Re: Assorted arm-buster problems - network configuration
On Monday 08 July 2019 14:48:59 Lee wrote:
> On 7/8/19, Andrei POPESCU <email@example.com> wrote:
> > On Lu, 08 iul 19, 13:37:26, Lee wrote:
> >> On 7/7/19, firstname.lastname@example.org <email@example.com>
> >> > The dangers are not at all obvious to me, possibly because I
> >> > haven't used it much (if at all).
> >> Read the first three paragraph of the "Security Considerations"
> >> section https://tools.ietf.org/html/rfc6762#section-21
> >> Assuming everything on the network is a trusted host is a dangerous
> >> assumption, so paragraph 1 is N/A
> >> Assuming a trusted host won't get hacked is a dangerous assumption,
> >> so paragraph 3 is N/A.
> >> All that's left is paragraph 2 -- and uninstalling whatever
> >> software uses mDNS :)
> > Security is not a black/white thing, it's more like a balancing act.
> > In my opinion mDNS/zeroconf can make perfect sense in some
> > environments and be a complete no-go in others.
> Apparently it's not clear that I agree :(
> I thought about concluding with something about different people
> making different assumptions & some not wanting or able to set up
> their own dns server & living with the risk, but it seemed like such
> an obvious conclusion that I didn't bother.
If referring to my problem Lee, dns the way I have it setup since roughly
1998 works perfectly. Its the lack of a dhcpd-like server, which adds
needless complexity IMO to an otherwise working system I've been using
since before I retired my amiga in 2000. In my case, both avahi-daemon
and dchpcd5 were inventing bogus ip addresses, and setting the metric
very low, forcing the system to use the bogus 169.254.etc numbers. And
they were cached, I suspect in /proc/network, so in order to achieve a
working system, issueing the testing pings from the machines own
address, asking the router for the NAT translation. The router of
course is running dnsmasq so it caches the common stuff, and if it does
not have it in the cache its asks my ISP's dns. Takes about 90 ms if it
has to ask a shentel dns server.
But both the router and the managed switch that connects the rest of my
machines, respond only to 192.168.71.00/24 stuff, so 169 stuff
is /dev/nulled as it should be.
So I had no external network access from that machine. I do have a dhcpd
server in the router, facing the radio when its turned on and supposedly
responding only to the MAC's of my sons smartfones. So they can use my
bandwidth when within range, but their smartfones can't see me. Most of
the time they are 1000+ miles out of range.
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>