Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification

From: "dennisr(at)visi(dot)com" <dennisr(at)visi(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-admin(at)postgresql(dot)org, Scott Whitney <scott(at)journyx(dot)com>
Subject: Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification
Date: 2016-12-06 00:09:22
Message-ID: 26EFFF38-A2FF-4BCB-A24D-4FD2D9E5E9EB@visi.com
Lists: pgsql-admin


> On Dec 5, 2016, at 5:15 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> "dennisr(at)visi(dot)com" <dennisr(at)visi(dot)com> writes:
>> Thanks for the quick reply. Here’s some details on how we have things configured.
>> We are using RHEL 7.3, the DNS names below have been changed to protect the innocent or not so innocent depending on your point of view.
>
>> If I do a nslookup on the database host against the following CNAME some-cname-host.example.com I get:
>
>> $> nslookup some-cname-host.example.com
>> Server: 10.97.40.215
>> Address: 10.97.40.215#53
>
>> some-cname-host.example.com canonical name = canonical-host-name.example.com.
>> Name: canonical-host-name.example.com
>> Address: 10.65.160.213
>
>> When I do the reverse lookup on the IP address return above I get the following:
>
>> $> nslookup 10.65.160.213
>> Server: 10.97.40.215
>> Address: 10.97.40.215#53
>
>> 213.160.65.10.in-addr.arpa name = canonical-host-name.example.com.
>
> Given that, what you would have to put in pg_hba.conf is
> canonical-host-name.example.com (and that needs to forward-resolve to
> 10.65.160.213, and possibly other addresses as well). This cross-check
> is meant to prevent getting into a PG server by means of a faked
> reverse-DNS entry.
>
> (If you're wondering why we don't simply accept anything that
> some-cname-host.example.com forward-maps to, it's for performance reasons:
> that would require resolving every DNS name in pg_hba.conf to see if it
> matches, which could be pretty awful with long pg_hba.conf files.)
>
> regards, tom lane
>

OK thanks, sadly not the answer I was hoping for though.

My preference is to use a network address for this stuff but I was overruled and needed to use a host specific name or address in the config file. I wanted to use a CNAME in place of the A or PTR records so as in the event we ever have to rebuild a new WAL receiver, I would only need to repoint the CNAME in the DNS system and avoid the possibility of updating a few hundred pg_hba.conf’s with a new IP address or hostname (this is a private cloud environment I am working with so I don’t have a lot of control over hostnames of the nodes they give me or even the networks the node is placed in.)

Dennis
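The reverse-then-forward cross-check Tom describes, modelled in Python as an added example (not code from the thread or from PostgreSQL itself). It runs against constructed in-memory DNS records using the names from the thread; the address 10.0.0.99 and its forged PTR are invented to show the spoofing case the check exists to stop, and only exact hostname matches are modelled.

```python
# Constructed DNS records standing in for a resolver (names from the thread;
# 10.0.0.99 and its forged PTR are invented to illustrate the spoofing case).
PTR = {
    "10.65.160.213": "canonical-host-name.example.com",
    "10.0.0.99": "canonical-host-name.example.com",  # forged reverse entry
}
A = {"canonical-host-name.example.com": ["10.65.160.213"]}
CNAME = {"some-cname-host.example.com": "canonical-host-name.example.com"}


def reverse_lookup(ip):
    """PTR lookup: the name the client address claims to be."""
    return PTR.get(ip)


def forward_lookup(name):
    """A lookup, following CNAME aliases (loop-safe) to the canonical name."""
    seen = set()
    while name in CNAME and name not in seen:
        seen.add(name)
        name = CNAME[name]
    return A.get(name, [])


def hba_hostname_check(entry_hostname, client_ip):
    """Model of the pg_hba.conf hostname rule as described in the thread.

    1. The client IP's PTR name must equal the entry (exact match only here).
    2. That PTR name must forward-resolve to an address set containing the
       client IP, so a forged reverse record alone never grants access.
    Returns (accepted, reason).
    """
    ptr_name = reverse_lookup(client_ip)
    if ptr_name is None:
        return False, "no PTR record for client address"
    if ptr_name.lower().rstrip(".") != entry_hostname.lower().rstrip("."):
        return False, f"PTR name {ptr_name!r} != entry {entry_hostname!r}"
    if client_ip not in forward_lookup(ptr_name):
        return False, f"{ptr_name!r} does not forward-resolve to {client_ip}"
    return True, "reverse and forward lookups agree"


if __name__ == "__main__":
    for entry, ip in [("some-cname-host.example.com", "10.65.160.213"),
                      ("canonical-host-name.example.com", "10.65.160.213"),
                      ("canonical-host-name.example.com", "10.0.0.99")]:
        print(entry, ip, hba_hostname_check(entry, ip))
```

The first case is the thread's situation: the CNAME entry fails at step 1 because the PTR already yields the canonical name, which is why only the canonical name can appear in pg_hba.conf.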
