Search domains in our environment (Proposal)
Stephen John Smoogen
smooge at gmail.com
Wed Dec 19 23:33:41 UTC 2007
On Dec 19, 2007 4:15 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> Stephen John Smoogen wrote:
> > On Dec 19, 2007 4:06 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> >> Mike McGrath wrote:
> >>> Comments? +1's? -1's? I'm basically going for ease of use among the
> >>> admins and since most people "ssh puppet1" instead of "ssh
> >>> puppet1.fedora.phx.redhat.com" I think in our diverse environment it
> >>> will be worth it and is easier then hosting a separate DNS server in
> >>> each of our locations.
> >> I forgot to mention one other concern. A MitM attack or DNS poisoning.
> >> This possibility does exist, but exists in our environment as is
> >> anyway. This is something we should look at mitigating but other than
> >> running a DNS server at every site, I'm not totally sure how to fix it.
> >> I consider all of our donations as partnerships. After all, they have
> >> local access to the box. At the same time though it is something we
> >> should count as a risk and mitigate as much as possible.
> > As far as I can tell the only way to lower the risk of DNS poisoning
> > is local DNS servers. Having them getting DNS files from a central
> > host via a signed methodology would be not much different than
> > /etc/hosts except you can use other tricks and failovers
> We could also implement stricter IP tables rules regarding creating
> external TCP connections.
Yes that would help on MitM attacks but not much on the DNS side.
Since we are looking for redundancy, could we draw a picture of what
it should look like in the end? Need it to see what we have and how we
are improving things in the future and what other ideas might be
Hope this makes sense.. on painkillers.
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
More information about the Fedora-infrastructure-list