Search domains in our environment (Proposal)

Mike McGrath mmcgrath at redhat.com
Wed Dec 19 23:15:00 UTC 2007


Stephen John Smoogen wrote:
> On Dec 19, 2007 4:06 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
>   
>> Mike McGrath wrote:
>>     
>>> Comments?  +1's?  -1's?  I'm basically going for ease of use among the
>>> admins and since most people "ssh puppet1" instead of "ssh
>>> puppet1.fedora.phx.redhat.com" I think in our diverse environment it
>>> will be worth it and is easier than hosting a separate DNS server in
>>> each of our locations.
>>>       
>> I forgot to mention one other concern.  A MitM attack or DNS poisoning.
>> This possibility does exist, but exists in our environment as is
>> anyway.  This is something we should look at mitigating but other than
>> running a DNS server at every site, I'm not totally sure how to fix it.
>> I consider all of our donations as partnerships.  After all, they have
>> local access to the box.  At the same time though it is something we
>> should count as a risk and mitigate as much as possible.
>>
>>     
>
> As far as I can tell the only way to lower the risk of DNS poisoning
> is local DNS servers. Having them getting DNS files from a central
> host via a signed methodology would be not much different than
> /etc/hosts except you can use other tricks and failovers
>   

We could also implement stricter iptables rules regarding creating
external TCP connections.

    -Mike
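Mike's closing suggestion, egress filtering, as an added example that is not from the thread or from Fedora Infrastructure: a POSIX sh function that emits an iptables-restore fragment restricting new outbound TCP to an explicit allowlist and pinning DNS queries to trusted resolvers, so a poisoned answer for a short name like "puppet1" cannot become a session to an arbitrary host. All resolver and destination addresses are constructed placeholders; the function refuses hostnames because iptables resolves `-d name` when rules are loaded, which would make the allowlist itself depend on unpoisoned DNS.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates an iptables-restore
# fragment for the OUTPUT chain: default-deny, DNS only to trusted resolvers,
# explicit IP:PORT exceptions for new TCP connections, logged drops otherwise.
# All addresses used here are constructed placeholders.

# is_ipv4 ADDR: true if ADDR is a dotted-quad literal (syntax only, no range check)
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# egress_rules "RESOLVER ..." "IP:PORT ..." -> ruleset on stdout, non-zero on error.
# Only literal IPs are accepted: iptables resolves '-d name' at load time, so a
# hostname in the allowlist would reintroduce the DNS-poisoning risk.
egress_rules() {
    resolvers=$1
    allowed=$2
    for r in $resolvers; do
        is_ipv4 "$r" || { echo "refusing non-literal resolver: $r" >&2; return 1; }
    done
    for dst in $allowed; do
        is_ipv4 "${dst%:*}" || { echo "refusing non-literal destination: $dst" >&2; return 1; }
    done
    printf '*filter\n'
    printf ':OUTPUT DROP [0:0]\n'          # the weak setting would be ':OUTPUT ACCEPT'
    printf ':EGRESS_LOG - [0:0]\n'
    printf -- '-A OUTPUT -o lo -j ACCEPT\n'
    printf -- '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for r in $resolvers; do                # DNS pinned to the trusted resolvers only
        printf -- '-A OUTPUT -d %s -p udp --dport 53 -j ACCEPT\n' "$r"
        printf -- '-A OUTPUT -d %s -p tcp --dport 53 -j ACCEPT\n' "$r"
    done
    for dst in $allowed; do                # explicit exceptions for NEW TCP connections
        printf -- '-A OUTPUT -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "${dst%:*}" "${dst##*:}"
    done
    # Everything else that tries to open a TCP connection is logged, then dropped;
    # other protocols (ICMP, NTP, ...) fall to the DROP policy and need their own rules.
    printf -- '-A OUTPUT -p tcp -m state --state NEW -j EGRESS_LOG\n'
    printf -- '-A EGRESS_LOG -m limit --limit 5/min -j LOG --log-prefix "EGRESS DROP: "\n'
    printf -- '-A EGRESS_LOG -j DROP\n'
    printf 'COMMIT\n'
}

# Usage (constructed addresses): egress_rules "10.0.0.2" "10.0.0.5:22 10.0.0.6:443" | iptables-restore -n
```

Review the generated fragment before loading it on a remote box; with the OUTPUT policy set to DROP, anything not listed, including the admin's own SSH session if it was established from the host, stops working.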
