On 22 Nov 2016, at 21.47, Juliusz Chroboczek <[email protected]> wrote:

>> Now that I have thought about it more, I do not control all devices in
>> my home that well to start with (hello, embedded things that talk IP),
>> and I am not that keen to allow them to punch holes in
>> firewall. Obviously, they can do call-home anyway

> Uh-huh. I don't see how punching holes in the firewall is worse than
> allowing access to the Global Internet.

The recent IoT DDoS publicity is a good example; the devices that make up the Mirai botnet are devices that had/have open ports facing the internet. They are not (as far as I know) contacting corrupted servers, nor is there an active DNS attack ongoing, but instead the IPv4 address range is being scanned and then the bad software exploited. (Default username+password for the most part in this case, but it could equally well be a buffer overflow in the protocol implementation listening on that port that would be port scannable.) It is all about reducing the attack surface. (Obviously having no bad software would be even better.)

>> - ohybridproxy (only really scalable and sensible IPv6 rdns source that
>> I am aware of, given nodes talk mdns)

> Noted, thanks for the opinion. I still don't understand how it works (who
> gets port 53? how are data from multiple links merged?), but I intend to
> do my homework.

I give dnsmasq port 53, and then have it forward queries for .home (chuckle) and my IPv4/IPv6 reverses in .arpa-land to 127.0.0.1:54 where ohp listens on my routers. (xns-ch called and wants its port but I try to resist.)

Cheers,
-Markus

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
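The dnsmasq split described in Markus's message (dnsmasq on port 53, ohybridproxy behind it on 127.0.0.1:54 for the home zone and the reverse zones) can be expressed as a short dnsmasq.conf fragment. The fragment below is an added example, not configuration from the message or from the ohybridproxy project; the prefixes 192.168.1.0/24 and 2001:db8:1::/64 are constructed placeholders, and the `.home` label follows the message (RFC 8375 later reserved `home.arpa` for this purpose).

```conf
# Added example dnsmasq.conf fragment; not from the original message.

# dnsmasq itself answers on port 53 (the default, shown for clarity).
port=53

# Only answer queries from directly attached subnets, so the resolver
# is not one more service reachable from the Internet.
local-service

# Forward the home zone to ohybridproxy, which the message says listens
# on 127.0.0.1 port 54. Everything outside the listed zones still goes
# to the normal upstream resolvers.
server=/home/127.0.0.1#54

# Reverse zones for the home prefixes (placeholder prefixes):
#   192.168.1.0/24  -> 1.168.192.in-addr.arpa
#   2001:db8:1::/64 -> 0.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
server=/1.168.192.in-addr.arpa/127.0.0.1#54
server=/0.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/127.0.0.1#54

# Never send single-label names such as "printer" upstream.
domain-needed
```

Each `server=/zone/addr#port` line scopes one zone to the proxy, so a change in the home prefix only requires editing the matching reverse-zone line; the `ip6.arpa` name is the 16 prefix nibbles in reverse order, which is easy to get wrong by hand and worth checking with a reverse lookup of one known host after reloading dnsmasq.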
