Menu
▾
▴
Re: [Astlinux-users] Looking to implement DNS-TLS
|
From: Lonnie A. <li...@lo...> - 2023-08-11 00:19:24
|
Sounds like you have a use case to implement the the /mnt/kd/dnsmasq.static trick/workaround. Lonnie > On Aug 10, 2023, at 6:38 PM, Michael Knill <mic...@ip...> wrote: > > Hi Lonnie > > Whoops sorry for assuming you are psychic. It’s the dyndns-host-open plugin for the firewall. > You mentioned with the /mnt/kd/dnsmasq.static trick (I called it workaround) that it should only be implemented if it was not working. But DNS not working would be a bad thing and although I have a static entry for access in the firewall it would prevent access for all other addresses and ports using the dyndns-host-open plugin. > > Yes I suspect it would be rare but the impact would be high if it happened. > > Regards > Michael Knill > > > From: Lonnie Abelbeck <li...@lo...> > Date: Thursday, 10 August 2023 at 11:26 pm > To: AstLinux Users Mailing List <ast...@li...> > Subject: Re: [Astlinux-users] Looking to implement DNS-TLS > > Hi Michael, > > Not sure what you mean by "dyn-dns plugin"? Plugin to what? > > In this day and age, certificates that depend on the system to have a valid time are quite common. > > If you are using Network tab -> "Dynamic DNS Update:", the update will use HTTPS (via curl) to secure your credentials, which will require a valid system time. Note the "Dynamic DNS Update:" (set external DNS record) has nothing to do with "DNS-TLS" (retrieve DNS). > > The AstLinux system clock is maintained via one or more of: > > 1) CMOS flash with battery RTC (bare metal) > > 2) Virtual Machine host provides date/time (VM) > > 3) Time is set on startup using chrony using Network tab -> "Network Time Settings:" > > > While I have not had any practical issues over the years using "DNS-TLS", you can either use a manual IPv4 address in "Network Time Settings:" or use the /mnt/kd/dnsmasq.static trick as described here [1] to "almost" guarantee the clock is valid at startup. > > Lonnie > > [1] https://doc.astlinux-project.org/userdoc:tt_dns_tls_proxy#possible_startup_issues > > > > > > On Aug 10, 2023, at 1:28 AM, Michael Knill <mic...@ip...> wrote: > > > > Hi Group > > > > I’m currently using the dyn-dns plugin and wanting to extend it for additional Astlinux access. > > I’m concerned that DNS traffic is currently not being encrypted so I want to use DNS-TLS. > > > > I have two questions: > > • As you have mentioned in the notes, as it relies on reasonably correct time which needs DNS to be set correctly, I am concerned that we will not be able to access the system with dyn-dns if this occurs. Should I implement the workaround for this in /mnt/kd/dnsmasq.static always? > > • I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I assume this is not possible with the DNS Proxy and DNSSEC? I do realise that Anycast DNS is very close to 100% uptime but I’m just cautious. > > > > Regards > > > > Michael Knill > > Managing Director > > > > D: +61 2 6189 1360 > > P: +61 2 6140 4656 > > E: mic...@ip... > > W: ipcsolutions.com.au > > > > <image001.png> > > Smarter Business Communications > > > > _______________________________________________ > > Astlinux-users mailing list > > Ast...@li... > > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... > > > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... > _______________________________________________ > Astlinux-users mailing list > Ast...@li... > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr.... |
