"dennisr@xxxxxxxx" <dennisr@xxxxxxxx> writes: > Thanks for the quick reply. Here’s some details on how we have things configured. > We are using RHEL 7.3, the DNS names below have been changed to protect the innocent or not so innocent depending on your point of view. > If I do a nslookup on the database host against the following CNAME some-cname-host.example.com <http://some-cname-host.example.com/> I get: > $> nslookup some-cname-host.example.com <http://some-cname-host.example.com/> > Server: 10.97.40.215 > Address: 10.97.40.215#53 > some-cname-host.example.com canonical name = canonical-host-name.example.com. > Name: canonical-host-name.example.com > Address: 10.65.160.213 > When I do the reverse lookup on the IP address return above I get the following: > $> nslookup 10.65.160.213 > Server: 10.97.40.215 > Address: 10.97.40.215#53 > 213.160.65.10.in-addr.arpa name = canonical-host-name.example.com. Given that, what you would have to put in pg_hba.conf is canonical-host-name.example.com (and that needs to forward-resolve to 10.65.160.213, and possibly other addresses as well). This cross-check is meant to prevent getting into a PG server by means of a faked reverse-DNS entry. (If you're wondering why we don't simply accept anything that some-cname-host.example.com forward-maps to, it's for performance reasons: that would require resolving every DNS name in pg_hba.conf to see if it matches, which could be pretty awful with long pg_hba.conf files.) regards, tom lane -- Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-admin
