Stefano Marinelli
@stefano@mastodon.bsd.cafe  ·  activity timestamp 3 months ago

On 14th July (though it was already the 15th here), some of my monitoring jails started throwing errors. Not all of them, though. On the same host, an Uptime Kuma instance was showing a ton of servers down, while LibreNMS wasn't displaying any issues. After investigating, I discovered why. The jail running LibreNMS was using local_unbound (integrated into FreeBSD), while the other, perhaps for speed, was using Cloudflare's DNS.

DNS is like email, the Fediverse, and other similar services: they work better and make us freer when they're decentralized.

Let's go back to decentralizing the internet. Its very existence, as we've known it, depends on it.

#BeFree #Decentralization #SysAdmin #IT #Technology #Internet #Networking

subnetspider
@subnetspider@mastodon.bsd.cafe replied  ·  activity timestamp 3 months ago
@stefano That's why I always use multiple DNS providers. Since I used Quad9 and Cloudflare, there were no outages on my hosts. Relying on monoculture is almost always a bad idea. :)
Stefano Marinelli
@stefano@mastodon.bsd.cafe replied  ·  activity timestamp 3 months ago
@subnetspider When I'm in a hurry, I often put 1.1.1.1 and 9.9.9.9 - but it seems that, sometimes, it continues to try to use 1.1.1.1 (the first).
TomAoki
@TomAoki@mastodon.bsd.cafe replied  ·  activity timestamp 3 months ago
@stefano @subnetspider
IIRC and IIUC, resolvers use unprioritized DNS only when prioritized DNS times out. So if the primary DNS is poisoned, there is no way to know that unless manually querying another DNS with drill or nslookup.
okapi
@okapi@fosstodon.org replied  ·  activity timestamp 3 months ago
@stefano @subnetspider If you do that, you're part of the problem. I was actively blocking them at my firewall but it has got so bad with, especially Android, software that I changed it to NAT requests to my own DNS server - which just does its own recursive resolution.
Stefano Marinelli
@stefano@mastodon.bsd.cafe replied  ·  activity timestamp 3 months ago
@okapi @subnetspider I'm usually doing that only if, then, I'm going to configure my own local unbound. Sometimes, I forget to modify it. Still, it's only and always on secondary services
subnetspider
@subnetspider@mastodon.bsd.cafe replied  ·  activity timestamp 3 months ago
@stefano True, I guess I was just lucky with the devices that do DNS resolution. Some only seem to have multiple DNS server fields for the sake of load balancing, not failover. In the latter case, hosts just tend to wait indefinitely for the first resolver to reply...
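The thread's point that a stub resolver only moves past its first nameserver on timeout, so an outage is slow to surface and a wrong answer is never noticed, can be checked from a monitoring host by asking every configured resolver the same question and comparing the replies. This is an added example, not part of the original thread; the helper names are hypothetical and it handles only A records over UDP.

```python
# Added illustration: helper names are hypothetical, A records over UDP only.
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A/IN query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Offset just past a name; a compression pointer (2 bytes) ends it."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    """Return (rcode, sorted A-record addresses) from a DNS response."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record; CNAMEs etc. are skipped
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, sorted(addrs)

def ask(resolver, name, timeout=2.0):
    """Query one resolver; None means timeout, unreachable or unparsable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((resolver, 53))           # kernel drops replies from other sources
            s.send(build_query(name))
            return parse_a_records(s.recv(4096))
        except (OSError, struct.error, IndexError):
            return None

def compare(results):
    """Return (resolvers with no reply, {(rcode, addrs): [resolvers]})."""
    dead = sorted(r for r, v in results.items() if v is None)
    groups = {}
    for r in sorted(set(results) - set(dead)):
        groups.setdefault((results[r][0], tuple(results[r][1])), []).append(r)
    return dead, groups
```

Call `compare({r: ask(r, "example.org") for r in resolvers})` with the resolvers a host actually uses. More than one answer group is a prompt to look closer rather than proof of tampering, since CDN-hosted names legitimately return different addresses per resolver.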