- User Since
- Nov 13 2017, 9:38 PM (9 w, 2 d)
Tue, Dec 19
Awesome. :) Let me know if you ever need an extra pair of hands on the infrastructure front.
If you can at least get a strong hash sum of the ISO from the master, that should be sufficient regardless of where the binary is downloaded from. Of course, if the master is compromised, all bets are off.
This begs the question about the mirror mechanism. My mirror supports TLS, but most don't.
Dec 16 2017
Sorry for the unsolicited feedback, but... BUT... ;-) Honestly, I think the way the Pi-Hole stack is put together does not lend itself well to a firmware-like platform like VyOS. In fact, personally I can't even suggest it for anything more than home use. Frankly, it's a bit cludgy on the back-end. Further, it increases the potential attack surface of your router, which is in general bad security practice. IMO the best course, even if by some twist of fate Pi-Hole WAS integrated into VyOS, would be to run Pi-Hole as a separate service. DNS is one of those things that's easy to run alongside routers; there's no compelling reason I can think of to run it ON the router. Buy a $35 Pi, run a tiny VM on existing hardware, etc. and serve that DNS server to DHCP clients via VyOS. That's my $0.02, adjusted for inflation.
Nov 28 2017
Web proxies are relatively complex by nature and offer an attractive attack surface. I don't like having such software on routers at all, even if they are properly maintained. Better to relegate this functionality to a system which is external to the router.