• 1 Post
  • 25 Comments
Joined 1 year ago
cake
Cake day: July 9th, 2023

help-circle






  • As a professional software dev, I worked with pretty much every OS daily. My personal computer was a Windows, my work laptop was a Mac, and I ran my code on Linux so I was familiar with the things I liked and disliked about each. I also ran my own set of server with my websites, mail servers, and various research projects to learn and grow.

    Then I decided it was time to order a new laptop and I didn’t want to go to Windows 11 because I felt Microsoft was going too much into features I didn’t want like Ads, more tracking, pushing AI. Don’t get me wrong, I like AI, but it was too much about forcing me to use it to justify their stock valuations.

    I also was working on reducing my usage of big tech, setting up self hosted services like pi-hole, Home Assistant, starting to work my own Mint alternative. It just felt natural to get a Framework laptop and try running Linux on it.

    I still have a Windows desktop for games and other things, I still use Mac at work. I still like the Mac for it’s power efficiency and it doesn’t get as hot. Linux has some annoyances here and there, like dbus locking up, or weird GNOME issues, or for a while my screen would artifact until set some kernel params, or the fact that my wifi card would crash and I had to replace it with an Intel card, but I’ll stick with it.



  • There’s two main ways of doing geo-based load balancing:

    1. IP Any-casting - In this case, an IP address is “homed” in multiple spots and through the magic of IP routing, it arrives at the nearest location. This is exactly how 1.1.1.1 and 8.8.8.8 work. It works fine for stateless packets like DNS, however it has some risks for stateful traffic like HTTP.
    2. DNS based load balancing. A server receives a request for “google.com”, looks at the IP of the DNS server and/or the EDNS Client IP in the DNS query packet and returns an IP that’s near. The problem is that when you’re doing Wireguard, it goes phone -> pi-hole (source IP is some internal IP) -> the next hop (e.g. 1.1.1.1 or 8.8.8.8), which sees the packet is coming from your home/pi-hole’s public IP. Thus it gets confused and thinks you’re in a different location than you really are. Neither of these hops really knows your true location of your phone/mobile device.

    Of course, this doesn’t matter for companies that only have one data center.


  • Sorry, what do you mean route it directly? Maybe I didn’t clarify well enough.

    My DNS is routed over the VPN but Internet traffic is routed directly. The problem is the load balancing is done based on where the DNS server is so say Google even though the traffic egresses directly to the internet bypassing the VPN it still goes to a Google DC near my home. Not all websites do this so its not always an issue.



  • I have Wireguard and I forward DNS and my internal traffic from my phone over the VPN to my pi-hole at home. All other traffic goes directly over the Internet, not the VPN. So that means only DNS encounters higher latency.

    However, because a lot of companies do DNS based geo load balancing that means even if I’m on the east coast all my traffic gets sent to the West Coast because my DNS server is located there. That right there has the biggest impact on latency.

    It’s tolerable on the same continent, but once I start getting into other continents then it gets a bit slow.


  • I think this a problem with applications with a privacy focused user basis. It becomes very black and white where any type of information being sent somewhere is bad. I respect that some people have that opinion and more power to them, but being pragmatic about this is important. I personally disabled this flag, and I recognize how this is edging into a risky area, but I also recognize that the Mozilla CTO is somewhat correct and if we have the option between a browser that blocks everything and one that is privacy-preserving (where users can still opt for the former), businesses are more likely to adopt the privacy-preserving standards and that benefits the vast majority of users.

    Privacy is a scale. I’m all onboard with Firefox, I block tons of trackers and ads, I’m even somebody who uses NoScript and suffers the ramifications to due to ideology reasons, but I also enable telemetry in Firefox because I trust that usage metrics will benefit the product.


  • Why is telemetry useful or why is it needed to use pi-hole to block telemetry?

    Telemetry is useful to know what features your customers use. While it’s great in theory to have product managers who dogfood and can act on everyone’s behalf, the reality is telemetry ensures your favorite feature keeps being maintained. It helps ensure the bugs you see get triaged and root caused.

    Unfortunately telemetry has grown to mean too many things for different people. Telemetry can refer to feature usage, bug tracking, advertising, behavior tracking.

    Is there evidence that even when you disable telemetry in Firefox it still reports telemetry? That seems like a strong claim for Firefox.







  • Will I still need to consider multicast DNS if my DNS server is on-prem (Pi-Hole + Unbound)

    Multicast DNS is separate from DNS, so even if you have Pi-Hole, you’d still have devices using mDNS. It’s possible to route mDNS across separate IP networks seeing as how there’s mDNS relays across VLANs which would suggest Wireguard could support Multicast. Other things use Broadcast (e.g. WoL) which is a bit more challenging to forward across IP networks.

    I’m not familiar with GRE so I couldn’t comment on whether it’s possible or not. I guess it all depends on how confident you are with your networking skills. If you get it working, you should definitely document it and share with others.

    I didn’t quite do what you did, but I ran HA in a Kubernetes cluster which was logically a separate IP network. I had to setup the container with multiple network interfaces and specially craft the route table to forward broadcasts + multicast traffic to the correct network.