00:05:35 currently i use https://github.com/Trellmor/bind-adblock 00:17:14 Ketas that's chrome it has some security crap that uses its own dns stuffs 00:35:23 cpet: might be chrome component embedded yes but i busted it 00:35:25 :p 00:35:53 Bastard 00:52:35 Most of my security sits in the hands of a netgate appliance 00:52:49 It used to be a firewalla 00:53:00 Now a netgate 4200S 00:53:43 I did not like the old software atleast the netgate runs a jan 15 current 01:10:59 Here is a good list for those that use unbound: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext 01:11:29 Also does other formats like bind. 01:12:07 cpet: you love backd00rs 01:13:05 I guess 01:13:21 They said the same about open bsd 01:14:30 that is some legendary plain sight back door 01:15:13 Netgate and OpenBSD have backdoors? 01:15:21 Who.knows 01:15:30 What you read online isn't always true 01:15:31 >:) 01:16:05 Especially coming from a bad kat 01:16:20 nice point 01:17:29 Cause bad Kats are bad 01:19:57 as cigarettes 01:20:25 I smoke cigars 01:21:35 i prefer to smoke asm 01:22:35 Can't smoke 0 and 1's 03:16:50 hello 03:56:06 Hi 05:41:14 luser: it's in that thing i use, one of lists 05:42:17 i haven't updated it but meh no ads appear so 05:42:43 10M Jun 30 2024 ad 05:43:04 also bind wastes memory for every view? 05:45:03 actually i have one view with that 05:45:38 but i acl it to 2 /24's & 2 /64's 06:40:11 ketas: I have a weekly cron to update it. Works great. I do strip out a couple of domains which break sites I use but that is a part of my script so simple as. 06:45:14 Also, I use unbound for DNS caching and forwarding (to NSD for my local domain and DoT for external). 06:58:29 hmm 06:59:05 i could try that chain of dns servers maybe 07:02:56 I used BIND for 20 years and I think unbound/nsd is better. You can use unbound to set static host entries much like /etc/hosts if you have a small enough network. 07:03:22 but it gets awfully complex i think 07:04:47 Not really. I used NSD for with replication but I could just as easily use unbound. The only down fall I would say is dynamic DNS for DHCP doesn't exist (at least the last time I checked). 07:05:16 like i have ad filter, recursive and auth dns, and different views, all in one bind 07:05:25 how do i split it up? 07:06:01 it's also kind of past /etc/hosts 07:06:27 unbound will have your ad filter, views and recursion; nsd for authority dns. 07:06:56 i include static and dynamic parts in my zones and i autogenerate them from ips, making it my own dynamic dns too 07:06:56 No, I'm not saying using /etc/hosts, I'm saying you can use unbound much like /etc/hosts was used to set static DNS entries. 07:07:51 i include same content in two different zones and in two different levels eh 07:07:55 fancy setup 07:08:18 Does BIND implement DoT yet? Last I read it was a work in progress but required an external process to achieve. 07:08:46 that would maybe good idea indeed 07:08:48 to have 07:09:46 bind has it 07:10:27 Nice. Do you use it? 07:10:55 Just stumbled on this if anyone is interested. 2025 FreeBSD Community Survey: https://freebsdfoundation.org/blog/the-2025-freebsd-community-survey-is-here/ 07:11:14 no, unless it does it hiddenly 07:11:16 :p 07:11:36 i filled that survey up 07:11:52 was better than last time 07:11:54 No, it will be an explict configuration. 07:13:29 i don't even gave dnssec yet :/ 07:13:41 granted, personal domains eh 07:14:05 s/g /h / 07:14:16 I wouldn't say it's a necessary on your own network, but you should encrypt your DNS traffic for external requests. 07:14:18 s/ g/ h/ 07:14:19 :p 07:14:56 how many servers do it? 07:15:02 dnscrypt-proxy full featured is great :)) 07:15:14 you can put a recursive resolver on top ofc 07:16:30 in reality i should indeed split it up to 3 parts maybe 07:16:53 ketas: I use quad9.net 07:17:32 g0v9? roflma0 07:17:34 if you have own dns server, why bother using public recursors? 07:18:09 ketas: i meant to have your own RR with dnscrypt-proxy as upstream 07:18:25 unbound/bind/any you line 07:18:27 like* 07:19:09 ketas: how else am I going to resolve external DNS that I don't manage? 07:19:40 badkat: you seem to think everything is a backdoor. 07:19:49 which external dns? 07:20:11 I don't doubt for a second the .gov isn't implementing honey traps though. 07:20:22 how do you resolve google.com, ketas? 07:21:17 bind does it locally along the path 07:21:54 luser: they can issue certificates trusted by your root CA just in seconds, no vulnerabilities or such involved :))) 07:21:58 it has copy of . so it don't need to go ask roots wherr com is 07:22:12 then it caches it and next time it's fast 07:22:15 ketas: right, and it queries external DNS servers in plain text unless you encrypt it. 07:22:41 yeah should fix it :p 07:22:58 badkat: no they can't. 07:23:33 luser: maybe you dont know HOW that works, you could tho. 07:23:52 I understand very well how it works and they can't. 07:24:18 dot can be used towards auths as well? 07:24:23 before this internet that is a leftover of the original fenomenom is over, in 10 years you will no have any access to information like today. 07:25:04 luser: r0flma0 07:25:09 internet is not same before and after 2013 07:25:32 next checkpoint 2033 07:25:39 after that 2045 07:26:00 buy some top grade storage devices, LTO should be fine 07:26:09 I don't doubt that govs are trying to restrict info, but they aren't seemlessly issuing fake digital certificates to MitM traffic to snoop on everyone. 07:26:26 luser: not everyone lol, i never meant that. 07:27:08 ketas: do you mean your own authoritive DNS? 07:27:08 those certs are not fake lol, are real, trusted certs. 07:27:33 luser: no, others 07:27:46 And the private keys accossiated to those certs? 07:28:21 luser: they have private programs with the owners, big companies of the north, $$$$$$$$$$$ 07:28:34 ketas: in BIND, you will set your forwarders to an external DNS provider that supports DoT and then enable DoT. Who do you currently use? 07:29:37 badkat: without private keys, they can't generate trusted certificates to anyone 3rd party. 07:29:40 no forwarders at all 07:29:59 luser: they have the private keys r0flma0 its just a file, did you even read? 07:30:11 i took forwarders off since govt mandated filtering started 07:30:25 was isp before 07:31:53 badkat: you have no idea what you're talking about. FIN. 07:32:09 luser: 0k, l00ser. 07:32:24 SYN SYN SYN 07:32:26 ketas: you must have forwarders somewhere to resolve external DNS (like google.com). 07:32:51 no it's direct outside conns now 07:33:58 Ok. So set up forwarders to quad9 with DoT and your DNS will be encrypted. 07:34:21 Cloudflare also offers DoT I believe. 07:36:45 seems like more trouble to me 07:36:58 extra resolvers in the way 07:37:49 ketas: $(just resolve the entire internet once a week) > /etc/hosts 07:38:43 not at all. Instead of recursing from TLD down, you forward to resolvers and utilise their cache (if already resolved) or make them recurse. The difference is your DNS requests are now encrypted and can't be snooped or interfered with on the line. 07:40:12 badkat: hahaha 07:41:09 why don't we encrypt them in the way there then? 07:41:40 i read that dot/doh is only for clients to recursive resolvers 07:42:18 what protects traffic going outside of quad9 07:42:44 nothing hides it iirc, dnssec only signs it 07:44:48 DNSSEC would provide integrity for quad9 requests however there is no attribution to you for the those requests. Encrypting is about protecting your DNS requests: both integrity and from snooping. 07:49:08 well that's correct, can't correlate them to me, well, easily 07:49:29 but i would like dns to have full ssl 07:49:31 :p 07:49:45 when do we get there? 07:52:08 That would be great but that would require every authoritative DNS server to implement TLS in some way to encrypt requests. 07:53:24 some do? 07:53:29 i never looked 07:56:32 You'e using recursive resolution so the best you have is DNSSEC but that's still in the clear. 07:56:59 at that paranoid level, what are chances my sim would get remotely owned? 07:57:14 sim? 07:57:59 yeah like in my phone 07:59:00 phones are completely insecure and, as badkat would attest to, completely backdoored. 08:05:32 or yeah baseband too 08:05:39 it's all fuckup 08:05:44 ketas: by who? build a threat model first 08:06:40 all CPU's have a out of band processor, in mobile communications its worse because it have a pretty damn good antenna xD 08:06:50 who would even sniff in actual internet backbone or isp access network 08:06:57 law enforcement? 08:07:02 they dont need to. 08:07:03 and mitming 08:07:13 they get netflow traffic exported from every IXP 08:07:41 so when you setup your tricky dns circus they can just correlate with a few params 08:07:42 i don't think they actually do? 08:08:00 no mitm, broke ass hoodie techniques 08:08:10 who the hell filters that also 08:09:26 remember they also like have to use same hw as everyone else 08:10:25 depends, blues are at the same level as civs 08:11:29 i mean those systems are not for massive surv, no need to get a shiton of useless data every sec 08:12:16 V.I.Ps make use of those systems to get private monitoring for example, they pay to be protected in real time 08:12:46 i wonder if dns is such a big target anyway 08:12:59 not really 08:13:10 because what happens after dns 08:13:38 if i can get a traffic export even without layer 7 data of the communications 08:14:03 i could simple do a TLS SNI resolution and know which site did you went to 08:14:09 who cares about dns roflma0 08:14:17 first who would even get targeted like thst 08:14:25 in first place 08:14:46 thats a good question 08:15:08 i mean past coffee shop open wifi, it gets hard 08:15:13 but thats the political logic of the issue, im just heading the technical part ;) 08:15:44 we are talkin about companies/countries capacities, not random n00bs using kali linux 08:15:57 of course i would love end to end encrypted channels 08:16:00 in anything 08:16:25 then it gets harder and harder even if you want 08:16:47 fun, even nsa 2013 docs said 08:16:50 we can't 08:16:54 which is like 08:17:00 good 08:17:07 in disney land, sure 08:17:31 look, thing is not the encryption mathematical-theorical power 08:17:54 is about *implementations* of such 08:18:19 did you ever check out how DES encryption works in consumer-grade devices? 08:18:38 i mean if it's faultless implementation with pfs and you can't downgrade, or correlate ot do thise things 08:18:51 yesh 08:18:58 implementations suck 08:19:02 start with DES then research about AES, then RSA 08:19:16 oh it's difficulg 08:19:18 t 08:19:21 the CPU makes the dirty job with the specialized crypto instructions 08:19:40 i like to think it's math 08:20:12 cpu crypto instructions are fun 08:20:16 yep, thats the problem with non-engineers they just believe internet posts, cant have a critical thinking because they are 100% blind on the production process 08:20:22 they could be backdoored :) 08:20:35 but has anyone proven it? 08:20:38 is not backdored actually: degraded performance 08:21:09 well i have to believe since i can't check all 08:21:27 the CPUs are beautiful black boxes 08:21:51 cpu bugs are fun too 08:21:59 yeah :D 08:22:01 there have been several 08:22:17 but you'd bet people look into them 08:23:34 cool micros to play with are the ones with goldmont platform, you can patch/modify microcode :D 08:24:09 after that series, intel enforced a really pain in the ass encryption method that makes it pretty difficult to accomplish 08:41:00 difficult 08:41:21 i once had cpu arch teaching gf, but she ran away 08:41:31 she took that in uni 08:41:34 i haven't 08:50:42 ketas: lucky you :), i never had a techy girl on my life :(((( 08:55:31 you can still have a techy granny 08:56:32 a granny that uses the latest technology to clean her dentures. 08:59:57 la_mettrie: i hope so, common girls dont like my retro-computers/consoles room they think is total trash hoarding i dont give tours there anymore 09:00:21 where are uncommons? 09:00:54 grannies. 09:01:08 Margaret Hamilton is such a hottie tho 09:01:10 w00f w00f 09:01:23 i mean they do exist 09:01:35 even younger ones 09:01:40 somewhere 09:02:14 lol @ margaret hamilton. puke. 09:02:51 luser: actually, puke on your damn ass-tracked pinpointed face 09:03:11 lol 09:03:26 https://en.m.wikipedia.org/wiki/Margaret_Hamilton_(software_engineer) 09:03:34 her? 09:03:42 who else, ofc <3 09:04:33 photo of room btw 09:04:47 i have like unorganized rooms 09:07:32 CRTs are the biggest problem 09:07:38 along JAMMA boards 09:08:41 and the fact that some ICs wont be working in 10-20 years makes me even more anxious :(( 09:08:56 they will just die :( 09:09:55 had to google jamma 09:10:16 japanese arcade systems 09:10:39 i only have some weird soviet nes clone 09:10:43 :p 09:10:48 great! 09:10:56 6052 cpu clones? 09:11:22 I think we should be fearful of solder. It's linked to 5G technology. They're playing the long game. 09:11:40 actually china maybe 09:11:46 but same thing 09:12:04 i don't know what's inside yet 09:12:27 i know it works 09:12:28 there was some interesting CPU/MCUs made in the URSS 09:12:39 prolly not chinese 09:12:39 yeah they cloned 09:13:10 actually i only later found what else did they clone 09:13:12 many things 09:13:17 just like china noe 09:13:19 now 09:14:00 luser: did you ever considered join the ch1n4 military? 09:14:26 china is now curseword :p 09:16:06 no point. they hacked our brains and now control us via their satellites. We're all chinese soldiers now. 09:16:38 they cloned the us satellites using space-based 3d rpinters. don't ya know? 09:16:48 我們製造您的裝置，所以我們管理網際網路，您的屁股屬於深圳的霸主。 09:18:16 luser: not really, but you should join them, they will put a 5g 發射器 in your butt so you can report to the HQ over a encrypted dns tunnel 09:18:40 but it's all hacked bro, so it's pointless, right? 09:19:07 yep, prolly i could get access to your butt remotely if its running linux kernel :) 09:19:43 I'm confident my private keys are private, btw, and have zero concern my digital certificates are safe and secure. 09:20:32 Neat, certified l0o0s3r 09:21:25 We build your device, so we manage the Internet, and you 09:21:26 The butt belongs to the overlord of Shenzhen. 09:21:29 hahaha 09:23:48 x) 09:28:03 hmm, according to google translate, the second one is transmitter, or hair shoot device in separate 09:28:26 hahah yes transceiver 09:28:27 that language is fun 09:28:51 are you khinese kat 09:28:54 :p 09:28:57 imagine having your butt connected to quad9, security is a must! 09:29:19 no lma0, im not. 09:29:28 badapple 09:29:40 nice song :) 09:32:54 :) 09:33:12 how's the desktop failing? 09:33:13 now 09:42:49 thanks for remind me that, by now its ok because i was not using much the desktop today 09:43:16 i think the problem maybe is not be related to ZFS in special 09:43:54 but some virtual memory allocator is doing nasty stuff while using firefox 09:45:06 allocating 14GB for 2 damn tabs is total stupid in my opinion 09:45:37 3G in use and 14GB in INACTIVE state from virtual memory reports 09:45:56 those 14g are from ff process, i dont like that 09:47:38 if i completly close firefox, the desktop stills feels a bit laggy, tried to rest a bit of computers today, tomorrow i will go deep with the kernel i built yesterday to discard some assumptions 10:04:16 14g for 2 tabs? 10:04:28 what do they run 10:05:06 i used to run ff/tb on 2g ram ufs 10:05:11 ff&tb 10:05:17 often 300 tabs etc 10:05:29 i bet 14g is leak tho 10:05:32 badkat: give your system more swap and you will not have that problem. 10:05:48 swap wouldn't help 10:05:54 if you want to use it 10:06:13 In Firefox navigate to "about:memory" in the URL bar and it'll show the breakdown of memory allocation. 10:06:29 it has also tuning there 10:06:53 swap is for god knows what... 100 jails with idle dhclients? 10:07:30 active swapping is bad 10:07:54 and he already has relatively high ram 10:08:10 i mean i can build rust here and llvm 10:08:27 takes most of 4g ram and also allocates 10g swap 10:08:43 takes a day and it does complete 10:09:02 and the huge cost of time 10:13:16 s/and/at/ 11:18:11 oh hw is fun, what was that demo, some game console iirc, the color palette was meh but they found some hack to put full color photo there 11:20:11 do we even use the /development directory on the FreeBSD downloads page anymore? it has CSRG and CVS/SVN files. too old to sync now, right? 11:29:03 From base, how can I create a password hash on the command line? e.g. $2a$12$UkMrEMMQocdYI4yj4VBPs.69yAtPne3D2MT3KpuMAfg48ZbetzZvq 11:29:19 I know passwd can do that, but that would modify my password, I just want the hash. 11:30:01 htpasswd would also work, but that's not in base. 11:36:53 echo -n "password" | openssl passwd -6 stdin 11:37:36 man openssl-passwd for more details 11:47:23 luser: Works, thanks. Seems that AdGuard can't use that 'advanced' hashing algorithm. Also tried -1 etc. Seems only a password, so far, starting with $2.. works 11:49:57 No proebs. I got that from https://search.brave.com in the AI response and it got that from FreeBSD forums, so there might be additional information from there. 12:42:43 ivy: yes I saw that comments, I think its great somebody(tm) is putting more thought into it. Once we hit 15.0-RELEASE we'll be largely stuck with it for quite a while. 12:46:43 benjamino: I suspect you can't use syscons & drm-kmod together, got to pick either 1990s tech or 2010s tech 12:50:58 but I would like to know for sure 12:52:52 dch: yeah, i figured it out in the morning, i opted for vt in the end, it works fine i suppose, especially because man pages say that syscons will be removed in newer versions of freebsd 12:53:15 we keep saying things like that in manpages but it might take a decade :D 12:53:32 oh 12:53:53 why did you have to tell me this... now i'm reconsidering syscons again 12:54:46 unless vt is broken for your use case may as well stick with it 12:57:47 dch: well, it's alright... for now. thanks! 16:44:26 beastie: my system doesnt even reachs swap, wtf? 16:44:47 what do you mean? 16:44:53 that's not true... 16:44:59 ? 16:45:26 O_o 16:45:43 how can't your system reach swap if you have virtual memory? 16:47:05 you add swap for the irregular case that you have more memory in use than your actual physical memory. that simply allows your system to continue, instead of start spitting a lot of out of memory errors. 16:47:17 my swap device is never used 16:47:45 i have 2G swap, always 2048 unused, what do you mean 16:48:14 i have like 10G free memory also 16:48:19 what do you mean? 16:48:34 my system has 8Gb of memory and normally has over triple that quantity of swap in use, by several users using google chrome simultaneously. 16:48:56 i have 32gb + 2gb swap 16:49:04 i never reach to write the swap device 16:49:21 also vm.overcommit=0 16:50:26 actuallyy have 8 gigas of ram and 48Gb of swap distributed in 4 mechanical disks... this allows me to hold several users with a desktop each, and running theyr own chrome browser without having out of memory messages. 16:51:07 i never get out of memory issues 16:51:12 dont know what you talk about 16:51:15 thanks tho 16:51:23 i dont either... but I did. 16:51:37 I did my acocunting and the issue revealed. 16:52:07 I have four hard disks actually dedicated exclusivelly to swap. 16:52:14 im sure we are talking about different issues beastie 16:52:34 probably... but I was mentioned, like now... 16:52:51 i have weird freezing problems, outside of firefox too, with even 30gb free of ram 16:53:08 started to happen after upgrade to 14.2 from .1 16:53:27 I have not even read the discussion... probably the mention was for you, and the tab key intervened to change the nicks. 16:53:47 I'm running 14.2 16:54:29 have you upgraded recently, 14 has a change of abi, so you should upgrade probably many packages. 16:55:04 I have had freezes after an update that have repaired with that.... not a swap problem. 16:55:44 almost anything (any kernel loaded module... video driver... etc. can trigger a halt) 16:56:03 i did pkg upgrade -f as i do every time i do minor/major base-upgrades 16:57:09 yes i suspect about 3 modules, openzfs/drm61-kmod and ethernet-kmod from pkg 16:57:30 realtek-re-kmod 17:47:32 anyone is using Gitlab? I'm wondering how do you turn off logging for api_json.log 17:50:23 mage: check the gitlab-rails configuration, use a symlink to /dev/null in the output file for api_json 17:55:21 gitlab-rails ..? 17:56:34 I don't have such thing .. it's gitlab-ce compiled from poudriere 17:56:47 mage: is a component of it 17:57:00 gitlab.rb should have the logging subsystem configuration 17:57:22 should be in /usr/local/www/gitlab-ce/... 17:58:18 each "rail" is the logging channel iirc 17:59:00 I have https://gist.github.com/silenius/0fa74ff60c7531fb35bde625ab4a9f53 18:00:11 I'm wondering why it is simply not configurable in the config/gitlab.yml file 18:02:01 gitlab is complex, i would choose cgit/gitea/forgejo if im managing a git service for small-medium organization 18:09:39 gitlab is a hog, i switched to gitea and haven't been happier 18:11:02 yep but switching is currently not an option .. maybe on the mid/long term .. 18:21:25 mage: is gitlab-ce in ports the omnibus? does it run their ansible scripts when you do stuff? 18:22:03 no 18:22:49 is the api_log from rails or from nginx? 18:23:15 rails ofc 18:23:31 (also how is this a problem?) 18:23:56 xD, maybe is running out of space in the logs partition 18:24:12 so logrotate the shit out of it, with minimal retention 18:24:17 the problem is that it grows to multiple gigabytes in some days 18:24:24 same for sidekiq.log 18:24:37 logrotate, check gitlab community edition docs 18:25:24 er, sorry, 18:25:48 yeah.. I could manage it with newsyslog 18:26:25 yes, i meant newsyslog.. working the wrong OS for too long 18:26:42 but it's crazy that you can't configure that in config/gitlab.yml or config/another.yml file 18:27:16 you can, doesnt seem like you want to read the docs 18:27:23 so.. rftm :) 18:27:29 the number of times i've had to grep the source to understand how to set something in the config file is nonzero 18:27:42 I'd like to be happy to see where in the doc 18:28:03 the gitlab docs website? lol 18:28:38 apparenlty it doesn't apply to the "version" which is in the ports 18:29:04 it does, the files are layered a bit different, thats all 18:29:08 that was the other thing that tested my patience with gitlab, the six or so versions from free to enterprise 18:29:12 and varying features in each 18:29:21 i managed gitlab over freebsd for years 18:29:36 everything is there, you should not bother with ruby code 18:29:50 just learn where is everything and how to use rake 18:30:46 i also got tired that every rake operation took a nontrivial amount of time 18:31:06 likewise for mastodon, how does `tootctl help` take 20 seconds to run 18:31:13 :P 18:31:28 I have to use rake to configure logging? 18:31:45 no, i mean is part of the administrator must-know 18:32:33 my last bit of sand to help you, google: log rotation gitlab community docs 18:32:47 get into the website, read. 18:34:02 badkat: I'm FreeBSD admin for years.. I don't need doc to configure newsyslog 18:35:02 I have read the doc several times, nothing works (their GITLAB_LOG_LEVEL, etc) 18:36:52 I'm on https://docs.gitlab.com/administration/logs/ 18:40:27 have you asked in a gitlab channel? 18:41:24 i had explained you about the gitlab rails first, is gitlab.rb inexistent? 18:42:07