Hi Lonnie Whoops sorry for assuming you are psychic. It’s the dyndns-host-open plugin for the firewall. You mentioned with the /mnt/kd/dnsmasq.static trick (I called it workaround) that it should only be implemented if it was not working. But DNS not working would be a bad thing and although I have a static entry for access in the firewall it would prevent access for all other addresses and ports using the dyndns-host-open plugin.
Yes I suspect it would be rare but the impact would be high if it happened. Regards Michael Knill From: Lonnie Abelbeck <li...@lonnie.abelbeck.com> Date: Thursday, 10 August 2023 at 11:26 pm To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net> Subject: Re: [Astlinux-users] Looking to implement DNS-TLS Hi Michael, Not sure what you mean by "dyn-dns plugin"? Plugin to what? In this day and age, certificates that depend on the system to have a valid time are quite common. If you are using Network tab -> "Dynamic DNS Update:", the update will use HTTPS (via curl) to secure your credentials, which will require a valid system time. Note the "Dynamic DNS Update:" (set external DNS record) has nothing to do with "DNS-TLS" (retrieve DNS). The AstLinux system clock is maintained via one or more of: 1) CMOS flash with battery RTC (bare metal) 2) Virtual Machine host provides date/time (VM) 3) Time is set on startup using chrony using Network tab -> "Network Time Settings:" While I have not had any practical issues over the years using "DNS-TLS", you can either use a manual IPv4 address in "Network Time Settings:" or use the /mnt/kd/dnsmasq.static trick as described here [1] to "almost" guarantee the clock is valid at startup. Lonnie [1] https://doc.astlinux-project.org/userdoc:tt_dns_tls_proxy#possible_startup_issues > On Aug 10, 2023, at 1:28 AM, Michael Knill > <michael.kn...@ipcsolutions.com.au> wrote: > > Hi Group > > I’m currently using the dyn-dns plugin and wanting to extend it for > additional Astlinux access. > I’m concerned that DNS traffic is currently not being encrypted so I want to > use DNS-TLS. > > I have two questions: > • As you have mentioned in the notes, as it relies on reasonably > correct time which needs DNS to be set correctly, I am concerned that we will > not be able to access the system with dyn-dns if this occurs. Should I > implement the workaround for this in /mnt/kd/dnsmasq.static always? > • I currently have 1.1.1.1 & 8.8.8.8 configured as my standard DNS. I > assume this is not possible with the DNS Proxy and DNSSEC? I do realise that > Anycast DNS is very close to 100% uptime but I’m just cautious. > > Regards > > Michael Knill > Managing Director > > D: +61 2 6189 1360 > P: +61 2 6140 4656 > E: michael.kn...@ipcsolutions.com.au > W: ipcsolutions.com.au > > <image001.png> > Smarter Business Communications > > _______________________________________________ > Astlinux-users mailing list > Astlinux-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/astlinux-users > > Donations to support AstLinux are graciously accepted via PayPal to > pay...@krisk.org. _______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
_______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
