#154 DNS
Closed: Fixed None Opened 16 years ago by mmcgrath.

In our current environment we have internal and external machines. With the different donations we've received it makes sense to de-centralize the way we look at our infrastructure. Presently access to machines is either:
fedora.phx.redhat.com or fedoraproject.org

People have to know what machines are where ahead of time to get to the hosts. I'll be setting up a vpn for all of our machines so that all machines can be accessed via hostname.vpn.fedoraproject.org once you're on the network (typically through bastion).

All front-facing servers will be accessed via fedoraproject.org (this will ultimately include our test servers as well).

These are the steps as I see them:

  • Set up vpn.fedoraproject.org domain
  • Populate it with all IPs
  • Set up vpn for static IPs
  • Install a slave dns server in PHX (maybe 2)
  • Secure dns server (optional) - Knowing what internal IPs are doesn't do much harm since we're not secretive about it, but it's an option
  • Go server group by server group, switch configs to use the new ip and name scheme and change resolv.conf
  • Test for pros and cons of using local services vs through vpn services (i.e., proxy1 -> app1 vs proxy1 -> vpn -> app1). One is quicker but more complicated, the other is easier but slower. I think it's just a matter of finding proper management for local site stuff.

Also we can use the search field in resolv.conf to simplify your hosts as well as give preference when talking about which server should talk to what. For example, the proxy servers in PHX could have a search like:

search fedora.phx.redhat.com vpn.fedoraproject.org fedoraproject.org

Then when searching for app4 or app3 they would hit phx directly, bypassing the vpn, but when searching for app5, they would hit the vpn.

I'd like to move to using the search field in /etc/resolv.conf. This will generally make it easier for us to do things.

DNS should be all set now.
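
The search-order behaviour described in the ticket, as an added example that is not part of the original ticket or Fedora's configuration: a simplified model of glibc-style search-list expansion (default ndots of 1). The zone contents and addresses in `ZONES` are constructed for illustration; only the search list is taken from the ticket.

```python
"""Model of how a stub resolver expands short names using resolv.conf's search list."""

# Search list from the ticket, in the order a PHX proxy would carry it.
SEARCH = ["fedora.phx.redhat.com", "vpn.fedoraproject.org", "fedoraproject.org"]

# Constructed records (assumption): app3/app4 live in PHX and on the vpn,
# app5 is reachable only over the vpn. Addresses are made up.
ZONES = {
    "app3.fedora.phx.redhat.com": "10.0.0.3",
    "app4.fedora.phx.redhat.com": "10.0.0.4",
    "app3.vpn.fedoraproject.org": "192.168.1.3",
    "app4.vpn.fedoraproject.org": "192.168.1.4",
    "app5.vpn.fedoraproject.org": "192.168.1.5",
}


def candidates(name, search=SEARCH, ndots=1):
    """Return the FQDNs the resolver would query, in order."""
    if name.endswith("."):
        # A trailing dot marks the name as absolute: the search list is skipped.
        return [name.rstrip(".")]
    expanded = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= ndots:
        # Enough dots: try the name as given first, then the search list.
        return [name] + expanded
    # Short name: walk the search list first, then try the name as given.
    return expanded + [name]


def resolve(name, zones=ZONES, search=SEARCH, ndots=1):
    """Return (matched_fqdn, address, names_tried); first match wins."""
    tried = []
    for fqdn in candidates(name, search, ndots):
        tried.append(fqdn)
        if fqdn in zones:
            return fqdn, zones[fqdn], tried
    return None, None, tried


if __name__ == "__main__":
    for host in ("app3", "app5", "app5.vpn", "nosuch"):
        fqdn, addr, tried = resolve(host)
        print(f"{host!r}: {fqdn} -> {addr} after {len(tried)} queries: {tried}")
```

Because the first match wins, a host with records in both PHX and the vpn zone is always reached at its PHX address from these proxies, and a name missing from every zone is still queried against each search domain in turn.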
