[svlug] to hosts or not to hosts

James Sparenberg james at linuxrebel.org
Mon Jan 26 17:24:53 PST 2009


On Wednesday 21 January 2009 19:06:19 Greg Lindahl wrote:
> On Wed, Jan 21, 2009 at 06:28:14PM -0800, James Sparenberg wrote:
> 
> > With hosts on the other hand it's a login, change, test, change
> > again, logout, repeat scenario and, if one of the boxes is gone, or if
> > you later go to DNS and forget, it can create a troubleshooting
> > nightmare.  I know I spent the first year with my current company
> > fixing problems like this all over the place.
> 
> It's true that if you're a complete novice, this doesn't work
> well. Most Linux shops have a good method of synchronizing files
> across hosts which doesn't have this problem. I have successfully
> avoided local DNS and NIS for most of my career.
> 
> -- greg
>
Problem there is that you are now opening yourself up to having your 
firewall end-around attacked with DNS.  Since all of your systems are 
going out to the internet for DNS this means that your firewall is open 
to having someone come in via DNS "packets" (a la IODINE or similar 
product), dribbling in data a little at a time and eventually building 
themselves a gateway.   Local DNS allows me to limit DNS crossing my 
border to specific systems and has gone a long way to preventing 
rootkits.

James
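A resolver-side check for the pattern described above (long, encoded labels dribbling data through DNS), added here as an example and not part of the original thread. The log lines are constructed in a BIND-style query-log format, the `evil-tunnel.test` domain is a placeholder, and the thresholds are assumptions a practitioner would tune against their own traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in BIND-style query-log format (not from the original post).
# 10.0.0.9 issues a burst of long, high-entropy TXT lookups: the Iodine-style pattern.
SAMPLE_LOG = """\
26-Jan-2009 17:10:01.001 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.2)
26-Jan-2009 17:10:01.220 client 10.0.0.5#51234: query: mail.example.org IN MX + (10.0.0.2)
26-Jan-2009 17:10:02.010 client 10.0.0.9#40001: query: 0a9f3b7e2c1d4e5f6a7b8c9d0e1f2a3b.t.evil-tunnel.test IN TXT + (10.0.0.2)
26-Jan-2009 17:10:02.310 client 10.0.0.9#40001: query: 4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d9e.t.evil-tunnel.test IN TXT + (10.0.0.2)
26-Jan-2009 17:10:02.600 client 10.0.0.9#40001: query: 7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f.t.evil-tunnel.test IN TXT + (10.0.0.2)
26-Jan-2009 17:10:03.000 client 10.0.0.5#51234: query: cdn.example.com IN A + (10.0.0.2)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def shannon_entropy(s):
    """Bits per character; encoded payload labels score far above real hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def registered_domain(qname):
    """Last two labels; good enough for this demo (a public-suffix list is better)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_queries(log_text):
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname"), m.group("qtype")

def suspicious_domains(log_text, min_queries=3, min_label=24, min_entropy=3.0):
    """Flag domains whose leftmost labels look like encoded data (thresholds are assumptions)."""
    per_domain = defaultdict(lambda: {"clients": set(), "unique": set(), "encoded": 0, "txt": 0})
    for client, qname, qtype in parse_queries(log_text):
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")
        first = sub.split(".")[0]
        st = per_domain[dom]
        st["clients"].add(client)
        st["unique"].add(sub)
        if len(first) >= min_label and shannon_entropy(first) >= min_entropy:
            st["encoded"] += 1
        if qtype in ("TXT", "NULL", "CNAME"):  # record types that carry bulk data downstream
            st["txt"] += 1
    return {d: {"clients": sorted(s["clients"]), "encoded_queries": s["encoded"],
                "unique_subdomains": len(s["unique"]), "txt_queries": s["txt"]}
            for d, s in per_domain.items() if s["encoded"] >= min_queries}

if __name__ == "__main__":
    for dom, st in suspicious_domains(SAMPLE_LOG).items():
        print(f"{dom}: {st}")
```

This only works when clients are forced through a local resolver whose log you control, which is exactly why restricting port 53 at the border to that resolver matters.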
