XMPP Service Operators - 2023-07-17


  1. sagaracharya

    >> As others have already said, you shouldn't run a public recursive DNS server, it will end up being abused for amplification attacks. And again, this has nothing to do with XMPP. > how does google and cloudflare get away with doing that? Thank you! :D

  2. sagaracharya

    But a recursor's job is merely to take query from an identity and return the records to it.

  3. sagaracharya

    If I don't have control over the network, it's the ISP's and government's problem, not mine

  4. moparisthebest

    sagaracharya: again you don't understand... Running a public recursive DNS resolver on UDP means bad people can use your server to attack other networks, the attacks will come from your server

  5. Trung

    that's a bit like saying you don't run the garbage company so you can just dump your junk down the river.

  6. Trung

    that's a bit like saying you don't run the garbage company so you can just dump your junk down the river.

  7. moparisthebest

    sagaracharya: https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/

  8. Alf

    How do you all run your xmpp server? In docker? In a VM? Bare metal? Configured by hand or ansible?

  9. MattJ

    Yes to all of those :)

  10. MattJ

    Most of them are Prosody installed via apt and manually configured

  11. MattJ

    *that I run, I mean

  12. MattJ

    I have one or two managed via ansible, and the rest are Snikket (docker)

  13. Alf

    Do you prefer any over the other? Granted xmpp seems pretty set and forget

  14. sagaracharya

    > How do you all run your xmpp server? In docker? In a VM? Bare metal? Configured by hand or ansible? I use chroot, though I do not like the fact that multiple directories are expected in the chrooted folder. I think that the permissions of the user should manage it all. I am learning more on untrusted execution of code

  15. agh

    > If I don't have control over the network, it's the ISP's and government's problem, not mine I do not follow, are you implying that if you publicly announce a recursive resolver, you are in control of some network?

  16. Quinn64

    > Most of them are Prosody installed via apt and manually configured Same here. Most of the ones I manage are just RPis set up with Debian and Prosody's repository

  17. sagaracharya

    >> If I don't have control over the network, it's the ISP's and government's problem, not mine > I do not follow, are you implying that if you publicly announce a recursive resolver, you are in control of some network? Not me. But for the kind of security, a DNS resolver must be in control of some network, yes.

  18. sagaracharya

    Say for example Jio, my ISP provides DNS resolution and I too. Since Jio owns quite some network infrastructure level nodes, they will be way more secure than me.

  19. sagaracharya

    Because they can sniff all packets potentially if they want to and track all nodes.

  20. sagaracharya

    When I start pdns, it starts correctly but nothing is listening on port 53

  21. sagaracharya

    local-port=53 Has been set

  22. Trung

    sagaracharya, sorry could you kindly shut up about DNS please. This is really not the place.

  23. msavoritias

    yep ^

  24. jonas’

    sagaracharya, alright, last warning: running recursive DNS is off-topic for this room. You've been monopolizing the room in the past days with your off-topic topics and it's not gonna be tolerated any more from here on out.

  25. jonas’

    should you not stay on topic starting now, or attempt to detract from this with meta-discussion, you'll be muted (but you're free to stay and read, at least if my understanding of how the mute works is correct [which notably includes that PMs are blocked, too]).

  26. sagaracharya

    Aah jonas, right. Good that you took this opportunity to press me.

  27. sagaracharya

    Trung: Are you the moderator?

  28. sagaracharya

    Are you implying that the moderators cannot do their job?

  29. Trung

    please ban this sagaracharya

  30. Trung

    thank god

  31. Guus

    For the record: the off-topic discussion in an otherwise empty room didn't bother me as much (although I recognize that this room's guidelines ask you not to), as the constant lashing out to anyone trying to raise that, or a similar concern. Thanks for stepping in - I believe the silent majority appreciates the moderation action.

    ๐Ÿ‘ 2
  32. Ge0rG

    👍

  33. millesimus

    👍

  34. TheCoffeMaker

    > Do you prefer any over the other? > Granted xmpp seems pretty set and forget it is very stable, but u need to keep OS and software stack updated ... I run ejabberd on a rpi3, compiled from sources.