hey so here's a cool fun new thing to add to your threat model

something that polls your UPS to measure voltage is somehow, inadvertently, causing the network management card in it to puke, and when that thing reboots or crashes, it takes the UPS down with it (it reboots also) - and everything hung off that UPS loses power. which includes your dns server.

so fucktardian windows machines and android devices that think the network is down if they can't resolve dns all disconnect from the lan

if i ever meet the person responsible for the logic of "if a windows machine can't resolve dns it disconnects itself from the wireless network" it's gonna be quite a spectacle
@Viss "I've never had to clean blood off the ceiling on the floor above a crime scene..."

@Viss

apple had some test if the internet was "up" based on a DNS query and ping of one single FQDN and IP.

someone else to be slapped repeatedly until they find a new career field...

@paul_ipv6 @Viss ncsi uses anycast + cdn behind a well known fqdn. Never relies on any baked in ip (except for telemetry).
@jpsays @paul_ipv6 @Viss android does it via a URL and expects a 203 from the server else it assumes you're in a captive portal. Which is really infuriating.

@quixoticgeek @jpsays @Viss

don't *even* get me started on captive portals, hotel networks, etc.

@paul_ipv6 @jpsays @Viss agreed. But also argh at os code that assumes that the only reason to connect to a network is internet access. So many alerts need to be cleared before android will stay connected to my cameras' WiFi...

@quixoticgeek @jpsays @Viss

never claimed that was the reason for the test, just that they made internet reachability as a gating test for things that shouldn't need to have external connectivity to work.

@Viss or whomever did the android dialog box of "stay connected" about .25 seconds before dropping wifi.
@kajer i am sick to death of the "expert-proof" consumer devices, that have "only idiot mode available" and no manual config, and assume the person who owns it is too stupid to do even the most basic shit, and has to have their hand held through everything

@Viss I can introduce you if you want. In reality this logic came from dozens over 20yr of development.

Also. A. It’s only after 30s of repeated failed attempts right? And B. It sends an immediate reconnect, right?

Anything else is unexpected.
The reason at the time was bad state machines in third party WiFi drivers which hang at times.

(Diagnostic Data Viewer in the store filtered to *ncsi* I think should show the relevant events.)

*now retired, but I wrote those telemetry events*

@Viss

crap like this was why, when i was the architect for a large ISP's DNS, i mandated that all DNS servers were clusters, were anycasted internally, all had dual power supplies, and the power supplies were on different, UPS-backed power A/B feeds per machine.

so many things shit the bed when they couldn't resolve something in DNS. it was easier just to grossly overbuild the DNS infra than try to get that many vendors to fix that many broken things.

@paul_ipv6 @Viss the architect in our ISP did this too, as well as having an air raid siren in the office when DNS resolution was flakey in the network

It didn't help that we were still updating the bind.conf manually with vi over ssh. We also had a small enough fleet that we knew the IP blocks by heart

@webhat @paul_ipv6 so my problem was that the firewall wasn't set up correctly here. it was SUPPOSED to be acting as a caching/forwarding setup (fuckin unbound on pfsense) - but it wasn't. the idea was that if the main dns server (adguard) went offline for a reboot (or the ups shit itself) the firewall would have a cache for a while and dns wouldn't go offline

but nooooo

@Viss @webhat

most FWs still use dnsmasq as their DNS and don't really let you fully configure it. they expose a small subset to the GUI.

what you want is a DNS server with a small set of hard-coded zones for local stuff so that you don't ever actually go to root and down the tree to resolve things inside the firewall.

it's stunningly hard to find any commercial kit that just does that.
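
The resolver setup these two posts are after (a forwarder that keeps answering from cache when the upstream box goes down, plus hard-coded local zones that are never sent upstream or to the root), as an added Unbound config example that is not from anyone in this thread. The hostnames and 192.0.2.x addresses are made-up placeholders; on pfSense these lines would go into the Resolver's custom options box rather than a hand-edited unbound.conf.

```conf
server:
    # Keep answering from cache after TTLs expire when the forwarder is
    # unreachable (the "adguard/UPS rebooted" case). Without serve-expired,
    # a dead upstream means SERVFAIL for every client once TTLs run out.
    serve-expired: yes
    # How long (seconds) a stale record may still be handed out.
    serve-expired-ttl: 86400
    # Try the upstream first, but give clients the stale answer after
    # 1.8 s instead of making them wait for the full upstream timeout.
    serve-expired-client-timeout: 1800
    # Refresh popular records before they expire, so the cache is warm
    # at the moment the upstream disappears.
    prefetch: yes

    # Hard-coded local zone (placeholder names): "static" means anything
    # not listed here gets NXDOMAIN locally instead of being forwarded.
    local-zone: "lan.example." static
    local-data: "fw.lan.example. 3600 IN A 192.0.2.1"
    local-data: "adguard.lan.example. 3600 IN A 192.0.2.53"
    local-data: "nas.lan.example. 3600 IN A 192.0.2.20"

    # Reverse zone for the LAN so PTR lookups stay local as well.
    local-zone: "2.0.192.in-addr.arpa." static
    local-data-ptr: "192.0.2.1 fw.lan.example"
    local-data-ptr: "192.0.2.53 adguard.lan.example"
    local-data-ptr: "192.0.2.20 nas.lan.example"

# Everything else goes to the filtering resolver (placeholder address).
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

After loading it, `unbound-control dump_cache` (or `unbound-checkconf` beforehand) lets you confirm records are actually being cached before relying on the fallback.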

@paul_ipv6 @Viss anycast with BFD is the way.
@Viss rofl... *Cries in non-APC serial cable in 1999