[02:54] <wingarmac> Hi there !
[02:56] <wingarmac> I've a question about bind: What's the need of 2 servers exactly (ns1 and ns2) ?
[02:57] <wingarmac> If I understand it, they should backup each other.
[02:57] <wingarmac> But what if both are on a NAT router like mine (with static public IP) ?
=== chris14_ is now known as chris14
[02:58] <wingarmac> Would that make sence ?
[03:11] <Liver_K> *sense
[03:13] <qman> you can have as many as you want, the reason for having more is redundancy
[03:13] <qman> if you're on a single internet connection and router anyway, then it doesn't make much sense to have more than one
[03:15] <qman> (for internet-facing DNS)
[03:15] <qman> and for internal-facing, again, it depends on the needs of your network
[03:16] <qman> if nothing else on your network is redundant, then you probably don't really need redundant DNS either
[03:55] <wingarmac> Thanks qman ! So I can setup a single dns to be able to use my domain name isntaed of IP's to call computers on my network. Is that right?
[03:55] <qman> yes
[03:56] <wingarmac> I would like to have computer1.mydomain.org compputer2.my
[03:57] <wingarmac> Accessible from LAN as from WAN, with these names
[03:58] <wingarmac> For testing different network applications, like tftp, vpn, ... over www instead of testing LAN only. Since I've a fixed IP now.
[04:00] <wingarmac> I've a laptop connected with mobile data for testing as an external PC (www)
[04:01] <wingarmac> gman I wish you a good day ! cheers !
[04:04] <wingarmac> I forgot. What is the difference between nameserver and dns. I can see on easyhost.be I have in my settings a possibility to user their ns1 ns2 ns3, or setup my own. What is the difference?
[04:05] <wingarmac> Could you be so kind to explain me the difference qman ? https://ibb.co/Qkcq2kd
[04:07] <wingarmac> This is very confusing to me. I need a DNS server to use my domain name, but it seems I can use theirs. Or do I get it wrong ?
[04:08] <wingarmac> That in case DNS and nameservers mean the same
[04:13] <qman> in order for your DNS names to resolve for everyone on the internet, you need a public-facing DNS server to host your zones
[04:13] <qman> that's what using a service like theirs does for you
[04:13] <qman> for you to resolve DNS names internally but with internal IPs, you would set up your own internal DNS server with software like BIND or dnsmasq or tinydns ...
[04:14] <qman> the internet can't resolve your internal IPs, so you need different content in your zones depending on whether the request is internal or external - when you use the same zone for both, but host it in both spots with different records, this is called split horizon DNS
[04:15] <qman> the alternative approach is only using one set of records with the external IPs listed, and instead using either NAT hairpinning or ipv6 to allow internal clients to access internal resources by name
[04:23] <wingarmac> I've found more detail about the difference: A. Name servers are the physical directory itself.
[04:23] <wingarmac> B. Registered DNS are the individual entries in the directory.
[04:23] <wingarmac> Ref in french: https://kinsta.com/fr/base-de-connaissances/serveur-de-noms/
[04:25] <wingarmac> So if I would like this domain name used by each computers name reference, this is store din the DNS server. while the domain name database is on the nameserver.
[04:25] <wingarmac> I'll need a DNS server for sure
[05:04] <JanC> qman: you always *must* have at least two different authoritative DNS servers: https://www.iana.org/help/nameserver-requirements
[05:05] <wingarmac> JanC This meens also to two fixed public IPs. Am I right? Or could those be beyond the NAT router ?
[05:06] <JanC> they can be everywhere on the internet (e.g. by default they are usually at the company where you registered your domain)
[05:13] <JanC> for internal LAN stuff this doesn't apply, of course, but if you want a (sub)domain to be reachable from the internet, it is mandatory
[05:15] <JanC> you can have your primary at home & the secondary elsewhere, of course
[05:17] <wingarmac> Can you elaborate in my case, what this will imply in practice?
[05:18] <wingarmac> What will it emply for example for WAN computers in my VPN for example ?
[05:19] <wingarmac> Will these also have computer$.dromain.org names ?
[16:51] <xibalba> i loaded an old VM from Nov 2022, a template, and trying to update everything. when it connects to apt it says, Unable to connect to us.archive.ubuntu.com:http:, but i see the firewall allowing traffic through. I've disabled IPv6 as the box isn't dual stakced on that network
[16:52] <xibalba> the name resolves to a v4 addr
[16:52] <xibalba> from host us.archive.ubuntu.com
[16:52] <xibalba> us.archive.ubuntu.com has address 91.189.91.39
[16:52] <xibalba> us.archive.ubuntu.com has IPv6 address 2001:67c:1562::18
[16:56] <alkisg> xibalba: I've heard that ubuntu archives have issues today, so it might not be related to the VM at all; check if the issue is still ongoing
[16:56] <Odd_Bloke> I believe there's an ongoing iss-- yeah.
[16:56] <xibalba> roger roger
[16:56] <xibalba> http://archive.ubuntu.com/ <~ returned data
[16:56] <xibalba> oh hey it just started working
[16:57] <xibalba> https://status.canonical.com/ <~ all green
[16:57] <xibalba> i mean it's  68.5 kB/s, but ill take it lol
[16:57] <Odd_Bloke> Yeah, it hasn't not been green, so that not an indicator.
[16:57] <xibalba> lol
[16:57] <wingarmac> Hi there ! I'm testing how I have to setup bind on Ubuntu server behind a NAT router with fixed public IP, so that my omputers listen in the A-records as pc.domain.org pc1.domain.org ... can be reach from the WAN with a responding ping
[16:57] <Odd_Bloke> It's round-robin'd, so if some of the servers are working then you might see occasional success.
[16:57] <xibalba> yeh i keep hitting kazooie each time
[16:57] <xibalba> 0% [Connecting to kazooie.canonical.com (91.189.91.39)]
[16:57] <wingarmac> Can anyone help me understanding its working ??
[16:58] <Odd_Bloke> Likely everyone is round-robin'ing onto a single host which is therefore DDoS'd.
[16:58] <xibalba> wingarmac spin up an VM external to your network and use `host` or `dig` commands
[16:58] <xibalba> or give me your ip and i'll send 1gbit of udp to you
[17:00] <wingarmac> xibalba wingarmac.org can be reached but not the computer behind
[17:01] <wingarmac> myports are opend on the router and I've sysctl -w net.ipv4.conf.enp3s0.route_localnet=1
[17:01] <wingarmac> EXTERNAL_IP=
[17:01] <wingarmac> sudo iptables -t nat -A OUTPUT -d ${EXTERNAL_IP} -j DNAT --to-destination 127.0.0.1
[17:02] <xibalba> oh sorry i dont do iptables
[17:02] <wingarmac> ports opened 80 443 (I made an apache setup in SSL before, and made a clean install since)
[17:03] <effendy[m]> Why are you using local routing like that?
[17:03] <effendy[m]> how does bind run?
[17:04] <effendy[m]> Does the router run Ubuntu also?
[17:04] <wingarmac> xibalba I personaly do not I have no habit or predilection for a procedure. A few tips and explanations are enough for me.
[17:04] <wingarmac> I am a tester and an apprentice.
[17:05] <wingarmac> As a matter a fact I do not know clearly what I'm doing.
[17:05] <wingarmac> I try to reach to setup a WAN VPN Server, the maintain my private network computers over Belgium
[17:06] <wingarmac> I've a fixed public IP and a domain name to reach this goal
[17:06] <effendy[m]> You need to give more structured info if you want to get help. I asked you a few question already.
[17:06] <wingarmac> I would like to be able to reach each computer with it's pc.domain.org name instead of IPS
[17:07] <wingarmac> Why are you using local routing like that? Seen on Askubuntu
[17:08] <wingarmac> how does bind run? server pc 192.168.1.9 
[17:08] <wingarmac> need what specific info about ?
[17:09] <wingarmac> ISP router is the answer for the last question
[17:10] <wingarmac> I manage the server troigh webmin on my desktop on the connected bith to the ISP router
[17:10] <wingarmac> A. Ubuntu server 22.04 B. Linux Mint desktop based on Ubuntu server installation
[17:11] <wingarmac> On my server is running nmon, whil i set it up trough Webmin from my Mint desktop and the root terminal
[17:12] <effendy[m]> The only place I saw where the output chain of the nat table was used were containers. There are some other cases, of course, but you need to know exactly how it works before using it.
[17:12] <effendy[m]> the only context*
[17:13] <effendy[m]> I feel that using route_localnet is also unnecessary at first glance.
[17:13] <effendy[m]> so on the same server you're running both a vpn server and bind?
[17:14] <wingarmac> I've to try, in order to understabd all those explanations, because otherwise I do not understand what I'm reading. Sorry, it may sound stupid.
[17:16] <wingarmac> This is all lots of information to aknowledge and its not my native language. I've not been much I school. But I would like to learn more anout it my way. Is there something wrong with that ?
[17:20] <wingarmac> Let's say I'm a 12 year old passionate compuetr user trying to configure his own server. Would there be someone so nice to help? (That's my level even if I'm over 40)
[17:22] <wingarmac> For my English, same thing ;)
[17:22] <effendy[m]> "Is there something wrong with that ?" - nothing at all, I wasn't criticising you :)
[17:22] <effendy[m]> I was just saying that people need to understand your setup in order to get help at all, otherwise they might give up easily.
[17:24] <wingarmac> I can, understand, it's just I do not know where to start  myself
[17:24] <wingarmac> I know what I want
[17:24] <patdk-lap> I have never in my life used route_localnet and I do all kinds of odd networks
[17:24] <wingarmac> But not how 
[17:25] <wingarmac> This route is only an idea I read on the net I've tried, its not an obligation
[17:25] <patdk-lap> oh, it lets yo uuse 127.x.x.x on your network, not a good idea
[17:26] <wingarmac> I have 2 PC I would like to use to do mainetance of other installs I made over Belgium, with the use of my domain name and fixed IP as a pinpoint.
[17:27] <patdk-lap> but what does that have to do with using 127.x.x.x on your network?
[17:27] <patdk-lap> you should not use route_localnets ever
[17:27] <wingarmac> I rather use domain names to setup new computers to my network as to remind all those IPS
[17:27] <wingarmac> How do I delete this
[17:28] <wingarmac> You meen this iptables -t nat -A OUTPUT -d ${EXTERNAL_IP} -j DNAT --to-destination 127.0.0.1
[17:29] <wingarmac>  net.ipv4.conf.enp3s0.route_localnet=1
[17:29] <wingarmac> Or only the last one?
[17:31] <wingarmac> sorry it was on stack exchange : https://serverfault.com/questions/351816/dnat-to-127-0-0-1-with-iptables-destination-access-control-for-transparent-soc
[17:31] <wingarmac> serverfault I read this
[17:36] <effendy[m]> first of all, do you want your DNS to be available to everyone?
[17:38] <effendy[m]> The topic (in your link) refers to an edge case. This probably doesn't apply to you.
[17:42] <wingarmac> Do i need it to achieve the WAN VPN Sever with domainname reference to each computer?
[17:44] <effendy[m]> Let me put it another way: does the DNS need to be public? reached by anyone outside your network? Or does it need to be exclusively internal?
[17:45] <effendy[m]> And do you have two separate geographical locations then?
[17:54] <wingarmac> I did understand its needed to link the names to the computers in the NAT. I can set other A-records to public ips but not to a lan ip on WAN. How do I reach to link this computer on the WAN to my private network with my domain name (not the IP) is my question.
[17:55] <wingarmac> i want those computers being partof my private network like the others on my LAN with my domain name as reference
[17:56] <wingarmac> I do not server I need to setup to achieve this
[17:56] <effendy[m]> Yeah, I can't make head nor tail of what you're saying. Maybe someone else can understand it better than me, hopefully.
[17:56] <wingarmac> I would like to know.
[18:06] <wingarmac> effendy[m]: How can I achieve this: https://ibb.co/pRRt3Nq ?
[18:07] <wingarmac> I Would like to be able to use samba, ipxe, dlna, like I did on my lan over this wan private network
[18:08] <wingarmac> i this possible? What do I need to do so ?
[18:09] <wingarmac> I have also the FQDN registered
[18:09] <wingarmac> at easyhost.be
[18:11] <wingarmac> lets not talk about those other samba ipxe, but what do I need to setup the private network first.
[18:12] <wingarmac> so another computer on WAN could be added to my private network ones logged on.
[18:31] <samy1028> Hello all.  We have an Ubuntu Server VM on Azure that was originally pro-fips-18_04-gen2 but we used apt to upgrade it to FIPS 20.04.  When looking at Azure it still lists the "plan" as 18.04 and seems to have issues with certain automated tools in Azure.  Does anyone know how to make Azure see that this is now an Ubuntu 20.04 VM?
[18:32] <samy1028> It lists the operating system as "Linux (Ubuntu 20.04)" correctly at least.
[18:33] <gjolly> @samy1028: can you be more specific about those issues? 
[18:35] <samy1028> @gjolly, I don't have the full details yet.  One of my techs was looking at the disaster recovery tools available within Azure and it seems they stopped working or being available after the upgrade.
[18:35] <samy1028> I haven't yet logged in myself, will do that this afternoon, but wanted to see if anyone had seen that type of description or experienced it before.
[18:38] <gjolly> The only thing I can think about is the IMDS metadata that the ua/pro tool uses to detect whether the VM has access to the FIPS repo. 
[18:41] <gjolly> This will still show the plan/sku as being 18.04 while the VM would be running 20.04.
[18:41] <gjolly> samy1028: how did you do the upgrade from 18.04 to 20.04?
[18:42] <samy1028> after running apt-get update; apt-get dist-upgrade;  and verifying everything worked, I believe we then did a do-release-upgrade.
[18:43] <samy1028> I'm currently logged into Azure now also to see if I can find what my tech was talking about.
[18:44] <gjolly> samy1028: seems right 
[18:45] <gjolly> samy1028: check the output of "pro status" 
=== xispita_ is now known as xispita
[18:49] <samy1028> hmm.. I have "ua" but not "pro" commands on this VM?
[18:50] <samy1028> I guess I should add the Ubuntu Pro Client in addition to the Ubuntu Advantage Client?
[18:50] <sarnold> try an apt update && apt upgrade first ?
[18:52] <samy1028> I'll have to see where we are in the schedule for updates on it.  There are some libraries that I think are still being regression tested first for the software we run on the VM.
[18:53] <samy1028> first, I'm going to try to find the particular items in Azure to make sure I fully understand and make sure the tech wasn't misinformed from the control panel.
[18:53] <samy1028> and get with my developers to see how much longer it will be to verify the regression testing.
[18:57] <Teridon> I'm not trying to be snarky here, I'm just relatively new to Ubuntu and I don't understand the process .. and I may be biased since I submitted the bug :) .  Is it typical for a "High" bug to be unassigned for 2 months?  https://bugs.launchpad.net/cloud-init/+bug/1999164 
[18:57] -ubottu:#ubuntu-server- Launchpad bug 1999164 in cloud-init "when multiple SSH host key certificates are defined, only one HostCertificate is referenced in sshd_config" [High, Confirmed]
[18:58] <Teridon> is there a separate internal tracker I just don't see ? 
[19:02] <Odd_Bloke> Teridon: You might get a better answer from #cloud-init for that specific bug.
[19:34] <samy1028> gjolly, sarnold, I found the issue.  It's the kernel version and Azure only supports certain kernels for its tools and the kernel on this VM is running: linux-image-5.4.0-1022-azure-fips/focal,now 5.4.0-1022.22+fips1 amd64 
[19:34] <samy1028> I ran "apt update" and then "apt list --upgradeable" but it doesn't list another version number as available.
[19:35] <sarnold> samy1028: aha! yeah, we don't get new kernels validated very often
[19:35] <sarnold> samy1028: validating updates costs a fortune..
[19:37] <samy1028> sarnold, there is this which lists the supported kernels.  https://learn.microsoft.com/en-us/azure/site-recovery/azure-to-azure-support-matrix#supported-ubuntu-kernel-versions-for-azure-virtual-machines
[19:37] <samy1028> is there a later validated FIPS version then 5.4.0-1022?
[19:42] <sarnold> samy1028: I see a 5.4.0-1101.107+fips1 package in the FIPS *update* ppa, but the update ppa isn't FIPS certified. Different organizations have different policies. Some want certified and *only* certified. Some want to start from a certified starting point and then install updates along the way, and it's fine that the updates aren't certified. Be sure to check around to find out what your 
[19:42] <sarnold> organization is
[19:45] <samy1028> sarnold, thank you for the information.  I'll pass that along to management so we can come up with a better plan with this.
[19:48] <sarnold> samy1028: there's not a whole lot here, but this *is* available https://ubuntu.com/security/certifications/docs/fips-updates
[19:50] <samy1028> do you have a link to show the list of kernels in the FIPS update ppa?
[19:52] <sarnold> samy1028: curl -qs https://esm.ubuntu.com/fips-updates/ubuntu/dists/focal-updates/main/binary-amd64/Packages | grep -e 'Package:.*azure.*'
[19:59] <samy1028> Hmm, after reviewing that, it seems the latest supported by the Azure tools is "Package: linux-image-5.4.0-1095-azure-fips" or possibly the 1094 version, depending on the Azure client being installed.
[20:00] <samy1028> Thank you sarnold for helping me narrow down what's happening here!
[20:26] <Liver_K> arraybolt3: Did you do anything yet?
=== bladpope__ is now known as baldpope
[20:55] <arraybolt3> Liver_K: Sorry, not yet, but I still have everything up for doing it.
[20:56] <Liver_K> Cool cool, just ping me a link when you do
[20:56] <arraybolt3> (Personal life hasn't been all that cooperative lately. :P)
[21:05] <arraybolt3> Liver_K: Do you mind if I paste the whole IRC log you sent me yesterday into the bug report?
[21:06] <Liver_K> I don't, but you might want to ask the other person lol
[21:06] <arraybolt3> That makes sense.
[21:07] <Liver_K> You also might want that strace logfile, I can reupload it for you
[21:07] <Liver_K> If you want ot include it
[21:07] <Liver_K> *to
[21:07] <arraybolt3> Sure, if that's OK.
[21:07] <Liver_K> Yeah give me a sec
[21:12] <Liver_K> arraybolt3: http://0x0.st/oFZD.log
[21:18] <arraybolt3> Liver_K: By the way, what is that the strace of?
[21:18] <arraybolt3> I think it's clinfo.
=== xispita_ is now known as xispita
=== ivoks_ is now known as ivoks
=== coreycb_ is now known as coreycb
=== tobias-urdin8 is now known as tobias-urdin
=== falcojr_ is now known as falcojr
[23:31] <Liver_K> arraybolt3: Yes, as Oblomov said, it's clinfo -l