@Dashrender said in Move dns hosting to Cloudflare?:

@JaredBusch said in Move dns hosting to Cloudflare?:

@JokkeM said in Move dns hosting to Cloudflare?:

@JaredBusch

You have public DNS servers that are the authoritative source for your domains? - Yes
These servers are in our datacenter and they have like ~300 zones

By doing the "move dns hosting to CF" i would get rid of those 3 servers totally.

Do this today. I would hate to have to run public, authoritative DNS servers.
Just for DNS, I cannot imagine how CloudFlare would not be cheaper than running this yourself. Unless you are doing more than just DNS, CloudFlare is free.

They have a great API for managing things at scale.

I'm thinking the same thing - in fact, unless you've been running these servers since the mid 90's I can't see any reason why you could do that. Most registrars offered the DNS hosting as part of the cost of the domain registration. Sure they might not have had simple APIs for managing them... but damn, self hosted just seems - odd.

It actually simplifies some things (and makes others harder.) It's not common and there are good reasons to not do it, but there are good reasons to want it, too.

@huzefa22 said in Same subdomain name internal and external i have an issue with the DNS, specifically emails:

@Dashrender when i ping mail.abc.xyz.com i don't get a reply, the SOA is the primary and the secondary domain on the local domain. i don't know if this is what you were asking.

Regards,
Huzefa

Never test DNS with ping. Test with nslookup. Whether you can ping or not is a factor of many things, DNS just one of them and only sometimes. nslookup tests DNS and nothing else.

@mroth911 said in locking down network:

so basically I am helping with my church/School , they need to connect to apple/android store. youtube. but social media sites locked down and p2p networks and anything inappropriate for k-12.

So OpenDNS is doing the trick for now., However there is no cherry picking, and certain users need the ability to connect to facebook as well. Posting via webpage what is going on in school etc.

Thats the situation at hand.

They received a letter that someone on the network was downloading from BitTorrent. and it broke digital media anti-piracy law. etc. So they are naturally freaking out.

This is something I want to setup and walk away.. I am just doing this to help them.

Blocking Bittorrent without an application level firewall isn't that easy. Talking to the tracker happens via DNS, but talking to the other clients normally is just via IP address.

You could block all non needed outbound ports - but again, I think Bittorrent can work over port 80 and 443, so not really that helpful.

@Donahue said in Where do I start with replacing the whole MS AD stack:

sing reservations.

I think your knowledge of FG is not allowing you to do this, just create a new interface with the desired subnet and leave or tick DHCP option. And they you can do it what you want with it. Create an IPv4 policy to give access to internet to the new interface.

@aboka said in Setup LetsEncrypt Certbot with CLoudFlare DNS authentication (Ubuntu):

hi, thanks for sharing this guide, would like to ask, what port does ppa:certbot use? im running nginx and its already using 80 & 443. i need to find a way to renew the cert when using Cloudflare as the common way(certbot renew) will not work. thank you.

There are certbot options to use the running server (Nginx in this case.) But I agree with Jared, better to use DNS.

@JaredBusch said in DNS Update Issue:

@scottalanmiller the issue with nslookup being useless is stupid though.

Agreed, that's really messed up.

@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

@stuartjordan said in Handling DNS in a Single Active Directory Domain Controller Environment:

I believe the forest level with Samba can only be 2008R2 though.

If you're not using Windows AD, what's it matter?

If he's merging in DFS, it might. It's rare to do, but could matter.

Oh I see, so Windows AD and other services were involved at some point.

Depending on what you want to do, sometimes AD has to support it.

The settings are
network.trr, network.trr.mode and network.trr.uri

Also what's in /etc/resolve.conf?

@jaredbusch said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:

The entire concept is just stupid.
You cannot hide from your provider.

I'd agree with you, at least for now. This is just one small step in the right direction. It won't really make much difference until it's supported by all endpoints.

@momurda said in Public DNS Provider Comparison:

Unlike FB, CloudFare actually makes products and sells them to customers.

An example: MangoLassi is a commercial CloudFlare customer. Without CF, we'd never be able to push the 200 million hits a month we sometimes take here!

@gap579137 said in Add porn blocking to your Pi-hole:

We have a very good list at [site redacted] if you would like to at it to you lists.

Interesting concept..
491adb7c-e991-4b5a-bb1c-0ff38aee2d06-image.png

Maybe they were using 1.1.1.1 as a null route?

@jimmy_k said in Urgent: How to fix this FreePBX Repo Access Issue?:

@jimmy_k Well, I just fixed it
I modified etc/resolv.conf by putting this

nameserver same as DNS1
nameserver same as DNS2

That's what that script is supposed to do. If you did this, it means either you never activated the script or it is broken and will stop working again.

@scottalanmiller said in What does Quad9 do the Pihole does not:

@thwr said in What does Quad9 do the Pihole does not:

@jaredbusch said in What does Quad9 do the Pihole does not:

@thwr said in What does Quad9 do the Pihole does not:

Just from reading I would say he's using Quad9 as upstream DNS for his PiHole (which is used by clients)

I know that. I mean, what is the service Quad9 doing.

It's another "privacy" friendly DNS driven by IBM, Packet Clearing House (PCH) and Global Cyber Alliance (GCA). Placed as an alternative to Google's DNS

"Privacy friendly" is what we are worried about. It's from the US gov't so we really don't trust it.

I'm sure you've noticed the quotes around "privacy".

@tim_g said in Quad9 DNS Malicious Domain Blocking Service:

I stopped testing Quad9 on my computer. I've been having some weird issues with GitLab errors on the website. As soon as I plugged in Google's DNS, it worked.

But then again, a refresh or two got it working again while I was still using Quad9.

I'll update later to report if any issue like that returns now that I'm using Google on my computer.

Nope, was not Quad9 related.

I think it's some kind of timeout I never noticed before or GitLab is having issues.

@scottalanmiller said in Home Network Setup:

@jmoore said in Home Network Setup:

@scottalanmiller said in Home Network Setup:

@dashrender said in Home Network Setup:

The whole crux of my ask was - the desire to buy as few Windows Server CALs as possible.

This is unrelated to the question asked, though.

you know i have noticed you and dash really communicate differently. not good or bad, just different. then you both have trouble understanding the other. from the many threads i have read with you two, that is the common theme i have seen.

I'd assume part of it is that I am highly literal. That tends to be a root of many communications issues for me in general.

yeah i think your right you are literal. i had to adjust my communication with you. that was my fault though, i am used to having to be so unliteral with my users because i would lose them that i got into that bad habit lol. i know for me, i was not explaining my thoughts in a well laid out way and that made me harder to understand and threw you off. did i do better that time?

@nerdydad said in How to choose public DNS provider for an ISP:

or should I give them something that is more privacy focused but might also restrict their access to the internet.

But OpenDNS does nothing of the sort. It is a pubic open DNS service available for anyone to use.

EchoDot came back hard.

I disabled the pi-hole for 5 minutes (setting in the menu on the left) and poof. it is happy again.

0_1523583914500_7ec4ae68-6fbc-466c-b499-3cad488459ef-image.png

0_1523583888016_b5fd7e49-7c6a-4d40-9498-e7362394b34e-image.png