| ▲ | zaptheimpaler 8 hours ago |
| Oh god this sucks, i've been setting up lots of services on my NAS pointing to my own domains recently. Can't even name the domains on my own damn server with an expectation of privacy now. |
|
| ▲ | jeroenhd 7 hours ago | parent | next [-] |
| The (somewhat affordable) productized NASes all suffer from big tech diseases. I think a lot of people underestimate how easy a "NAS" can be made if you take a standard PC, install some form of desktop Linux, and hit "share" on a folder. Something like TrueNAS or one of its forks may also be an option if you're into that kind of stuff. If you want the fancy docker management web UI stuff with as little maintenance as possible, you may still be in the NAS market, but for a lot of people NAS just means "a big hard drive all of my devices can access". From what I can tell the best middle point between "what the box from the store offers" and "how do build one yourself" is a (paid-for) NAS OS like HexOS where analytics, tracking, and data sales are not used to cover for race-to-the-bottom pricing. |
| |
| ▲ | prmoustache 4 hours ago | parent | next [-] | | I don't even understand what kind of webui one would want. All you really need is a bunch of disk and an operating system with an ssh server. Even the likes of samba and nfs aren't even useful anymore. | | |
| ▲ | jeroenhd 3 hours ago | parent [-] | | A bunch of out-of-the-box NAS manufacturers provide a web-based OS-like shell with file managers, document editors, as well as an "app store" for containers and services. I see the traditional "RAID with a SMB share" NAS devices less and less in stores. If only storage target mode[1] had some form of authentication, it'd make setting up a barebones NAS an absolute breeze. [1]: https://www.freedesktop.org/software/systemd/man/257/systemd... |
| |
| ▲ | zaptheimpaler 7 hours ago | parent | prev | next [-] | | Actually I host everything on a linux PC/server, but a different box runs PFSense and a local DNS resolver so I was talking about setting up a split-brain DNS there. So I don't have to manually edit the hosts file on every machine and keep it up to date with IP changes. Personally I really like docker compose, its made running the little homeserver very easy. | | |
| ▲ | jeroenhd 6 hours ago | parent [-] | | Personally, I've started just using mDNS/Bonjour for local devices. Comes preinstalled on most devices (may need a manual package on BSD/Linux servers) and doesn't require any configuration. Just type in devicename.local and let the network do the rest. You can even broadcast additional device names for different services, so you don't need to do plex.nas.local, but can just announce plex.local and nas.local from the same machine. There's a theoretical risk of MitM attacks for devices reachable over self-signed certificates, but if someone breaks into my (W)LAN, I'm going to assume I'm screwed anyway. I've used split-horizon DNS for a couple of years but it kept breaking in annoying ways. My current setup (involving the pihole web UI because I was sick of maintaining BIND files) still breaks DNSSEC for my domain and I try to avoid it when I can. |
| |
| ▲ | AndyMcConachie 6 hours ago | parent | prev [-] | | The real trick, and the reason I don't build my own NAS, is standby power usage. How much wattage will a self built Linux box draw when it's not being used? It's not easy to figure out, and it's not easy to build a NAS optimized for this. Whereas Synology or other NAS manufacturers can tell me these numbers exactly and people have reviewed the hardware and tested it. |
|
|
| ▲ | jraph 8 hours ago | parent | prev [-] |
| > Can't even name the domains on my own damn server with an expectation of privacy now. You never could. A host name or a domain is bound to leave your box, it's meant to. It takes sending an email with a local email client. (Not saying, the NAS leak still sucks) |
| |
| ▲ | ahoka 3 hours ago | parent | next [-] | | I have internal zones in my home network and requests to resolve them never leave the private network. So no, it's not meant to. | | |
| ▲ | jraph 3 hours ago | parent [-] | | "Meant to" may indeed not be really accurate. However, domains and host names were not designed to be particularly private and should not be considered secret, many things don't consider them private, so you should not put anything sensible in a host name, even in a network that's supposed private. Unless your private network is completely air-gapped. Now, I wouldn't be surprised that hostnames were in fact originally expected to be explicitly public. |
| |
| ▲ | zaptheimpaler 7 hours ago | parent | prev [-] | | I don't know much about email, but how would some random service send an email from my domain if I've never given it any auth tokens? | | |
| ▲ | TheDong 5 hours ago | parent | next [-] | | You don't need any auth to send an email from your domain, or in fact from any domain. Just set whatever `From` you want. I've received many emails from `root@localhost` over the years. Admittedly, most residential ISPs block all SMTP traffic, and other email servers are likely to drop it or mark it as spam, but there's no strict requirement for auth. | | |
| ▲ | prmoustache 4 hours ago | parent | next [-] | | > Admittedly, most residential ISPs block all SMTP traffic, and other email servers are likely to drop it or mark it as spam, but there's no strict requirement for auth. Source? I've never seen that. Nobody could use their email provider of choice if that was the case. | | |
| ▲ | namibj 4 hours ago | parent | next [-] | | They don't do DPI, they just look at the destination port.
And that's why there's a separate port for submission to mail agents where such auth is expected and thus only outbound mail is typically even attempted to be submitted to.
Technically local delivery mail too, e.g. where the From and the To headers are valid and have the same domain. | |
| ▲ | TheDong 3 hours ago | parent | prev [-] | | The 3 most common ISPs in the US are Comcast, Spectrum, and AT&T Comcast blocks port 25: https://www.xfinity.com/support/articles/email-port-25-no-lo... AT&T says "port 25 may be blocked from customers with dynamically-assigned Internet Protocol addresses", which is the majority of customers https://about.att.com/sites/broadband/network What ISP are you using that isn't blocking port 25, and have you never had the misfortune of being stuck with comcast or AT&T as your only option? | | |
| ▲ | prmoustache 22 minutes ago | parent [-] | | Well I am not in the USA for a start but if it is blocked it must be only inbound otherwise it would break everybody. |
|
| |
| ▲ | flexagoon 3 hours ago | parent | prev [-] | | You can, but most email providers will immediately reject your email or put it into spam because of missing DKIM/DMARC/SPF |
| |
| ▲ | jraph 7 hours ago | parent | prev [-] | | It should not, but it's usual to configure random services to send mails to users, for instance for password resets, or for random notifications. Another thing usually sending mails is cron, but that should only go to the admin(s). Some services might also display the host name somewhere in their UI. |
|
|
