
Re: Whitelist security.debian.org



On Thu 22 Oct 2015 at 20:51:03 +0200, Pascal Hambourg wrote:

> Brian a écrit :
> > On Thu 22 Oct 2015 at 11:44:41 +0200, Sven Hartge wrote:
> > 
> >> Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> >>> Greencopper a écrit :
> >>  
> >>>> Most likely OpenDNS has some load balancing of their own perhaps
> >>>> forwarding the request to different internal servers.
> >>>>
> >>>> Perhaps the only solution is to fix a specific IP address for
> >>>> security.debian.org in my local DNS server and then only use that!
> >>>
> >>> Or don't use OpenDNS servers.
> >>
> >> Or don't try to build firewall rules based on DNS lookups.
> > 
> > Or amend sources.list to not require DNS. 149.20.20.6 is schein; use
> > villa if preferred.
> > 
> >   deb ftp://149.20.20.6/debian-security jessie/updates main
> 
> I don't second that suggestion because it has several drawbacks.
> - It cancels the redundancy provided by security.debian.org.

True. It pins down getting security updates from a designated IP.

> - It does not work with HTTP, so you have to use FTP which is harder to
> manage by firewalls.

I could not get http to work; don't know why. Any ideas?

> - If one day this one address does not serve as a Debian security mirror
> any more, you're stuck.

Correct. So, use

   deb ftp://schein.debian.org/debian-security jessie/updates main
   deb ftp://villa.debian.org/debian-security jessie/updates main

Untested, so your objection could still stand.

> - Changing a mirror forces APT to reload all the package list at the
> next update. This can be annoying with a low speed link.

Probably not relevant for the OP. But a reasonable point.
 
> I was serious when suggesting not to use OpenDNS. Why use it if you have
> your own local recursive DNS cache ?

You could be right, I'll not argue that at length. unbound returns

; <<>> DiG 9.9.5-12-Debian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23557
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;security.debian.org.           IN      A

;; ANSWER SECTION:
security.debian.org.    300     IN      A       195.20.242.89
security.debian.org.    300     IN      A       212.211.132.250
security.debian.org.    300     IN      A       212.211.132.32

;; AUTHORITY SECTION:
security.debian.org.    28800   IN      NS      geo1.debian.org.
security.debian.org.    28800   IN      NS      geo3.debian.org.
security.debian.org.    28800   IN      NS      geo2.debian.org.

;; Query time: 430 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 22 20:26:22 BST 2015
;; MSG SIZE  rcvd: 153

Traceroutes to the machines in the ANSWER SECTION lead today to wieck,
villa and lobos respectively.

I'm also not inclined to second the suggestion but, failing sorting out
his firewall, it can work for the OP.
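The failure mode Sven points at (firewall rules keyed on a DNS lookup) can be shown without a network. The following is an added example, not code from anyone in this thread: it parses the ANSWER SECTION of a dig(1) run like the one above into records, turns the A records into a static allow-list the way a DNS-driven firewall script would, and then checks a later answer against that list. The first answer is copied from the dig output quoted above; the second answer is constructed for illustration (192.0.2.10 is RFC 5737 documentation space, not a real Debian mirror), and the function names are this example's own.

```python
"""Why a firewall allow-list built from one DNS lookup goes stale.

Added example for the thread above; not the poster's code.  The first dig
answer is the one quoted in the message, the second is constructed to show
a resolver handing back a different address set for the same name.
"""
import re
from typing import FrozenSet, List, NamedTuple


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    value: str


# Taken from the dig output quoted in the thread (ANSWER and AUTHORITY parts).
DIG_ANSWER_1 = """
;; ANSWER SECTION:
security.debian.org.    300     IN      A       195.20.242.89
security.debian.org.    300     IN      A       212.211.132.250
security.debian.org.    300     IN      A       212.211.132.32

;; AUTHORITY SECTION:
security.debian.org.    28800   IN      NS      geo1.debian.org.
"""

# Constructed later answer (hypothetical): a geo/round-robin resolver may hand
# back a different set.  192.0.2.10 is RFC 5737 documentation space.
DIG_ANSWER_2 = """
;; ANSWER SECTION:
security.debian.org.    300     IN      A       212.211.132.32
security.debian.org.    300     IN      A       192.0.2.10
"""

# name  ttl  IN  type  value  (columns separated by runs of whitespace)
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_answer_section(text: str) -> List[Record]:
    """Return only the resource records under ';; ANSWER SECTION:'."""
    records: List[Record] = []
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            # Each ';;' header opens a new section; we only keep the answer.
            in_answer = line == ";; ANSWER SECTION:"
            continue
        if not in_answer or not line:
            continue
        m = _RR.match(line)
        if m:
            name, ttl, rtype, value = m.groups()
            records.append(Record(name, int(ttl), rtype, value))
    return records


def allow_list(records: List[Record]) -> FrozenSet[str]:
    """The static address set a DNS-based firewall script would snapshot."""
    return frozenset(r.value for r in records if r.rtype == "A")


def min_ttl(records: List[Record]) -> int:
    """Shortest TTL among the A records: the answer may change after this."""
    return min(r.ttl for r in records if r.rtype == "A")


def is_stale(records: List[Record], seconds_since_lookup: int) -> bool:
    """True once the snapshot is older than the records' TTL."""
    return seconds_since_lookup >= min_ttl(records)


def blocked_addresses(allow: FrozenSet[str], later: List[Record]) -> List[str]:
    """Addresses a later answer contains that the snapshot would reject."""
    return sorted(allow_list(later) - allow)


def iptables_rules(allow: FrozenSet[str], port: int = 80) -> List[str]:
    """Render the snapshot as the per-address rules such a script emits."""
    return [
        f"iptables -A OUTPUT -p tcp -d {ip} --dport {port} -j ACCEPT"
        for ip in sorted(allow)
    ]


if __name__ == "__main__":
    first = parse_answer_section(DIG_ANSWER_1)
    allowed = allow_list(first)
    for rule in iptables_rules(allowed):
        print(rule)
    print("stale after", min_ttl(first), "seconds")
    later = parse_answer_section(DIG_ANSWER_2)
    print("blocked by snapshot:", blocked_addresses(allowed, later))
```

The 300-second TTL in the quoted answer is the point: a rule set generated from that lookup is only as current as the answer it came from, and any address the resolver returns later, from its own pool or a different geo pool, falls outside it.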

