nsfailover

Caching private IPs in /etc/hosts

Open nicpottier opened this issue 9 years ago • 2 comments

Hey hey, ran into this when I got bit by AWS's DNS blowing up as well.

Looks close to what we need, but wondering how you are resolving the RDS private IPs since that seems related (and I gather from your blog post comments you also rely on RDS).

Just switching the resolv to Google's DNS will get you public IPs, no? Will that fly?

Wondering whether another solution would be to "cache" the private IPs for a configurable set of hosts and then write those to /etc/hosts when the primary DNS fails.

Thoughts? If I added this would you be interested? Alternatively how do you deal with this?

nicpottier, Oct 28 '16 17:10

We can also connect to public IP, but that might not fly depending on your setup indeed. It's worth testing though, since that would solve a lot of complexity.

If it doesn't, writing to /etc/hosts also is the first thing that comes to my mind without introducing many more moving parts / servers that will just add more vulnerable links to your chain.

I do worry a bit about atomicity (what if I'm also making a change to /etc/hosts using vim or ansible, or AWS is doing so via cloud-init, for instance). It seems hard to do this in a failsafe way (not impossible).

kvz, Nov 01 '16 09:11

I might be down with using the public IP in those rare cases. Did you manage to get a security group rule that restricted it to just your security group? Haven't managed to do that since I think once you go to the public IP you are treated as any other public traffic incoming. Definitely don't want RDS open to the world.

nicpottier, Nov 01 '16 15:11
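One way to build the /etc/hosts cache proposed in this thread, and to address the atomicity worry raised above, is shown in the following added example. It is not nsfailover's own code and was not written by anyone in the thread; the hostnames, the cache path and the marker comments are illustrative assumptions. While the primary resolver answers, the script resolves a configured set of names and stores the answers in a JSON cache; when the resolver fails, it copies the cached entries into a marker-delimited block of the hosts file, leaving every other line untouched, and installs the new file with a temp-file-plus-rename so no reader ever sees a half-written /etc/hosts:

```python
"""Added example (not nsfailover's code): cache private IPs while DNS works,
pin them in /etc/hosts via a managed block when it fails, unpin on recovery.
Hostnames, paths and markers are illustrative assumptions."""
import json
import os
import socket
import tempfile

BEGIN = "# BEGIN nsfailover-cache (managed block, do not edit by hand)"
END = "# END nsfailover-cache"


def resolve(host, resolver=socket.gethostbyname):
    """Return the host's IPv4 address as a string, or None if lookup fails."""
    try:
        return resolver(host)
    except (socket.gaierror, socket.herror, OSError):
        return None


def load_cache(cache_path):
    """Read the name->ip cache; a missing or corrupt cache is simply empty."""
    try:
        with open(cache_path) as f:
            data = json.load(f)
        return data if isinstance(data, dict) else {}
    except (FileNotFoundError, ValueError):
        return {}


def atomic_write(path, data, mode=0o644):
    """Write to a temp file in the target's directory, fsync, then rename.
    os.replace() is atomic on POSIX: readers see the old or the new file,
    never a truncated one (the classic cause of a broken /etc/hosts)."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix="." + os.path.basename(path) + ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):  # only left behind if something above failed
            os.unlink(tmp)


def refresh_cache(hosts, cache_path, resolver=socket.gethostbyname):
    """Normal operation: resolve each host and merge the answers into the cache.
    A name that fails to resolve keeps whatever IP was cached for it before."""
    cache = load_cache(cache_path)
    fresh = {}
    for host in hosts:
        ip = resolve(host, resolver)
        if ip:
            fresh[host] = ip
    if fresh:
        cache.update(fresh)
        atomic_write(cache_path, json.dumps(cache, indent=2, sort_keys=True) + "\n", 0o600)
    return fresh


def render_hosts(existing, entries):
    """Return hosts-file text with the managed block replaced (or appended,
    or dropped when entries is empty); lines outside the markers are kept."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        i, j = lines.index(BEGIN), lines.index(END)
        before, after = lines[:i], lines[j + 1:]
    else:
        before, after = lines, []
    block = []
    if entries:
        block = [BEGIN] + ["%s\t%s" % (ip, host) for host, ip in sorted(entries.items())] + [END]
    out = before + block + after
    return "\n".join(out) + "\n" if out else ""


def _read(path):
    if not os.path.exists(path):
        return ""
    with open(path) as f:
        return f.read()


def pin_cached_hosts(cache_path, hosts_path="/etc/hosts"):
    """Failover step: copy cached entries into the hosts file. The file is
    re-read right before the write to narrow the race with other editors."""
    entries = load_cache(cache_path)
    existing = _read(hosts_path)
    rendered = render_hosts(existing, entries)
    if rendered != existing:
        atomic_write(hosts_path, rendered)
    return entries


def unpin_hosts(hosts_path="/etc/hosts"):
    """Recovery step: drop the managed block; returns True if one was removed."""
    existing = _read(hosts_path)
    rendered = render_hosts(existing, {})
    if rendered == existing:
        return False
    atomic_write(hosts_path, rendered)
    return True


if __name__ == "__main__":
    # Cron-style use; hostnames and cache path are illustrative, not the project's.
    HOSTS = ["db.example.internal", "cache.example.internal"]
    CACHE = "/var/cache/nsfailover/private-ips.json"
    if resolve("example.com"):      # primary resolver answers: refresh, ensure unpinned
        refresh_cache(HOSTS, CACHE)
        unpin_hosts()
    else:                            # resolver is down: fall back to the cached IPs
        pin_cached_hosts(CACHE)
```

The rename makes the replacement atomic for readers, but it does not make the read-modify-write atomic against another writer: if vim, ansible or cloud-init rewrites /etc/hosts between the read and the rename, the last writer wins, which is exactly the concern raised above. The managed block keeps the script's footprint idempotent so a rerun repairs a clobbered entry, and a lock file (for example with fcntl.flock) only helps with writers that cooperate. Two further caveats a practitioner would want: the script needs root to write /etc/hosts, and the cache ages, so an RDS endpoint whose private IP moved (as it does on a Multi-AZ failover) will be pinned to a stale address until the next refresh; keep the refresh interval short and unpin as soon as the resolver recovers.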