serverfault.com


Common Server issues – FAQs and answers from those in the know

DNS NS-IP based Resolution Strategy Under Network Isolation

16 April 2026 @ 8:29 am

It has now been approximately 48 days since external internet access in Iran has been shut down. A primary technical consequence is DNS fragmentation: Global resolvers cannot reach authoritative DNS servers hosted inside Iran. DNS resolvers within Iran can't reach authoritative servers outside the country. I’ve tested multiple mitigation approaches without success. I’m now evaluating a policy-based routing solution at the DNS layer and need guidance on feasibility and implementation. Current setup / constraints: I maintain a dataset of ~2k subnets (~11M IPs) that are currently reachable within Iran. Some resolvers in the environment have no internet access at all! Some resolvers can forward queries externally to some special servers (e.g., to 1.1.1.1, 4.2.2.4). Target behavior: For each DNS query, inspect the authoritative nameserver (NS)

While creating VM on Openstack the underlying OS is crashing with coredump

16 April 2026 @ 7:11 am

I have OpenStack (devstack) on Ubuntu 22.04. I can create a test instance with Cirros images & log in at the console. Until this point, it looks good. When creating an instance with a higher disk size of 100 GB, the Ubuntu host OS is crashing with a core dump. To restore the OS, I have to do a force restart of the OS. The underlying server has 1 TB disk & 64 GB memory. Any suggestions on debugging this?

    systemctl list-units "devstack@*"
    UNIT LOAD ACTIVE SUB DESCRIPTION
    [email protected] loaded active running Devstack [email protected]
    [email protected] loaded active running Devstack [email protected]
    [email protected] loaded active running Devstack [email protected]
    [email protected] loaded activ

Updating dynamically a resource record using DoT

15 April 2026 @ 2:09 pm

I am trying to update resource records on a primary DNS bind9 server from a client using nsupdate. There is no issue when using the default 53 port. An issue appears when using DoT (DNS over TLS) over the port 853. The primary DNS bind9 server configuration includes:

    # named.conf.options
    tls tls-configuration {
        cert-file "/path/to/full_chain_cert_file";
        cipher-suites "list_of_cipher_suites";
        key-file "/path/to/key_file";
        prefer-server-ciphers yes;
        protocols { TLSv1.3; };
        session-tickets no;
    };
    options {
        ...
        listen-on port 853 tls tls-configuration { !172.16.0.0/12; any; };
        listen-on-v6 port 853 tls tls-configuration { !fe80::/10; any; };
        ...
    };

Verifying the DNS server certificate from the client:

    $ openssl s_client -conne

A/D Slow While Fixing DC

15 April 2026 @ 12:33 pm

We have a domain controller being fixed, and it has caused some downtime due to hardware failure. Because of this, accessing A/D and Group Policy can take up to 30 minutes to load. Is there a way to tell the domain that the DC is offline and not take so long to time out so we can get work done? I can't seem to find a support link from Microsoft on this.

UPDATE: DNS is showing errors for DNS_EVENT_DS_INTERFACE_ERROR and DNS_EVENT_DS_OPEN_WAIT. This is most likely due to the fact that it can't reach the DC since it is offline.

UPDATE 2: Domain has 3 domain controllers with 1 site. The PDC is up and running. These are all writeable DCs. Note: the down DC is not the PDC.

UPDATE 3: Yes. The DCs are all GCs and DNSs. Not all the computers are configured to use that DC as the primary and they are configured to use a secondary DNS. We had this same issue before when we had th

Getting 502 whenever I try to interact with telemetry.googleapis.com logs endpoint

15 April 2026 @ 11:21 am

I'm losing my mind. I swear I'm following the examples correctly and I have all relevant APIs enabled on my project. I am trying to configure OTel for my application and I can't use a collector so I need to submit directly to telemetry.googleapis.com. I am getting a 502 every time I try to POST to https://telemetry.googleapis.com/v1/logs. I checked the status page and GCP reports that monitoring and logging services are fine. I can also send logs normally to https://logging.googleapis.com with the access token I have been using. As a simple test I ran:

    curl -i -X POST "https://telemetry.googleapis.com/v1/metrics"  # 502
    curl -i -X POST "https://telemetry.googleapis.com/v1/logs"     # 502
    curl -i -X POST "https://telemetry.googleapis.com/v1/traces"   # 403

802.1x authentication fails

14 April 2026 @ 6:02 pm

I have a domain with a Subordinate CA. I acquired the SubCA from our CA which is offline. The SubCA authenticates 802.1X communications. Every week we have an issue with our 802.1X where it cannot reach the revocation list of the Sub CA. We turn off 802.1X on those ports and check the revocation list URL and we can get to it without a problem. We turn 802.1X back on and a week later the problem reoccurs. Can it be looking for the revocation list from the offline CA? What are we missing? It is similar to this thread: "The revocation function was unable to check revocation because the revocation server was offline". If it is trying to talk to the original CA, wouldn't that be outside of standard practice to have the Root CA online?

Docker container Tag issue in Openstack Deployment

13 April 2026 @ 3:06 pm

I'm trying to deploy OpenStack on a cluster of VMs running Debian 12.13 bookworm. My globals.yml file configuration is:

    # under kolla options title:
    config_strategy: "COPY_ALWAYS"
    kolla_base_distro: "debian"
    kolla_base_distro_version: "bookworm"
    openstack_release: "antelope"
    # for High Availability purposes, the internal VIP address
    # belong to same subnet of Management Network,
    # but not used by any VM or service in
    kolla_internal_vip_address: "192.168.100.254"
    # external VIP address belong to same subnet as Router and Server, but not used
    kolla_external_vip_address: "192.168.1.100"
    # under: Neutron - Networking Options title:
    network_interface: "enp2s0"
    neutron_external_interface: "enp1s0"
    # use OVN (Open Virtual Network) for modern Routing/Switching in openstack
    neutron_plugin_agent: "ovn"

The issue: Kolla-Ansible fails to pull Docker imag

Cannot add security group to "Remote Desktop Users" permission denied even as Domain Admin

24 March 2026 @ 9:37 am

We have a Windows Server 2022 Active Directory domain MY.DOMAIN, no Azure AD.

Problem: I have a security group called RDP. When I attempt to add it to the built-in Remote Desktop Users group, the following error occurs: "You do not have permission to modify the group MY.DOMAIN/Builtin/Remote Desktop Users."

What I tried:
- Adding the group using AD Users and Computers
- Running PowerShell with Add-ADGroupMember
- Logging on using user principal name

Questions:
- What is the minimum permission required to modify a Builtin group in Active Directory?
- Is Domain Admins membership required, or can this be delegated?
- Is there an alternative approach such as Group Policy to grant RDP access through a custom security group without modifying Builtin\Remote Desktop Users?

Modsecurity Logs - DetectionOnly vs On (Enforce)

20 February 2025 @ 11:04 am

I need some help with ModSecurity logs in our Kubernetes environment. We have an ingress controller in place, and all traffic flows through it. I have enabled ModSecurity/OWASP using config maps, and the configuration is working as expected. I am receiving logs with 200 and 403 status codes where applicable. Currently, I have set ModSecurity in DetectionOnly mode. However, I am trying to figure out how to determine which requests will be blocked once I switch the SecRuleEngine to On (Enforce mode). After reviewing the logs, I am having difficulty identifying the difference. For example, suppose a request to https://abc.myhost.com/xyz is flagged as something that should be blocked when SecRuleEngine is turned On, but it is not blocked due to DetectionOnly mode. How can I differentiate this using the logs? I have given a sample below for DetectionOnly. The only difference I see when DetectionOnly is chang

Why won't the PHP cURL module load on my Windows/Apache web server?

14 June 2024 @ 11:42 am

Not sure if this is best suited to SO or here. I have an Apache 2.4 server running on Windows Server 2019 OS. I have installed PHP 8.1.29 from the Apache on Windows site and everything else about PHP seems to work OK. I cannot get cURL to work. If I try to use any PHP cURL functions, I get messages suggesting the function does not exist, implying that cURL has not been loaded. If I do a PHPinfo test to bring up the php info web page, I can see it has no cURL heading, so I know it's not getting loaded. If I look in the php.ini file in C:\php\php.ini I can see that php_curl extension is listed here and not commented out. I can see on the PHPinfo page that this is the correct php.ini file that is being used by Apache. If I look in the error logs, I can see the following line that is of interest: PHP Warning: PHP Startup: Unable to load dynamic library 'C:\\php\\ext\\php_curl' (tried: C:\\php\\ext\\php_curl (The specified procedure could not