-proxy full featured is great :))

you can put a recursive resolver on top ofc

in reality i should indeed split it up to 3 parts maybe

ketas: I use quad9.net

g0v9? roflma0

if you have own dns server, why bother using public recursors?

ketas: i meant to have your own RR with dnscrypt-proxy as upstream

unbound/bind/any you line

like*

ketas: how else am I going to resolve external DNS that I don't manage?

badkat: you seem to think everything is a backdoor.

which external dns?

I don't doubt for a second the .gov isn't implementing honey traps though.

how do you resolve google.com, ketas?

bind does it locally along the path

luser: they can issue certificates trusted by your root CA just in seconds, no vulnerabilities or such involved :)))

it has copy of . so it don't need to go ask roots wherr com is

then it caches it and next time it's fast

ketas: right, and it queries external DNS servers in plain text unless you encrypt it.

yeah should fix it :p

badkat: no they can't.

luser: maybe you dont know HOW that works, you could tho.

I understand very well how it works and they can't.

dot can be used towards auths as well?

before this internet that is a leftover of the original fenomenom is over, in 10 years you will no have any access to information like today.

luser: r0flma0

internet is not same before and after 2013

next checkpoint 2033

after that 2045

buy some top grade storage devices, LTO should be fine

I don't doubt that govs are trying to restrict info, but they aren't seemlessly issuing fake digital certificates to MitM traffic to snoop on everyone.

luser: not everyone lol, i never meant that.

ketas: do you mean your own authoritive DNS?

those certs are not fake lol, are real, trusted certs.

luser: no, others

And the private keys accossiated to those certs?

luser: they have private programs with the owners, big companies of the north, $$$$$$$$$$$

ketas: in BIND, you will set your forwarders to an external DNS provider that supports DoT and then enable DoT. Who do you currently use?

badkat: without private keys, they can't generate trusted certificates to anyone 3rd party.

no forwarders at all

luser: they have the private keys r0flma0 its just a file, did you even read?

i took forwarders off since govt mandated filtering started

was isp before

badkat: you have no idea what you're talking about. FIN.

luser: 0k, l00ser.

SYN SYN SYN

ketas: you must have forwarders somewhere to resolve external DNS (like google.com).

no it's direct outside conns now

Ok. So set up forwarders to quad9 with DoT and your DNS will be encrypted.

Cloudflare also offers DoT I believe.

seems like more trouble to me

extra resolvers in the way

ketas: $(just resolve the entire internet once a week) > /etc/hosts

not at all. Instead of recursing from TLD down, you forward to resolvers and utilise their cache (if already resolved) or make them recurse. The difference is your DNS requests are now encrypted and can't be snooped or interfered with on the line.

badkat: hahaha

why don't we encrypt them in the way there then?

i read that dot/doh is only for clients to recursive resolvers

what protects traffic going outside of quad9

nothing hides it iirc, dnssec only signs it

DNSSEC would provide integrity for quad9 requests however there is no attribution to you for the those requests. Encrypting is about protecting your DNS requests: both integrity and from snooping.

well that's correct, can't correlate them to me, well, easily

but i would like dns to have full ssl

:p

when do we get there?

That would be great but that would require every authoritative DNS server to implement TLS in some way to encrypt requests.

some do?

i never looked

You'e using recursive resolution so the best you have is DNSSEC but that's still in the clear.

at that paranoid level, what are chances my sim would get remotely owned?

sim?

yeah like in my phone

phones are completely insecure and, as badkat would attest to, completely backdoored.

or yeah baseband too

it's all fuckup

ketas: by who? build a threat model first

all CPU's have a out of band processor, in mobile communications its worse because it have a pretty damn good antenna xD

who would even sniff in actual internet backbone or isp access network

law enforcement?

they dont need to.

and mitming

they get netflow traffic exported from every IXP

so when you setup your tricky dns circus they can just correlate with a few params

i don't think they actually do?

no mitm, broke ass hoodie techniques

who the hell filters that also

remember they also like have to use same hw as everyone else

depends, blues are at the same level as civs

i mean those systems are not for massive surv, no need to get a shiton of useless data every sec

V.I.Ps make use of those systems to get private monitoring for example, they pay to be protected in real time

i wonder if dns is such a big target anyway

not really

because what happens after dns

if i can get a traffic export even without layer 7 data of the communications

i could simple do a TLS SNI resolution and know which site did you went to

who cares about dns roflma0

first who would even get targeted like thst

in first place

thats a good question

i mean past coffee shop open wifi, it gets hard

but thats the political logic of the issue, im just heading the technical part ;)

we are talkin about companies/countries capacities, not random n00bs using kali linux

of course i would love end to end encrypted channels

in anything

then it gets harder and harder even if you want

fun, even nsa 2013 docs said

we can't

which is like

good

in disney land, sure

look, thing is not the encryption mathematical-theorical power

is about *implementations* of such

did you ever check out how DES encryption works in consumer-grade devices?

i mean if it's faultless implementation with pfs and you can't downgrade, or correlate ot do thise things

yesh

implementations suck

start with DES then research about AES, then RSA

oh it's difficulg

t

the CPU makes the dirty job with the specialized crypto instructions

i like to think it's math

cpu crypto instructions are fun

yep, thats the problem with non-engineers they just believe internet posts, cant have a critical thinking because they are 100% blind on the production process

they could be backdoored :)

but has anyone proven it?

is not backdored actually: degraded performance

well i have to believe since i can't check all

the CPUs are beautiful black boxes

cpu bugs are fun too

yeah :D

there have been several

but you'd bet people look into them

cool micros to play with are the ones with goldmont platform, you can patch/modify microcode :D

after that series, intel enforced a really pain in the ass encryption method that makes it pretty difficult to accomplish

difficult

i once had cpu arch teaching gf, but she ran away

she took that in uni

i haven't

ketas: lucky you :), i never had a techy girl on my life :((((

you can still have a techy granny

a granny that uses the latest technology to clean her dentures.

la_mettrie: i hope so, common girls dont like my retro-computers/consoles room they think is total trash hoarding i dont give tours there anymore

where are uncommons?

grannies.

Margaret Hamilton is such a hottie tho

w00f w00f

i mean they do exist

even younger ones

somewhere

lol @ margaret hamilton. puke.

luser: actually, puke on your damn ass-tracked pinpointed face

lol

her?

who else, ofc <3

photo of room btw

i have like unorganized rooms

CRTs are the biggest problem

along JAMMA boards

and the fact that some ICs wont be working in 10-20 years makes me even more anxious :((

they will just die :(

had to google jamma

japanese arcade systems

i only have some weird soviet nes clone

:p

great!

6052 cpu clones?

I think we should be fearful of solder. It's linked to 5G technology. They're playing the long game.

actually china maybe

but same thing

i don't know what's inside yet

i know it works

there was some interesting CPU/MCUs made in the URSS

prolly not chinese

yeah they cloned

actually i only later found what else did they clone

many things

just like china noe

now

luser: did you ever considered join the ch1n4 military?

china is now curseword :p

no point. they hacked our brains and now control us via their satellites. We're all chinese soldiers now.

they cloned the us satellites using space-based 3d rpinters. don't ya know?

我們製造您的裝置，所以我們管理網際網路，您的屁股屬於深圳的霸主。

luser: not really, but you should join them, they will put a 5g 發射器 in your butt so you can report to the HQ over a encrypted dns tunnel

but it's all hacked bro, so it's pointless, right?

yep, prolly i could get access to your butt remotely if its running linux kernel :)

I'm confident my private keys are private, btw, and have zero concern my digital certificates are safe and secure.

Neat, certified l0o0s3r

We build your device, so we manage the Internet, and you

The butt belongs to the overlord of Shenzhen.

hahaha

x)

hmm, according to google translate, the second one is transmitter, or hair shoot device in separate

hahah yes transceiver

that language is fun

are you khinese kat

:p

imagine having your butt connected to quad9, security is a must!

no lma0, im not.

badapple

nice song :)

:)

how's the desktop failing?

now

thanks for remind me that, by now its ok because i was not using much the desktop today

i think the problem maybe is not be related to ZFS in special

but some virtual memory allocator is doing nasty stuff while using firefox

allocating 14GB for 2 damn tabs is total stupid in my opinion

3G in use and 14GB in INACTIVE state from virtual memory reports

those 14g are from ff process, i dont like that

if i completly close firefox, the desktop stills feels a bit laggy, tried to rest a bit of computers today, tomorrow i will go deep with the kernel i built yesterday to discard some assumptions

14g for 2 tabs?

what do they run

i used to run ff/tb on 2g ram ufs

ff&tb

often 300 tabs etc

i bet 14g is leak tho

badkat: give your system more swap and you will not have that problem.

swap wouldn't help

if you want to use it

In Firefox navigate to "about:memory" in the URL bar and it'll show the breakdown of memory allocation.

it has also tuning there

swap is for god knows what... 100 jails with idle dhclients?

active swapping is bad

and he already has relatively high ram

i mean i can build rust here and llvm

takes most of 4g ram and also allocates 10g swap

takes a day and it does complete

and the huge cost of time

s/and/at/

oh hw is fun, what was that demo, some game console iirc, the color palette was meh but they found some hack to put full color photo there

do we even use the /development directory on the FreeBSD downloads page anymore? it has CSRG and CVS/SVN files. too old to sync now, right?

From base, how can I create a password hash on the command line? e.g. $2a$12$UkMrEMMQocdYI4yj4VBPs.69yAtPne3D2MT3KpuMAfg48ZbetzZvq

I know passwd can do that, but that would modify my password, I just want the hash.

htpasswd would also work, but that's not in base.

echo -n "password" | openssl passwd -6 stdin

man openssl-passwd for more details

luser: Works, thanks. Seems that AdGuard can't use that 'advanced' hashing algorithm. Also tried -1 etc. Seems only a password, so far, starting with $2.. works

No proebs. I got that from search.brave.com in the AI response and it got that from FreeBSD forums, so there might be additional information from there.

ivy: yes I saw that comments, I think its great somebody(tm) is putting more thought into it. Once we hit 15.0-RELEASE we'll be largely stuck with it for quite a while.

benjamino: I suspect you can't use syscons & drm-kmod together, got to pick either 1990s tech or 2010s tech

but I would like to know for sure

dch: yeah, i figured it out in the morning, i opted for vt in the end, it works fine i suppose, especially because man pages say that syscons will be removed in newer versions of freebsd

we keep saying things like that in manpages but it might take a decade :D

oh

why did you have to tell me this... now i'm reconsidering syscons again

unless vt is broken for your use case may as well stick with it

dch: well, it's alright... for now. thanks!

beastie: my system doesnt even reachs swap, wtf?

what do you mean?

that's not true...

?

O_o

how can't your system reach swap if you have virtual memory?

you add swap for the irregular case that you have more memory in use than your actual physical memory. that simply allows your system to continue, instead of start spitting a lot of out of memory errors.

my swap device is never used

i have 2G swap, always 2048 unused, what do you mean

i have like 10G free memory also

what do you mean?

my system has 8Gb of memory and normally has over triple that quantity of swap in use, by several users using google chrome simultaneously.

i have 32gb + 2gb swap

i never reach to write the swap device

also vm.overcommit=0

actuallyy have 8 gigas of ram and 48Gb of swap distributed in 4 mechanical disks... this allows me to hold several users with a desktop each, and running theyr own chrome browser without having out of memory messages.

i never get out of memory issues

dont know what you talk about

thanks tho

i dont either... but I did.

I did my acocunting and the issue revealed.

I have four hard disks actually dedicated exclusivelly to swap.

im sure we are talking about different issues beastie

probably... but I was mentioned, like now...

i have weird freezing problems, outside of firefox too, with even 30gb free of ram

started to happen after upgrade to 14.2 from .1

I have not even read the discussion... probably the mention was for you, and the tab key intervened to change the nicks.

I'm running 14.2

have you upgraded recently, 14 has a change of abi, so you should upgrade probably many packages.

I have had freezes after an update that have repaired with that.... not a swap problem.

almost anything (any kernel loaded module... video driver... etc. can trigger a halt)

i did pkg upgrade -f as i do every time i do minor/major base-upgrades

yes i suspect about 3 modules, openzfs/drm61-kmod and ethernet-kmod from pkg

realtek-re-kmod

anyone is using Gitlab? I'm wondering how do you turn off logging for api_json.log

mage: check the gitlab-rails configuration, use a symlink to /dev/null in the output file for api_json

gitlab-rails ..?

I don't have such thing .. it's gitlab-ce compiled from poudriere

mage: is a component of it

gitlab.rb should have the logging subsystem configuration

should be in /usr/local/www/gitlab-ce/...

each "rail" is the logging channel iirc

I have gist.github.com/silenius/0fa74ff60c7531fb35bde625ab4a9f53

I'm wondering why it is simply not configurable in the config/gitlab.yml file

gitlab is complex, i would choose cgit/gitea/forgejo if im managing a git service for small-medium organization

gitlab is a hog, i switched to gitea and haven't been happier

yep but switching is currently not an option .. maybe on the mid/long term ..

mage: is gitlab-ce in ports the omnibus? does it run their ansible scripts when you do stuff?

no

is the api_log from rails or from nginx?

rails ofc

(also how is this a problem?)

xD, maybe is running out of space in the logs partition

so logrotate the shit out of it, with minimal retention

the problem is that it grows to multiple gigabytes in some days

same for sidekiq.log

logrotate, check gitlab community edition docs

er, sorry,

yeah.. I could manage it with newsyslog

yes, i meant newsyslog.. working the wrong OS for too long

but it's crazy that you can't configure that in config/gitlab.yml or config/another.yml file

you can, doesnt seem like you want to read the docs

so.. rftm :)

the number of times i've had to grep the source to understand how to set something in the config file is nonzero

I'd like to be happy to see where in the doc

the gitlab docs website? lol

apparenlty it doesn't apply to the "version" which is in the ports

it does, the files are layered a bit different, thats all

that was the other thing that tested my patience with gitlab, the six or so versions from free to enterprise

and varying features in each

i managed gitlab over freebsd for years

everything is there, you should not bother with ruby code

just learn where is everything and how to use rake

i also got tired that every rake operation took a nontrivial amount of time

likewise for mastodon, how does `tootctl help` take 20 seconds to run

:P

I have to use rake to configure logging?

no, i mean is part of the administrator must-know

my last bit of sand to help you, google: log rotation gitlab community docs

get into the website, read.

badkat: I'm FreeBSD admin for years.. I don't need doc to configure newsyslog

I have read the doc several times, nothing works (their GITLAB_LOG_LEVEL, etc)

I'm on docs.gitlab.com/administration/logs

have you asked in a gitlab channel?

i had explained you about the gitlab rails first, is gitlab.rb inexistent?

i dont have an gitlab installation on freebsd at hand now, but check in config directory if not and grep for logrotate_size

19:59 < mage> I have gist.github.com/silenius/0fa74ff60c7531fb35bde625ab4a9f53

and logrotate_size is unknown

but I don't care about logrotate

I just want to change log level from DEBUG to WARN or ERROR that's all

anyway, I've ln -s to /dev/null ; thank anyway

and even if I tried, I'd get nothing done, I get too scatterbrained

wrong channel

wi 2

/

alt+2

M-a

i've spent three days on rebuilding my blog

anyone wanna see?

\i mean few hours a day but still

What's the backend wordpress

I like gravcms or Hugo

i used eleventy

it's a js markdown chewer

that's the link anyway, if you care wskyx.github.io

Node

maybe few more touches but more or less it's done

yes, node

I always used ghost until they made it hard to install using some cli

I personally don't like node but to each there own my current beer blog is hugo

works for me

i don't even know js :D

most of work i did was html/css editing. work on files, and bash scripting

i am tired now >:(

also, two nicks i just pinged :DD

oh yeah, and markdown editing obviously

the most fun part of it was when my bash script fired off and converted almost 400 markdown files :D

however some file editing i had to do manually, iit wasn't possible to get it done by a script

wsky: nice store, how do you print the canvas?

i order that online :D

no one ever ordered one from me yet tho :DD

my previous site had a poor theme ( vlepy.github.io )