Board: Pools
Re: [25+PH] Kano CKPool kano.is 0.9% PPLNS US,DE,SG,JP,NL,NYA
by kano on 30/01/2017, 20:17:14 UTC
Since the firewall you use only works with IP addresses in the rules, maybe allow your miners to 8.8.8.8 and 8.8.4.4 port 53 for DNS?  Set your miners' DNS to those 2 IPs, then you wouldn't have to worry next time an IP changes.  Just throwing out options for you.

That won't work for him either. The shortcoming (not going to say problem) is that the firewall would need to do the DNS lookup at the time it boots (and maybe periodically to refresh) to determine what firewall rule to put in place and it doesn't support that.

The "fix" would be to allow all outbound traffic to TCP port 3333, but that would open him up to his miners being able to connect to pools he doesn't want them to (which I would assume is what is trying to be prevented).

Yep, that is 100% the problem.  The problem isn't name resolution, it is that I want to control what outbound connections the machines on my network make.  With tons of machines running all types of god knows what on them (I am not talking about cgminer), I don't want it to be a free-for-all.  Basically, I trust them to make outbound connections to any server Kano sets up (and to a few other places), but not to anywhere else.  Thus the need to use the IP address of the pool server, as it cannot be done by name (stratum.kano.is).  As I said before, I like to lock everything down as much as possible!  It makes some things more of a pain, but I like to sleep at night.

Thanks for the input guys!
If you add one of my DNS servers it will only resolve domains I manage - and thus the only domains that have anything to do with mining are kano.is/kano.space.
I have 3 DNS servers for those domains (a 4th one soon in China when I get around to setting it up).
I run my DNS servers - and mail servers and web servers and ... everything.

However, if your concern is MITM DNS redirection, then as I mentioned before, using proxies means that if you do need to change where they point, you only need to change the proxies you are running (and the firewall), not all the miners, since the miners would all point to the few proxies and the proxies would decide where they are mining. Of course that could all still be IP address based as you're currently doing, and the proxies would of course be in there with the miners, not outside somewhere.

Edit: you could then make your firewall rules even more specific, only allowing the proxies to talk to the pool/pools.
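The proxy-plus-allowlist layout described in this thread, as an added example that is not kano's code or the pool's: a small script that does the refresh the firewall itself cannot (resolve the pool name, rebuild an IP-only rule set in which only the local proxies may reach TCP 3333, and report when the resolved addresses change). The proxy LAN addresses and the chain name STRATUM_EGRESS are assumptions; the pool name and port come from the thread.

```python
import socket
import ipaddress

# From the thread: the pool name and the stratum port the miners use.
POOL_HOST = "stratum.kano.is"
POOL_PORT = 3333
# Assumed LAN addresses of the local stratum proxies (not from the thread).
PROXY_IPS = ["192.168.1.10", "192.168.1.11"]


def resolve_pool(hostname, resolver=socket.gethostbyname_ex):
    """Return the IPv4 addresses the pool name currently resolves to, sorted.

    `resolver` is injectable so the allowlist can be rebuilt from a fixed
    answer (offline test) instead of a live DNS query."""
    _, _, addrs = resolver(hostname)
    return [str(a) for a in sorted({ipaddress.IPv4Address(a) for a in addrs})]


def build_rules(pool_ips, proxy_ips=PROXY_IPS, port=POOL_PORT):
    """Emit iptables commands for a dedicated chain: each proxy may reach each
    pool address on the stratum port; any other connection to that port is
    dropped, so a miner pointed at a different pool never gets out.

    Assumes a one-time setup of
      iptables -N STRATUM_EGRESS
      iptables -A FORWARD -p tcp --dport 3333 -j STRATUM_EGRESS
    so the chain can be flushed and rebuilt on every refresh."""
    rules = ["iptables -F STRATUM_EGRESS"]
    for proxy in proxy_ips:
        for pool in pool_ips:
            rules.append(
                f"iptables -A STRATUM_EGRESS -s {proxy} -d {pool} "
                f"-p tcp --dport {port} -j ACCEPT")
    rules.append(f"iptables -A STRATUM_EGRESS -p tcp --dport {port} -j DROP")
    return rules


def allowlist_delta(previous, current):
    """Addresses that appeared or vanished since the last refresh.
    A non-empty delta is the moment the firewall must be reloaded, and is
    also the event worth logging if DNS redirection is the worry."""
    return (sorted(set(current) - set(previous)),
            sorted(set(previous) - set(current)))


if __name__ == "__main__":
    ips = resolve_pool(POOL_HOST)
    print("\n".join(build_rules(ips)))
```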