On Wed, 15 Apr 2020 07:49:28 -0400
Greg Wooledge wrote:
> On Tue, Apr 14, 2020 at 07:12:47PM -0400, Lee wrote:
> > On 4/14/20, Greg Wooledge wrote:
> > > Accessing the mirrors via https makes the packages un-cacheable, which
> > > makes the traffic volume significantly greater -- and the package
On Wed 15 Apr 2020 at 07:49:28 (-0400), Greg Wooledge wrote:
> On Tue, Apr 14, 2020 at 07:12:47PM -0400, Lee wrote:
> > On 4/14/20, Greg Wooledge wrote:
> > > Accessing the mirrors via https makes the packages un-cacheable, which
> > > makes the traffic volume significantly greater -- and the pack
On Tue, Apr 14, 2020 at 07:12:47PM -0400, Lee wrote:
> On 4/14/20, Greg Wooledge wrote:
> > Accessing the mirrors via https makes the packages un-cacheable, which
> > makes the traffic volume significantly greater -- and the package lists
> > are already signed, so there's no gain in trustworthine
Hi.
On Tue, Apr 14, 2020 at 10:26:09PM +0100, Liam O'Toole wrote:
> On Tue, 14 Apr, 2020 at 23:42:48 +0300, Reco wrote:
>
> [...]
>
> > > 2. Having completed a DNS lookup unbeknownst to the ISP, we still have
> > > to make a connection to the resulting IP address through the ISP's
> > >
On Tue, 14 Apr, 2020 at 18:00:41 -0500, John Hasler wrote:
> Liam writes:
> > I think you misunderstand me. I'm talking about making a connection to
> > an IP address that you have already obtained by (encrypted) DNS. For
> > example, your personal bind instance tells you that www.debian.org
> > re
On 4/14/20, Greg Wooledge wrote:
> On Mon, Apr 13, 2020 at 07:03:12PM -0400, Lee wrote:
>> dnssec just adds a cryptographic signature to the data -- everything
>> is still done "in the clear" (like Debian updates. or has buster
>> switched to using https for downloading updates?)
>
> The apt-tran
Liam writes:
> I think you misunderstand me. I'm talking about making a connection to
> an IP address that you have already obtained by (encrypted) DNS. For
> example, your personal bind instance tells you that www.debian.org
> resolves to 130.89.148.77. Assuming you then connect to that IP
> addre
On Tue, 14 Apr 2020 22:26:09 +0100
Liam O'Toole wrote:
> On Tue, 14 Apr, 2020 at 23:42:48 +0300, Reco wrote:
>
> [...]
>
> > > 2. Having completed a DNS lookup unbeknownst to the ISP, we still have
> > > to make a connection to the resulting IP address through the ISP's
> > > gateway. The ISP c
On Tue, 14 Apr 2020 12:13:11 -0500
John Hasler wrote:
> Celejar writes:
> > why would they be limited by whatever the OS supports? Surely their
> > malware can easily include an internal DoH implementation,
>
> They needn't use DNS at all. Hard coded IPs work fine for reaching
> their own serve
On Tue, 14 Apr, 2020 at 23:42:48 +0300, Reco wrote:
[...]
> > 2. Having completed a DNS lookup unbeknownst to the ISP, we still have
> > to make a connection to the resulting IP address through the ISP's
> > gateway. The ISP can perform a reverse DNS lookup of the IP address if
> > they are deter
Hi.
On Tue, Apr 14, 2020 at 06:25:24PM +0100, Liam O'Toole wrote:
> I have two reservations about the approach advocated by Reco above.
> Maybe I'm not seeing some part of the big picture.
>
> 1. The risk of DNS snooping is merely shifted from the ISP to the VPS
> provider.
Usually you
On Mon, 13 Apr 2020 at 16:37, John Hasler wrote:
>
> Liam writes:
> > I'm not familiar with bind. Does it work by consulting root name
> > servers directly?
>
> It starts with the root servers and builds a database in exactly the
> same way your ISP's DNS server does. In fact, it is probably what
Celejar writes:
> why would they be limited by whatever the OS supports? Surely their
> malware can easily include an internal DoH implementation,
They needn't use DNS at all. Hard coded IPs work fine for reaching
their own servers. They are also not limited to the usual ports and
protocols when
On Tue, 14 Apr 2020 05:45:45 -0400
Lee wrote:
> On 4/13/20, Celejar wrote:
> > On Mon, 13 Apr 2020 08:47:22 +0300
> > Reco wrote:
> >
> >>Hi.
> >>
> >> On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
> >
> > ...
> >
> >> > I just did a quick search and couldn't find anything for smart T
Lee wrote:
> Maybe I'm being naive, but I'm taking the clause "except as may be
> required by law" to mean they can't just give the data to LE; there
> has to be some kind of court order compelling them to hand it over.
Reco writes:
> Probably. But I fail to see how a court order will prevent such
On Ma, 14 apr 20, 07:32:58, Greg Wooledge wrote:
> On Mon, Apr 13, 2020 at 07:03:12PM -0400, Lee wrote:
> > dnssec just adds a cryptographic signature to the data -- everything
> > is still done "in the clear" (like Debian updates. or has buster
> > switched to using https for downloading updates?
On Tue, Apr 14, 2020 at 07:06:05AM -0400, Lee wrote:
> >> Right. The ISP can't see what names the user is looking up but
> >> Cloudflare sees every single one. On the other hand, take a look at
> >> https://wiki.mozilla.org/Security/DOH-resolver-policy
> >
> > An interesting declaration. For in
On Tue, Apr 14, 2020 at 01:48:24PM +0200, n...@dismail.de wrote:
> On Tue, Apr 14, 2020 at 07:06:05 -0400, Lee wrote:
> > Is there some other DNS provider that has a published privacy policy?
> > That's anywhere near as good as CloudFlare's?
> >
> > To be clear - I'm not saying you should trust
On Tue, Apr 14, 2020 at 07:06:05 -0400, Lee wrote:
> Is there some other DNS provider that has a published privacy policy?
> That's anywhere near as good as CloudFlare's?
>
> To be clear - I'm not saying you should trust CloudFlare. It's just
> that I don't see a whole lot of options & quite po
On Mon, Apr 13, 2020 at 07:03:12PM -0400, Lee wrote:
> dnssec just adds a cryptographic signature to the data -- everything
> is still done "in the clear" (like Debian updates. or has buster
> switched to using https for downloading updates?)
The apt-transport-https package is available, but is n
On 4/14/20, Reco wrote:
> Hi.
Hi
> On Mon, Apr 13, 2020 at 06:42:10PM -0400, Lee wrote:
>> On 4/13/20, Reco wrote:
>> > On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
>> >> > The questionable idea behind DOH is that the browser makers do not
>> >> > trust
>> >> > your local resolver.
On 4/13/20, Celejar wrote:
> On Mon, 13 Apr 2020 08:47:22 +0300
> Reco wrote:
>
>> Hi.
>>
>> On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
>
> ...
>
>> > I just did a quick search and couldn't find anything for smart TVs
>> > using DOH.
>>
>> Probably because they aren't there yet. A t
On Mon, Apr 13, 2020 at 07:03:12PM -0400, Lee wrote:
> On 4/13/20, tomas wrote:
> > On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
[...]
> Agreed. But how many home users have a local sys admin? That knows
> how to configure the local resolver?
>
> OK .. on this list, probably most. But
Hi.
On Mon, Apr 13, 2020 at 06:42:10PM -0400, Lee wrote:
> On 4/13/20, Reco wrote:
> > On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
> >> > The questionable idea behind DOH is that the browser makers do not
> >> > trust
> >> > your local resolver.
> >>
> >> Mozilla claims it's a pr
On Mon, 13 Apr 2020 08:47:22 +0300
Reco wrote:
> Hi.
>
> On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
...
> > I just did a quick search and couldn't find anything for smart TVs
> > using DOH.
>
> Probably because they aren't there yet. A typical smart TV is based on
> the Androi
On 4/13/20, tomas wrote:
> On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
>
> [...]
>
>> Mozilla claims it's a privacy issue:
>> https://support.mozilla.org/en-US/kb/firefox-dns-over-https
>> Benefits
>
> Yes, sure [1], but *not in each and every friggin' application*.
I prefer apps that d
On 4/13/20, Reco wrote:
> Hi.
Hi
> On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
>> > The questionable idea behind DOH is that the browser makers do not
>> > trust
>> > your local resolver.
>>
>> Mozilla claims it's a privacy issue:
>> https://support.mozilla.org/en-US/kb/firefox-dn
Liam writes:
> I'm not familiar with bind. Does it work by consulting root name
> servers directly?
It starts with the root servers and builds a database in exactly the
same way your ISP's DNS server does. In fact, it is probably what your
ISP uses.
--
John Hasler
jhas...@newsguy.com
Elmwood,
Andrei writes:
> Whether DoH or DNS-over-TLS, you have to trust the DNS server.
You have to trust the root zone but you needn't trust any single server
other than your own with every single query.
--
John Hasler
jhas...@newsguy.com
Elmwood, WI USA
tomás writes:
> But letting an app bypass that, to some Mozilla-blessed DOH service is
> *not nice*.
I assume that Mozilla is only considering Windows users who are going to
use whatever DNS their ISP configured into their router.
--
John Hasler
jhas...@newsguy.com
Elmwood, WI USA
On Mon, 13 Apr, 2020 at 16:19:55 +0300, Reco wrote:
> On Mon, Apr 13, 2020 at 12:14:44PM +0100, Liam O'Toole wrote:
> > On Mon, 13 Apr, 2020 at 12:57:54 +0300, Reco wrote:
> > > Hi.
> > >
> > > On Mon, Apr 13, 2020 at 11:16:02AM +0300, Andrei POPESCU wrote:
> >
> > [...]
> >
> > > > Whether Do
On Mon, Apr 13, 2020 at 12:14:44PM +0100, Liam O'Toole wrote:
> On Mon, 13 Apr, 2020 at 12:57:54 +0300, Reco wrote:
> > Hi.
> >
> > On Mon, Apr 13, 2020 at 11:16:02AM +0300, Andrei POPESCU wrote:
>
> [...]
>
> > > Whether DoH or DNS-over-TLS, you have to trust the DNS server.
> >
> > Yup. T
On Mon, 13 Apr, 2020 at 12:57:54 +0300, Reco wrote:
> Hi.
>
> On Mon, Apr 13, 2020 at 11:16:02AM +0300, Andrei POPESCU wrote:
[...]
> > Whether DoH or DNS-over-TLS, you have to trust the DNS server.
>
> Yup. That's why I have my own, and every Debian user can have their own
> too, using o
On Mon, Apr 13, 2020 at 12:57:54PM +0300, Reco wrote:
> Hi.
>
> On Mon, Apr 13, 2020 at 11:16:02AM +0300, Andrei POPESCU wrote:
[...]
> Yup. That's why I have my own, and every Debian user can have their own
> too, using only free software.
...and that is why I want the apps on my box to
Hi.
On Mon, Apr 13, 2020 at 11:16:02AM +0300, Andrei POPESCU wrote:
> On Lu, 13 apr 20, 08:47:22, Reco wrote:
> > On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
> >
> > > How many people use a dnssec validating resolver?
> >
> > See above. Besides, DNSSEC is for integrity of zones,
On Lu, 13 apr 20, 08:47:22, Reco wrote:
> On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
>
> > How many people use a dnssec validating resolver?
>
> See above. Besides, DNSSEC is for integrity of zones, not privacy.
> You need DNS-over-TLS if you need last one.
>
>
> > At least Cloudflare
On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
[...]
> Mozilla claims it's a privacy issue:
> https://support.mozilla.org/en-US/kb/firefox-dns-over-https
> Benefits
Yes, sure [1], but *not in each and every friggin' application*.
It'd be OK for the local DNS caching resolver to forward
Hi.
On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
> > The questionable idea behind DOH is that the browser makers do not trust
> > your local resolver.
>
> Mozilla claims it's a privacy issue:
> https://support.mozilla.org/en-US/kb/firefox-dns-over-https
It's a privacy issue along
On 4/12/20, Reco wrote:
> On Sun, Apr 12, 2020 at 12:35:44PM +0200, to...@tuxteam.de wrote:
>> On Sun, Apr 12, 2020 at 01:21:08PM +0300, Reco wrote:
>> > On Sun, Apr 12, 2020 at 12:10:45PM +0200, to...@tuxteam.de wrote:
>> > > That's why I cringe at the idea that browsers want to start doing
>> >
On Sunday 12 April 2020 09:39:09 to...@tuxteam.de wrote:
> On Sun, Apr 12, 2020 at 07:33:51AM -0400, Gene Heskett wrote:
>
> [...]
>
> > I don't either, but at some point in an https environment, it seems
> > to me that a dns lookup is going to have to be translated into a
> > plain dns lookup.
>
On 12/04/2020 14:39, to...@tuxteam.de wrote:
On Sun, Apr 12, 2020 at 07:33:51AM -0400, Gene Heskett wrote:
[...]
I don't either, but at some point in an https environment, it seems to me
that a dns lookup is going to have to be translated into a plain dns
lookup.
No, that's not how it works.
On Sun, Apr 12, 2020 at 01:34:07PM +0100, Tixy wrote:
> On Sun, 2020-04-12 at 13:21 +0300, Reco wrote:
> > On Sun, Apr 12, 2020 at 12:10:45PM +0200, to...@tuxteam.de wrote:
> > > That's why I cringe at the idea that browsers want to start doing
> > > name resolution over HTTPS.
> >
> > This simple
On Sun, Apr 12, 2020 at 07:33:51AM -0400, Gene Heskett wrote:
[...]
> I don't either, but at some point in an https environment, it seems to me
> that a dns lookup is going to have to be translated into a plain dns
> lookup.
No, that's not how it works. When the browser wants to resolve a
name
On Sun, Apr 12, 2020 at 02:03:55PM +0300, Reco wrote:
> On Sun, Apr 12, 2020 at 12:35:44PM +0200, to...@tuxteam.de wrote:
[...]
> > [1] That's not a rhetorical flourish, it's genuine. I know too
> > little about DNS-over-HTTP to be of any use at this point.
>
> The questionable idea behind D
On Sun, 2020-04-12 at 13:21 +0300, Reco wrote:
> On Sun, Apr 12, 2020 at 12:10:45PM +0200, to...@tuxteam.de wrote:
> > That's why I cringe at the idea that browsers want to start doing
> > name resolution over HTTPS.
>
> This simple one line of dnsmasq configuration will disable this
> problematic
On Sunday 12 April 2020 06:35:44 to...@tuxteam.de wrote:
> On Sun, Apr 12, 2020 at 01:21:08PM +0300, Reco wrote:
> > On Sun, Apr 12, 2020 at 12:10:45PM +0200, to...@tuxteam.de wrote:
> > > That's why I cringe at the idea that browsers want to start doing
> > > name resolution over HTTPS.
> >
> > T
On Sun, Apr 12, 2020 at 12:35:44PM +0200, to...@tuxteam.de wrote:
> On Sun, Apr 12, 2020 at 01:21:08PM +0300, Reco wrote:
> > On Sun, Apr 12, 2020 at 12:10:45PM +0200, to...@tuxteam.de wrote:
> > > That's why I cringe at the idea that browsers want to start doing
> > > name resolution over HTTPS.
>
On Sun, Apr 12, 2020 at 01:21:08PM +0300, Reco wrote:
> On Sun, Apr 12, 2020 at 12:10:45PM +0200, to...@tuxteam.de wrote:
> > That's why I cringe at the idea that browsers want to start doing
> > name resolution over HTTPS.
>
> This simple one line of dnsmasq configuration will disable this
> prob
On Sun, Apr 12, 2020 at 12:10:45PM +0200, to...@tuxteam.de wrote:
> That's why I cringe at the idea that browsers want to start doing
> name resolution over HTTPS.
This simple one line of dnsmasq configuration will disable this
problematic feature for good for Firefox (basically it creates a bogus
On Wed, May 09, 2007 at 12:13:08AM +0200, pizzapie_linuxanchovies wrote:
>
> DOH!!--I meant to ask this: Anyone who can do a make-kpkg under a non-root
> account--what permissions do you see when you say ls -l
> /usr/bin/dpkg?
>
Are you using fakeroot? That is the recommended way to ru
On Thu, 8 Apr 1999, Andreas Persenius wrote:
> Actually, the ljet4m-filter _does_ assume that your printer handles
> Postscript. Use the ljet4-filter instead to get 600 DPI and Postscript
> conversion.
>
Aha! Yeah, that certainly fixes things. If only I knew my LaserJet
models better ;-) Thank
Firstly, do you know what Netscape uses to print? E.g., when I press
print in NS, the dialogue box says:
Print Command: lpr
Also, what are you using to filter? I use magicfilter, 'cos it does
everything for you. If you use this, make sure you have run
magicfilterconfig
and this sets up a go
52 matches