On Wed, 2023-04-12 at 13:36 -0700, ToddAndMargo via users wrote:
> $ dig gbis.com
> ...
> ;; Query time: 71 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
>
> Not real helpful. I think I will just ping a
> porn site and see what happens.

You've truncated that far too much for us to tell whether you've assessed that correctly. All that tells us is that whatever the query, and whatever answers, or lack of answers, dig probed 127.0.0.1 for it, and it responded in some way. *Your* query was internal, but what it did with your query, we don't know.

> $ ping xxx.com
> PING xxx.com (146.112.61.106) 56(84) bytes of data.
> 64 bytes from hit-adult.opendns.com (146.112.61.106): icmp_seq=1 ttl=58 time=12.1 ms
>
> And that answered my question.

Since you got an IP to ping for that domain name, something did *not* block the DNS query. It was resolved. But that looks like their substitute for the blocked site. If I try that address in a web browser I get an unhelpful error message, with a bit of info about trying to resolve the problem. If I ran a censoring site, my error page would have said "blocked page, reason porn" (or other reasons).

If I try pinging a non-existent domain name, I get this response:

$ ping bulldust.lan
ping: bulldust.lan: Name or service not known

That can be because the domain name doesn't exist, or my DNS server didn't get an IP for it (it could pretend it doesn't exist).

If I had a censoring DNS server, it could provide an IP that's actually for someone else. That could be a server that simply throws up a "page is blocked" message to any of the blocked domain names, so you know what happened. In that case, I could get a ping response akin to:

$ ping nastysite.lan
PING safeblocker.lan (93.184.216.34) 56(84) bytes of data.
64 bytes from safeblocker.lan (93.184.216.34): icmp_seq=1 ttl=50 time=161 ms
64 bytes from safeblocker.lan (93.184.216.34): icmp_seq=2 ttl=50 time=161 ms

Where I *might* see that the response came from somewhere else, and I *might* get some ping responses. I tried pinging nastysite, the server gave me their safe IP instead, and that IP resolved to safeblocker. The kind of thing you got. Though, a ping test is not a browsing test.

If I try pinging an existing domain name, one that isn't responding to pings, I get this response:

$ ping nastyserver.lan
PING nastyserver.lan (192.168.1.44) 56(84) bytes of data.
From rocky.lan (192.168.1.1) icmp_seq=1 Destination Host Unreachable

(the from line is the machine I'm typing the command into)

However, I can't tell from that whether it's switched off, or not responding to pings. It could be fully functional, but ignoring pings.

Ping only proves that some network hardware answered its pings. A lack of a response doesn't mean a site isn't there; it doesn't prove that a web server isn't running. Conversely, if you do get a ping response, it also doesn't prove that a web server is running. It's not a web server that responds to pings.

It's a bit like looking for the power light on my PC. It only shows that it's switched on. It doesn't tell me anything about what may, or may not, be running on it.

Ping tests a network end-to-end, and provides some timing information about those pings and their responses. Beyond that it tells you virtually nothing (some people may look at the nature of the ping responses, and decide because it's so-many bytes, etc., it's possibly some particular OS). But still, it's only testing pings. If you want to test something else, like the presence of a website, you need to try browsing to it.

For what it's worth, mangling DNS to block a website will only be partially successful. Only the big sites might have consistent IPs, new crap pops up every minute and a censoring DNS server will always be out-of-date (same with anti-virus), and browsers can use other means than traditional DNS queries to connect (so places like schools would need to use more effective blocking techniques).

e.g. https://en.wikipedia.org/wiki/DNS_over_HTTPS can bypass your network's configured DNS server(s). It will use another technique to directly query something over the internet. At this stage, I don't think you get to pick what it uses. You only have a choice whether your web browser has DoH enabled. So you want to check it's off.

And DoT is another alternative: https://en.wikipedia.org/wiki/DNS_over_TLS

And HTTP proxies are another (the proxy can do the resolving).

> options {
>         forwarders { 208.67.222.123; 208.67.220.123; };
>
> is not being bypassed by
>
> zone "bravesoftware.com" IN {
>         type forward;
>         forward only;
>         forwarders {8.8.8.8; 8.8.4.4; };
> };

I can't really tell that from what you've posted. I can tell from that snippet of the named.conf file that if you make any DNS queries of your DNS server regarding "bravesoftware.com" it will ask either 8.8.8.8 or 8.8.4.4 for the answers. Every other DNS query, made through your DNS server, will be answered by 208.67.222.123 or 208.67.220.123 (FamilyShield DNS servers). But if a browser doesn't query your DNS server, it won't be censored.

-- 
uname -rsvp
Linux 3.10.0-1160.88.1.el7.x86_64 #1 SMP Tue Mar 7 15:41:52 UTC 2023 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
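To check the point made above about the named.conf snippet (names under a "type forward" zone go to that zone's forwarders and so skip the FamilyShield servers), here is an added example that is not from the thread or from BIND itself: a small Python parser run over a constructed config modelled on the quoted snippet. The config text, the function names and the suffix-matching logic are assumptions made for the example.

```python
import re

# Constructed named.conf fragment modelled on the snippet quoted in the thread.
NAMED_CONF = """
options {
    forwarders { 208.67.222.123; 208.67.220.123; };
};
zone "bravesoftware.com" IN {
    type forward;
    forward only;
    forwarders { 8.8.8.8; 8.8.4.4; };
};
"""
# FamilyShield addresses from the thread; queries forwarded elsewhere skip them.
FILTERING = {"208.67.222.123", "208.67.220.123"}
_IP = r"\d+\.\d+\.\d+\.\d+"

def parse_forwarders(conf):
    """(global_forwarders, {zone: forwarders}) for the constructs the thread uses:
    the options forwarders list and 'type forward' zones with their own list."""
    global_fwd = []
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    if m:
        fm = re.search(r"forwarders\s*\{([^}]*)\}", m.group(1))
        if fm:
            global_fwd = re.findall(_IP, fm.group(1))
    zones = {}
    for zm in re.finditer(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', conf, re.S):
        body = zm.group(2)
        fm = re.search(r"forwarders\s*\{([^}]*)\}", body)
        if re.search(r"\btype\s+forward\s*;", body) and fm:
            zones[zm.group(1).lower().rstrip(".")] = re.findall(_IP, fm.group(1))
    return global_fwd, zones

def forwarders_for(qname, conf):
    """Upstream servers the local named would ask about qname: the longest
    matching forward zone wins, otherwise the global forwarders."""
    global_fwd, zones = parse_forwarders(conf)
    name = qname.lower().rstrip(".")
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return zones[max(matches, key=len)] if matches else global_fwd

def unfiltered_zones(conf):
    """Forward zones whose servers are not the filtering ones, i.e. names for
    which this config routes queries around FamilyShield."""
    _, zones = parse_forwarders(conf)
    return sorted(z for z, fwd in zones.items() if not set(fwd) <= FILTERING)
```

Running unfiltered_zones over a real named.conf lists every forward zone that answers from outside the filtering servers; it says nothing about browsers that never ask the local named at all, which is the DoH/DoT case in the text.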