Hi,
Obviously I don't understand the internet and don't know what I'm doing.
The other day changed the ISP's (Sky) router to have fibre connection.
I have a PC with apache2 presenting an index.html which is a page of
links to various documents and websites.
The link to e.g. the BBC works fine but the link to my roundcube install
on the same PC shows gstatic.com in the address bar and a blank page.
This seems to be something to do with the ISP using google to cache
external websites.
It seems Sky wants me to login to their network.
Once I've clicked on some ISP's page vivaldi presented then the
roundcube link works.
I have the local network going through pfsense which should be
firewalling and separating the wireless from the local network.
This arrangement has worked for years until changing the router.
The way I'm doing things is a bodge as I don't have a proper internet
facing domain for these local things.
Perhaps it is something about using the ISP's DNS for resolving things? regards
mick
On 2025-01-19 12:01, tomas@tuxteam.de wrote:
OK. I can ping the PC with roundcube on it by name but "host <name-of-pc-with-roundcube-on-it>" fails to resolve.
I need to go through everything for the 4th time ( -> home -> local -> home
) and change the domain to .home.arpa .
I'll do that before anything else.
mick
On Sun, Jan 19, 2025, 7:58 AM <tomas@tuxteam.de> wrote:
....
[0] This is part of the libc and (roughly) translates host names to
IP addresses for the programs running in your box. Eventually,
it goes out to ask some DNS servers.
Along the way it's (probably) consulting /etc/resolv.conf, which is where
the "resolver" gets most of its own config information, such as how to "assume" the network name given only a hostname, and the order in which DNS servers should be queried and their names or network addresses.
Then there's /etc/nsswitch.conf, as already described below, that stands for "name-service switch". Originally a sort-of meta-config for name
resolution, later other random configuration gunk got included there :-)
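The footnote above describes the path a name takes through libc: /etc/nsswitch.conf decides which sources are consulted and in what order, and /etc/resolv.conf supplies the search list and the nameservers. The Python model below is an added example written for this page, not code from the thread or from glibc. The nsswitch.conf, resolv.conf and /etc/hosts contents and the "public DNS" table are constructed to match the host mentioned later in the thread (rapunzel.home at 10.0.0.2); 192.0.2.10 is a documentation address standing in for a public web site. It also shows why a client that skips the "files" source, which is what a browser doing its own DNS lookups does, never sees a name that exists only in /etc/hosts.

```python
"""Model of the libc name-resolution path: nsswitch.conf source order, then
/etc/hosts or DNS with resolv.conf search-list handling (added example)."""

# --- constructed configuration, not copied from any real machine ------------
NSSWITCH_CONF = "hosts: files mdns4_minimal [NOTFOUND=return] dns\n"
RESOLV_CONF = "nameserver 10.0.0.1\nsearch home\noptions ndots:1\n"
ETC_HOSTS = "127.0.0.1 localhost\n10.0.0.2 rapunzel.home rapunzel   # the Roundcube box\n"
# What a resolver that knows nothing about .home (e.g. a public DoH service) can answer;
# 192.0.2.10 is a documentation address standing in for a public web site.
PUBLIC_DNS = {"www.example.com.": "192.0.2.10"}


def nsswitch_hosts_order(nsswitch_text):
    """Source order from the 'hosts:' line; '[NOTFOUND=return]' style actions are dropped."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [t for t in line[len("hosts:"):].split() if not t.startswith("[")]
    return ["files", "dns"]  # glibc's default when the line is absent


def parse_resolv_conf(text):
    cfg = {"nameserver": [], "search": [], "ndots": 1}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        key, rest = parts[0], parts[1:]
        if key == "nameserver" and rest:
            cfg["nameserver"].append(rest[0])
        elif key in ("search", "domain"):
            cfg["search"] = rest          # 'domain X' is just a one-entry search list
        elif key == "options":
            for opt in rest:
                if opt.startswith("ndots:"):
                    cfg["ndots"] = int(opt.split(":", 1)[1])
    return cfg


def query_candidates(name, cfg):
    """Fully qualified names the stub resolver would send to DNS, in order."""
    if name.endswith("."):
        return [name]                     # absolute name: no search-list games
    with_suffix = ["%s.%s." % (name, s) for s in cfg["search"]]
    as_given = [name + "."]
    # glibc: a name with at least ndots dots is tried as given first, then with
    # each search suffix; a bare hostname gets the suffixes first.
    if name.count(".") >= cfg["ndots"]:
        return as_given + with_suffix
    return with_suffix + as_given


def parse_hosts(text):
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for host in fields[1:]:
            table.setdefault(host.lower(), fields[0])
    return table


def resolve(name, nsswitch_text=NSSWITCH_CONF, resolv_text=RESOLV_CONF,
            hosts_text=ETC_HOSTS, dns_table=PUBLIC_DNS):
    """Walk the nsswitch sources in order; return (source, address) or (None, None)."""
    cfg = parse_resolv_conf(resolv_text)
    hosts = parse_hosts(hosts_text)
    key = name.lower().rstrip(".")
    for source in nsswitch_hosts_order(nsswitch_text):
        if source == "files":
            # the files backend matches the name as typed; no search suffixes
            if key in hosts:
                return "files", hosts[key]
        elif source == "dns":
            for candidate in query_candidates(name, cfg):
                if candidate in dns_table:
                    return "dns", dns_table[candidate]
        # other sources (mdns4_minimal, ...) are not modelled and are skipped
    return None, None


def browser_with_own_dns(name, dns_table=PUBLIC_DNS):
    """A client that bypasses nsswitch (DoH inside the browser) only ever sees DNS."""
    return resolve(name, nsswitch_text="hosts: dns\n", resolv_text="",
                   hosts_text="", dns_table=dns_table)


if __name__ == "__main__":
    for n in ("rapunzel.home", "rapunzel", "www.example.com"):
        print(f"{n:16} libc: {resolve(n)!s:24} browser-DoH: {browser_with_own_dns(n)}")
```

With these constructed files, "rapunzel.home" and the bare "rapunzel" both come back from /etc/hosts and never reach DNS, while the same names asked through a resolver that bypasses nsswitch get nothing, which is exactly the ping-works-but-browser-doesn't pattern discussed later in the thread.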
I had forgotten to mention about "DNS over HTTPS", which besides
encrypting DNS traffic, usually use a trusted Internet based DNS
service, instead of local DNS settings.
https://support.mozilla.org/en-US/kb/dns-over-https
This maybe why your web browser does not know about local domain
names.
I had to disable this feature to get systems to discover my local web
based servers. It would be nice if this feature would also allow you
to define specific exceptions for local web servers/services.
George.
I had forgotten to mention about "DNS over HTTPS", which besides encrypting DNS traffic, usually use a trusted Internet based DNS service, instead of local DNS settings.
I just use IP addresses for local web services, so I can use DOH in my browser.
On Mon, Jan 20, 2025 at 12:13:09PM +0000, debian-user@howorth.org.uk
wrote:
[...]
I just use IP addresses for local web services, so I can use DOH in
my browser.
I'm at a loss why somebody would want to do that (although I pretty
well know why Google wants everyone to).
But to each their own :-)
Cheers
<tomas@tuxteam.de> wrote:
On Mon, Jan 20, 2025 at 12:13:09PM +0000, debian-user@howorth.org.uk
wrote:
[...]
I just use IP addresses for local web services, so I can use DOH in
my browser.
I'm at a loss why somebody would want to do that (although I pretty
well know why Google wants everyone to).
What does google have to do with anything?
On Mon, Jan 20, 2025 at 05:04:16PM +0000, debian-user@howorth.org.uk
wrote:
<tomas@tuxteam.de> wrote:
On Mon, Jan 20, 2025 at 12:13:09PM +0000,
debian-user@howorth.org.uk wrote:
[...]
I just use IP addresses for local web services, so I can use
DOH in my browser.
I'm at a loss why somebody would want to do that (although I
pretty well know why Google wants everyone to).
What does google have to do with anything?
If you are doing DoH on Chrome... guess where the DNS requests are
going? (FF goes, AFAIK, to Cloudflare, which ain't much better).
More behavioral surplus to The Google. Me says "no, thanks".
Cheers
On 2025-01-19 13:58, tomas@tuxteam.de wrote:
On Sun, Jan 19, 2025 at 12:53:20PM +0000, mick.crane wrote:
On 2025-01-19 12:01, tomas@tuxteam.de wrote:
[...]
OK. I can ping the PC with roundcube on it by name but "host <name-of-pc-with-roundcube-on-it>" fails to resolve.
Aha. This means that your roundcube (whatever name it has, you
didn't tell us yet :)
I haven't tried to access it directly as yet.
It is a <a href> link to a soft link to the roundcube install.
I did it like that to test other installations.
E.g. <https://www.google.com/search?q=vivaldi+dns+configuration>
On 2025-01-21 08:41, tomas@tuxteam.de wrote:
<snipped>
- is the host name you use internally for your Roundcube in
that URL? Or something else? I guess it's the first
- if yes: what happens if you ping that host name from exactly
the same box your browser runs in?
If the ping complains that it can't resolve the name, the problem
is in your resolver setup. If it can, I'd look for the DoH (DNS-
over-http) settings of your browser.
Cheers
Not quite sure what is meant by that. The link is http://rapunzel.home/roundcubemail
Are you supposed to be able to ping a service?
mick@courgette:~$ ping http://rapunzel.home/roundcubemail
ping: http://rapunzel.home/roundcubemail: Name or service not known
mick@courgette:~$ ping http://rapunzel.home
ping: http://rapunzel.home: Name or service not known
mick@courgette:~$ ping rapunzel.home
PING rapunzel.home (10.0.0.2) 56(84) bytes of data.
64 bytes from rapunzel.home (10.0.0.2): icmp_seq=1 ttl=64 time=0.130 ms
I know it's probably a mess. I stopped reading when it worked.
mick
On 19/01/2025 17:21, mick.crane wrote:
The other day changed the ISP's (Sky) router to have fibre connection.
Maybe the previous router was configured to serve .home DNS zone.
If Vivaldi uses the same settings page as Chromium then you may try to disable "secure DNS"
chrome://settings/security?search=dns
On Tue, Jan 21, 2025 at 07:17:53AM -0500, Greg Wooledge wrote:
[...]
E.g. <https://www.google.com/search?q=vivaldi+dns+configuration>
Ah, oh -- I overlooked (or forgot) that OP's brower is Vivaldi.
Cheers
--
t
On 21/01/2025 23:31, tomas@tuxteam.de wrote:
On Tue, Jan 21, 2025 at 10:38:51PM +0700, Max Nikulin wrote:
On 19/01/2025 17:21, mick.crane wrote:
The other day changed the ISP's (Sky) router to have fibre connection.
Maybe the previous router was configured to serve .home DNS zone.
Judging by the other symptoms (ping working, browser not) the resolver
in the box is OK (the .home names are resolved in /etc/hosts).
I have read somewhere that chromium may read /etc/resolv.conf and send requests to the specified servers directly bypassing /etc/nsswitch.conf.
(The statement needs verification.)
At least cloudflare and google do not resolve the host name (other DoH provider may behave in a different way)
On Wed, Jan 22, 2025 at 09:48:30AM +0700, Max Nikulin wrote:
On 21/01/2025 23:31, tomas@tuxteam.de wrote:
On Tue, Jan 21, 2025 at 10:38:51PM +0700, Max Nikulin wrote:
On 19/01/2025 17:21, mick.crane wrote:
The other day changed the ISP's (Sky) router to have fibre connection.
Maybe the previous router was configured to serve .home DNS zone.
Judging by the other symptoms (ping working, browser not) the resolver
in the box is OK (the .home names are resolved in /etc/hosts).
I have read somewhere that chromium may read /etc/resolv.conf and send requests to the specified servers directly bypassing /etc/nsswitch.conf. (The statement needs verification.)
Oh, goody.
[interesting stuff snipped]
At least cloudflare and google do not resolve the host name (other DoH provider may behave in a different way)
But most probably not in the way the OP expects, since they can't read
(?) their local /etc/hosts...
On Wed, Jan 22, 2025 at 09:45:55AM +0000, Chris Green wrote:
tomas@tuxteam.de wrote:
On Wed, Jan 22, 2025 at 09:48:30AM +0700, Max Nikulin wrote:
[...]
At least cloudflare and google do not resolve the host name (other DoH provider may behave in a different way)
But most probably not in the way the OP expects, since they can't read (?) their local /etc/hosts...
Surely in many cases DNS gets farmed out to a router to which the web browser (whether Chromium based or not) doesn't have any sort of
direct access so it can't really dig around in the configuration.
I have removed nearly all the 'extra' DNS configuration (i.e. anything
like systemd's resolver and local DNS caching) in my main Linux
systems. I run dnsmasq on my router with a blacklist configuration so ad-blocking works for every system on the LAN (it confuses visitors sometimes when they don't see the usual adverts on their 'phones).
I run Vivaldi and it seems to behave fairly as one would expect in
this environment.
I somehow have got the feeling that we are talking about completely
different things. DoH has absolutely nothing to do with your router's
(or any other local network's, or your provider's) DNS. It bypasses
it. That's its job.
tomas@tuxteam.de wrote:
On Wed, Jan 22, 2025 at 09:48:30AM +0700, Max Nikulin wrote:
At least cloudflare and google do not resolve the host name (other DoH provider may behave in a different way)
But most probably not in the way the OP expects, since they can't read
(?) their local /etc/hosts...
Surely in many cases DNS gets farmed out to a router to which the web
browser (whether Chromium based or not) doesn't have any sort of
direct access so it can't really dig around in the configuration.
I have removed nearly all the 'extra' DNS configuration (i.e. anything
like systemd's resolver and local DNS caching) in my main Linux
systems. I run dnsmasq on my router with a blacklist configuration so ad-blocking works for every system on the LAN (it confuses visitors
sometimes when they don't see the usual adverts on their 'phones).
I run Vivaldi and it seems to behave fairly as one would expect in
this environment.
How can it do that in reality? It's connecting to the outside world
via the router. It would have to 'tunnel' through the router somehow wouldn't it as otherwise the router will 'see' any attempts to do DNS
type things.
Are you saying that Chromium/Vivaldi have some fixed IP addresses that
they use for DNS servers out on the internet?
Yes, the protocol used here is DoH or ``DNS over HTTPS''[1] which is specified in RFC 8484[2]. This is a bypass for local network settings
which might not allow to ask external DNS servers as in the example
above. Since local dial-up connections usually depend on the ISPs DNS
server, DoH can circumvent manipulation by the ISP as quite common in
Germany and the EU. However, IANAL and I don't know in which cases it
might be not legal to circumvent lawful censorship.
tomas@tuxteam.de wrote:
I somehow have got the feeling that we are talking about completely different things. DoH has absolutely nothing to do with your router's
(or any other local network's, or your provider's) DNS. It bypasses
it. That's its job.
How can it do that in reality? It's connecting to the outside world
via the router. It would have to 'tunnel' through the router somehow wouldn't it as otherwise the router will 'see' any attempts to do DNS
type things.
I guess the browser can talk to numeric addresses just using the
router as the default route but that's still assuming the router
doesn't have its own internal 'investigation' of what's being passed
through it.
Are you saying that Chromium/Vivaldi have some fixed IP addresses that
they use for DNS servers out on the internet?
On Wed, Jan 22, 2025 at 6:35 AM Frank Guthausen <fg.debian@shimps.de> wrote:
On Wed, 22 Jan 2025 10:46:16 +0000
Chris Green <cl@isbd.net> wrote:
How can it do that in reality? It's connecting to the outside
world via the router. It would have to 'tunnel' through the
router somehow wouldn't it as otherwise the router will 'see' any attempts to do DNS type things.
You can ask Google's DNS server directly:
dig @8.8.8.8 -t A www.google.com
Or you can use your local DNS server:
dig -t A www.google.com
Both methods are ordinary DNS requests.
Are you saying that Chromium/Vivaldi have some fixed IP addresses
that they use for DNS servers out on the internet?
Yes, the protocol used here is DoH or ``DNS over HTTPS''[1] which is specified in RFC 8484[2]. This is a bypass for local network
settings which might not allow to ask external DNS servers as in
the example above. Since local dial-up connections usually depend
on the ISPs DNS server, DoH can circumvent manipulation by the ISP
as quite common in Germany and the EU. However, IANAL and I don't
know in which cases it might be not legal to circumvent lawful
censorship.
[1] https://en.wikipedia.org/wiki/DNS_over_HTTPS
[2] https://datatracker.ietf.org/doc/html/rfc8484
In the US, manipulating DNS was (is?) a problem with some ISPs like
Verizon. Verizon would provide incorrect answers for non-existent
domains. Instead of returning NXDOMAIN in response to a query, Verizon
would provide a response that effectively redirected folks to a page
to register or purchase the non-existent domain, or to a search page
with lots of ads. Obviously, Verizon's actions broke the behavior
specified by the RFCs. See <https://arstechnica.com/uncategorized/2008/02/404-might-be-found-the-curious-case-of-dns-redirects/>
and <https://freedom-to-tinker.com/2007/11/12/verizon-violates-net-neutrality-dns-deviations/>.
For a while the BSD folks' network startup scripts issued a query to a
known non-existent domain to see if DNS queries were being tampered
with or DNS was broken. I don't know if they are still doing it.
When Verizon started doing that, I switched to OpenDNS. I also use
Google's DNS on occasion.
On Wed, Jan 22, 2025 at 10:46:16AM +0000, Chris Green wrote:
tomas@tuxteam.de wrote:
[...]
I somehow have got the feeling that we are talking about completely different things. DoH has absolutely nothing to do with your router's
(or any other local network's, or your provider's) DNS. It bypasses
it. That's its job.
How can it do that in reality? It's connecting to the outside world
via the router. It would have to 'tunnel' through the router somehow wouldn't it as otherwise the router will 'see' any attempts to do DNS
type things.
The tunnel is called HTTPS. The browser sends its DNS requests inside
of HTTPS requests, which your router can't look into, unless it is
playing MITM games:
https://en.wikipedia.org/wiki/DoH
I guess the browser can talk to numeric addresses just using the
router as the default route but that's still assuming the router
doesn't have its own internal 'investigation' of what's being passed through it.
How could it, being an encrypted stream it hasn't the keys to?
Are you saying that Chromium/Vivaldi have some fixed IP addresses that
they use for DNS servers out on the internet?
Basically this, yes.
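Joe's note about probing a name that must not exist, and the point just above that the "tunnel" is plain HTTPS carrying an ordinary DNS message, both come down to the DNS wire format. The Python below is an added example for this page, not code from the thread, from any browser or from the BSD scripts mentioned: it builds the RFC 1035 query a stub sends, shows the RFC 8484 GET encoding (base64url without padding, and the ID set to 0 as that RFC recommends for cache friendliness) that wraps it for DoH, parses the reply including compression pointers, and classifies an NXDOMAIN probe the way a startup tamper check would. The resolver URL https://dns.example/dns-query, the probe name under the reserved .example domain, the address 192.0.2.44 and both replies are constructed; nothing here touches the network.

```python
"""DNS wire format, the RFC 8484 DoH GET wrapper and an NXDOMAIN tamper probe
(added example with constructed messages)."""
import base64
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A = 1

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0):
    """Recursive query (RD=1). RFC 8484 says DoH clients SHOULD use ID 0 so
    identical queries can be served from HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(template, query):
    """RFC 8484 GET form: ?dns=<base64url(query)> with '=' padding removed."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (template, param)

def doh_param_to_query(param):
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def parse_response(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def build_response(query, rcode, a_records=()):
    """Constructed reply: echoes the question; each A record's owner name is a
    pointer (0xC00C) back to the question name at offset 12."""
    txid, _flags, qd = struct.unpack("!HHH", query[:6])
    flags = 0x8180 | (rcode & 0xF)                   # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", txid, flags, qd, len(a_records), 0, 0) + query[12:]
    for ip in a_records:
        msg += struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, 300, 4)
        msg += bytes(int(octet) for octet in ip.split("."))
    return msg

def tamper_verdict(response):
    """Verdict for a reply about a name that cannot exist: an honest resolver says
    NXDOMAIN; a redirecting ISP (the Verizon/Barefruit pattern) returns an A record."""
    if response["rcode"] == RCODE_NXDOMAIN and not response["answers"]:
        return "clean"
    if response["rcode"] == RCODE_NOERROR and any(t == TYPE_A for _, t, _, _ in response["answers"]):
        return "hijacked"
    return "inconclusive"

# Constructed probe: .example is reserved (RFC 2606), so this name can never resolve.
PROBE_NAME = "this-name-must-not-exist.example"
PROBE_QUERY = build_query(PROBE_NAME)
HONEST_REPLY = build_response(PROBE_QUERY, RCODE_NXDOMAIN)
HIJACKED_REPLY = build_response(PROBE_QUERY, RCODE_NOERROR, ["192.0.2.44"])  # "search page"

if __name__ == "__main__":
    print(doh_get_url("https://dns.example/dns-query", build_query("rapunzel.home")))
    print("honest  :", tamper_verdict(parse_response(HONEST_REPLY)))
    print("hijacked:", tamper_verdict(parse_response(HIJACKED_REPLY)))
```

The URL printed for rapunzel.home is what a browser with DoH enabled sends instead of asking the stub resolver; the router only sees a TLS connection to the DoH host, and the reply for a .home name from a public service is the NXDOMAIN case above, since that service has no /etc/hosts to consult.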
On Wed, Jan 22, 2025 at 12:34:20PM +0100, Frank Guthausen wrote:
[...] DoH can circumvent manipulation by the ISP [...]
It just replaces one bully by another bully. I won't bet on Google not manipulating its DoH lookups once that starts improving their bottom
line.
On 2025-01-22 13:08, Joe wrote:
When Verizon started doing that, I switched to OpenDNS. I also use Google's DNS on occasion.
An example:
https://uk.linkedin.com/company/barefruit
When I selected Cloudflare as DNS provider in chrome:settings/security
Going to https://chat.openai.com Cloudflare was in the address bar and I was presented with a Captcha
Changed to "use OS default (when available)" and haven't done any further testing.
Would traceroute show any DNS queries?
On Wed, 22 Jan 2025 12:42:20 +0100
<tomas@tuxteam.de> wrote:
On Wed, Jan 22, 2025 at 12:34:20PM +0100, Frank Guthausen wrote:
[...] DoH can circumvent manipulation by the ISP [...]
It just replaces one bully by another bully. I won't bet on Google not manipulating its DoH lookups once that starts improving their bottom
line.
At least in principle we could recompile Chromium or Firefox with the
IP of a trusted nameserver. A configuration option for the IP address
would be even better (I don't know whether this is implemented yet).
You do not need to recompile Firefox. You can even set IP of your DoH provider to avoid querying local DNS to resolve provider's hostname: <https://wiki.mozilla.org/Trusted_Recursive_Resolver>
Things seem to be working normally. This started as I wondered why I got a captcha page with cloudflare in the browser address bar the first time after changing the ISP router.
I think I see what this DoH is about and will fiddle about with the options. https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html