Major DNS Bug 23.01 with Quad9 on SSL
-
@jimp Ok, I'm back in my box.
๏ธ
-
If you want to keep discussing various ways to optimize the resolver, feel free to do so, just in a new thread where others can join in who maybe were not even hitting this original issue but might have other relevant observations.
-
@jimp That's ok, I'll just drop the subject so no need for another thread.
๏ธ
-
@johnpoz
So. Even though I understand and agree with your opinion, how do you explain that many users , including me, are still sticking with a DoT configuration? Aren't you, then, preaching in the desert?
If you could convice me to drop this setting, it would be remarkable. Othewise, your opinion is like the saying: "everybody has an opinion, and it's like an ass****, everybody has one and it stinks". Please enlighten us further? -
@marchand-guy said in Major DNS Bug 23.01 with Quad9 on SSL:
DoT configuration? Aren't you, then, preaching in the desert?
I could care if preaching to nothing - you go ahead and send all your info to whoever you want, I have no desire ever to forward.. I will resolve thank you very much ;)
I see no point forwarding - it sure isn't hiding anything from anyone, it has its own complications.. If you had some isp that was intercepting your your dns ok.. I would then run my own vps, and then resolve from there and forward to my vps.
If you like the filtering they do - hey you more than welcome to trust them.. but you sure are not hiding where your going from your isp like you think you are. Until such time ech is everywhere, since esni is dead. (ie the sni is encrypted) your not hiding anything from your isp if the want to see it.
Each their own.. These guys are good sales folks and love to scare monger, etc.. If you think sending all your dns to company X is in your best interest.. Have at it.. I don't really care where you send your dns, I know where I am not going to send it ;) I will just talk to the owning NSs for the domains and tlds I want to look up..
If my isp was messing with my dns, I would for starters be looking for another isp. if I was in some country where they all did it, then I would use a vpn, and that vpn wouldn't be any of these services it would be my own vps that I run a vpn too.
-
If you want to discuss the merits/worth of DoT that should also be moved to a new thread. It's not relevant to solving this problem. Let's keep this on topic.
-
@jimp Yessir! I'm done though.
-
-
There seems to be some good news:
"Jaap Akkerhuis 2023-06-01 12:41:18 UTC
A fix is developed by upstairs. There will be a new release within weeks with this fix. For the inpatients among us, a prerelease is made available https://github.com/NLnetLabs/unbound/issues/887#issuecomment-1570136710." -
-
A potential upstream 'fix' or improvement for ASLR:
https://www.freebsd.org/security/advisories/FreeBSD-EN-23:15.sanitizer.asc
II. Problem Description Some of the Sanitizers cannot work correctly when ASLR is enabled. Therefore, at the initialization of such Sanitizers, ASLR is detected via procctl(2). If ASLR is enabled, it is first disabled, and then the main executable containing the Sanitizer is re-executed, after printing an appropriate message. However, the Sanitizers work by intercepting various function calls, and by mistake the already-intercepted procctl(2) function was used. This causes an internal error, which usually results in a segfault.
VI. Correction details This issue is corrected as of the corresponding Git commit hash or Subversion revision number in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/14/ 1e4798e9677f stable/14-n265803 releng/14.0/ 78b4c762b20b releng/14.0-n265381 stable/13/ 7c25a53a2cb9 stable/13-n256726 - -------------------------------------------------------------------------
๏ธ
-
While we are likely to include the patch from that EN in future builds it isn't relevant to Unbound.
They only use those sanitizers for debug/test builds and not for normal/production builds.