Re: Are dns CNAME's allowed or useable in pg_hba.conf hostname specification

"dennisr(at)visi(dot)com" <dennisr(at)visi(dot)com> writes:
> Thanks for the quick reply. Here’s some details on how we have things configured.
> We are using RHEL 7.3, the DNS names below have been changed to protect the innocent or not so innocent depending on your point of view.

> If I do a nslookup on the database host against the following CNAME some-cname-host.example.com <http://some-cname-host.example.com/> I get:

> $> nslookup some-cname-host.example.com <http://some-cname-host.example.com/>
> Server: 10.97.40.215
> Address: 10.97.40.215#53

> some-cname-host.example.com canonical name = canonical-host-name.example.com.
> Name: canonical-host-name.example.com
> Address: 10.65.160.213

> When I do the reverse lookup on the IP address return above I get the following:

> $> nslookup 10.65.160.213
> Server: 10.97.40.215
> Address: 10.97.40.215#53

> 213.160.65.10.in-addr.arpa name = canonical-host-name.example.com.

Given that, what you would have to put in pg_hba.conf is
canonical-host-name.example.com (and that needs to forward-resolve to
10.65.160.213, and possibly other addresses as well). This cross-check
is meant to prevent getting into a PG server by means of a faked
reverse-DNS entry.

(If you're wondering why we don't simply accept anything that
some-cname-host.example.com forward-maps to, it's for performance reasons:
that would require resolving every DNS name in pg_hba.conf to see if it
matches, which could be pretty awful with long pg_hba.conf files.)

regards, tom lane