Search domains in our environment (Proposal)

seth vidal skvidal at fedoraproject.org
Wed Dec 19 23:39:47 UTC 2007


On Wed, 2007-12-19 at 16:33 -0700, Stephen John Smoogen wrote:
> On Dec 19, 2007 4:15 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> > Stephen John Smoogen wrote:
> > > On Dec 19, 2007 4:06 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> > >
> > >> Mike McGrath wrote:
> > >>
> > >>> Comments?  +1's?  -1's?  I'm basically going for ease of use among the
> > >>> admins and since most people "ssh puppet1" instead of "ssh
> > >>> puppet1.fedora.phx.redhat.com" I think in our diverse environment it
> > >>> will be worth it and is easier than hosting a separate DNS server in
> > >>> each of our locations.
> > >>>
> > >> I forgot to mention one other concern.  A MitM attack or DNS poisoning.
> > >> This possibility does exist, but exists in our environment as is
> > >> anyway.  This is something we should look at mitigating but other than
> > >> running a DNS server at every site, I'm not totally sure how to fix it.
> > >> I consider all of our donations as partnerships.  After all, they have
> > >> local access to the box.  At the same time though it is something we
> > >> should count as a risk and mitigate as much as possible.
> > >>
> > >>
> > >
> > > As far as I can tell the only way to lower the risk of DNS poisoning
> > > is local DNS servers. Having them get DNS files from a central
> > > host via a signed methodology would be not much different than
> > > /etc/hosts, except you can use other tricks and failovers.
> > >
> >
> > We could also implement stricter iptables rules regarding creating
> > external TCP connections.
> >
> 
> Yes that would help on MitM attacks but not much on the DNS side.
> Since we are looking for redundancy, could we draw a picture of what
> it should look like in the end? Need it to see what we have and how we
> are improving things in the future and what other ideas might be
> useful.
> 

The reason for all of this is the firewall in place at the PHX colo. If
that wasn't there we wouldn't need any of the games at all. We could
just have foo.fedoraproject.org be resolvable from anywhere and
foo.vpn.fedoraproject.org just mean 'go over the vpn to get to it'.

seth 'big fan of simple networking' vidal
-sv