Hi,
I was just updating this to use "pool" directives:
https://tools.bitfolk.com/wiki/Securing_NTP
and it struck me that these days Chrony is perhaps a more suitable
NTP client.
If any of you use Chrony and are willing to share what a sensible
default config for a BitFolk VM would look like, please do edit the
article.
I might even switch the Debian installer to use it by default.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi All,
Is letting bind9 listening on all interfaces a good practice? Or letting it listening on specific interface best ?
If I set specific address listening, bind9 failed to start and stops listening.
If i set bind9 to listen to all and block using the firewall the interface I do not it to listen to bind9 to powerdns replication did not work. Powerdns as primary here.
It seems to be working if I set bind9 to listen to all interfaces and not block by the firewall.
Regards,
-badli
Hello,
If you do not make use of BitFolk's secondary DNS service then you
can safely skip this email.
Over the last few days we've upgraded the servers used for our
secondary DNS service and also switched software from PowerDNS to
BIND. On the whole nothing changes, but there is one thing I would
like to draw your attention to.
BIND actually pays attention to the expire timers that you set
in your SOA records whereas PowerDNS does not.
An SOA record looks like this:
$ dig +multi +noall +answer -t soa bitfolk.combitfolk.com. 86383 IN SOA a.authns.bitfolk.co.uk. hostmaster.bitfolk.com. (
2023042101 ; serial
14400 ; refresh (4 hours)
7200 ; retry (2 hours)
1209600 ; expire (2 weeks)
43200 ; minimum (12 hours)
)
The "expire" timer tells authoritative DNS servers how long the
records they hold are valid for, if they have not been able to
contact the primary nameservers. In the above example, should the
primary nameserver be unreachable, any secondary nameservers that
are still responding will serve the zone content for a further two
weeks. After that time they will respond with SERVFAIL. Compliant
DNS client behaviour is to retry any other servers when that
happens.
PowerDNS does not implement these "expire" semantics and always
answers queries.
In watching logs carefully over the last few days I have seen that
some of you have extremely short expire timers. I'm not sure whether
you intend for that to be the case. For example, there are many
zones currently on BitFolk's servers with an expire time of 300
seconds. That means that you are indicating that the entire zone
should not be served 5 minutes¹ after your primary server stops
responding. It doesn't seem likely to me that you really want all
authoritative servers for your domain to stop working 5 minutes into
any sort of outage.
Since the secondary servers will now really believe you on this, I
urge you to review your expire timers. If in doubt please put your
domain name into this:
https://zonemaster.net/en/run-test
and it'll advise you if any of those timers seem wrong.
Cheers,
Andy
¹ Different DNS server implementations actually behave slightly
differently here. As mentioned, PowerDNS doesn't handle expire
timers at all. BIND has a minimum of 300 seconds, or the
refresh+retry timers, whichever is larger. So in fact the shortest
expire behaviour I can see at the moment is 600 seconds (10
minutes). Which still seems unusually short.
See:
https://jpmens.net/2022/01/14/fun-with-the-dns-soa-expire-field/
for more info about how different implementations treat the expire
timer.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
Today and tonight (UK time) we're going to be doing some work on
b.authns.bitfolk.com (secondary DNS service).
I'm going to disable alerts for it and stop it from responding (so
it can't give any incorrect answers). The other servers will remain
up and working; I'm just letting you know in case you notice it is
intermittently down.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hello,
I found this an interesting read:
https://changelog.complete.org/archives/10478-easily-accessing-all-your-stu…
The author's favourite is Yggdrasil which I'll summarise.
It can be used as a simple VPN of course, but also an overlay
network to easily connect together disparate networks, VMs and
containers.
Once you run the daemon your host generates itself a static IPv6
address inside 200::/7 (a range of addresses that are marked as
deprecated so should not be in use anywhere else). That IPv6 address
stays with you as long as the keys the daemon generated still exist,
and it's how other nodes on the overlay network talk to you.
Initially I was a bit perturbed by this use of "someone else's"
IPv6, but it does make things very simple.
A normal VPN does all of that as well, but it's interesting that
yggdrasil will try to pick an optimal route. For example, if you
have two laptops which are away from their home network and they
want to talk to each other on their 200::/7 addresses they will try
to peer with each other directly over the Internet. That might fail
if they are both behind multiple layers of NAT or on really
restrictive networks or something. They would both also be trying to
peer with every other peer they know about though, so you'd probably
also have a node on your home network for them to connect to. Once
they'd both connected to that, traffic between them would go via
that node as if they were both traditional VPN clients in a star
topology. Yet once they both end up at their home network again the
traffic would go directly between them, bypassing the home server
node - without you having to change anything.
It's doing TCP-over-TCP which is also frowned upon, but they seem to
have taken some steps to optimise it. You might not notice the
overhead unless you're on a >1Gbps network. It's comparable to
Tailscale and ~50% to ~66% that of Wireguard.
As far as I understand, Tailscale does a lot of similar things as
well. I've not used it yet, but I'm liking the apparent simplicity
of Yggdrasil. Tailscale's free pricing tier is only for personal use
and you have to authenticate with github to use it.
Anyone else looked at Yggdrasil?
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
After 12 years I am actually making some progress on implementing
DNSSEC for BitFolk domains:
https://tools.bitfolk.com/redmine/issues/59
I will continue to update this as more progress is made.
Sorry it's taken so long to get going. Mistakes are scary with this
(for me).
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
I just ran through the provisioning of a new Debian 12 VM and it
started up with the first network interface being enX0 instead of
eth0.
This means that the network doesn't come up because the
/etc/network/interfaces file that BitFolk creates on a new install
uses eth0. A simple:
# sed -e 's/eth0/enX0/g' /etc/network/interfaces
# ifup enX0
makes it work.
So at the moment this is a minor bug in our installer for Debian
testing, which we will fix.
It doesn't affect Ubuntu because as of 22.04 that doesn't use the
same installer (it boots the official Ubuntu Cloud Image).
I have not yet tested if upgrades from Debian 11 cause eth0 to
rename to enX0 or if they retain the eth0 they were previously
using.
We knew this was probably coming; the only reason why it hadn't
happened sooner is that udev didn't know what a Xen network
interface was, so it left it alone. Now, apparently, it does.
A lot of VM hosting companies seem to be supplying the net,ifnames=0
kernel command line option, which disables all this network
interface renaming and ensures you just have eth0. When we last
discussed this subject here, most were in favour of us not doing
that so as to be more like a "normal" OS install. So we won't. But
you can, if you like.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi all,
I am having to leave Proxmox behind - every time there has been a power
cut (every 4-6 weeks), the machine has failed to boot. This last time, I
have had to re-install and restore VMs from backup. So I am
investigating what to use instead, in the hope that it will be less
damaged by power breaks.
VBox is familiar, and the machine is not a lap-top, so running windows
24/7 is not a problem, although I suspect I should reboot once a week,
weather it needs it on not. :)
Xen is another option. New to me, but my websites are on Xen on Bitfolk,
so high compatibility.
The VMs are all Ubuntu. If I use Xen I will have to install a Windows VM
because I use software that has no Linux version yet.
Has anyone any advice or warnings they would like to share?
Thanks
Ian
--
Ian Hobson
Tel (+66) 626 544 695
Hello,
It's often the case that customers want to use disk encryption to
protect against someone with physical access to BitFolk's storage¹
reading their data. The major inconvenience with this is that the VM
doesn't boot on its own any more; it waits for the LUKS passphrase
to be typed into the console.
Today I saw this article that goes through the steps of how to
configure things so that the passphrase can be stored in the initrd
file and used to automatically unlock the root filesystem at boot
time:
https://michael-prokop.at/blog/2023/03/22/automatically-unlocking-a-luks-en…
It might be a useful middle ground for someone.
Obviously anyone with access to the initrd file, which is stored in
the unencrypted /boot, could use it to unlock the disk so this
would not protect against someone with root access to a running
BitFolk server².
In general it should also be considered that someone with root
access to BitFolk's infrastructure can read everything written to
(or displayed on) your consoles, so could just wait for your next
reboot to capture you typing your LUKS passphrase in.
Cheers,
Andy
¹ This doesn't have to be BitFolk staff or an attacker, but could be
someone who got hold of a storage device that was replaced and
taken out of service. Though discard/TRIM is used where possible.
² The attack method would be:
1. Take snapshot of customer disk and transfer it off-site.
2. Unpack initrd file from inside unencrypted customer /boot.
3. Use the LUKS passphrase from within that to unlock customer
root rilesystem.
All of which could be done without your knowledge.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
