lnkr_

⚠️ GE: CODE RED⚠️

Attention, citizens of Georgia (country)!
Default DNS servers of both Silknet and Magti are now considered hostile.

Not sure what exactly is going on, but I now consider the risks of the introduction of full-fledged web censorship mechanisms to be very high.

Change your DNS _now_.

26 comments
MarkusL

@lnkr_ Here's a good DNS server:

quad9.net/

It blocks malware domains. It's not a replacement for a good, up-to-date virus checker on Windows, but it does give some additional protection.

Scroll down the page to see how to set it up.

lnkr_

@markusl Good call!
There are JPEG guides on the DNS setup for Windows and Android I just made for my friends.

Stéphane Bortzmeyer

@markusl @lnkr_ And why would someone use a US resolver when they can simply use their own local resolver? (And, if you insist on a public resolver, there are many that are not linked to US corporations.)

MarkusL

@bortzmeyer

That's another advantage of Quad9: it's Swiss, and isn't linked to surveillance advertising.

@lnkr_

kantor

@lnkr_ or, even better, set your authoritative dns. Check out Pi-Hole or Technitium DNS

kantor

@bortzmeyer @lnkr_ yep, maybe I'm using terminology a bit loosely, but that's what I mean

Marius DAVID

@lnkr_ I'll mention @bortzmeyer . He seems to like this kind of stuff.

lnkr_

@marius851000 @bortzmeyer Thanks, could really use some expertise on that.

Very hard to imagine how something like this could happen by accident without breaking the rest of the internet, but maybe there are some explanations after all, I just don't know what else to check.

Stéphane Bortzmeyer

@lnkr_ @marius851000 Two of the tested RIPE Atlas probes are at Silknet, two at Magticomas.
Also, when DNS resolvers lie for censorship, they typically return NXDOMAIN or localhost or the IP address of a Web site with warnings. I never saw SERVFAILs being returned.

lnkr_

@bortzmeyer @marius851000

Me neither, that's one of the things that makes it even weirder

Stéphane Bortzmeyer

@marius851000 @lnkr_ There are ten RIPE Atlas probes in Georgia and not one of them exhibits this behaviour: atlas.ripe.net/measurements/53 The "censored" names are fine for all.
RIPE Atlas probes' DNS resolvers may not be typical resolvers so more information is needed (output from dig, names/ASn of providers, etc).
Also, it may have been a temporary network glitch? Or, of course, a test for censorship.

#DNS #censorship #freedomOfSpeech

lnkr_

@bortzmeyer @marius851000

Genuine question - assuming that I wasn't tripping, and both the test I did yesterday and its results there social.inex.rocks/@lnkr_/11033 were correct, with pretty much all of the ActivityPub server names resolve attempt fails being SERVFAIL, is there any plausible explanation as to how this could have happened because of some glitch or anything else that wasn't done intentionally?

Stéphane Bortzmeyer

@lnkr_ @marius851000 Did you test, at the same time, other names such as well-known services (facebook.com), reliable but not famous names (ietf.org), small under-the-radar fediverse instances (mastodon.gougere.fr)?

lnkr_

@bortzmeyer @marius851000

There were 1000 AP instances, generally anything with more than 100 active users reported, including mastodon.gougere.fr too, versus the first 1000 names from OONI global raw.githubusercontent.com/citi which I guess can pass as a sort of a combination of well-known and reliable but not famous names.

Unfortunately, I have not saved responses for each of the domains, only overall stats, but now that I scrolled through the OONI list I can say with reasonable certainty that those few percent of resolution failures on the OONI list were definitely due to the fact that it also contains several ActivityPub instances.

I'll put together more representative lists for next time, but I believe it was already a statistically significant difference.

DELETED

@lnkr_ could this not just be an issue with the DNS server itself?

lnkr_

@itzzenxx I'm actively surfing the most derelict corners of the Internet right now.

Apart from Discord voice servers it all works. How ON EARTH can you accidentally fail to resolve most of the servers of a distributed social network without breaking the rest of the web?

lnkr_

Follow-up on 🇬🇪Georgia vs Activitypub 🌐 :

I ran tests to see if it was just a local DNS failure in general. It doesn't seem to be.

Provider in question is 🇬🇪Silknet.

I put together two datasets of domains, one is top 1000 ActivityPub servers (according to fediverse.observer), second is just first 1000 entries from OONI Global list as the control group to represent the "rest of the Internet".

Resolved them one by one, alternating on sets, on Silknet nameservers, and Quad9 as "ground truth".

Out of 981 control group servers successfully resolved by Quad9, 30 were not resolved by Silknet. This is roughly 3% and pretty much expected considering the contents of the OONI Global.

Out of 954 ActivityPub servers successfully resolved by Quad9, 456 were not resolved by Silknet.

About 48% (⁉) of top 1000 most active ActivityPub servers, effectively blocked right now.

There is a Python snippet of the tests I ran: gist.github.com/wafflecomposit

I don't see any disruption to the rest of the web, aside from the voice channels in Discord (which is also quite a big deal tbh).
Can't check the Magti (another main provider in 🇬🇪) right now, but I'm getting somewhat similar reports.

This is insane. What's going on?

Perhaps you may like to take a look
@ooni @Gargron
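
The comparison described in this post, as an added example (it is not the snippet from the linked gist): count only names the reference resolver answered, break ISP-side failures down by response type, and test whether the two failure rates differ beyond chance using the counts reported above. Function names, outcome labels and the sample rows are assumptions made for the illustration.

```python
import math
from collections import Counter

# Constructed sample rows: (group, domain, reference_outcome, isp_outcome).
# Outcome labels ("OK", "SERVFAIL", "NXDOMAIN", "TIMEOUT") are assumed names.
SAMPLE_ROWS = [
    ("activitypub", "ap1.example", "OK", "SERVFAIL"),
    ("activitypub", "ap2.example", "OK", "OK"),
    ("activitypub", "ap3.example", "OK", "SERVFAIL"),
    ("activitypub", "ap4.example", "NXDOMAIN", "NXDOMAIN"),  # dead everywhere
    ("control", "c1.example", "OK", "OK"),
    ("control", "c2.example", "OK", "OK"),
    ("control", "c3.example", "OK", "NXDOMAIN"),
    ("control", "c4.example", "TIMEOUT", "SERVFAIL"),  # reference failed too
]

# Counts reported in the post: (not resolved by ISP, resolved by reference).
REPORTED = {"activitypub": (456, 954), "control": (30, 981)}


def differential_failures(rows):
    """Per group: how many names the reference resolved but the ISP did not."""
    stats = {}
    for group, _domain, ref, isp in rows:
        if ref != "OK":
            continue  # no ground truth for this name, so it says nothing about the ISP
        g = stats.setdefault(group, {"n": 0, "failed": 0, "rcodes": Counter()})
        g["n"] += 1
        if isp != "OK":
            g["failed"] += 1
            g["rcodes"][isp] += 1  # SERVFAIL vs NXDOMAIN matters for interpretation
    return stats


def two_proportion_z(fail_a, n_a, fail_b, n_b):
    """Pooled two-proportion z-test; returns (z, two-sided p-value)."""
    pooled = (fail_a + fail_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    z = (fail_a / n_a - fail_b / n_b) / se
    return z, math.erfc(abs(z) / math.sqrt(2))


if __name__ == "__main__":
    for group, g in differential_failures(SAMPLE_ROWS).items():
        print(group, f"{g['failed']}/{g['n']}", dict(g["rcodes"]))
    z, p = two_proportion_z(*REPORTED["activitypub"], *REPORTED["control"])
    print(f"reported counts: z = {z:.1f}, p = {p:.1e}")
```

The test says only that the two failure rates differ beyond chance; it does not distinguish filtering from a resolver fault that correlates with how the two lists were built.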

lnkr_

figured out a decent related OONI measure

explorer.ooni.org/chart/mat?pr

Ain't much, but it shows a few Activitypub servers being reachable at 04.05.2023 and DNS-failing either 05.05.2023 or 09.05.2023

And you know what also apparently went dark?
ntc.party/ , anti-censorship forum.
Just checked it, and sure enough, Silknet DNS doesn't resolve it.

lnkr_

🇬🇪Silknet ISP - It's getting worse right before my eyes.

Same test reports 6% failure rate on 'OONI Global list first 1000', 59% failure rate on 'ActivityPub top 1000'.

If it's really just a random DNS problem... how??

lnkr_

Right now the problem is not reproducing, I will continue to monitor.

[DATA EXPUNGED]
lnkr_

@strizhechenko
Exact DNSException for ActivityPub domains was dns.resolver.NoNameservers, which is effectively SERVFAIL, and I double-checked it with Wireshark.

Next time I'll put together more representative lists, but given how much the popularity of domains in both of those lists is supposed to differ across the set (first 1000 of OONI is not most popular websites, they are rather random), such a drastic difference in availability does not make much sense to me.

[DATA EXPUNGED]
lnkr_

@strizhechenko Over the course of about 7 hours, I tried particular domains I think dozens of times, I have not noticed that any of the ActivityPub domains that once failed to be resolved were successfully resolved later until it all was fixed the next day. SERVFAIL on them was remarkably consistent.

Stéphane Bortzmeyer

@lnkr_ Is it still the case now? I cannot reproduce the problem.

lnkr_

@bortzmeyer
Right now, no, but it has come and gone before, I think it will come back. I'll post when I can do it again and try to bring in more data.
So far, the issue has been narrowed down to just one resolver, 91.151.130.117 / maradona.silknet.com.
It does not always show this behavior, and it is not always the only resolver provided by the ISP, but it has happened at least several times in the last 4 days and lasted for several hours.
