An inspired bit of networking security:
1. Require all VMs in your VPC to pass through a (transparent) proxy to talk to the vendor-managed yum repository (that's hosted in your CSP's networks)
2. Block requests from clients whose IP addresses don't have PTR records
You want to ask, "you do realize that the clients' DNS entries don't get created until after the clients register themselves to DNS, right? And you understand that the clients need to talk to the yum repository to pull down the binaries necessary to register themselves with DNS? Do you see the problem here?"
Maybe, I dunno, set up your transparent proxy's allow/deny rules to allow any client in a valid IP range to reach its target hosts? Or, if that's too broad an exception, maybe allow any client in a valid IP range to reach that repository server?
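An added illustration, not from the original post: a toy model of the two proxy policies, the PTR-only rule that locks a freshly built VM out of the repository it needs to register itself, and the narrower exception that lets an in-range client reach only the repository. The address range, hostnames and PTR table are constructed sample data, not any real proxy's configuration.

```python
"""Toy model of the transparent-proxy allow/deny decision from the post.

Hypothetical policy engine (not any real proxy's config syntax); the
range, hosts and reverse-DNS table below are constructed examples.
"""
import ipaddress

VPC_RANGE = ipaddress.ip_network("10.20.0.0/16")   # constructed VPC range
REPO_HOSTS = {"yum.vendor.example"}                # constructed repo name
# Constructed reverse-DNS table: only clients that already registered.
PTR_TABLE = {"10.20.1.10": "web01.internal.example"}


def has_ptr(client_ip: str) -> bool:
    """Stand-in for a reverse lookup; a real proxy would query DNS."""
    return client_ip in PTR_TABLE


def original_policy(client_ip: str, dest_host: str) -> bool:
    """Rule as described in the post: no PTR record, no access at all."""
    return has_ptr(client_ip)


def fixed_policy(client_ip: str, dest_host: str) -> bool:
    """Narrow exception: an unregistered client inside the VPC range may
    reach the repository only; everything else still needs a PTR record."""
    if has_ptr(client_ip):
        return True
    ip = ipaddress.ip_address(client_ip)
    return ip in VPC_RANGE and dest_host in REPO_HOSTS


def bootstrap_check(policy) -> dict:
    """Exercise the bootstrap case: a fresh VM that has no PTR record yet."""
    fresh_vm = "10.20.1.50"   # in range, not yet in DNS (constructed)
    outsider = "192.0.2.7"    # outside the VPC range (constructed)
    return {
        "fresh_vm_to_repo": policy(fresh_vm, "yum.vendor.example"),
        "fresh_vm_to_other": policy(fresh_vm, "api.other.example"),
        "outsider_to_repo": policy(outsider, "yum.vendor.example"),
        "registered_to_other": policy("10.20.1.10", "api.other.example"),
    }


if __name__ == "__main__":
    print("original:", bootstrap_check(original_policy))
    print("fixed:   ", bootstrap_check(fixed_policy))
```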
#TechRants