On Wed, 2007-12-19 at 16:33 -0700, Stephen John Smoogen wrote:
> On Dec 19, 2007 4:15 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
> > Stephen John Smoogen wrote:
> > > On Dec 19, 2007 4:06 PM, Mike McGrath <mmcgrath(a)redhat.com> wrote:
> > >
> > >> Mike McGrath wrote:
> > >>
> > >>> Comments? +1's? -1's? I'm basically going for ease of use among the
> > >>> admins and since most people "ssh puppet1" instead of "ssh
> > >>> puppet1.fedora.phx.redhat.com" I think in our diverse environment it
> > >>> will be worth it and is easier than hosting a separate DNS server in
> > >>> each of our locations.
> > >>>
> > >> I forgot to mention one other concern. A MitM attack or DNS poisoning.
> > >> This possibility does exist, but exists in our environment as is
> > >> anyway. This is something we should look at mitigating but other than
> > >> running a DNS server at every site, I'm not totally sure how to fix it.
> > >> I consider all of our donations as partnerships. After all, they have
> > >> local access to the box. At the same time though it is something we
> > >> should count as a risk and mitigate as much as possible.
> > >>
> > >
> > > As far as I can tell the only way to lower the risk of DNS poisoning
> > > is local DNS servers. Having them getting DNS files from a central
> > > host via a signed methodology would be not much different than
> > > /etc/hosts except you can use other tricks and failovers
> > >
> >
> > We could also implement stricter iptables rules regarding creating
> > external TCP connections.
> >
> Yes, that would help on MitM attacks but not much on the DNS side.
> Since we are looking for redundancy, could we draw a picture of what
> it should look like in the end? Need it to see what we have and how we
> are improving things in the future and what other ideas might be
> useful.
The reason for all of this is the firewall in place at the PHX colo. If
that wasn't there we wouldn't need any of the games at all. We could
just have foo.fedoraproject.org be resolvable from anywhere and
foo.vpn.fedoraproject.org just mean 'go over the vpn to get to it'.
seth 'big fan of simple networking' vidal
-sv
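The thread above proposes pushing one /etc/hosts file to every box and notes that local access and tampering are a risk worth mitigating. As an added example, not code from the thread or from the Fedora Infrastructure project, the Python below parses an /etc/hosts file and checks it against the inventory it was generated from, reporting conflicting, wrong or missing managed entries; the EXPECTED inventory and the sample file contents are constructed for the example.

```python
# Added example, not code from the thread: check a pushed /etc/hosts
# against the inventory it was generated from (sample data constructed).
import ipaddress

# Constructed sample: what the central host should have pushed.
EXPECTED = {
    "puppet1.fedora.phx.redhat.com": "10.0.0.10",
    "puppet1": "10.0.0.10",
    "bastion": "10.0.0.2",
}

# Constructed sample on disk; the last line is a local edit or bad merge.
HOSTS_ON_DISK = """\
127.0.0.1   localhost localhost.localdomain
10.0.0.10   puppet1.fedora.phx.redhat.com puppet1   # managed by puppet
10.0.0.2    bastion
192.0.2.7   puppet1
"""

def parse_hosts(text):
    """Parse /etc/hosts into {name: [ip, ...]}, keeping duplicate names."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)          # skip malformed lines
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), []).append(ip)
    return table


def check_hosts(text, expected):
    """Return (name, kind, detail): 'conflict' for several addresses,
    'mismatch' for one wrong address, 'missing' for an absent name."""
    table = parse_hosts(text)
    findings = []
    for name, want in expected.items():
        got = table.get(name.lower(), [])
        if not got:
            findings.append((name, "missing", want))
        elif len(set(got)) > 1:      # e.g. puppet1 with two addresses
            findings.append((name, "conflict", sorted(set(got))))
        elif got[0] != want:
            findings.append((name, "mismatch", got[0]))
    return findings
```

Unmanaged names such as localhost are ignored, so only the inventory the central host actually pushed is judged.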