Post AVTAofJA5NOcpsEtbU by marius851000@mastodon.mariusdavid.fr
 (DIR) Post #AVS2aiU7APq3a9ccaG by lnkr_@social.inex.rocks
       2023-05-08T16:45:00Z
       
       1 likes, 6 repeats
       
       ⚠️ GE: CODE RED ⚠️ Attention, citizens of Georgia (country)! Default DNS servers of both Silknet and Magti are now considered hostile. Not sure what exactly is going on, but I now consider the risks of the introduction of full-fledged web censorship mechanisms to be very high. Change your DNS _now_.
       
 (DIR) Post #AVSBwNhC2Xcp43923M by lamp@berserker.town
       2023-05-08T18:43:36Z
       
       0 likes, 0 repeats
       
       @lnkr_ wtf
       
 (DIR) Post #AVSPKQY2NxiQGTet8a by lnkr_@social.inex.rocks
       2023-05-08T21:12:15Z
       
       0 likes, 2 repeats
       
       Follow-up on 🇬🇪 Georgia vs ActivityPub 🌐: I ran tests to see if it was just a local DNS failure in general. It doesn't seem to be. Provider in question is 🇬🇪 Silknet. I put together two datasets of domains, one is top 1000 ActivityPub servers (according to fediverse.observer), second is just first 1000 entries from OONI Global list as the control group to represent the "rest of the Internet". Resolved them one by one, alternating on sets, on Silknet nameservers, and Quad9 as "ground truth". Out of 981 control group servers, successfully resolved by Quad9, 30 were not resolved by Silknet. This is roughly 3% and pretty much expected considering the contents of the OONI Global. Out of 954 ActivityPub servers successfully resolved by Quad9, 456 were not resolved by Silknet. About 48% (⁉) of top 1000 most active ActivityPub servers, effectively blocked right now. There is a Python snippet of the tests I ran https://gist.github.com/wafflecomposite/81de26f9fa1fd16f33a7496c55fd637b I don't see any disruption to the rest of the web, aside from the voice channels in Discord (which is also quite a big deal tbh). Can't check the Magti (another main provider in 🇬🇪) right now, but I'm getting somewhat similar reports. This is insane. What's going on? Perhaps you may like to take a look @ooni @Gargron
       
 (DIR) Post #AVTAofJA5NOcpsEtbU by marius851000@mastodon.mariusdavid.fr
       2023-05-08T17:33:36Z
       
       0 likes, 0 repeats
       
       @lnkr_ I'll mention @bortzmeyer . He seems to like this kind of stuff.
       
 (DIR) Post #AVTAofsbxZkibopCrI by bortzmeyer@mastodon.gougere.fr
       2023-05-09T06:05:29Z
       
       0 likes, 0 repeats
       
       @marius851000 @lnkr_ There are ten RIPE Atlas probes in Georgia and not one of them exhibits this behaviour https://atlas.ripe.net/measurements/53364837/#probes The "censored" names are fine for all. RIPE Atlas probes' DNS resolvers may not be typical resolvers so more information is needed (output from dig, names/ASn of providers, etc). Also, it may have been a temporary network glitch? Or, of course, a test for censorship. #DNS #censorship #freedomOfSpeech
       
 (DIR) Post #AVTB1RmdgHZGee7cVU by lnkr_@social.inex.rocks
       2023-05-08T17:42:07Z
       
       0 likes, 0 repeats
       
       @marius851000 @bortzmeyer Thanks, could really use some expertise on that. Very hard to imagine how something like this could happen by accident without breaking the rest of the internet, but maybe there are some explanations after all, I just don't know what else to check.
       
 (DIR) Post #AVTB1WFr3bJYWPp0bI by bortzmeyer@mastodon.gougere.fr
       2023-05-09T06:07:55Z
       
       0 likes, 0 repeats
       
       @lnkr_ @marius851000 Two of the tested RIPE Atlas probes are at Silknet, two at Magticomas. Also, when DNS resolvers lie for censorship, they typically return NXDOMAIN or localhost or the IP address of a Web site with warnings. I never saw SERVFAILs being returned.
       
 (DIR) Post #AVTB9JzyVcCEpK7A2q by kantor@mstdn.social
       2023-05-08T17:16:25Z
       
       0 likes, 0 repeats
       
       @lnkr_ or, even better, set your authoritative dns. Check out Pi-Hole or Technitium DNS
       
 (DIR) Post #AVTB9Kw71ShVjdJafA by bortzmeyer@mastodon.gougere.fr
       2023-05-09T06:09:20Z
       
       0 likes, 0 repeats
       
       @kantor @lnkr_ You mean your own resolver? #DNS
       
 (DIR) Post #AVTBOC2gNACMUiTLGq by markusl@fosstodon.org
       2023-05-08T17:11:29Z
       
       0 likes, 0 repeats
       
       @lnkr_ Here's a good DNS server: https://quad9.net/ It blocks malware domains. It's not a replacement for a good, up-to-date virus checker on Windows, but it does give some additional protection. Scroll down the page to see how to set it up.
       
 (DIR) Post #AVTBOCi9sxNKZLsSv2 by bortzmeyer@mastodon.gougere.fr
       2023-05-09T06:12:01Z
       
       0 likes, 0 repeats
       
       @markusl @lnkr_ And why would someone use a US resolver when they can simply use their own local resolver? (And, if you insist on a public resolver, there are many that are not linked to US corporations.)
       
 (DIR) Post #AVTBTKENM4VBL4OAe8 by bortzmeyer@mastodon.gougere.fr
       2023-05-09T06:12:58Z
       
       0 likes, 0 repeats
       
       @lnkr_ Is it still the case now? I cannot reproduce the problem.
       
 (DIR) Post #AVTBgWvvRHNYV13V5s by kantor@mstdn.social
       2023-05-09T06:15:19Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @lnkr_ yep, maybe I'm using terminology a bit loosely, but that's what I mean
       
 (DIR) Post #AVTPbSS1DzKUCLhdh2 by lnkr_@social.inex.rocks
       2023-05-09T07:16:38Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @marius851000 Genuine question - assuming that I wasn't tripping, and both the test I did yesterday and its results there https://social.inex.rocks/@lnkr_/110335120875489222 were correct, with pretty much all of the ActivityPub server names resolve attempt fails being SERVFAIL, is there any plausible explanation as to how this could have happened because of some glitch or anything else that wasn't done intentionally?
       
 (DIR) Post #AVTPbWz8MoCAGDE8rg by bortzmeyer@mastodon.gougere.fr
       2023-05-09T07:42:01Z
       
       0 likes, 0 repeats
       
       @lnkr_ @marius851000 Did you test, at the same time, other names such as well-known services (facebook.com), reliable but not famous names (ietf.org), small under-the-radar fediverse instances (mastodon.gougere.fr)?
       
 (DIR) Post #AVTPbbDocAJdOu7vIu by lnkr_@social.inex.rocks
       2023-05-09T08:41:01Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @marius851000 There were 1000 AP instances, generally anything with more than 100 active users reported, including mastodon.gougere.fr too, versus the first 1000 names from OONI global https://raw.githubusercontent.com/citizenlab/test-lists/master/lists/global.csv which I guess can pass as a sort of a combination of well-known and reliable but not famous names. Unfortunately, I have not saved responses for each of the domains, only overall stats, but now that I scrolled through OONI list I can say with reasonable certainty that those few percent of OONI list resolution failures were definitely due to the fact that it also contains several ActivityPub instances. I'll put together more representative lists for next time, but I believe it was already a statistically significant difference.
       
 (DIR) Post #AVTThUiQ8S1ZOK1F5M by lnkr_@social.inex.rocks
       2023-05-09T06:36:44Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @marius851000 Me neither, that's one of the things that makes it even weirder
       
 (DIR) Post #AVTVWvSIZn0v2xZAsi by markusl@fosstodon.org
       2023-05-09T07:04:33Z
       
       0 likes, 0 repeats
       
       @bortzmeyer That's another advantage of Quad9: it's Swiss, and isn't linked to surveillance advertising. @lnkr_
       
 (DIR) Post #AVTWVU8GmF9DyE4hUG by lnkr_@social.inex.rocks
       2023-05-09T06:45:21Z
       
       0 likes, 0 repeats
       
       @bortzmeyer Right now, no, but it has come and gone before, I think it will come back. I'll post when I can do it again and try to bring in more data. So far, the issue has been narrowed down to just one resolver, 91.151.130.117 / maradona.silknet.com. It does not always show this behavior, and it is not always the only resolver provided by the ISP, but it has happened at least several times in the last 4 days and lasted for several hours
       
 (DIR) Post #AVTfTgJbPU0ClMafjM by strizhechenko@lor.sh
       2023-05-09T11:49:16Z
       
       0 likes, 0 repeats
       
       @lnkr_ @ooni @Gargron I'd ask about what precisely DNSException you get. It may be the problem is with provider's caching DNS and related with popularity of requested domains and not the activitypub at all. Try to add another control group of really unpopular domains (bottom of OONI?.. not sure)
       
 (DIR) Post #AVTjGSvUHJE9I2GSf2 by lnkr_@social.inex.rocks
       2023-05-09T12:31:42Z
       
       0 likes, 0 repeats
       
       @strizhechenko Exact DNSException for ActivityPub domains was dns.resolver.NoNameservers, which is effectively SERVFAIL, and I double-checked it with Wireshark. Next time I'll put together more representative lists, but given how much the popularity of domains in both of those lists is supposed to differ across the set (first 1000 of OONI is not most popular websites, they are rather random), such a drastic difference in availability does not make much sense to me.
       
 (DIR) Post #AVTkYp3Ypxu15mMFv6 by strizhechenko@lor.sh
       2023-05-09T12:46:15Z
       
       0 likes, 0 repeats
       
       @lnkr_ sorry didn't know what OONI is. Did you try to add retries in... let's say, 5 seconds after servfail?
       
 (DIR) Post #AVTl6elhauDD1w8cMK by lnkr_@social.inex.rocks
       2023-05-09T12:52:20Z
       
       0 likes, 0 repeats
       
       @strizhechenko Over the course of about 7 hours, I tried particular domains I think dozens of times, I have not noticed that any of the ActivityPub domains that once failed to be resolved were successfully resolved later until it all was fixed the next day. SERVFAIL on them was remarkably consistent.
       
 (DIR) Post #AVU4BTFljU2ftUD7XE by bortzmeyer@mastodon.gougere.fr
       2023-05-09T16:25:59Z
       
       0 likes, 0 repeats
       
       @lnkr_ @marius851000 My point was: during your test, were there domains with NOERROR? Because, if all the domains you tested returned SERVFAIL, it may be a network error (otherwise, as you said, it is probably voluntary).
       
 (DIR) Post #AVUASssAKj6VzyrBlw by lnkr_@social.inex.rocks
       2023-05-09T17:36:24Z
       
       0 likes, 0 repeats
       
       @bortzmeyer @marius851000 And that's exactly the main point - pretty much all of the non-fediverse domains, tested at the exact same time, were NOERROR on the very same resolver. No visible anomalies for any domains other than those related to ActivityPub, I tested them as much as AP-related domains specifically to check that there is a weird and very explicit pattern not really explainable by some casual network error.
       
 (DIR) Post #AVUCM3LPCYdQMCP6qO by bortzmeyer@mastodon.gougere.fr
       2023-05-09T17:57:29Z
       
       0 likes, 0 repeats
       
       @lnkr_ @marius851000 I agree. But I don't see why a censor would censor all fediverse domains but nothing else.
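
Added example, not part of the thread and not the code from the linked gist: a Python sketch of the comparison the posts describe, labelling each name by how the tested resolver's answer differs from the reference resolver's and checking whether the two groups' failure rates differ. The record layout and function names are assumptions made for this illustration, and the sample rows are constructed.

```python
import math
from collections import Counter
from ipaddress import ip_address

def classify(test, ref):
    """Label one name; test and ref are (rcode, [addresses]) pairs from the
    resolver under test and from the reference resolver (assumed layout)."""
    (t_rcode, t_addrs), (r_rcode, r_addrs) = test, ref
    if r_rcode != "NOERROR" or not r_addrs:
        return "excluded"   # reference failed too: says nothing about the ISP
    if t_rcode != "NOERROR":
        return t_rcode.lower()   # servfail, nxdomain, timeout, ...
    if not t_addrs:
        return "nodata"
    if any(ip_address(a).is_loopback for a in t_addrs):
        return "loopback"   # one of the lying-resolver answers named in the thread
    return "ok"

def summarize(rows):
    """rows: (group, test, ref) tuples -> {group: Counter of labels}."""
    out = {}
    for group, test, ref in rows:
        out.setdefault(group, Counter())[classify(test, ref)] += 1
    return out

def failure_rate(labels):
    """Share of names the reference resolved that the tested resolver did not."""
    counted = sum(n for label, n in labels.items() if label != "excluded")
    return (counted - labels["ok"]) / counted if counted else 0.0

def two_proportion_z(fail_a, n_a, fail_b, n_b):
    """z statistic and two-sided p-value for a difference in failure rates."""
    pooled = (fail_a + fail_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    z = (fail_a / n_a - fail_b / n_b) / se
    return z, math.erfc(abs(z) / math.sqrt(2))

# Constructed sample rows (documentation addresses, names omitted).
OK = ("NOERROR", ["192.0.2.10"])
SAMPLE = [
    ("activitypub", ("SERVFAIL", []), OK),
    ("activitypub", ("SERVFAIL", []), OK),
    ("activitypub", OK, OK),
    ("activitypub", ("NXDOMAIN", []), ("NXDOMAIN", [])),
    ("control", OK, OK),
    ("control", ("NOERROR", ["127.0.0.1"]), OK),
    ("control", OK, OK),
]

if __name__ == "__main__":
    for group, labels in summarize(SAMPLE).items():
        print(group, dict(labels), round(failure_rate(labels), 2))
    # Counts reported in the thread: 456 of 954 versus 30 of 981.
    print(two_proportion_z(456, 954, 30, 981))
```

Keeping the per-name label rather than only the totals is what lets a later reader tell SERVFAIL apart from NXDOMAIN or a rewritten address.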