Re: Search domains in our environment (Proposal)

On Dec 19, 2007 4:15 PM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
> Stephen John Smoogen wrote:
> > On Dec 19, 2007 4:06 PM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
> >
> >> Mike McGrath wrote:
> >>
> >>> Comments?  +1's?  -1's?  I'm basically going for ease of use among the
> >>> admins and since most people "ssh puppet1" instead of "ssh
> >>> puppet1.fedora.phx.redhat.com" I think in our diverse environment it
> >>> will be worth it and is easier than hosting a separate DNS server in
> >>> each of our locations.
> >>>
> >> I forgot to mention one other concern.  A MitM attack or DNS poisoning.
> >> This possibility does exist, but exists in our environment as is
> >> anyway.  This is something we should look at mitigating but other than
> >> running a DNS server at every site, I'm not totally sure how to fix it.
> >> I consider all of our donations as partnerships.  After all, they have
> >> local access to the box.  At the same time though it is something we
> >> should count as a risk and mitigate as much as possible.
> >>
> >>
> >
> > As far as I can tell the only way to lower the risk of DNS poisoning
> > is local DNS servers. Having them getting DNS files from a central
> > host via a signed methodology would be not much different than
> > /etc/hosts except you can use other tricks and failovers
> >
>
> We could also implement stricter IP tables rules regarding creating
> external TCP connections.
>

Yes, that would help on MitM attacks but not much on the DNS side.
Since we are looking for redundancy, could we draw a picture of what
it should look like in the end? Need it to see what we have and how we
are improving things in the future and what other ideas might be
useful.


Hope this makes sense... on painkillers.

-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
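Mike's suggestion of stricter iptables rules on creating external TCP connections, shown as an added egress-filter example that is not part of the thread or of Fedora Infrastructure's own configuration: the function below prints a default-deny OUTPUT policy that lets a host open new TCP connections only to a listed set of ADDRESS:PORT pairs, logs everything else, and refuses malformed entries. The addresses and ports used are constructed placeholders, the chain name EGRESS_TCP is an assumption, and the commands are printed rather than applied so they can be reviewed before being piped to a root shell. As Stephen notes, this bounds what a box can talk to even if a name resolves to the wrong place; it does nothing about the poisoning itself.

```shell
#!/bin/sh
# Added example: generate an iptables egress policy for one host.
# Chain name EGRESS_TCP and all addresses/ports are constructed assumptions.

# egress_rules "ADDR:PORT ADDR:PORT ..."
# Prints the iptables commands for a default-deny outbound TCP policy.
# Returns 1 without printing rules if any entry lacks a port.
egress_rules() {
    allowed="$1"

    # Validate every entry first so a typo does not leave half a policy applied.
    for entry in $allowed; do
        case "$entry" in
            *:[0-9]*) ;;
            *) echo "egress_rules: bad entry '$entry' (want ADDR:PORT)" >&2
               return 1 ;;
        esac
    done

    # Fresh chain; loopback and replies to existing connections are always fine.
    cat <<'EOF'
iptables -N EGRESS_TCP 2>/dev/null
iptables -F EGRESS_TCP
iptables -A EGRESS_TCP -o lo -j ACCEPT
iptables -A EGRESS_TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF

    # One ACCEPT per approved destination; only NEW connections need a rule.
    for entry in $allowed; do
        addr=${entry%:*}
        port=${entry##*:}
        echo "iptables -A EGRESS_TCP -p tcp -d $addr --dport $port -m state --state NEW -j ACCEPT"
    done

    # Anything else trying to open an outbound TCP connection is logged, then dropped,
    # and the chain is hooked into OUTPUT.
    cat <<'EOF'
iptables -A EGRESS_TCP -p tcp -m state --state NEW -j LOG --log-prefix "EGRESS_DENY: "
iptables -A EGRESS_TCP -p tcp -m state --state NEW -j DROP
iptables -A OUTPUT -j EGRESS_TCP
EOF
}

# Usage (placeholders: a puppet master on 22 and a package mirror on 443):
#   egress_rules "10.0.0.5:22 10.0.0.7:443"            # review
#   egress_rules "10.0.0.5:22 10.0.0.7:443" | sudo sh  # apply
```

The LOG rule is the detection half: denied attempts show up in the kernel log with the EGRESS_DENY prefix, which is what you would watch for a host that suddenly wants to reach somewhere new.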
