Hi Lonnie Whoops sorry for assuming you are psychic. It’s the dyndns-host-open plugin for the firewall. You mentioned with the /mnt/kd/dnsmasq.static trick (I called it workaround) that it should only be implemented if it was not working. But DNS not working would be a bad thing and although I have a static entry for access in the firewall it would prevent access for all other addresses and ports using the dyndns-host-open plugin.
Yes I suspect it would be rare but the impact would be high if it happened. Regards Michael Knill From: Lonnie Abelbeck <[email protected]> Date: Thursday, 10 August 2023 at 11:26 pm To: AstLinux Users Mailing List <[email protected]> Subject: Re: [Astlinux-users] Looking to implement DNS-TLS Hi Michael, Not sure what you mean by "dyn-dns plugin"? Plugin to what? In this day and age, certificates that depend on the system to have a valid time are quite common. If you are using Network tab -> "Dynamic DNS Update:", the update will use HTTPS (via curl) to secure your credentials, which will require a valid system time. Note the "Dynamic DNS Update:" (set external DNS record) has nothing to do with "DNS-TLS" (retrieve DNS). The AstLinux system clock is maintained via one or more of: 1) CMOS flash with battery RTC (bare metal) 2) Virtual Machine host provides date/time (VM) 3) Time is set on startup using chrony using Network tab -> "Network Time Settings:" While I have not had any practical issues over the years using "DNS-TLS", you can either use a manual IPv4 address in "Network Time Settings:" or use the /mnt/kd/dnsmasq.static trick as described here [1] to "almost" guarantee the clock is valid at startup. Lonnie [1] https://doc.astlinux-project.org/userdoc:tt_dns_tls_proxy#possible_startup_issues > On Aug 10, 2023, at 1:28 AM, Michael Knill > <[email protected]> wrote: > > Hi Group > > I’m currently using the dyn-dns plugin and wanting to extend it for > additional Astlinux access. > I’m concerned that DNS traffic is currently not being encrypted so I want to > use DNS-TLS. > > I have two questions: > • As you have mentioned in the notes, as it relies on reasonably > correct time which needs DNS to be set correctly, I am concerned that we will > not be able to access the system with dyn-dns if this occurs. Should I > implement the workaround for this in /mnt/kd/dnsmasq.static always? > • I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I > assume this is not possible with the DNS Proxy and DNSSEC? I do realise that > Anycast DNS is very close to 100% uptime but I’m just cautious. > > Regards > > Michael Knill > Managing Director > > D: +61 2 6189 1360 > P: +61 2 6140 4656 > E: [email protected] > W: ipcsolutions.com.au > > <image001.png> > Smarter Business Communications > > _______________________________________________ > Astlinux-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > [email protected]. _______________________________________________ Astlinux-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to [email protected].
_______________________________________________ Astlinux-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to [email protected].
