/srv/irclogs.ubuntu.com/2023/02/06/#ubuntu-server.txt

[02:54] <wingarmac> Hi there !
[02:56] <wingarmac> I've a question about bind: What's the need of 2 servers exactly (ns1 and ns2) ?
[02:57] <wingarmac> If I understand it, they should backup each other.
[02:57] <wingarmac> But what if both are on a NAT router like mine (with static public IP) ?
=== chris14_ is now known as chris14
[02:58] <wingarmac> Would that make sence ?
[03:11] <Liver_K> *sense
[03:13] <qman> you can have as many as you want, the reason for having more is redundancy
[03:13] <qman> if you're on a single internet connection and router anyway, then it doesn't make much sense to have more than one
[03:15] <qman> (for internet-facing DNS)
[03:15] <qman> and for internal-facing, again, it depends on the needs of your network
[03:16] <qman> if nothing else on your network is redundant, then you probably don't really need redundant DNS either
[03:55] <wingarmac> Thanks qman ! So I can setup a single dns to be able to use my domain name instead of IP's to call computers on my network. Is that right?
[03:55] <qman> yes
[03:56] <wingarmac> I would like to have computer1.mydomain.org computer2.my
[03:57] <wingarmac> Accessible from LAN as from WAN, with these names
[03:58] <wingarmac> For testing different network applications, like tftp, vpn, ... over www instead of testing LAN only. Since I've a fixed IP now.
[04:00] <wingarmac> I've a laptop connected with mobile data for testing as an external PC (www)
[04:01] <wingarmac> qman I wish you a good day ! cheers !
[04:04] <wingarmac> I forgot. What is the difference between nameserver and dns. I can see on easyhost.be I have in my settings a possibility to use their ns1 ns2 ns3, or setup my own. What is the difference?
[04:05] <wingarmac> Could you be so kind to explain me the difference qman ? https://ibb.co/Qkcq2kd
[04:07] <wingarmac> This is very confusing to me. I need a DNS server to use my domain name, but it seems I can use theirs. Or do I get it wrong ?
[04:08] <wingarmac> That in case DNS and nameservers mean the same
[04:13] <qman> in order for your DNS names to resolve for everyone on the internet, you need a public-facing DNS server to host your zones
[04:13] <qman> that's what using a service like theirs does for you
[04:13] <qman> for you to resolve DNS names internally but with internal IPs, you would set up your own internal DNS server with software like BIND or dnsmasq or tinydns ...
[04:14] <qman> the internet can't resolve your internal IPs, so you need different content in your zones depending on whether the request is internal or external - when you use the same zone for both, but host it in both spots with different records, this is called split horizon DNS
[04:15] <qman> the alternative approach is only using one set of records with the external IPs listed, and instead using either NAT hairpinning or ipv6 to allow internal clients to access internal resources by name
[04:23] <wingarmac> I've found more detail about the difference: A. Name servers are the physical directory itself.
[04:23] <wingarmac> B. Registered DNS are the individual entries in the directory.
[04:23] <wingarmac> Ref in french: https://kinsta.com/fr/base-de-connaissances/serveur-de-noms/
[04:25] <wingarmac> So if I would like this domain name used by each computers name reference, this is stored in the DNS server, while the domain name database is on the nameserver.
[04:25] <wingarmac> I'll need a DNS server for sure
[05:04] <JanC> qman: you always *must* have at least two different authoritative DNS servers: https://www.iana.org/help/nameserver-requirements
[05:05] <wingarmac> JanC This means also to two fixed public IPs. Am I right? Or could those be beyond the NAT router ?
[05:06] <JanC> they can be everywhere on the internet (e.g. by default they are usually at the company where you registered your domain)
[05:13] <JanC> for internal LAN stuff this doesn't apply, of course, but if you want a (sub)domain to be reachable from the internet, it is mandatory
[05:15] <JanC> you can have your primary at home & the secondary elsewhere, of course
[05:17] <wingarmac> Can you elaborate in my case, what this will imply in practice?
[05:18] <wingarmac> What will it imply for example for WAN computers in my VPN for example ?
[05:19] <wingarmac> Will these also have computer$.domain.org names ?
[16:51] <xibalba> i loaded an old VM from Nov 2022, a template, and trying to update everything. when it connects to apt it says, Unable to connect to us.archive.ubuntu.com:http:, but i see the firewall allowing traffic through. I've disabled IPv6 as the box isn't dual stacked on that network
[16:52] <xibalba> the name resolves to a v4 addr
[16:52] <xibalba> from host us.archive.ubuntu.com
[16:52] <xibalba> us.archive.ubuntu.com has address 91.189.91.39
[16:52] <xibalba> us.archive.ubuntu.com has IPv6 address 2001:67c:1562::18
[16:56] <alkisg> xibalba: I've heard that ubuntu archives have issues today, so it might not be related to the VM at all; check if the issue is still ongoing
[16:56] <Odd_Bloke> I believe there's an ongoing iss-- yeah.
[16:56] <xibalba> roger roger
[16:56] <xibalba> http://archive.ubuntu.com/ <~ returned data
[16:56] <xibalba> oh hey it just started working
[16:57] <xibalba> https://status.canonical.com/ <~ all green
[16:57] <xibalba> i mean it's 68.5 kB/s, but ill take it lol
[16:57] <Odd_Bloke> Yeah, it hasn't not been green, so that's not an indicator.
[16:57] <xibalba> lol
[16:57] <wingarmac> Hi there ! I'm testing how I have to setup bind on Ubuntu server behind a NAT router with fixed public IP, so that my computers listed in the A-records as pc.domain.org pc1.domain.org ... can be reached from the WAN with a responding ping
[16:57] <Odd_Bloke> It's round-robin'd, so if some of the servers are working then you might see occasional success.
[16:57] <xibalba> yeh i keep hitting kazooie each time
[16:57] <xibalba> 0% [Connecting to kazooie.canonical.com (91.189.91.39)]
[16:57] <wingarmac> Can anyone help me understand its working ??
[16:58] <Odd_Bloke> Likely everyone is round-robin'ing onto a single host which is therefore DDoS'd.
[16:58] <xibalba> wingarmac spin up an VM external to your network and use `host` or `dig` commands
[16:58] <xibalba> or give me your ip and i'll send 1gbit of udp to you
[17:00] <wingarmac> xibalba wingarmac.org can be reached but not the computer behind
[17:01] <wingarmac> my ports are opened on the router and I've sysctl -w net.ipv4.conf.enp3s0.route_localnet=1
[17:01] <wingarmac> EXTERNAL_IP=
[17:01] <wingarmac> sudo iptables -t nat -A OUTPUT -d ${EXTERNAL_IP} -j DNAT --to-destination 127.0.0.1
[17:02] <xibalba> oh sorry i dont do iptables
[17:02] <wingarmac> ports opened 80 443 (I made an apache setup in SSL before, and made a clean install since)
[17:03] <effendy[m]> Why are you using local routing like that?
[17:03] <effendy[m]> how does bind run?
[17:04] <effendy[m]> Does the router run Ubuntu also?
[17:04] <wingarmac> xibalba I personally do not I have no habit or predilection for a procedure. A few tips and explanations are enough for me.
[17:04] <wingarmac> I am a tester and an apprentice.
[17:05] <wingarmac> As a matter a fact I do not know clearly what I'm doing.
[17:05] <wingarmac> I try to reach to setup a WAN VPN Server, to maintain my private network computers over Belgium
[17:06] <wingarmac> I've a fixed public IP and a domain name to reach this goal
[17:06] <effendy[m]> You need to give more structured info if you want to get help. I asked you a few questions already.
[17:06] <wingarmac> I would like to be able to reach each computer with its pc.domain.org name instead of IPS
[17:07] <wingarmac> Why are you using local routing like that? Seen on Askubuntu
[17:08] <wingarmac> how does bind run? server pc 192.168.1.9
[17:08] <wingarmac> need what specific info about ?
[17:09] <wingarmac> ISP router is the answer for the last question
[17:10] <wingarmac> I manage the server through webmin on my desktop on the connected both to the ISP router
[17:10] <wingarmac> A. Ubuntu server 22.04 B. Linux Mint desktop based on Ubuntu server installation
[17:11] <wingarmac> On my server is running nmon, while I set it up through Webmin from my Mint desktop and the root terminal
[17:12] <effendy[m]> The only place I saw where the output chain of the nat table was used were containers. There are some other cases, of course, but you need to know exactly how it works before using it.
[17:12] <effendy[m]> the only context*
[17:13] <effendy[m]> I feel that using route_localnet is also unnecessary at first glance.
[17:13] <effendy[m]> so on the same server you're running both a vpn server and bind?
[17:14] <wingarmac> I've to try, in order to understand all those explanations, because otherwise I do not understand what I'm reading. Sorry, it may sound stupid.
[17:16] <wingarmac> This is all lots of information to acknowledge and it's not my native language. I've not been much in school. But I would like to learn more about it my way. Is there something wrong with that ?
[17:20] <wingarmac> Let's say I'm a 12 year old passionate computer user trying to configure his own server. Would there be someone so nice to help? (That's my level even if I'm over 40)
[17:22] <wingarmac> For my English, same thing ;)
[17:22] <effendy[m]> "Is there something wrong with that ?" - nothing at all, I wasn't criticising you :)
[17:22] <effendy[m]> I was just saying that people need to understand your setup in order to get help at all, otherwise they might give up easily.
[17:24] <wingarmac> I can, understand, it's just I do not know where to start myself
[17:24] <wingarmac> I know what I want
[17:24] <patdk-lap> I have never in my life used route_localnet and I do all kinds of odd networks
[17:24] <wingarmac> But not how
[17:25] <wingarmac> This route is only an idea I read on the net I've tried, it's not an obligation
[17:25] <patdk-lap> oh, it lets you use 127.x.x.x on your network, not a good idea
[17:26] <wingarmac> I have 2 PC I would like to use to do maintenance of other installs I made over Belgium, with the use of my domain name and fixed IP as a pinpoint.
[17:27] <patdk-lap> but what does that have to do with using 127.x.x.x on your network?
[17:27] <patdk-lap> you should not use route_localnets ever
[17:27] <wingarmac> I rather use domain names to setup new computers to my network as to remind all those IPS
[17:27] <wingarmac> How do I delete this
[17:28] <wingarmac> You mean this iptables -t nat -A OUTPUT -d ${EXTERNAL_IP} -j DNAT --to-destination 127.0.0.1
[17:29] <wingarmac> net.ipv4.conf.enp3s0.route_localnet=1
[17:29] <wingarmac> Or only the last one?
[17:31] <wingarmac> sorry it was on stack exchange : https://serverfault.com/questions/351816/dnat-to-127-0-0-1-with-iptables-destination-access-control-for-transparent-soc
[17:31] <wingarmac> serverfault I read this
[17:36] <effendy[m]> first of all, do you want your DNS to be available to everyone?
[17:38] <effendy[m]> The topic (in your link) refers to an edge case. This probably doesn't apply to you.
[17:42] <wingarmac> Do i need it to achieve the WAN VPN Server with domainname reference to each computer?
[17:44] <effendy[m]> Let me put it another way: does the DNS need to be public? reached by anyone outside your network? Or does it need to be exclusively internal?
[17:45] <effendy[m]> And do you have two separate geographical locations then?
[17:54] <wingarmac> I did understand it's needed to link the names to the computers in the NAT. I can set other A-records to public ips but not to a lan ip on WAN. How do I reach to link this computer on the WAN to my private network with my domain name (not the IP) is my question.
[17:55] <wingarmac> i want those computers being part of my private network like the others on my LAN with my domain name as reference
[17:56] <wingarmac> I do not server I need to setup to achieve this
[17:56] <effendy[m]> Yeah, I can't make head nor tail of what you're saying. Maybe someone else can understand it better than me, hopefully.
[17:56] <wingarmac> I would like to know.
[18:06] <wingarmac> effendy[m]: How can I achieve this: https://ibb.co/pRRt3Nq ?
[18:07] <wingarmac> I would like to be able to use samba, ipxe, dlna, like I did on my lan over this wan private network
[18:08] <wingarmac> Is this possible? What do I need to do so ?
[18:09] <wingarmac> I have also the FQDN registered
[18:09] <wingarmac> at easyhost.be
[18:11] <wingarmac> let's not talk about those other samba ipxe, but what do I need to setup the private network first.
[18:12] <wingarmac> so another computer on WAN could be added to my private network once logged on.
[18:31] <samy1028> Hello all.  We have an Ubuntu Server VM on Azure that was originally pro-fips-18_04-gen2 but we used apt to upgrade it to FIPS 20.04.  When looking at Azure it still lists the "plan" as 18.04 and seems to have issues with certain automated tools in Azure.  Does anyone know how to make Azure see that this is now an Ubuntu 20.04 VM?
[18:32] <samy1028> It lists the operating system as "Linux (Ubuntu 20.04)" correctly at least.
[18:33] <gjolly> @samy1028: can you be more specific about those issues?
[18:35] <samy1028> @gjolly, I don't have the full details yet.  One of my techs was looking at the disaster recovery tools available within Azure and it seems they stopped working or being available after the upgrade.
[18:35] <samy1028> I haven't yet logged in myself, will do that this afternoon, but wanted to see if anyone had seen that type of description or experienced it before.
[18:38] <gjolly> The only thing I can think about is the IMDS metadata that the ua/pro tool uses to detect whether the VM has access to the FIPS repo.
[18:41] <gjolly> This will still show the plan/sku as being 18.04 while the VM would be running 20.04.
[18:41] <gjolly> samy1028: how did you do the upgrade from 18.04 to 20.04?
[18:42] <samy1028> after running apt-get update; apt-get dist-upgrade;  and verifying everything worked, I believe we then did a do-release-upgrade.
[18:43] <samy1028> I'm currently logged into Azure now also to see if I can find what my tech was talking about.
[18:44] <gjolly> samy1028: seems right
[18:45] <gjolly> samy1028: check the output of "pro status"
=== xispita_ is now known as xispita
[18:49] <samy1028> hmm.. I have "ua" but not "pro" commands on this VM?
[18:50] <samy1028> I guess I should add the Ubuntu Pro Client in addition to the Ubuntu Advantage Client?
[18:50] <sarnold> try an apt update && apt upgrade first ?
[18:52] <samy1028> I'll have to see where we are in the schedule for updates on it.  There are some libraries that I think are still being regression tested first for the software we run on the VM.
[18:53] <samy1028> first, I'm going to try to find the particular items in Azure to make sure I fully understand and make sure the tech wasn't misinformed from the control panel.
[18:53] <samy1028> and get with my developers to see how much longer it will be to verify the regression testing.
[18:57] <Teridon> I'm not trying to be snarky here, I'm just relatively new to Ubuntu and I don't understand the process .. and I may be biased since I submitted the bug :) .  Is it typical for a "High" bug to be unassigned for 2 months?  https://bugs.launchpad.net/cloud-init/+bug/1999164
[18:57] -ubottu:#ubuntu-server- Launchpad bug 1999164 in cloud-init "when multiple SSH host key certificates are defined, only one HostCertificate is referenced in sshd_config" [High, Confirmed]
[18:58] <Teridon> is there a separate internal tracker I just don't see ?
[19:02] <Odd_Bloke> Teridon: You might get a better answer from #cloud-init for that specific bug.
[19:34] <samy1028> gjolly, sarnold, I found the issue.  It's the kernel version and Azure only supports certain kernels for its tools and the kernel on this VM is running: linux-image-5.4.0-1022-azure-fips/focal,now 5.4.0-1022.22+fips1 amd64
[19:34] <samy1028> I ran "apt update" and then "apt list --upgradeable" but it doesn't list another version number as available.
[19:35] <sarnold> samy1028: aha! yeah, we don't get new kernels validated very often
[19:35] <sarnold> samy1028: validating updates costs a fortune..
[19:37] <samy1028> sarnold, there is this which lists the supported kernels.  https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-support-matrix#supported-ubuntu-kernel-versions-for-azure-virtual-machines
[19:37] <samy1028> is there a later validated FIPS version than 5.4.0-1022?
[19:42] <sarnold> samy1028: I see a 5.4.0-1101.107+fips1 package in the FIPS *update* ppa, but the update ppa isn't FIPS certified. Different organizations have different policies. Some want certified and *only* certified. Some want to start from a certified starting point and then install updates along the way, and it's fine that the updates aren't certified. Be sure to check around to find out what your
[19:42] <sarnold> organization is
[19:45] <samy1028> sarnold, thank you for the information.  I'll pass that along to management so we can come up with a better plan with this.
[19:48] <sarnold> samy1028: there's not a whole lot here, but this *is* available https://ubuntu.com/security/certifications/docs/fips-updates
[19:50] <samy1028> do you have a link to show the list of kernels in the FIPS update ppa?
[19:52] <sarnold> samy1028: curl -qs https://esm.ubuntu.com/fips-updates/ubuntu/dists/focal-updates/main/binary-amd64/Packages | grep -e 'Package:.*azure.*'
[19:59] <samy1028> Hmm, after reviewing that, it seems the latest supported by the Azure tools is "Package: linux-image-5.4.0-1095-azure-fips" or possibly the 1094 version, depending on the Azure client being installed.
[20:00] <samy1028> Thank you sarnold for helping me narrow down what's happening here!
[20:26] <Liver_K> arraybolt3: Did you do anything yet?
=== bladpope__ is now known as baldpope
[20:55] <arraybolt3> Liver_K: Sorry, not yet, but I still have everything up for doing it.
[20:56] <Liver_K> Cool cool, just ping me a link when you do
[20:56] <arraybolt3> (Personal life hasn't been all that cooperative lately. :P)
[21:05] <arraybolt3> Liver_K: Do you mind if I paste the whole IRC log you sent me yesterday into the bug report?
[21:06] <Liver_K> I don't, but you might want to ask the other person lol
[21:06] <arraybolt3> That makes sense.
[21:07] <Liver_K> You also might want that strace logfile, I can reupload it for you
[21:07] <Liver_K> If you want ot include it
[21:07] <Liver_K> *to
[21:07] <arraybolt3> Sure, if that's OK.
[21:07] <Liver_K> Yeah give me a sec
[21:12] <Liver_K> arraybolt3: http://0x0.st/oFZD.log
[21:18] <arraybolt3> Liver_K: By the way, what is that the strace of?
[21:18] <arraybolt3> I think it's clinfo.
=== xispita_ is now known as xispita
=== ivoks_ is now known as ivoks
=== coreycb_ is now known as coreycb
=== tobias-urdin8 is now known as tobias-urdin
=== falcojr_ is now known as falcojr
[23:31] <Liver_K> arraybolt3: Yes, as Oblomov said, it's clinfo -l
