I have a setup consisting of a physical server (server) running Ubuntu; on that, a Windows 2016 Server running as a VM serves as a Domain Controller (dc). I then have another physical machine acting as my router running pfSense (router). The router is acting as the DHCP server, although I have heard that it's preferred to let dc handle it. Mostly because it's handy to log into the webadmin of pfSense to fix things instead of using Remote Desktop to log in to dc, and also since dc is a VM and, depending on a reboot of its host server, might not be up when I need it to be. For instance, server would have issues asking for a DHCP lease from dc if it hadn't started the VM of dc first. It allows it (and me) to easily add specific hostnames for an IP, reroute stuff, etc. Since I have three children in the house, it also allows me to apply basic DNS-filtering-based "protection" against certain "known things" by running BlockerNG and Snort (although I still need more time to configure this).

I had set the DHCP server on router to give the IP of dc as the first DNS server, and then dc uses router as a forwarding DNS for things outside my own network. The Active Directory on the domain works fine, internal hostnames work fine and external hosts are resolved correctly.

But now I was thinking about adding NxFilter to the mix. My idea is to be able to do more fine-grained DNS filtering with that for the kids based on their Domain Users. To try it, I just installed NxFilter as a Docker container on server with its own LAN IP. I then simply added the IP of the NxFilter installation as the first DNS server in the list of DNS servers handed out by the DHCP server on router, and added the IP of router and its DNS Resolver as the upstream DNS server of NxFilter. But I'm starting to feel that there might be a bit "too many" DNSs involved in my setup and that I might not be doing it in the "correct" way.

I think you're unaware of the fact that a lot of applications - and programming languages - are very fussy when it comes to SSL certs. JAVA and PHP programmed applications tend to be such languages…

Your AD is on a NethServer, and NethServer can easily use LetsEncrypt SSL certs for free… These work, e.g. with QNAP and other apps, most likely also your NxFilter - but only if your AD also uses valid LE SSL certs, which is NOT the case out of the box with NethServer…

Add your AD's name (must be resolvable from external DNS; this can point to your firewall, forwarding ports 80 and 443 to NethServer) to the list of LetsEncrypt aliases in NethServer (the LE request).

Get your LE certs working, set them as default (use the three dots!), then follow this:

Create the needed script in the right directory:

```bash
nano /etc/e-smith/events/certificate-update/S80push2ad
```

```bash
#!/bin/bash
# S80push2ad: run by the NethServer certificate-update event.
# Copies the current (LetsEncrypt) cert and key into the Samba TLS
# directory of the nsdc container and sets the modes Samba expects.
cp -f -p /etc/pki/tls/certs/localhost.crt /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
cp -f -p /etc/pki/tls/private/localhost.key /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
```

Set executable permissions on the script:

```bash
chmod 750 /etc/e-smith/events/certificate-update/S80push2ad
```

NethServer automatically renews the LE cert on time…

All of the above is of course in vain if your AD is set up using very outdated concepts like a.

Even Microsoft has been suggesting to use a subdomain like ad.domain.tld for your AD, using a real Internet DNS domain - and this for more than ten years now!

→ It's now almost the end of 2022; concepts from before the millennium should be left where they belong, in the dust!

Most AD needs a valid SSL cert nowadays, but a lot of Windows Admins still use. Some people state security reasons, but I doubt they understand the issues.

The SSL cert encrypts the over-the-air transfers.
A (bought) SSL cert is static for one year usually. (Gives a potential hacker a year's time to use brute force.)
A self-created SSL cert is usually static for eternity. (At least you'll likely be blissfully ignorant your server has long been rooted…)
LetsEncrypt mandates a 3-month rotation with new certs, new SSL base for encryption.
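The S80push2ad action in the reply copies the files blindly, so a cert/key mismatch or a cert that does not cover the AD's name would be pushed straight into Samba. As an added example (not the reply's script and not NethServer code), here is a stricter version of that action: it verifies the pair with the openssl CLI, checks the AD FQDN against the cert's SAN, and swaps the files in via temp files; the cert, key and nsdc TLS paths are those from the thread, while ad.example.test is an assumed placeholder for the AD name.

```shell
#!/bin/bash
# Added example, not the thread's script: a stricter S80push2ad that checks
# the LetsEncrypt pair before copying it into the nsdc container.
# Assumes the openssl CLI; the AD FQDN ad.example.test is a placeholder.
set -u

# 0 if the public key in cert $1 equals the public key derived from key $2.
cert_matches_key() {
    local crt="$1" key="$2" a b
    a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if hostname $2 appears as a DNS entry in the subjectAltName of cert $1
# (TLS clients validate the AD's name against the SAN, not the CN).
cert_covers_name() {
    local crt="$1" name="$2"
    openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | grep -qiE "DNS:[[:space:]]*${name}[[:space:]]*$"
}

# push_cert CRT KEY DEST_DIR AD_FQDN
# Installs CRT/KEY as DEST_DIR/cert.pem and key.pem with the modes Samba
# expects, via temp files so a half-written pair is never left behind.
# Returns 1 and leaves DEST_DIR untouched if any check fails.
push_cert() {
    local crt="$1" key="$2" dest="$3" fqdn="$4"
    [ -r "$crt" ] && [ -r "$key" ] && [ -d "$dest" ] || return 1
    cert_matches_key "$crt" "$key" || { echo "refusing: key does not match cert" >&2; return 1; }
    cert_covers_name "$crt" "$fqdn" || { echo "refusing: cert has no SAN for $fqdn" >&2; return 1; }
    if ! cp -f "$crt" "$dest/cert.pem.tmp" || ! cp -f "$key" "$dest/key.pem.tmp" \
       || ! chmod 644 "$dest/cert.pem.tmp" || ! chmod 600 "$dest/key.pem.tmp"; then
        rm -f "$dest/cert.pem.tmp" "$dest/key.pem.tmp"; return 1
    fi
    mv -f "$dest/cert.pem.tmp" "$dest/cert.pem" && mv -f "$dest/key.pem.tmp" "$dest/key.pem"
}

# As the event action on NethServer (paths from the thread), the body would be:
# push_cert /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key \
#           /var/lib/machines/nsdc/var/lib/samba/private/tls ad.example.test
```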