Hi All,
Fedora 37 bind-9.18.12-1.fc37.x86_64
I am running a caching DNS server on my computer.
I have the /etc/named.conf set to
# the following forwarders is Family Friendly Open
# DNS (no porn sites):
forwarders { 208.67.222.123; 208.67.220.123; };
Problem. Open DNS is specifically blocking tor.bravesoftware.com, screwing up my Brave Browser Private Windows with TOR.
The workaround is to temporarily switch to google as my forwarder, and let Brave Browser download the required Tor daemon, then switch back.
So, next time I need a new daemon, I thought of just hard coding tor.bravesoftware.com into /etc/hosts, but I do not have such a critter in my system
Q1. Is that on purpose? Did Fedora drop /etc/hosts?
Q2. If I created my own hosts, would it be read first or after named?
Q3. Is there a way to hard code tor.bravesoftware.com into named?
Many thanks, -T
I checked those DNS resolvers out of curiosity. Indeed porn is blocked. Cool. I don't have any kids or anyone I want to limit in mapping from getting to porn sites, so I trust myself. :) Nice though.
B
On 3/15/23 19:16, Bill Cunningham wrote:
I checked those DNS resolvers out of curiosity. Indeed porn is blocked. Cool. I don't have any kids or anyone I want to limit in mapping from getting to porn sites, so I trust myself. :) Nice though.
B
I don't trust myself to not klutz click on something that sends me to a porn site seething with viruses.
I can see why Open DNS would block tor.bravesoftware.com as it would be a method of bypassing the porn blocks.
When I am on Tor looking up things that are nobody else's business, I rely on the onion to keep reverse logging from getting back to me.
On Wed, 2023-03-15 at 18:58 -0700, ToddAndMargo via users wrote:
Problem. Open DNS is specifically blocking tor.bravesoftware.com, screwing up my Brave Browser Private Windows with TOR.
And therein lies a problem with censorship, where someone else has set the boundary. I can see why they made that decision, though. And I'll bet that you're going to see far more things blocked than just this.
Q1. that on purpose? Did Fedroa drop /etc/hosts?
As far as I was aware, if you create one it can be used. And it might be your simplest solution to this problem.
Before I ran a DNS server I became aware that my ISP's DNS server was terribly slow, and often didn't return results for their own services. I had to put the IP record for their own usenet server in my hosts file. That solved that problem. But it was also terrible at resolving names for everything, so I ended up learning how to use BIND, and have been running it ever since.
Q2. If I created my own hosts, would it be read first or after named?
Traditionally hosts was consulted before other measures (making it useful as an override). The priority of what is consulted to resolve names is set in /etc/nsswitch.conf (name server switch config file). Scroll down until you find the hosts line. There's often a hashed-out example, followed by what's actually used. The left-most entry is used first, and it walks across the line until it finds an answer.
Mine's quite bare:
#hosts:     db files nisplus nis dns
hosts:      files dns
Q3. Is there a way to hard code tor.bravesoftware.com into named?
It's possible, though it can be unwise (you mightn't know all the info about the domain you ought to put in, if they change their info you'd need to change your local version, and it could take some time before you worked out that had happened).
In /etc/named.conf you'd specify a zone file for the records. I'm showing an example from something else on my BIND server:
zone "testbed.lan" {
        type master;
        file "static/testbed.lan.zone";
};
That filepath would be /var/named/static/testbed.lan.zone on a non-chrooted system. And on a chrooted system, it's probably: /var/named/chroot/static/testbed.lan.zone
And in that zone file, you need some basic data, plus the actual domain name's IPs.
$ORIGIN .
$TTL 86400      ; 1 day
testbed.lan             IN SOA  ns.testbed.lan hostmaster.testbed.lan (
                                42         ; serial
                                300        ; refresh (5 minutes)
                                900        ; retry (15 minutes)
                                3600       ; expire (1 hour)
                                1800       ; minimum (30 minutes)
                                )
                        NS      ns.testbed.lan.
                        A       192.168.1.1
                        MX      1 mail.testbed.lan.
$ORIGIN testbed.lan.
mail                    A       192.168.1.1
ns                      A       192.168.1.1
web                     CNAME   www
www                     A       192.168.1.1
Looking at the data in it, the pertinent bits to a domain, starting at the third line, there's the domain name, its nameserver address, the contact address for the record (the first dot is where the @ sign normally goes). Further down is the NS record, the A record for the whole domain, the MX record for its mail server. Then some A records and a CNAME record. You'd have to customise all of that.
If I do a dig request on tor.bravesoftware.com, I get this:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> tor.bravesoftware.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50941
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tor.bravesoftware.com.         IN      A

;; ANSWER SECTION:
tor.bravesoftware.com.          300     IN      CNAME   d2dy5tljjyhryf.cloudfront.net.
d2dy5tljjyhryf.cloudfront.net.  60      IN      A       18.67.111.68
d2dy5tljjyhryf.cloudfront.net.  60      IN      A       18.67.111.71
d2dy5tljjyhryf.cloudfront.net.  60      IN      A       18.67.111.87
d2dy5tljjyhryf.cloudfront.net.  60      IN      A       18.67.111.9

;; AUTHORITY SECTION:
d2dy5tljjyhryf.cloudfront.net.  1830    IN      NS      ns-1729.awsdns-24.co.uk.
d2dy5tljjyhryf.cloudfront.net.  1830    IN      NS      ns-831.awsdns-39.net.
d2dy5tljjyhryf.cloudfront.net.  1830    IN      NS      ns-1165.awsdns-17.org.
d2dy5tljjyhryf.cloudfront.net.  1830    IN      NS      ns-288.awsdns-36.com.

;; Query time: 1933 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 16 13:23:57 ACDT 2023
;; MSG SIZE  rcvd: 291
Which gives you a CNAME and A records you could make use of, as well as several NS records. Looking at the info, and the nature of tor, I'd hazard a guess that from one time to another, the CNAME is going to change, and you'd need all the A records for the new host.
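To see the nsswitch ordering described above actually decide a lookup, here is an added Python model (not from this thread or from glibc) that walks the hosts: sources left to right over constructed stand-ins for nsswitch.conf, /etc/hosts and the answers named would return. The only assumption beyond the thread is glibc's default order ("files dns") when the hosts: line is missing.

```python
import ipaddress

# Constructed stand-ins for /etc/nsswitch.conf and /etc/hosts (the latter with
# the override added later in this thread); no real files are read.
NSSWITCH = "#hosts: db files nisplus nis dns\nhosts: files dns\n"
HOSTS = """\
127.0.0.1   localhost localhost.localdomain
# override OpenDNS's block of tor.bravesoftware.com
146.112.61.106  tor.bravesoftware.com
"""
# Constructed stand-in for what named answers after following the CNAME
# (addresses taken from the dig output quoted in this thread).
DNS_TABLE = {"tor.bravesoftware.com": ["18.67.111.68", "18.67.111.71"]}


def hosts_order(nsswitch_text):
    """Return the source list from the active (uncommented) 'hosts:' line."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return ["files", "dns"]  # assumed glibc default when no hosts: line exists


def parse_hosts(hosts_text):
    """Map each name in hosts-file text to its addresses, skipping comments."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr = str(ipaddress.ip_address(fields[0]))  # raises on a malformed address
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolve(name, nsswitch_text=NSSWITCH, hosts_text=HOSTS, dns_table=DNS_TABLE):
    """Walk the sources left to right; return (source, addresses) of the first hit."""
    name = name.lower().rstrip(".")
    for source in hosts_order(nsswitch_text):
        if source == "files":
            hit = parse_hosts(hosts_text).get(name)
        elif source == "dns":
            hit = dns_table.get(name)
        else:
            hit = None  # db, nis, nisplus, myhostname etc. are not modelled
        if hit:
            return source, hit
    return None, []


if __name__ == "__main__":
    print(resolve("tor.bravesoftware.com"))                      # hosts entry wins
    print(resolve("tor.bravesoftware.com", "hosts: dns files"))  # DNS answer wins
```

Note that `host` and `dig` talk to the nameserver directly and never consult /etc/hosts, so they cannot show whether an override is in effect; `getent hosts tor.bravesoftware.com` goes through the nsswitch order that applications use.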
On 3/15/23 20:09, Tim via users wrote:
Thank you!
I will go the hosts route.
If I get bumped on something by OpenDNS, I can always add to hosts or just use Tor.
On 3/15/23 20:19, ToddAndMargo via users wrote:
I will go the hosts route.
I actually have an /etc/hosts. I was in the wrong directory. :'(
After adding tor to my /etc/hosts,
# override OpenDNS's block of tor.bravesoftware.com
146.112.61.106  tor.bravesoftware.com
host lights up like a Christmas tree:
# host tor.bravesoftware.com
tor.bravesoftware.com is an alias for d2dy5tljjyhryf.cloudfront.net.
d2dy5tljjyhryf.cloudfront.net has address 13.227.74.94
d2dy5tljjyhryf.cloudfront.net has address 13.227.74.111
d2dy5tljjyhryf.cloudfront.net has address 13.227.74.127
d2dy5tljjyhryf.cloudfront.net has address 13.227.74.67
d2dy5tljjyhryf.cloudfront.net has IPv6 address 2600:9000:2202:6400:1d:3229:71c0:93a1
d2dy5tljjyhryf.cloudfront.net has IPv6 address 2600:9000:2202:4a00:1d:3229:71c0:93a1
d2dy5tljjyhryf.cloudfront.net has IPv6 address 2600:9000:2202:c000:1d:3229:71c0:93a1
d2dy5tljjyhryf.cloudfront.net has IPv6 address 2600:9000:2202:ce00:1d:3229:71c0:93a1
d2dy5tljjyhryf.cloudfront.net has IPv6 address 2600:9000:2202:ea00:1d:3229:71c0:93a1
d2dy5tljjyhryf.cloudfront.net has IPv6 address 2600:9000:2202:400:1d:3229:71c0:93a1
d2dy5tljjyhryf.cloudfront.net has IPv6 address 2600:9000:2202:8a00:1d:3229:71c0:93a1
d2dy5tljjyhryf.cloudfront.net has IPv6 address 2600:9000:2202:c600:1d:3229:71c0:93a1
On Thu, 2023-03-16 at 13:39 +1030, Tim via users wrote:
Traditionally hosts was consulted before other measures (making it useful as an override). The priority of what is consulted to resolve names is set in /etc/nsswitch.conf (name server switch config file). Scroll down until you find the hosts line. There's often a hashed-out example, followed by what's actually used. The left-most entry is used first, and it walks across the line until it finds an answer.
Mine's quite bare:
#hosts:     db files nisplus nis dns
hosts:      files dns
I probably should have pointed out that, in this example, the "files" option means to refer to the /etc/hosts file.
Elsewhere in nsswitch.conf, a files option refers to some other file, pertinent to that part of the configuration.
ToddAndMargo via users wrote:
I actually have an /etc/hosts. I was in the wrong directory. :'(
Joe Zeff:
Oh, good. If you look at what's in there by default, you'll see how much your system depends on it being there.
I was of the impression that the localhost lines were presumed, anyway. I'll have to do some tests on a few different installations, removing it.
On Wed, 2023-03-15 at 20:41 -0700, ToddAndMargo via users wrote:
I actually have an /etc/hosts. I was in the wrong directory. :'(
After adding tor to my /etc/hosts,
# override OpenDNS's block of tor.bravesoftware.com
146.112.61.106  tor.bravesoftware.com
host lights up like a Christmas tree:
# host tor.bravesoftware.com
tor.bravesoftware.com is an alias for d2dy5tljjyhryf.cloudfront.net.
d2dy5tljjyhryf.cloudfront.net has address 13.227.74.94
d2dy5tljjyhryf.cloudfront.net has address 13.227.74.111
...[snip]...
I thought that would probably work. The alias bits would be dynamic, and you're better off not having to manage that yourself.
Any censoring server/software would cause serious breakage blocking cloudfront, so much of the WWW is served from it, so I thought they'd leave that half of the equation alone. For smaller hosts, they may block them, thinking that the host would ditch any bad clients to get themselves unblocked. After all, that's been a common approach at reining in spam sources, over the years.
On 3/16/23 04:09, Tim via users wrote:
In /etc/named.conf you'd specify a zone file for the records. I'm showing an example from something else on my BIND server:
Good advice, you can just create a zone in your named.conf. Then in that zone you have two options:
1. just declare that forward should be done through specific DNS servers
For example:
zone "bravesoftware.com" IN {
        type forward;
        forward only;
        forwarders { 8.8.8.8; 8.8.4.4; };
};
or
2. define the zone yourself, like in the "testbed.lan.zone" example below.
What many people ignore is that you are not forced to describe an entire zone; since DNS is a hierarchy, there is no difference between a zone and a host. So you can override a single host. For example, to point www.google.com to 101.102.103.104 you can add:
zone "www.google.com" {
        type master;
        file "named.www.google.com";
};
and then a file called "/var/named/named.www.google.com" which contains:
$TTL 86400
@       IN      SOA     ns.www.google.com. root.ns.www.google.com. (
                        2023030101      ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        50W             ; Expire
                        1D )            ; Minimum
; NS ns
        IN      NS      ns.www.google.com.
        IN      A       101.102.103.104
ns      IN      A       127.0.0.1
where, you can see, the important part is that for the zone "www.google.com" we decide there are two entries, of which the first is (note the empty string) "www.google.com" at 101.102.103.104, and the second is (note "ns") "ns.www.google.com" at 127.0.0.1.
(All the "ns" parts are not important, but DNS zones are usually defined in this way; I've never tried to trim the file further)
zone "testbed.lan" {
        type master;
        file "static/testbed.lan.zone";
};
That filepath would be /var/named/static/testbed.lan.zone on a non-chrooted system. And on a chrooted system, it's probably: /var/named/chroot/static/testbed.lan.zone
And in that zone file, you need some basic data, plus the actual domain name's IPs.
$ORIGIN .
$TTL 86400      ; 1 day
testbed.lan             IN SOA  ns.testbed.lan hostmaster.testbed.lan (
                                42         ; serial
                                300        ; refresh (5 minutes)
                                900        ; retry (15 minutes)
                                3600       ; expire (1 hour)
                                1800       ; minimum (30 minutes)
                                )
                        NS      ns.testbed.lan.
                        A       192.168.1.1
                        MX      1 mail.testbed.lan.
$ORIGIN testbed.lan.
mail                    A       192.168.1.1
ns                      A       192.168.1.1
web                     CNAME   www
www                     A       192.168.1.1
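To make the single-host override described above concrete, here is an added Python helper (not the poster's files) that emits the named.conf stanza and a minimal zone for one hostname, copying in the address records dig returned. It assumes the zone file sits under named's directory (/var/named) and a YYYYMMDDnn serial; the 127.0.0.1 address for the ns record and the short TTL are choices made here, not taken from the thread.

```python
"""BIND single-host override: named.conf stanza plus zone text (added example,
not the poster's files). Assumes /var/named as named's directory and a
YYYYMMDDnn serial; the ns address and the TTL are choices made here."""
import ipaddress


def override_stanza(host, zone_file):
    """named.conf stanza: a master zone whose apex is the host name itself."""
    return 'zone "%s" { type master; file "%s"; };' % (host, zone_file)


def override_zone(host, addresses, serial, ttl=300):
    """Zone text with SOA, NS and one A/AAAA record per supplied address.

    A CNAME cannot share the apex with SOA/NS, so for an alias such as
    tor.bravesoftware.com the target's current addresses are copied in and
    must be refreshed when they change; the short TTL limits stale caching.
    """
    if not addresses:
        raise ValueError("an override zone with no addresses makes the host unresolvable")
    lines = [
        "$TTL %d" % ttl,
        "@   IN SOA ns.%s. hostmaster.%s. (" % (host, host),
        "        %d ; serial (YYYYMMDDnn)" % serial,
        "        1H ; refresh",
        "        15M ; retry",
        "        1W ; expire",
        "        %d ) ; minimum" % ttl,
        "    IN NS ns.%s." % host,  # blank owner inherits the apex from the SOA line
    ]
    for addr in addresses:
        ip = ipaddress.ip_address(addr)  # rejects typos before named loads the file
        lines.append("    IN %s %s" % ("A" if ip.version == 4 else "AAAA", ip))
    # Last on purpose: an explicit owner would be inherited by any later blank-owner line.
    lines.append("ns  IN A 127.0.0.1 ; assumed: only ever queried by the local resolver")
    return "\n".join(lines) + "\n"


def records_by_type(zone_text):
    """Count record types in zone text: a cheap sanity check before reloading named."""
    counts = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "IN" in fields and fields.index("IN") + 1 < len(fields):
            rtype = fields[fields.index("IN") + 1]
            counts[rtype] = counts.get(rtype, 0) + 1
    return counts


if __name__ == "__main__":
    print(override_stanza("tor.bravesoftware.com", "named.tor.bravesoftware.com"))
    print(override_zone("tor.bravesoftware.com",
                        ["18.67.111.68", "18.67.111.71", "18.67.111.87", "18.67.111.9"],
                        serial=2023031601))
```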