Re: Assorted arm-buster problems - network configuration
On Monday 08 July 2019 14:48:59 Lee wrote:
> On 7/8/19, Andrei POPESCU <andreimpopescu@gmail.com> wrote:
> > On Mon, 08 Jul 19, 13:37:26, Lee wrote:
> >> On 7/7/19, andreimpopescu@gmail.com <andreimpopescu@gmail.com> wrote:
> >> > The dangers are not at all obvious to me, possibly because I
> >> > haven't used it much (if at all).
> >>
> >> Read the first three paragraphs of the "Security Considerations"
> >> section https://tools.ietf.org/html/rfc6762#section-21
> >>
> >> Assuming everything on the network is a trusted host is a dangerous
> >> assumption, so paragraph 1 is N/A
> >>
> >> Assuming a trusted host won't get hacked is a dangerous assumption,
> >> so paragraph 3 is N/A.
> >>
> >> All that's left is paragraph 2 -- and uninstalling whatever
> >> software uses mDNS :)
> >
> > Security is not a black/white thing, it's more like a balancing act.
>
> Agreed
>
> > In my opinion mDNS/zeroconf can make perfect sense in some
> > environments and be a complete no-go in others.
>
> Apparently it's not clear that I agree :(
>
> I thought about concluding with something about different people
> making different assumptions & some not wanting or able to set up
> their own dns server & living with the risk, but it seemed like such
> an obvious conclusion that I didn't bother.
>
> Regards,
> Lee
If referring to my problem, Lee, DNS the way I have it set up since roughly
1998 works perfectly. It's the lack of a dhcpd-like server, which adds
needless complexity IMO to an otherwise working system I've been using
since before I retired my Amiga in 2000. In my case, both avahi-daemon
and dhcpcd5 were inventing bogus IP addresses, and setting the metric
very low, forcing the system to use the bogus 169.254.etc numbers. And
they were cached, I suspect in /proc/network, so in order to achieve a
working system, issuing the testing pings from the machine's own
address, asking the router for the NAT translation. The router of
course is running dnsmasq so it caches the common stuff, and if it does
not have it in the cache it asks my ISP's DNS. Takes about 90 ms if it
has to ask a Shentel DNS server.
But both the router and the managed switch that connects the rest of my
machines respond only to 192.168.71.00/24 stuff, so 169 stuff
is /dev/nulled as it should be.
So I had no external network access from that machine. I do have a dhcpd
server in the router, facing the radio when it's turned on and supposedly
responding only to the MACs of my sons' smartphones. So they can use my
bandwidth when within range, but their smartphones can't see me. Most of
the time they are 1000+ miles out of range.
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
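The failure Gene describes above, an IPv4 link-local (169.254.0.0/16, RFC 3927) address appearing next to the static LAN address with a default route whose metric beats the real gateway, is easy to check for mechanically. The following script is an added example written for this thread, not code from any of the posters or from Debian; it parses the output of `ip -4 -o addr show` and `ip -4 route show`, reports any IPv4LL addresses, and flags a preferred default route that does not go through a gateway on the LAN. The `ip` output embedded below is constructed sample data, and the 192.168.71.0/24 LAN is the one from the message; the function and variable names are the author's own.

```python
"""Detect IPv4 link-local auto-configuration (169.254.0.0/16) winning over a
configured LAN address.  Added illustrative check, not code from the thread;
the sample `ip` output below is constructed."""
import ipaddress
import re
import subprocess

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # RFC 3927 IPv4LL range
LAN = ipaddress.ip_network("192.168.71.0/24")         # the LAN from the message

# Constructed sample of `ip -4 -o addr show` on a host where an IPv4LL
# address has been added beside the static one.
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.71.3/24 brd 192.168.71.255 scope global eth0
2: eth0    inet 169.254.12.34/16 brd 169.254.255.255 scope link eth0
"""

# Constructed sample of `ip -4 route show`: the link-local default route has
# the lower metric and therefore wins over the real gateway.
SAMPLE_ROUTE = """\
default via 169.254.0.1 dev eth0 metric 100
default via 192.168.71.1 dev eth0 metric 1000
169.254.0.0/16 dev eth0 scope link metric 100
192.168.71.0/24 dev eth0 proto kernel scope link src 192.168.71.3
"""


def parse_addrs(text):
    """Return [(iface, IPv4Interface)] parsed from one-line `ip addr` output."""
    out = []
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            out.append((m.group(1), ipaddress.ip_interface(m.group(2))))
    return out


def link_local_addrs(text):
    """Only the addresses that fall inside 169.254.0.0/16."""
    return [(iface, a) for iface, a in parse_addrs(text) if a.ip in LINK_LOCAL]


def parse_default_routes(text):
    """Return the default routes as dicts with gateway, device and metric."""
    routes = []
    for line in text.splitlines():
        if not line.startswith("default"):
            continue
        via = re.search(r"\bvia\s+(\S+)", line)
        dev = re.search(r"\bdev\s+(\S+)", line)
        metric = re.search(r"\bmetric\s+(\d+)", line)
        routes.append({
            "via": via.group(1) if via else None,
            "dev": dev.group(1) if dev else None,
            # the kernel treats a route without an explicit metric as metric 0
            "metric": int(metric.group(1)) if metric else 0,
        })
    return routes


def preferred_default(text):
    """The default route the kernel will actually use: lowest metric wins."""
    routes = parse_default_routes(text)
    return min(routes, key=lambda r: r["metric"]) if routes else None


def diagnose(addr_text, route_text, lan=LAN):
    """Human-readable findings; an empty list means the host looks healthy."""
    findings = []
    for iface, a in link_local_addrs(addr_text):
        findings.append(f"{iface}: link-local address {a} present "
                        "(IPv4LL auto-configuration is active)")
    best = preferred_default(route_text)
    if best is None:
        findings.append("no default route at all")
    elif best["via"] is None or ipaddress.ip_address(best["via"]) not in lan:
        findings.append(f"preferred default route (metric {best['metric']}) "
                        f"goes via {best['via']} on {best['dev']}, "
                        f"not through a gateway on {lan}")
    return findings


def live_check():
    """Run the same diagnosis against the running host (requires iproute2)."""
    addr = subprocess.run(["ip", "-4", "-o", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout
    route = subprocess.run(["ip", "-4", "route", "show"],
                           capture_output=True, text=True, check=True).stdout
    return diagnose(addr, route)


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ADDR, SAMPLE_ROUTE):
        print("SAMPLE:", finding)
```

Running the script prints two findings for the constructed sample: the stray 169.254.12.34/16 address on eth0 and the default route via 169.254.0.1 that outranks the 192.168.71.1 gateway; `live_check()` does the same against the real host. Checking the route metric, and not just the presence of an address, is the point: a link-local address alone is harmless, but a lower-metric default route through it is what cuts the machine off from the LAN gateway.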