chrisss404/powerdns

Re-enable master/slave DNS

Closed this issue · 5 comments

Hi, I noticed that in c95814c you removed the master/slave DNS capabilities which you added/extended in ae885b4, because "native replication is easier to setup and maintain".

As I'm not sure how to set up native replication (I have two distinct servers) and I don't find the master/slave setup that complicated (I haven't got it to work yet because you disabled it, but I think it'd work), I'd like it if you re-enabled the master/slave options. I don't think it hurts anyone if they're available.

Hi Max,

in general it's fine to add this back, but I would like to avoid adding too many configuration options if not necessary.

I added a sample setup for native replication, please let me know if this works for you, otherwise I'll merge your PR.

HTH & BR
Christian

Hi Christian,

This seems like a quite elegant solution indeed. However, as my servers don't share an internal network, I'd have to expose the master database to the internet, which I don't like for security reasons. Therefore I'd appreciate it if you could merge the PR. Apologies for adding so many configuration options.

BR
Max

PS Thanks for maintaining this awesome repo :)

Hi Max,

yeah sure, I wouldn't recommend exposing the database to the internet without precautions. However, you have some options to mitigate the security risks. Right now I can think of two approaches. Either you set up a VPN between your servers or you create a firewall rule that restricts the port to specific clients. Furthermore, with the sample setup you have certificate authentication in place. This means that database access is only possible with a trusted certificate.

This is how you can create a firewall rule that restricts the port to the following client IP addresses: 127.0.0.1, 127.0.0.2, and 127.0.0.3.

# DOCKER-USER already exists on a Docker host; creating it again only errors out.
iptables -N DOCKER-USER 2>/dev/null || true
# Insert (-I) rather than append (-A): Docker ends DOCKER-USER with a "-j RETURN",
# so appended rules are never reached. DROP goes in first, ACCEPT in front of it.
iptables -I DOCKER-USER -i eth0 -p tcp --dport 5432 -j DROP
iptables -I DOCKER-USER -i eth0 -p tcp -s 127.0.0.1,127.0.0.2,127.0.0.3 --dport 5432 -j ACCEPT

I have merged your PR. Can you please let me know which of the added configuration options you use once you are done with your setup, so that I can remove the others?

THX & BR
Christian
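Editor's added example (not part of the thread and not code from the chrisss404/powerdns repo): a small POSIX sh script that turns the firewall idea from the comment above into an idempotent DOCKER-USER allow-list. The interface name eth0, port 5432 and the client addresses 203.0.113.10 and 198.51.100.7 are hypothetical placeholders; the function names gen_rules, valid_ipv4 and apply_rules are the example's own.

```shell
#!/bin/sh
# Added example, not code from the chrisss404/powerdns repo: build an
# idempotent DOCKER-USER allow-list for the PostgreSQL port. Interface,
# port and client addresses are hypothetical placeholders.

# Reject anything that is not a plain IPv4 address or CIDR, so a value
# taken from an untrusted source cannot smuggle extra iptables arguments in.
valid_ipv4() {
  case $1 in
    ''|*[!0-9./]*|*/*/*) return 1 ;;
  esac
  return 0
}

# Print the iptables commands for one interface/port and any number of
# allowed sources. Rules are inserted (-I) at the head of DOCKER-USER, not
# appended (-A): Docker creates that chain with a trailing "-j RETURN", so an
# appended rule is never evaluated. The DROP goes in first and every ACCEPT
# is inserted ahead of it afterwards. Checking with -C first keeps a re-run
# of the script from stacking duplicate rules.
gen_rules() {
  ifc=$1; port=$2; shift 2
  for src in "$@"; do
    valid_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
  done
  rule="-i $ifc -p tcp --dport $port"
  echo "iptables -N DOCKER-USER 2>/dev/null || true"
  echo "iptables -C DOCKER-USER $rule -j DROP 2>/dev/null || iptables -I DOCKER-USER $rule -j DROP"
  for src in "$@"; do
    echo "iptables -C DOCKER-USER -s $src $rule -j ACCEPT 2>/dev/null || iptables -I DOCKER-USER -s $src $rule -j ACCEPT"
  done
}

# Run as root to apply. DOCKER-USER only filters traffic forwarded into
# containers; a database listening on the host itself needs the same rules
# in the INPUT chain instead.
apply_rules() { gen_rules "$@" | sh; }

# Dry run: print what would be applied.
gen_rules eth0 5432 203.0.113.10 198.51.100.7
```

Review the printed rules before calling apply_rules; the firewall restricts who can reach port 5432 at all, while the certificate authentication from the sample setup still decides who may log in once connected.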

Hi Christian,

Thanks a lot for merging the PR and also your tips. I've set up m/s DNS and it works like a charm. I used the following config options:

  • AUTHORITATIVE_MASTER
  • AUTHORITATIVE_DISABLE_AXFR
  • AUTHORITATIVE_SLAVE
  • AUTHORITATIVE_ALLOW_AXFR_IPS
  • AUTHORITATIVE_ALLOW_NOTIFY_FROM

BR
Max
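Editor's added example (not part of the thread and not the container's own entrypoint logic): the PowerDNS Authoritative settings that the five options above map onto, rendered for a locked-down master/slave pair, plus a small lint that catches the weak setting. The addresses 203.0.113.10 (master) and 198.51.100.7 (slave) are hypothetical placeholders, and the function names are the example's own; the setting names master, slave, disable-axfr, allow-axfr-ips and allow-notify-from are real pdns.conf keys.

```shell
#!/bin/sh
# Added example, not the chrisss404/powerdns entrypoint: render the pdns.conf
# lines for a master/slave pair and lint a rendered config for open AXFR.
# Hypothetical addresses: master 203.0.113.10, slave 198.51.100.7.

# Master: serves the zones, sends NOTIFY, and answers AXFR only for the listed
# slave addresses. allow-axfr-ips is the whole point: without narrowing it,
# anyone who can reach port 53 could pull full zone contents with a transfer.
render_master_conf() {
  slaves=$1   # comma-separated slave IPs
  cat <<EOF
master=yes
slave=no
disable-axfr=no
allow-axfr-ips=$slaves
EOF
}

# Slave: never serves transfers itself and only honours NOTIFY from the master.
# The zone still has to exist on the slave as type SLAVE with the master's
# address in the backend, which is zone data rather than pdns.conf.
render_slave_conf() {
  master=$1
  cat <<EOF
master=no
slave=yes
disable-axfr=yes
allow-notify-from=$master
EOF
}

# Lint a config read on stdin: return 1 if zone transfers are open to the
# whole internet (disable-axfr=no with a world allow-list), 0 otherwise.
# Newer PowerDNS releases also spell these keys primary/secondary; the older
# names are the ones used here and in the container's option names.
check_axfr_exposure() {
  conf=$(cat)
  if printf '%s\n' "$conf" | grep -qx 'disable-axfr=yes'; then
    return 0
  fi
  ips=$(printf '%s\n' "$conf" | sed -n 's/^allow-axfr-ips=//p' | tail -n 1 | tr -d ' ')
  case ",$ips," in
    *,0.0.0.0/0,*|*,::/0,*) return 1 ;;
  esac
  return 0
}

# Demo: print both sides and lint them.
render_master_conf 198.51.100.7
echo ---
render_slave_conf 203.0.113.10
```

The lint deliberately treats a missing allow-axfr-ips line as safe, because PowerDNS then falls back to its loopback-only default; the case it flags is an explicit 0.0.0.0/0 or ::/0, which is exactly what someone copying a "make AXFR work" snippet tends to paste in.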

You're welcome. Thanks for reporting back.