TLS Hostname in DNS setting

Dear all,
I hope you’re all doing well in these special times!

I have a quite simple question I guess and a very rookie one, too.

Right now I am running the IPFire 2.23 (x86_64) - Core Update 139. I wanted to upgrade to the current version and wanted to make a clean installation on my second device.

I am using a static gateway on RED so I saw the (at least for me) “new” setting in the setup where I am just setting the gateway itself and not the DNS servers. In the Wiki I found the entry that I have to enter it myself in the WebUI in Network/Domain name system. The screenshot in the Wiki shows that the entry of the IP address (obviously) and the entry of the TLS hostname are obligatory but in the WebUI of the IPFire core 145 the TLS hostname is not (any more?).

So my question. Is it still required to add the TLS hostname? If not, are there any disadvantages to not do so?
I am really asking mainly for my personal interest ^^

Thanks in advance!
Kind regards,
Andreas

Look here, below "TLS hostname".

Hi,

for security reasons, please keep your IPFire machines up to date. Core Update 139 was released on January 9th, 2020, and you do not want to run a firewall on this security level. :slight_smile:

Is it still required to add the TLS hostname?

As @anon33261557 already mentioned: Yes. Otherwise you would do something like opportunistic TLS against unverified servers, thus being vulnerable to MITM attacks.

Thanks, and best regards,
Peter Müller

Hey Tulpenknicker (love that name ^^) and Peter,

thanks a lot for your fast and kind response! :slight_smile:

edit: Shameful following question :woozy_face: - just to make sure: The TLS hostname is the same that is displayed in the rDNS tab in my current firewall? So e.g.: .name1.name2-name3.de? (without the leading “.” - just made it here to create no link)

Kind regards,
Andreas

It should match in most cases but not always. The rDNS is the answer from DNS if you reverse resolve the IP. The TLS hostname is the name that is used in the TLS handshake with the server. The rDNS is often set by the ISP and the admin cannot easily change this.
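
The difference between the rDNS name and the TLS hostname, as an added example that is not part of the thread or of IPFire's code: a simplified model of the name check a DNS-over-TLS client runs against the resolver's certificate. The resolver record, all names and both function names are constructed for illustration.

```python
# Constructed sample data: documentation-range IP and .example names only.
RESOLVER = {
    "ip": "192.0.2.53",
    "rdns": "host-53.isp.example",  # PTR record, typically set by the ISP
    "cert_sans": ["dns.resolver.example", "*.dot.resolver.example"],
}


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' is only honoured as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # refuse over-broad wildcards such as "*.example"
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_upstream(resolver, tls_hostname):
    """Model how a client treats the upstream for a configured TLS hostname."""
    if not tls_hostname:
        # Nothing to compare the certificate with: the link is encrypted,
        # but whoever answers on that IP is accepted (the MITM case).
        return "unverified"
    if any(name_matches(san, tls_hostname) for san in resolver["cert_sans"]):
        return "verified"
    return "rejected"  # certificate does not cover the configured name


if __name__ == "__main__":
    for name in ("", RESOLVER["rdns"], "dns.resolver.example"):
        print(repr(name), "->", check_upstream(RESOLVER, name))
```

The value to enter is the name the resolver operator publishes for its DNS-over-TLS service, which is the name its certificate covers; the rDNS name only works when the two happen to be identical.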

Hey Arne,

that's good to know!

@ Arne, Tulpenknicker and Peter:
Thanks again for helping a rookie - I am learning each day a bit more :muscle: - I really appreciate your help!

Kind regards,
Andreas