"dennisr@visi.com" <dennisr@visi.com> writes:
> Thanks for the quick reply. Here’s some details on how we have things configured.
> We are using RHEL 7.3, the DNS names below have been changed to protect the innocent or not so innocent depending on
yourpoint of view.
> If I do a nslookup on the database host against the following CNAME some-cname-host.example.com
<http://some-cname-host.example.com/>I get:
> $> nslookup some-cname-host.example.com <http://some-cname-host.example.com/>
> Server: 10.97.40.215
> Address: 10.97.40.215#53
> some-cname-host.example.com canonical name = canonical-host-name.example.com.
> Name: canonical-host-name.example.com
> Address: 10.65.160.213
> When I do the reverse lookup on the IP address return above I get the following:
> $> nslookup 10.65.160.213
> Server: 10.97.40.215
> Address: 10.97.40.215#53
> 213.160.65.10.in-addr.arpa name = canonical-host-name.example.com.
Given that, what you would have to put in pg_hba.conf is
canonical-host-name.example.com (and that needs to forward-resolve to
10.65.160.213, and possibly other addresses as well). This cross-check
is meant to prevent getting into a PG server by means of a faked
reverse-DNS entry.
(If you're wondering why we don't simply accept anything that
some-cname-host.example.com forward-maps to, it's for performance reasons:
that would require resolving every DNS name in pg_hba.conf to see if it
matches, which could be pretty awful with long pg_hba.conf files.)
regards, tom lane