
Re: Why don't we allow DNS names in pg_hba.conf?

From: "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Date: 2006-01-01 18:50:37
Message-ID: 20060101144616.L1088@ganymede.hub.org
Lists: pgsql-hackers
On Sun, 1 Jan 2006, Tom Lane wrote:

> I was reminded of $subject by
> http://archives.postgresql.org/pgsql-admin/2006-01/msg00002.php
>
> While I haven't tried it, I suspect that allowing a DNS host name
> would take little work (basically removing the AI_NUMERICHOST flag
> passed to getaddrinfo in hba.c).  There was once a good reason not
> to allow it: slow DNS lookups would lock up the postmaster.  But
> now that we do this work in an already-forked backend, with an overall
> timeout that would catch any indefinite blockage, I don't see a good
> reason why we shouldn't let people use DNS names.
>
> Thoughts?

Security?

Employee adds his DNS to pg_hba.conf, becomes disgruntled employee, moves 
to different IP and same name, and can still access your database?

What about "DNS hijacking/forging"?  I don't know how hard it is to do, 
but if one of the upstream network providers puts in a 'filter' for port 53 
(DNS) and starts feeding you incorrect data, so that they can access your 
databases?

Both are relatively extreme, and in both cases, the 'attacker' would have 
to have previous knowledge (i.e. disgruntled ex-employee) but DNS != 
trusted IP ... then again, it may be possible to hijack/forge the IP 
itself, in which case, there is no difference ...


----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy(at)hub(dot)org           Yahoo!: yscrappy              ICQ: 7615664
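To make the "DNS != trusted IP" point concrete, here is an added example (not PostgreSQL's hba.c, and not code from either poster) of a pg_hba-style address matcher that compares numeric entries as networks and resolves anything else as a name at check time, the way dropping AI_NUMERICHOST from the getaddrinfo call would. The `hba_entry_matches` and `trust_follows_dns` functions, the resolver callback, and the zone data are all constructed for this illustration; the second function replays the "same name, different IP" scenario from the reply above with a fake resolver instead of real DNS.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

# Hypothetical resolver type: a name -> iterable of address strings.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(name: str) -> List[str]:
    """Forward-resolve a name with getaddrinfo (no AI_NUMERICHOST, so names are looked up)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})


def hba_entry_matches(entry: str, client_ip: str, resolver: Resolver = system_resolver) -> bool:
    """Does the client address satisfy the address field of a pg_hba-style line?

    Numeric entries ('192.0.2.0/24' or '192.0.2.10') are compared as networks.
    Anything else is treated as a DNS name and resolved *at check time*, so the
    set of accepted clients is whatever DNS currently says, not a fixed address.
    """
    client = ipaddress.ip_address(client_ip)
    try:
        return client in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass  # not numeric: fall through to a name lookup
    try:
        addrs = list(resolver(entry))
    except OSError:  # socket.gaierror is an OSError; a failed lookup denies, never grants
        return False
    return any(client == ipaddress.ip_address(a) for a in addrs)


def trust_follows_dns() -> Tuple[bool, bool, bool]:
    """Constructed scenario: the hba entry names a workstation; the record behind the
    name is later repointed (employee moves to another address, or DNS is forged).
    Returns (old IP allowed before the change, old IP allowed after, new IP allowed after)."""
    zone = {"workstation.example.com": ["192.0.2.10"]}  # constructed zone, not real DNS

    def fake_resolver(name: str) -> List[str]:
        return zone.get(name, [])

    entry = "workstation.example.com"
    before = hba_entry_matches(entry, "192.0.2.10", fake_resolver)
    zone["workstation.example.com"] = ["198.51.100.7"]  # the name now points elsewhere
    old_ip_after = hba_entry_matches(entry, "192.0.2.10", fake_resolver)
    new_ip_after = hba_entry_matches(entry, "198.51.100.7", fake_resolver)
    return before, old_ip_after, new_ip_after  # -> (True, False, True)


if __name__ == "__main__":
    print(trust_follows_dns())
```

A numeric entry such as `192.0.2.10/32` keeps matching the same host no matter what DNS returns; the name-based entry grants access to whichever address the resolver hands back when the connection arrives.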
