From: Aryeh Friedman
Date: Thu, 13 Aug 2020 16:23:41 -0400
Subject: Re: OT: Dealing with a hosting company with its head up its rear end
To: Michael Sierchio
Cc: "Jack L.", FreeBSD Mailing List
On Thu, Aug 13, 2020 at 3:13 PM Michael Sierchio wrote:

> Unless they are completely clueless, that's easily detected. Although
> there is evidence suggestive of them being clueless...

Yes, they are completely clueless, as evidenced in the same thread:

us: We need reverse DNS on the private IP range that the VMs are on, and a request to get a stable VPN connection (not one that dies randomly every 30 to 60 mins).

them: You should be using the IP address when connecting to the servers, which would not utilize rDNS. I am not sure what you are referring to when mentioning reverse DNS on the LAN for rapid communication? Can you please clarify the specific record being requested .... As for the VPN - I will relay this to our network team to review the timeout settings on the VPN - however, going forward RDP and SSH will be closed off, and utilizing the NCentral login provided to connect from within NCentral using the usernames and passwords provided will be the best and most secure method of accessing either server.

us: Almost everything that is accessible by IP (SSH, SCP, Mail, HTTP, etc.), for security and record-keeping reasons, will, when you connect to the remote side of the connection, attempt to turn the IP you are coming from into a DNS name, and in *MANY* cases (such as all 4 listed above, and many others) will attempt to resolve the IP you are coming from before allowing you to connect. If they can't, then in most cases they will hang until the resolution times out (in more extreme cases they will just refuse the connection after the timeout hang).

This causes 10 to 30 second hangs during each connection being made. Since part of our system requires many such connections (HTTP from Windows to FreeBSD), on the order of 2 or 3 a minute, this causes a severe performance hit on that subsystem and makes it barely usable (note to Steve: this is *ONE*, out of quite a few other ones, of the sources of performance issues your staff/clients are complaining about).

As to what we need:

1. We need all IPs within the VPN/private network to have a reasonable reverse DNS entry and be accessible from the nameserver(s) that Windows, FreeBSD and CentOS use.

2. Because the IP assigned when connecting to the VPN is dynamic, it is not possible to have a one-entry-fixes-all type solution, and thus the entire range must have entries.

them: TCP/IP is not designed for your use case (super WTF?!?!?)

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
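As an added example (not from this thread), the following Python script emits a PTR record for every address in a private range, plus the matching A records so that a server which checks the PTR result forward again (forward-confirmed rDNS) also gets a consistent answer; this is what "the entire range must have entries" amounts to in practice. The 10.8.0.0/24 range, the example.internal domain, the ns1 placeholder nameserver and the vpn- naming scheme are assumptions.

```python
"""Emit PTR records for every address in a private VPN/LAN range, plus matching
forward A records so forward-confirmed rDNS (PTR -> A -> same IP) also passes.
Added example, not from the original thread; the range, the example.internal
domain and the 'vpn-' naming scheme are assumptions."""
import ipaddress


def host_label(addr, prefix):
    """One hostname per address: 10.8.0.7 -> vpn-10-8-0-7 (hyphens only)."""
    return f"{prefix}-{str(addr).replace('.', '-')}"


def reverse_zone_for(addr):
    """in-addr.arpa zone owning the address: 10.8.0.7 -> 0.8.10.in-addr.arpa."""
    a, b, c, _ = str(addr).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def generate_records(cidr, forward_domain, prefix="vpn"):
    """Return ({reverse_zone: [PTR lines]}, [A lines]) for every address in cidr.
    Network/broadcast addresses are included on purpose: a dynamically assigned
    VPN client may land anywhere, so the whole range gets entries. Ranges wider
    than a /24 are split into one reverse zone per /24, since in-addr.arpa is
    delegated on octet boundaries."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this example handles IPv4 ranges only")
    reverse, forward = {}, []
    for addr in net:
        label = host_label(addr, prefix)
        last_octet = str(addr).split(".")[-1]
        reverse.setdefault(reverse_zone_for(addr), []).append(
            f"{last_octet}\tIN\tPTR\t{label}.{forward_domain}.")
        forward.append(f"{label}\tIN\tA\t{addr}")
    return reverse, forward


def render_zone(zone, records, ns="ns1.example.internal.", serial=2020081301):
    """Wrap records in a minimal zone file (SOA + NS with a placeholder nameserver)."""
    domain = ns.split(".", 1)[1]  # ns1.example.internal. -> example.internal.
    header = [
        f"$ORIGIN {zone}",
        "$TTL 3600",
        f"@\tIN\tSOA\t{ns} hostmaster.{domain} ( {serial} 3600 900 604800 3600 )",
        f"@\tIN\tNS\t{ns}",
    ]
    return "\n".join(header + records) + "\n"
```

Running `generate_records("10.8.0.0/24", "example.internal")` and feeding each zone to `render_zone` yields one reverse zone file with 256 PTR records and 256 matching A records for the forward zone.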