On Monday 08 July 2019 14:48:59 Lee wrote:

> On 7/8/19, Andrei POPESCU <andreimpope...@gmail.com> wrote:
> > On Lu, 08 iul 19, 13:37:26, Lee wrote:
> >> On 7/7/19, andreimpope...@gmail.com <andreimpope...@gmail.com> wrote:
> >> > The dangers are not at all obvious to me, possibly because I
> >> > haven't used it much (if at all).
> >>
> >> Read the first three paragraphs of the "Security Considerations"
> >> section https://tools.ietf.org/html/rfc6762#section-21
> >>
> >> Assuming everything on the network is a trusted host is a dangerous
> >> assumption, so paragraph 1 is N/A
> >>
> >> Assuming a trusted host won't get hacked is a dangerous assumption,
> >> so paragraph 3 is N/A.
> >>
> >> All that's left is paragraph 2 -- and uninstalling whatever
> >> software uses mDNS :)
> >
> > Security is not a black/white thing, it's more like a balancing act.
>
> Agreed
>
> > In my opinion mDNS/zeroconf can make perfect sense in some
> > environments and be a complete no-go in others.
>
> Apparently it's not clear that I agree :(
>
> I thought about concluding with something about different people
> making different assumptions & some not wanting or able to set up
> their own dns server & living with the risk, but it seemed like such
> an obvious conclusion that I didn't bother.
>
> Regards,
> Lee

If referring to my problem Lee, dns the way I have it setup since roughly 
1998 works perfectly. It's the lack of a dhcpd-like server, which adds 
needless complexity IMO to an otherwise working system I've been using 
since before I retired my amiga in 2000. In my case, both avahi-daemon 
and dhcpcd5 were inventing bogus ip addresses, and setting the metric 
very low, forcing the system to use the bogus 169.254.etc numbers.  And 
they were cached, I suspect in /proc/network, so in order to achieve a 
working system, issuing the testing pings from the machine's own 
address, asking the router for the NAT translation.  The router of 
course is running dnsmasq so it caches the common stuff, and if it does 
not have it in the cache it asks my ISP's dns. Takes about 90 ms if it 
has to ask a shentel dns server.

But both the router and the managed switch that connects the rest of my 
machines, respond only to 192.168.71.0/24 stuff, so 169 stuff 
is /dev/nulled as it should be.

So I had no external network access from that machine. I do have a dhcpd 
server in the router, facing the radio when it's turned on and supposedly 
responding only to the MACs of my son's smartphones.  So they can use my 
bandwidth when within range, but their smartphones can't see me. Most of 
the time they are 1000+ miles out of range.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Gene's Web page <http://geneslinuxbox.net:6309/gene>
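The failure mode Gene describes above (an auto-configured 169.254.0.0/16 route installed with a lower, i.e. more preferred, metric than the real LAN route, so traffic leaves from an address the router and switch will never answer) is easy to spot from `ip -4 route` output before it costs an afternoon. The following checker is an added example for this thread, not code from any of the posters or from avahi/dhcpcd; it parses the plain-text shape of `ip -4 route show` and flags a default route whose gateway sits in the RFC 3927 link-local range or outside the LAN prefix you declare trusted. The route lines are constructed sample input, not captured from anyone's machine, and the 192.168.71.0/24 prefix is taken from the message.

```python
import ipaddress

# Constructed sample in the shape of `ip -4 route show`: a link-local default route
# with a low (preferred) metric sits beside the real LAN default route.
SAMPLE_ROUTES = """\
default via 169.254.1.1 dev eth0 metric 10
default via 192.168.71.1 dev eth0 metric 100
169.254.0.0/16 dev eth0 scope link metric 10
192.168.71.0/24 dev eth0 proto kernel scope link src 192.168.71.20
"""

# RFC 3927 auto-configured range that avahi-autoipd / dhcpcd fall back to without DHCP.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_routes(text):
    """Turn `ip -4 route` lines into dicts with dst, via, dev and metric (0 if absent)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        route = {"dst": parts[0], "via": None, "dev": None, "metric": 0}
        # `ip route` emits "key value" pairs after the destination; pick the ones we need.
        for i, tok in enumerate(parts[1:], start=1):
            if tok == "via":
                route["via"] = parts[i + 1]
            elif tok == "dev":
                route["dev"] = parts[i + 1]
            elif tok == "metric":
                route["metric"] = int(parts[i + 1])
        routes.append(route)
    return routes


def preferred_default(routes):
    """The default route the kernel will actually use: lowest metric wins."""
    defaults = [r for r in routes if r["dst"] == "default"]
    return min(defaults, key=lambda r: r["metric"]) if defaults else None


def link_local_wins_default(routes):
    """True when the winning default route points at a 169.254.x.x gateway."""
    best = preferred_default(routes)
    return (best is not None and best["via"] is not None
            and ipaddress.ip_address(best["via"]) in LINK_LOCAL)


def trusted_defaults(routes, lan_prefix):
    """Default routes whose gateway lies inside the LAN prefix the router serves."""
    lan = ipaddress.ip_network(lan_prefix)
    return [r for r in routes
            if r["dst"] == "default" and r["via"] is not None
            and ipaddress.ip_address(r["via"]) in lan]


def audit(routes, lan_prefix):
    """Return human-readable findings; an empty list means the routing table looks sane."""
    findings = []
    best = preferred_default(routes)
    if best is None:
        findings.append("no default route at all")
        return findings
    if link_local_wins_default(routes):
        findings.append(
            f"link-local gateway {best['via']} wins the default route (metric {best['metric']}); "
            f"the router only answers {lan_prefix}, so this host is cut off")
    good = trusted_defaults(routes, lan_prefix)
    if not good:
        findings.append(f"no default route via a gateway inside {lan_prefix}")
    elif good[0]["metric"] > best["metric"]:
        findings.append(
            f"LAN default via {good[0]['via']} has metric {good[0]['metric']}, "
            f"worse than the preferred metric {best['metric']}; fix the metric or stop the autoconf daemon")
    return findings


if __name__ == "__main__":
    # On a live box: replace SAMPLE_ROUTES with the output of `ip -4 route show`.
    for finding in audit(parse_routes(SAMPLE_ROUTES), "192.168.71.0/24"):
        print("WARNING:", finding)
```

Run it against real output with `ip -4 route show | python3 checker.py` after swapping the sample for `sys.stdin.read()`; an empty report is the good case. It deliberately only reports: whether the right fix is disabling avahi-autoipd, stopping dhcpcd from assigning link-local fallbacks, or correcting the metric depends on which daemon installed the route.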