On Wed, Nov 28, 2012 at 11:13 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
> On 29.11.2012 08:09, Andy Brody wrote:
>> On Wed, Nov 28, 2012 at 10:44 PM, Reindl Harald <h.rei...@thelounge.net> 
>> wrote:
>>> On 29.11.2012 07:40, Andy Brody wrote:
>>>> On Wed, Nov 28, 2012 at 10:35 PM, Reindl Harald <h.rei...@thelounge.net> 
>>>> wrote:
>>>>> what about dnsmasq which is a very easy to setup dns-server
>>>>> which can use /etc/hosts also as source for dns-answers?
>>>>>
>>>>> a dns-resolver is generally not a bad idea on a mailserver
>>>>>
>>>>
>>>> Right, that would definitely be an option. I was hoping to avoid it
>>>> since I thought postfix would be able to handle the lookups itself.
>>>> This mail server does not generally talk to the public Internet, hence
>>>> the lack of DNS.
>>>
>>> and you have no dns in your LAN?
>>> why?
>>
>> The nodes all have their /etc/hosts managed by puppet, and it's a
>> small enough cluster that running DNS isn't really worth the overhead
>> and security risk
>
> don't get me wrong but a network without DNS is not a network
> your troubles are facing why
>
> DNS was developed decades ago to not distribute hostfiles
> and is not a security risk at all if it is not open on
> the WAN interface

It really works just fine, with the possible exception of postfix.
This is an environment that stores sensitive information, so it's much
more important to prevent data exfiltration and to ensure the
authenticity of the IP addresses than it is to avoid using host files.
DNS was not designed with security in mind. (And many DNS servers have
a rather poor record when it comes to security.)
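For readers weighing the dnsmasq suggestion quoted above, here is a minimal dnsmasq configuration that answers only from /etc/hosts, never forwards to an upstream resolver, and listens on the loopback interface alone, so nothing is exposed on a WAN or LAN-facing interface. This is an added example, not configuration from the thread or from the dnsmasq project; the domain name `example.internal` and the file path `/etc/dnsmasq.d/local-only.conf` are placeholders, and the option names are standard dnsmasq directives.

```conf
# /etc/dnsmasq.d/local-only.conf (placeholder path; added example, not from the thread)
#
# Listen on loopback only, and bind to that address explicitly rather than
# the wildcard, so the resolver is unreachable from any other interface.
listen-address=127.0.0.1
bind-interfaces

# Do not read /etc/resolv.conf and define no upstream servers: every answer
# comes from /etc/hosts (read by default) and unknown names are refused
# instead of being forwarded anywhere.
no-resolv

# Append the local search domain to bare hostnames found in /etc/hosts and
# treat that domain as locally authoritative (placeholder domain).
expand-hosts
domain=example.internal
local=/example.internal/

# Never forward unqualified names or reverse lookups of private address
# space; with no upstream configured these are belt-and-braces, but they
# keep the behaviour explicit if a server= line is ever added later.
domain-needed
bogus-priv
```

To put it in use, point the host at itself with `nameserver 127.0.0.1` in /etc/resolv.conf and keep /etc/hosts under Puppet as before; dnsmasq re-reads that file on SIGHUP. One caveat worth knowing for a mail server: /etc/hosts yields address records only, so Postfix's MX query for a peer returns no data and Postfix falls back to the A record, which is the behaviour you want for a closed cluster. Confirm the exposure with `ss -lnup | grep ':53'` (or `netstat`): the only listener should be 127.0.0.1:53.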
