Hi Lonnie

Whoops sorry for assuming you are psychic. It’s the dyndns-host-open plugin for 
the firewall.
You mentioned with the /mnt/kd/dnsmasq.static trick (I called it workaround) 
that it should only be implemented if it was not working. But DNS not working 
would be a bad thing and although I have a static entry for access in the 
firewall it would prevent access for all other addresses and ports using the 
dyndns-host-open plugin.

Yes I suspect it would be rare but the impact would be high if it happened.

Regards
Michael Knill


From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
Date: Thursday, 10 August 2023 at 11:26 pm
To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Looking to implement DNS-TLS
Hi Michael,

Not sure what you mean by "dyn-dns plugin"?  Plugin to what?

In this day and age, certificates that depend on the system to have a valid 
time are quite common.

If you are using Network tab -> "Dynamic DNS Update:", the update will use 
HTTPS (via curl) to secure your credentials, which will require a valid system 
time.  Note the "Dynamic DNS Update:" (set external DNS record) has nothing to 
do with "DNS-TLS" (retrieve DNS).

The AstLinux system clock is maintained via one or more of:

1) CMOS flash with battery RTC (bare metal)

2) Virtual Machine host provides date/time (VM)

3) Time is set on startup using chrony using Network tab -> "Network Time 
Settings:"


While I have not had any practical issues over the years using "DNS-TLS", you 
can either use a manual IPv4 address in "Network Time Settings:" or use the 
/mnt/kd/dnsmasq.static trick as described here [1] to "almost" guarantee the 
clock is valid at startup.

Lonnie

[1] 
https://doc.astlinux-project.org/userdoc:tt_dns_tls_proxy#possible_startup_issues




> On Aug 10, 2023, at 1:28 AM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
>
> Hi Group
>
> I’m currently using the dyn-dns plugin and wanting to extend it for 
> additional Astlinux access.
> I’m concerned that DNS traffic is currently not being encrypted so I want to 
> use DNS-TLS.
>
> I have two questions:
>        • As you have mentioned in the notes, as it relies on reasonably 
> correct time which needs DNS to be set correctly, I am concerned that we will 
> not be able to access the system with dyn-dns if this occurs. Should I 
> implement the workaround for this in /mnt/kd/dnsmasq.static always?
>        • I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I 
> assume this is not possible with the DNS Proxy and DNSSEC? I do realise that 
> Anycast DNS is very close to 100% uptime but I’m just cautious.
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: michael.kn...@ipcsolutions.com.au
> W: ipcsolutions.com.au
>
>  <image001.png>
> Smarter Business Communications
>
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.



_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.

Reply via email to