On Thu 25 Apr 2019 at 12:28:37 (-0400), Lee wrote:
> On 4/25/19, David Wright <deb...@lionunicorn.co.uk> wrote:
> > On Wed 24 Apr 2019 at 14:29:00 (-0400), Lee wrote:
> >> On 4/24/19, David Wright <deb...@lionunicorn.co.uk> wrote:
> >> > On Tue 23 Apr 2019 at 10:38:41 (-0400), Lee wrote:
> >> >> On 4/22/19, David Wright <deb...@lionunicorn.co.uk> wrote:
> >> >> > On Sun 21 Apr 2019 at 20:30:53 (-0700), pe...@easthope.ca wrote:
> >> >> >> From: David Wright <deb...@lionunicorn.co.uk>
> >> >> >> Date: Sun, 21 Apr 2019 16:13:11 -0500
> >> >> >> > Does the behaviour reported in your OP cause you *great* concern?
> >> >> >>
> >> >> >> No. Just wastes time. Opening a simple local HTML home page requires
> >> >> >> roughly a minute rather than roughly a second.
> >> >> >
> >> >> > I tend to forget that, because my /etc/hosts file has ~14000 lines,
> >> >> > pages appear a lot faster here.
> >> >>
> >> >> Have you looked at bind's dns rpz?
> >> >
> >> > Just now.
> >> >
> >> >> http://zytrax.com/books/dns/ch7/rpz.html
> >> >> It lets you do things like
> >> >> *.2o7.net CNAME .
> >> >> *.doubleclick.net CNAME .
> >> >>
> >> >> to block entire domains instead of having to list each and every
> >> >> hostname in the domain.
> >> >>
> >> >> And you can log what is blocked/allowed to make troubleshooting easier
> >> >
> >> > It might be a good *mechanism* for the diversion itself, but AFAICT
> >> > it's aimed at the *policy* implementers rather than the end-user.
> >>
> >> Just out of curiosity - do you think pi-hole is aimed at policy
> >> implementers or end users?
> >
> > I don't know about their policies, or whether they have any. I've not
> > found any description of how you would configure it, only how you
> > install it. Do they provide blacklists?
>
> It looks like they give you a default list of lists that you can modify:
> https://github.com/pi-hole/pi-hole/blob/master/automated%20install/basic-install.sh#L1181
Yes, and taking one of the sites mentioned, I see they explain their
policy at https://hosts-file.net/?s=policy and that's what I want done
for me.

> > It's also not clear to me where I should install it to. My router
> > uses the Google nameservers, and all my machines have the router
> > as their nameserver. The router is the only part of the network
> > that's always up and running.
>
> I have a server that I leave running all the time;

… and I don't.

> reconfigure your
> router to use your dns server

… which doesn't exist …

> instead of google, add a firewall rule
> to block all outgoing tcp/udp traffic to port 53 except from the
> server & you're done.
>
> > But let me explain what I mean by those terms I used earlier:
> >
> > Mechanism: Any method of modifying the result of trying to resolve
> > foo.bar to an IP address, irrespective of the specific domainnames
> > which somebody has to give to it. My mechanism is resolving to
> > localhost.
> >
> > Policy implementers: The people who make the decisions about which
> > domainnames should have their resolution modified. If you look
> > through the reference I gave for the source of my /etc/hosts, you
> > can see their policies listed as comments bracketing the sections,
> > and they are:
> > [snipped]
> >
> > End-users: The people whose browsing experience is improved by
> > the policies selected, and implemented using the chosen mechanism.
> >
> >> > The value I get from Dan Pollock is the list of sites rather than the
> >> > most elegant mechanism for handling that list. Looking at the comments
> >> > in the list, and by comparing evolving versions, it does appear that
> >> > Dan actively "opens holes" where people report interference or
> >> > difficulties using certain legitimate sites.
>
> But the holes get opened only after someone reports a problem. If
> you're using a host file, how do you figure out which host name(s)
> being blocked are causing the problem?
I guess the people who report the problem figure that out. Looking at
the comments, they're not services that I use.

> I never figured out an easy way to troubleshoot hostfiles & switched
> to something that logged what all was blocked and allowed.

That would be easy to check. I build /etc/hosts with a commandline:

# cat /root/hosts-[0-9]-*[^~] | sed -e "/^[[:space:]]*192.168.1.[0-9]\+[[:space:]]\+$HOSTNAME.corp[[:space:]]\+$HOSTNAME\$/s/[[:space:]]*\([0-9.]\+\)[[:space:]]\+\(.*\)\$/127.0.1.1\t\2\t# \1/" > /etc/hosts

so I would hide Dan's file (whose final destination is a file that
matches /root/hosts-[0-9]-*[^~]) before rerunning that command.

> >> > Finally, I wouldn't know where to start to compile a list of sites
> >> > like that.
> >>
> >> https://dnsrpz.info/
> >> If you're a business, you can buy access to an rpz feed.
> >
> > I'm not, but I take it that different feeds have different policies on
> > which sites to include, and come at different prices.
> >
> >> If you're a [home?] network admin it's simple enough to enable logging
> >> & see what all is allowed that you'd rather have blocked. And/or grab
> >> things like Dan Pollock's list and turn them into an rpz file.
> >
> > Frankly, I don't want to be bothered with processing the list.
>
> That makes it easy then, stay with what you've got :)

Sure. I like to publicise it when I'm reminded that its use might help
someone else fix any sort of problem.

Cheers,
David.
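The conversion Lee suggests ("grab things like Dan Pollock's list and turn them into an rpz file"), as an added example that is not code from the thread, from BIND or from pi-hole: it reads hosts-file lines, keeps only entries sunk to 127.0.0.1 or 0.0.0.0 (so Debian's 127.0.1.1 self-entry and loopback aliases never become rules), and emits `name CNAME .` records, plus the `*.domain CNAME .` whole-domain form from the thread. The sample hosts lines, the example.net/2o7.net whole-domain choices and the SOA/NS header values are constructed.

```python
"""Turn a hosts-file blocklist into BIND RPZ zone lines. Added example for
this thread; the sample hosts text below is constructed, not Dan Pollock's."""

# Constructed sample in hosts-blocklist layout: loopback entries, the Debian
# 127.0.1.1 self-entry David's sed rewrite produces, then a bracketed section.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost ip6-localhost
127.0.1.1 desk.corp desk  # 192.168.1.7
# <ad-sites>
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org  # reported as breaking logins
0.0.0.0 ads.example.net
# </ad-sites>
"""
SINK_ADDRS = {"127.0.0.1", "0.0.0.0"}      # addresses blocklists sink to
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}
ZONE_HEADER = ["$TTL 300",                  # header values are assumptions
               "@ SOA localhost. root.localhost. {serial} 3600 900 604800 300",
               "@ NS localhost."]

def blocked_names(hosts_text):
    """Return the set of hostnames a hosts blocklist sinks to a local address.
    Lines with other addresses (LAN hosts, 127.0.1.1 self-entry, ::1) and
    loopback aliases are skipped, so they never become policy rules."""
    names = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue
        names.update(h.lower() for h in fields[1:] if h.lower() not in LOCAL_NAMES)
    return names

def rpz_zone(hosts_text, wildcard_domains=(), serial=1):
    """Return RPZ zone lines: 'name CNAME .' (answer NXDOMAIN) per blocked
    host, and 'domain' + '*.domain' rules for whole domains, as in the thread's
    '*.doubleclick.net CNAME .' example (the wildcard alone does not match the
    bare domain). Hosts already covered by a wildcard are omitted. Owner names
    are relative to the zone origin, which is what RPZ expects."""
    domains = sorted({d.lower().strip(".") for d in wildcard_domains})
    lines = [h.format(serial=serial) for h in ZONE_HEADER]
    for d in domains:
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    for n in sorted(blocked_names(hosts_text)):
        if not any(n == d or n.endswith("." + d) for d in domains):
            lines.append(f"{n} CNAME .")
    return lines

if __name__ == "__main__":
    print("\n".join(rpz_zone(SAMPLE_HOSTS, wildcard_domains=["2o7.net"])))
```

The zone file still has to be loaded by named and named in a `response-policy` statement in named.conf before BIND applies it; enabling RPZ logging there is what gives the per-name blocked/allowed record Lee describes.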