Re: Whitelist security.debian.org
On Thu 22 Oct 2015 at 20:51:03 +0200, Pascal Hambourg wrote:
> Brian wrote:
> > On Thu 22 Oct 2015 at 11:44:41 +0200, Sven Hartge wrote:
> >
> >> Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> >>> Greencopper wrote:
> >>
> >>>> Most likely OpenDNS has some load balancing of their own perhaps
> >>>> forwarding the request to different internal servers.
> >>>>
> >>>> Perhaps the only solution is to fix a specific IP address for
> >>>> security.debian.org in my local DNS server and then only use that!
> >>>
> >>> Or don't use OpenDNS servers.
> >>
> >> Or don't try to build firewall rules based on DNS lookups.
> >
> > Or amend sources.list to not require DNS. 149.20.20.6 is schein; use
> > villa if preferred.
> >
> > deb ftp://149.20.20.6/debian-security jessie/updates main
>
> I don't second that suggestion because it has several drawbacks.
> - It cancels the redundancy provided by security.debian.org.
True. It pins down getting security updates from a designated IP.
> - It does not work with HTTP, so you have to use FTP which is harder to
> manage by firewalls.
I could not get http to work; don't know why. Any ideas?
> - If one day this one address does not serve as a Debian security mirror
> any more, you're stuck.
Correct. So, use
deb ftp://schein.debian.org/debian-security jessie/updates main
deb ftp://villa.debian.org/debian-security jessie/updates main
Untested, so your objection could still stand.
> - Changing a mirror forces APT to reload all the package list at the
> next update. This can be annoying with a low speed link.
Probably not relevant for the OP. But a reasonable point.
> I was serious when suggesting not to use OpenDNS. Why use it if you have
> your own local recursive DNS cache?
You could be right, I'll not argue that at length. unbound returns
; <<>> DiG 9.9.5-12-Debian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23557
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;security.debian.org. IN A
;; ANSWER SECTION:
security.debian.org. 300 IN A 195.20.242.89
security.debian.org. 300 IN A 212.211.132.250
security.debian.org. 300 IN A 212.211.132.32
;; AUTHORITY SECTION:
security.debian.org. 28800 IN NS geo1.debian.org.
security.debian.org. 28800 IN NS geo3.debian.org.
security.debian.org. 28800 IN NS geo2.debian.org.
;; Query time: 430 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 22 20:26:22 BST 2015
;; MSG SIZE rcvd: 153
Traceroutes to the machines in the ANSWER SECTION lead today to wieck,
villa and lobos respectively.
I'm also not inclined to second the suggestion but, failing sorting out
his firewall, it can work for the OP.
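An added example, not part of the thread, showing the failure mode Sven and Pascal describe: a firewall whitelist built from one DNS lookup only covers the addresses seen at that moment, while security.debian.org resolves to several addresses with a 300 second TTL. The script parses dig output in the format Brian pasted (the ANSWER SECTION above is reused as constructed sample input), extracts the A records, and reports which resolved addresses the whitelist would block. The whitelist contents are a hypothetical administrator's rule set, not anything from the thread.

```python
"""Check a DNS-derived firewall whitelist against what a resolver actually returns.

Added example for the debian-user thread on whitelisting security.debian.org.
Nothing here is Debian's or the list members' code.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the relevant sections of the dig output quoted in
# the thread (the exact records unbound returned on 22 Oct 2015).
DIG_OUTPUT = """\
;; QUESTION SECTION:
;security.debian.org. IN A

;; ANSWER SECTION:
security.debian.org. 300 IN A 195.20.242.89
security.debian.org. 300 IN A 212.211.132.250
security.debian.org. 300 IN A 212.211.132.32

;; AUTHORITY SECTION:
security.debian.org. 28800 IN NS geo1.debian.org.
security.debian.org. 28800 IN NS geo3.debian.org.
security.debian.org. 28800 IN NS geo2.debian.org.
"""

# Hypothetical whitelist an admin might have built from a single earlier
# lookup plus the schein address Brian mentioned. Entries may be hosts or CIDRs.
WHITELIST = ["149.20.20.6", "195.20.242.89"]

# One A record line as dig prints it: name, TTL, class, type, IPv4 address.
_A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_answer_a_records(dig_text):
    """Return {address: ttl} for the A records in the ANSWER SECTION only.

    Records in the AUTHORITY or ADDITIONAL sections are deliberately ignored:
    they are not addresses APT will connect to.
    """
    records = {}
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer
            in_answer = False
            continue
        if not in_answer:
            continue
        m = _A_RECORD.match(line)
        if m:
            records[m.group("addr")] = int(m.group("ttl"))
    return records


def check_whitelist(answers, whitelist):
    """Split resolved addresses into (allowed, blocked) according to the whitelist.

    APT may connect to any of the returned addresses, so every blocked entry is
    a lookup that will fail intermittently rather than deterministically.
    """
    nets = [ip_network(entry) for entry in whitelist]
    allowed, blocked = [], []
    for addr in answers:
        ip = ip_address(addr)
        (allowed if any(ip in net for net in nets) else blocked).append(addr)
    return sorted(allowed), sorted(blocked)


def min_ttl(answers):
    """Smallest TTL among the answers: after this many seconds the set may change."""
    return min(answers.values()) if answers else None


if __name__ == "__main__":
    answers = parse_answer_a_records(DIG_OUTPUT)
    allowed, blocked = check_whitelist(answers, WHITELIST)
    print("resolved :", sorted(answers))
    print("allowed  :", allowed)
    print("blocked  :", blocked)
    print("recheck in", min_ttl(answers), "seconds (TTL)")
```

Run against the quoted answer, two of the three addresses fall outside the hypothetical whitelist, which is exactly why the OP sees updates work some of the time and fail the rest: whichever address APT picks decides the outcome, and the TTL means the set itself can change five minutes later. Pinning a mirror by name (as in the schein/villa lines above) or letting the firewall match on the resolver's own traffic avoids tying a rule to one snapshot of DNS.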