tickets #159195

closed

Repo server IP address not in DNS

Added by dnl028@gmail.com 13 days ago. Updated 13 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Mirrors
Target version: -
Start date: 2024-04-17
Due date:
% Done: 0%
Estimated time:

Description

Hi,

Have a system that firewall restricts all outbound traffic except a few
certain allowances, notably opensuse tumbleweed repos/mirrors.
Accordingly, have resolved all the repo related domains to their
respective ip addresses, but lately system updates fail to retrieve some
packages from cdn.opensuse.org, seemingly due to failure to reach it.
A dig on cdn.opensuse.org consistently resolves to these four, which
have been allowed already by the firewall...
151.101.129.91
151.101.1.91
151.101.65.91
151.101.193.91

However, these failed retrievals are apparently because cannot reach
146.75.9.91, and when manually adding it for firewall allowance, the
problem is resolved.
Although, this ip address is never found by a dig on the domain, and a
hard-coded / manual solution will not suffice here.
Is it some mistake that this ip is not in cdn.opensuse.org dns records,
and will perhaps be added? What do you advise on this?

This pertains to the ticket...
https://progress.opensuse.org/issues/115142
...although, assume there's no need to actually look at said ticket to
understand what's above.

Thank you

Actions #1

Updated by crameleon 13 days ago

  • Category set to Mirrors
  • Status changed from New to Closed
  • Private changed from Yes to No

Hi,

cdn.opensuse.org is a CNAME to a domain operated by Fastly, the company hosting the CDN. We do not control the Fastly domain and the IP addresses behind it - they could change at any time, and the HTTP server behind the initial domain might redirect you to other domains (and IP addresses), which is likely what you are observing.

For filtering outbound traffic I recommend choosing a static mirror close to you from https://mirrors.opensuse.org/ and configuring that both on your clients and in your firewall policy. Of course, the mirror providers might change their IP addresses at some point as well - but it is less common since they are usually bound to whitelisting on our origin server.

Best,
Georg
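
The mismatch discussed in this ticket can be checked mechanically. The following is an added example, not part of the ticket and not openSUSE tooling: it parses `dig +noall +answer` style output, follows the CNAME chain, and reports addresses missing from an egress allow-list as well as observed destinations that the hostname's DNS answer never contained. The CNAME target `cdn-target.example.net`, the mirror `mirror.example.org` and the address 192.0.2.10 are placeholders.

```python
# Constructed sample in `dig +noall +answer` layout. The CNAME target, the mirror
# host and 192.0.2.10 are placeholders; the other addresses are quoted in the ticket.
SAMPLE_DIG = """\
cdn.opensuse.org.        300  IN CNAME cdn-target.example.net.
cdn-target.example.net.  30   IN A     151.101.129.91
cdn-target.example.net.  30   IN A     151.101.1.91
cdn-target.example.net.  30   IN A     151.101.65.91
cdn-target.example.net.  30   IN A     151.101.193.91
mirror.example.org.      3600 IN A     192.0.2.10
"""
ALLOWLIST = {"151.101.129.91", "151.101.1.91", "151.101.65.91", "151.101.193.91"}


def parse_answers(text):
    """Split dig answer lines into CNAME targets and address sets, keyed by name."""
    cnames, addrs = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN":
            continue  # skip comments, blank lines and other record layouts
        name, rtype, data = fields[0].rstrip(".").lower(), fields[3], fields[4]
        if rtype == "CNAME":
            cnames[name] = data.rstrip(".").lower()
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(name, set()).add(data)
    return cnames, addrs


def audit(host, dig_text, allowlist, observed=()):
    """Report why an IP allow-list for `host` may not match real connections."""
    cnames, addrs = parse_answers(dig_text)
    chain = [host.rstrip(".").lower()]
    while chain[-1] in cnames and cnames[chain[-1]] not in chain:
        chain.append(cnames[chain[-1]])  # follow the CNAME chain, guarding against loops
    resolved = addrs.get(chain[-1], set())
    return {
        "cname_chain": chain,
        "delegated": len(chain) > 1,  # records live in a zone reached via CNAME
        "missing_from_allowlist": sorted(resolved - set(allowlist)),
        "observed_not_in_dns": sorted(set(observed) - resolved),
    }


if __name__ == "__main__":
    print(audit("cdn.opensuse.org", SAMPLE_DIG, ALLOWLIST, observed=["146.75.9.91"]))
    print(audit("mirror.example.org", SAMPLE_DIG, ALLOWLIST))
```

A non-empty `observed_not_in_dns` on a `delegated` name means the allow-list cannot be kept correct from DNS lookups of that name alone, which is the situation the reply describes.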
