Implement Split-Brain DNS Policies in Active Directory

Implement Split-Brain DNS Policies in Active Directory

Implement Split-Brain DNS Policies in Active Directory In this detailed guide, we will look at how to implement DNS split-brain policies in an Active Directory environment. Creating a split-brain DNS setup is crucial for managing different DNS responses based on whether the request is internal or external. This can help streamline network traffic, improve security, and ensure that internal and…

got my pfsense running again only to find out it would be much better to use routeros as i have a mikrotik router/switch

now i've gotta learn to seperate these things out....

Technitium DNS Server in Docker: Is this the Best Home Server DNS?

Technitium DNS Server in Docker: Is this the Best Home Server DNS? @vexpert #homelab #TechnitiumDNSServer #HomeLabDNS #DNSPrivacyandSecurity #DNSServerComparison #PiHolevsTechnitium #AdGuardHomevsTechnitium #CustomDNSConfiguration #BlockAdsandMalwareDNS

When many enthusiasts or home labbers start to look at services they want to run at home after purchasing some server gear, DNS server is one of the first services that you can benefit from. DNS provides the core name resolution for your home lab and server environment. Hosting your own DNS server provides many benefits over using the configured ISP’s DNS server settings. Table of contentsWhat…

View On WordPress

Blocking Ads on Mobile Devices

Blocking ads on our phones is way harder than it should be so I figured I'd make some recommendations. These are not the only options out there, just the ones that I know and have used.

Please note that browser-level and system-level adblocking are complementary; you'll have the best experience if you use both of them together as they each block different things in different places. If you want a basic idea of how effective your combined adblocking setup is, you can visit this website in your mobile browser.

Lastly, there is some additional advice/info under the readmore if you're curious (EDIT: updated March 2025 to add more adblocking options for iOS and to add info about sideloading altered versions of social media apps that don't contain ads on Android and iOS).

Android

Browser-Level

uBlock Origin (for Firefox)

System-Level (works in all apps, not just browsers)

AdGuard

Blokada 5 (completely free version) OR Blokada 6 (has some newer features but they require a subscription)

iPhone/iPad

Browser-Level

AdGuard (Safari extension; free for basic browser-level blocking, requires a subscription or one time purchase of “lifetime” license for custom filters)

1Blocker (Safari extension from an indie developer; can enable one built-in or custom filter list for free, requires a subscription or one time purchase of “lifetime” license for enabling multiple filter lists and updating filter lists to the latest version automatically)

Wipr 2 (one time purchase from indie developer; simplest option to use, but also the least configurable. Best if you are looking for one time set and forget and don’t need any custom filters. Note that it does not have a system-level blocking option)

System-Level (works in all apps, not just browsers)

AdGuard (requires subscription or one time purchase of “lifetime” license for system-level blocking)

1Blocker (can activate without a subscription, but requires subscription or one time purchase of “lifetime” license to enable system-level blocking AND browser-level blocking simultaneously)

AdGuard DNS only (this is free and does not require the AdGuard app, BUT I would only recommend it for advanced users, as you can't easily turn it off like you can with the app. Credit to this Reddit thread for the DNS profile)

Some additional info: browser-level blocking is a browser addon or extension, like you might be used to from a desktop computer. This inspects the HTML code returned by websites and searches for patterns that identify the presence of an ad or other annoyance (popup videos, cookie agreements, etc.). System-level blocking is almost always DNS-based. Basically whenever an app asks your phone's OS to make a connection to a website that is known for serving ads, the system-level blocker replies "sorry, I don't know her 🤷‍♂️💅" and the ad doesn't get downloaded. This works in most places, not just a browser, but be warned that it might make your battery drain a little faster depending on the app/setup.

Each of those types of blocking has strengths and weaknesses. System-level DNS blocking blocks ads in all apps, but companies that own advertising networks AND the websites those ads are served on can combine their services into the same domain to render DNS blocking useless; you can’t block ads served by Facebook/Meta domains without also blocking all of Facebook and Instagram as well because they made sure their ads are served from the same domain as all the user posts you actually want to see. Similarly, browser-level blocking can recognize ads by appearance and content, regardless of what domain they’re served from, so it can block them on Instagram and Facebook. However, it needs to be able to inspect the content being loaded in order to look for ads, and there’s no way to do that in non-browser apps. That’s why using both together will get you the best results.

These limitations do mean that you can’t block ads in the Facebook or Instagram apps, unfortunately, only in the website versions of them visited in your browser. It also means ads served by meta’s/facebook’s ad network in other apps can’t be blocked either (unless you're one of the rare beasts who doesn't use facebook or instagram or threads, in which case feel free to blacklist all Meta/FB domains and watch your ads disappear 😍; I'm jealous and in awe of you lol).

One note: some apps may behave unpredictably when they can't download ads. For example, the Tumblr app has big black spaces where the ads are, and sometimes those spaces collapse as you scroll past them and it messes up scrolling for a few seconds (UPDATE: looks like the scrolling issue may have actually been a Tumblr bug that they have now fixed, at least on iOS). Still way less annoying than getting ads for Draco Malfoy seduction roleplay AI chatbots imo though. And honestly *most* apps handle this fairly gracefully, like a mobile game I play just throws error messages like "ad is not ready" and then continues like normal.

One final note: on Android, you may actually be able to find hacked versions of Meta’s apps that have the ad frameworks removed. In some cases they are a little janky (unsurprisingly, apps don’t always take kindly to having some of their innards ripped out by a third-party), and they are often out of date. BUT in return you get an Instagram app with no ads whatsoever, and some of them even add additional features like buttons for saving IG videos and photos to your phone. However, use these apps at your own risk, as there is functionally no way to validate the code that the third-parties have added or removed from the app. Example altered IG app (I have not vetted this altered app, it's just a popular option): link.

It is technically possible to install altered apps on iOS as well, but Apple makes it much, much harder to do (unless you are jailbroken, which is a whole different ballgame). I'm not going to cover sideloading or jailbreaking here because even I as a very techy person eventually grew tired of messing with it or having to pay for it. If you're interested you can read more about the different ways to do sideloading on iOS here.

okay I've managed to get out of bed cleaned myself up. I'm going to sit at the dining table and work until it's done. It's 11:17am the deadline is midnight tonight I'd like to be finished by 8pm. Pray for me!

to do list:

- recreate topology

- route configuration

- add DNS server and configure that

- VLANS

- dynamic routing protocols

- ACL

- Wireless devices

- write description

oh my god i found out that my DNS record wasn't properly configured so all the emails I sent from my work email address using ProtonMail were usually being rejected and weren't going through. which is a profoundly horrible thing to realise because suddenly all those prospective clients and job applications I sent in the last few months that I thought had ghosted me....... had maybe not ghosted me at all.

I've started sending followup emails to explain the situation and make sure nobody thinks I just rudely ignored them. please let my email find you my emails have been lost and wandering scared and lonely in The Void for months

I finally figured out the whole DNS bullshit.

Turns out it actually was a problem with my router.

I hadn't configured DNS rebind protection, so my router blocked all DNS answers which answered with an IP that's inside the network. And since I was pretty much always testing it from within the network I never got an answer. I hadn't heard about it before and the setting was somewhere I didn't look.

I'll probably still keep most of my stuff behind a proxy, just to ensure I can always access it, but at least I can now be confident that people can join my Minecraft server and all that.

So now I'm pretty much just waiting until ipv6 gets more support and I'll be good

How we prevent conflicts in authoritative DNS configuration using formal verification

Source: https://blog.cloudflare.com/topaz-policy-engine-design/

Paper: https://files.research.cloudflare.com/publication/Larisch2024.pdf

Synology NAS Domain Join: The Importance of DNS Configuration

In this article, we shall discuss the issues you could face when performing a Synology NAS Domain Join: The Importance of DNS Configuration. DNS configuration ensures that devices on a network can communicate with each other and access external resources on the internet. This enables devices to locate servers and services by their domain names, facilitating seamless connectivity. Please see DSM…

View On WordPress

If you're experiencing "Error Code 102630: This video file cannot be played" on Firefox

i've been scratching my head about it for weeks and just solved the issue today - it might not work for you, but i'm posting it here in case it helps someone else.

things i tried that didn't work (but might help you):

updating/restarting firefox

updating/restarting windows (or your operative system of choice)

manually updating the video drivers

deleting the DNS cache

deleting the browser cache

running Firefox in troubleshooting mode (no extensions or add-ons) to make sure it wasn't some extension that broke in an update

what actually worked for me:

go to about:config (open a new tab and use that in place of the URL)

look up "media.mediasource.enabled"

if it's set to "false", set it back to "true" by double-clicking it

i had this configuration set to false in order to get videos to buffer completely instead of just loading a couple minutes at a time and then stopping, but unfortunately this does not seem to play well with most streaming sites/servers. pretty sure it worked well before, but an update must have broken it.

ah, well.

I’m sorry but I’m still losing my fucking MIND over elons incomprehensible Linux own the libs tweet like

Like it’s incredibly obvious he heard about a traceroute, and then googled “how to delete file in Linux” and then didn’t even read the results

Like… woke_mind_virus isn’t a fully qualified domain name, meaning it relies on a custom DNS resolution specific to his machine, or if utilizing a vpn, that specific vpn’s custom host file. Or that the American government would have a host entry for a woke mind virus, which if you’ve ever had to use a government website, is laughable. Also DNS is global for the most part, but honestly we can move on at this point.

So sure, we’ll say that the government has forced all public internet in America to resolve woke_mind_virus. Where does it resolve to? YOUR OWN COMPUTER, you silly billy! Obviously! This is *almost* comprehensible. Sure, we are all infected with the woke mind virus, why not. It must be destroyed within ourselves. Yeah man, whatever. Why not? So how do we destroy it?

Duh! Just delete it! How do we do that in our L337 uber hax0r terminal on our fresh kali live usb (because partitions are scary)? We’ll save that for last.

Because while deleting one file could make a website inoperable, it does not remove every trace of it! It first needs a configuration file in the web server, usually Apache or nginx. This is at LEAST one file, but cmon, if you’re gonna psychologically program the masses and keep it out of public view, you gotta encrypt that shit! So naturally, an SSL is in order! That’s easily 1-3 more files. woke_mind_virus can get a pass on not being fully qualified in this specific case because certs can theoretically be self signed and trusted on local networks, but he wouldn’t be able to tell you that. If you stood up a little one page html site on a web server on your own computer, and navigated to it on port 443 (https://) you would get an SSL error, even though it’s on your own machine. I feel like I’ve beaten this into the ground enough, but just understand it’s stupid.

What’s important to note here is that these BARE MINIMUM files are what routes the request from your machine to the destination site, even if it’s your own computer. If you delete the contents of the site (also called the docroot), the site still exists, and can receive and route requests to and from it, it’s just empty. You’ll probably get a 404 because there’s no actual content to serve. This woke mind princess is in another castle.

It’s also imprudent to delete these configuration files first, because that’s how you determine where the site content actually is! These files dictate what directory (folder for you windows losers) is called upon to actually serve you the content you see displayed when you open a webpage. So you need this information if you don’t want to destroy the entire file system and only want to remove the woke_mind_virus site. Cmon Elon, this is baby shit.

So of course, the strat with the most Efficiency and preserving the rest of the system (which seems to be the point of the tweet) is to find the docroot, delete the docroot, and then delete the web server config files. So how do we delete them?

And here we have it: rm -rf

The syntax is as follows:

rm -rf </path/to/file>

Even if you don’t know shit about Linux, you can probably see the problem here. It’s just so blatantly incorrect, it’s almost as if he’s never done it before.

For those that want to see a real world example, here is me creating a file called woke_mind_virus in my home directory and then trying to delete it the Elon Way:

my got dam media server is acting up again. I need to buy new drives for it soon but they're just expensive enough to be annoying. I think the problem is with DNS configuration but I don't know.

TARI.EXE (Puzzlevision Corruption)

I'm not even kidding, I had a dream where that TV guy and Tari have some sort of connection and kidnapped her so she becomes his property again, forcing the SMG4 gang to go through endless unwanted simulations to entertain him. I've been thinking about that dream repeatedly, and ever since Western Spaghetti I did want there to be some sort of connection. Can't wait to see more of TV Guy (or Puzzlevision as it says on his face). Also, the background text are just command prompt text, or rather Tari's programming. I've been finding so many examples of how to do program writing.... or coding? Idk lol. At some point my brain just stopped working. Anyways, i'll put below what the text says, and if you pay attention to the numbers in the written sequence, you'll see some hidden detail (Hint: The numbers are episode dates).

Background Text:

TASCORP Windows [Version 17.6.02023]

(c) 2023 TASCORP Corporation. All rights reserved.

C: \Users\TARI>ipconfig/flushDNS

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C: \>taskkill /f /im TARI.exe

SUCCESS : The process "TARI.exe" with PID 250818 has been terminated.

C: \>winge install "Puzzlevision SIM"

Found Puzzlevision SIM [TASCORP.Puzzlevision SIM] Version 28.10.23

This application is licensed to you by its owner.

TASCORP is not responsible for, nor does it grant any licenses to, third-party packages.

Downloading https://puzzlevisionsiminstall.net.com/stable/smg4/Setup-v28.10.23.exe

90.0 MB / 90.0 MB

Successfully verified installer hash

Starting Package install . . .

Successfully installed

X: \windows\system23>cd C: \Windows\system23

C: \windows\system23>systemreset

PUZZLEVISION SIMUL. Windows

Copyright (C) Puzzlevision Corporation. All rights reserved.

C: \WINDOWS\system23>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.

Verification 100% complete.

Puzzlevision Resource Protection found corrupt files and successfully repaired them.

Puzzlevision Resource Protection did not find any integrity violations.

Gshade Preset: Mellow`Heart

Sul sul! Indulge yourself with this soft matte Gshade preset. Happy simming!

Little Knowledge

Most preset comes with SMAA & FXAA. Both exist in one preset and so as this preset of mine. It is not recommended to use this because these two functions the same, smoothing the edges. The key difference depends on the hardware you are using. FXAA is a smart anti-aliasing recommended for average pc. On the other hand, SMAA is a smarter anti-aliasing recommended for High-end GPU pc. I have both enabled SMAA and FXAA in this preset. You should disable one of them. Martysmods_smaa is twice the performance of the original SMAA. YOU can switch to this from the default SMAA.

Let's talk about MXAO. This is a shadow and depth fx. The default configuration is Very high which I don't recommend for average PC. Adjust to medium to reduce the lag. Or the best alternative to this, which I am using with this preset is the qMXAO(quint). This is better for gameplay. You can switch to MXAO if you have a powerful pc if you want.

NOTE:

TURN OFF performance mode on gshade (darken the preset if turned on)

TURN OFF edgesmoothing in graphics settings

Be happy

Recommendations: For a better graphics, use the following overrides/mods.

Sunblind

Nobluv2 & Noglov2.1 (you can use both)

even better in-game lighting (you can't use this if you installed Noglo)

Pastel world (conflict with sunblind) - if you don't like the hassle of sunblind installation, use this.

fluffy clouds - overrides the clouds

map replacement mods

Dag dag!

Download:

Patreon

Mellow`Heart~[kazzaeo] SFS - Updated 10/20/24 

(use CloudFlare DNS 1.1.1.1 if you cannot download files from SFS)

For my Hallow'Heart preset, click here

Pi-Hole debug log

I'm thinking about writing up a nice guide so let me know if that would be useful to anyone but in the meantime, some notes about difficulties I ran into setting up a pi-hole

First off, I do want to say that this is actually pretty technically complicated? Like it's been floating around tumblr for a while, lots of people have done it, you can too, but when OP on that viral post said they took 2 hours and don't know anything, I think they mean they don't know anything in the same way I do (I have a whole degree in computers I have used a terminal before, but I hadn't used a raspberry pi before)

Rest below the cut

Gathering Materials Good news: there's lots of viable options for a raspberry pi that works with pihole! The minimal requirements are really very minimal. You need some computer that you're willing to devote to blocking your internet. (Theoretically you could do this on a computer also used for different stuff but that would suck and make you have no ram.) In practice, unless you've got a spare working laptop floating around for some reason, you are going to want that to be a raspberry pi. Bad news: now you have to make decisions. The "official" pihole kit has been sold out for ages, so that's not an option. I said fuck it and bought kit for the raspberry pi 4 off of one of the licensed distributors linked from raspberrypi.com (because it had all the requirements) but that was ~$100 with shipping and there ARE cheaper options. It looks like the raspberry pi zero barely hits the RAM requirements and is $15 at a licensed distributor so that's likely as low as you can go. And if you're not just buying a kit you'll need at a minimum a power supply, a microsd card (the pihole requirement is 4GB but everything I was seeing was way bigger anyways), and a way to read a microsd card (either a USB microsd reader or if your laptop already has an sd card reader you'll need one of those microsd to normal sd card converters which idk where you get but a USB microsd reader is very cheap). You don't need but may want an hdmi cable that will connect to the pi

Setting Up and Using a Raspberry Pi You may notice for notes that aren't a guide (yet) this is going into Great Detail about the early parts of the setup. As someone who hadn't used a raspberry pi before, I found all the pihole guides I was looking at skipped the basics I needed and most of my setup time was trying to figure out what was going on with my raspberry pi, not actually doing the pi-hole thing. The raspberry pi getting started page actually had all the information I needed in conjunction with their pihole setup guide if I'd read it thoroughly enough but since I didn't a general overview: first you plug the sd card into your personal computer to image it; then once it's imaged you take it out and put it in your raspberry pi; then after it's blinked at you a bit you ssh to your raspberry pi while on the same wifi network you just set up in the imaging step. This is running your raspberry pi "headless" which means you don't need a monitor/hdmi cable but does make it harder to debug if you can't ssh. Also if you're on windows apparently you NEED to download a different terminal because windows command prompt for all that it's gotten better over time cannot connect to unix operating systems (which raspbian is).

AT&T hates internet configuration Now we're getting to the part that's specific to me. My internet is on AT&T, which has overall been pretty okay (and they've had great technicians for setup and repair), but AT&T fiber does not let you set your own DNS. The non-annoying backup is to make the pi-hole your DHCP server instead of your DNS server, which IS in every setup guide but is NOT very detailed. (Possibly if I wasn't on AT&T this whole paragraph would be complaining about the level of detail of guides about making your pi-hole your DNS.) To get DHCP working, I found a different, slightly outdated guide from someone else on AT&T fiber which was pretty useful but had some pitfalls because it is a bit out of date: https://otter-security.com/how-to/ht_post/28/

Key points for setting up a pihole as DHCP server:

Set up your pihole normally/following the raspberry pi guide for the prompts

You still need to allocate a static IP for your pihole. For AT&T, this is on the IP allocation of the Home Network tab of the advanced settings page. That static IP should be the same as whatever the IP the IPv4 one the pihole install configured.

Disable DHCP on the subnets & DHCP tab. THIS IS THE STEP THAT BREAKS YOUR INTERNET: without DHCP available only some sites will work. This will be fixed by enabling DHCP on the pi-hole

Disable IPv6 (more about this later)

Enable DHCP on the pi-hole admin page: this is just a checkbox under settings->DHCP. The router ip address should be the one listed on the back of your router/the one used to get to the advanced settings (probably already correct)

Let all devices connect to the pi-hole under Settings->DNS on the pi-hole admin page (this is the step that was outdated or possibly just different because it was wired on the guide)

Don't You Forget About Mesh More details about my particular internet setup: we extend our internet with a mesh network. This kept getting in my way as I was doing the setup because I treat them largely interchangeably but it's important to put the raspberry pi and your computer on the SAME internet to do a local ssh, where the mesh vs the router are different here. I wanted to put the raspberry pi ssh on the router not the mesh because my initial setup attempt did break the mesh, but I'm not sure that that matters? Also I don't think anything connected to the mesh is getting the pihole filtering right now? Possible fixes required are either changing the mesh DNS to the pi-hole IP or seeing if the mesh has DHCP enabled.

IPv6: Still Broken So in the DHCP setup step I disabled IPv6. I couldn't get my DHCP to be forced to the pi-hole on IPv6 and I'm not sure why. I did set up my pi-hole to be IPv6 enabled and try disabling just IPv6 DHCP on my router, but it didn't seem to be hitting the pihole. Reading a help thread on this has convinced me that my best option is to leave it disabled until such a time as I want to learn things about networking again (a class I liked but also worked very hard to get a B in)

Why is my computer sad?? So I've declared pihole "working" in that our internet isn't broken and it's blocking at least some ads from some computers... but my mac is now giving ominous no internet connection warnings.

This would be a Big Problem except that I definitely can in fact reach the internet just fine. I'm on the internet right now! I don't know why my mac is sad and I am struggling to google it because it's specifically a false warning and I'm only getting results about the real problem. My hazy guess is it's ipv6 related? I could test this by disabling pihole/re-enabling DHCP on my router while keeping ipv6 off... but not in the middle of the day on a Friday

Adguard vs Pi-Hole: A Mystery Pi-Hole is no longer new technology and in the ~12 hours that it's been set up here hasn't made a dramatic difference in my life, mostly because I already had adblockers on my laptop. You can add more blocked sites and I've been looking at finding more adlists, but one alternate option is instead of running pi-hole on your raspberry pi, you run a commercial network level adblocker called AdGuard Home. I haven't tried the AdGuard option but it might do more comprehensive blocking? On the downside, it's commercial, not open source, so I do worry about them switching to break your internet if you don't give them money...