VMware Cloud Community
Nashwood
Contributor

Any security concerns with adding VMkernel IPs to DNS?

Quick background: We have a large ESX shop (200+), and we use a NAS for build scripts, config files and ESX backup. We have to switch over to a new NAS. Problem is that the new NAS (Celerra) has a 2048 character limit, so we cannot add all of the current hosts. EMC found a possible solution by defining netgroups. This works like a host file.

Service Console IPs and FQDN are in DNS, as they should be.

Issue: We have the VMkernel in isolated VLANs. Storage guys would like to add the IPs for VMkernel into DNS, of course with a different name (ex: hostname-vmk). This ensures that we won't have to continue to add them in the netgroup.

Question: Are there any security concerns with adding VMkernel IPs to DNS?

Thanks in advance.

Scott

3 Replies
abaum
Hot Shot

Yes and No. If you live by "security by obscurity", then yes there is a security issue. If you take a more pragmatic approach, the answer is no. If you have good mgmt practices/processes, a solid network design and robust security, then you shouldn't have a problem. Standard disclaimer - your mileage may vary.

adam

Texiwill
Leadership

Hello,

The question is really on which network the Celerra exists. If it is just isolated to the vmkernel and the Celerra server then you would need to break this isolation to use DNS. So if you break this isolation by using DNS, you then open this network up for attack. So in this case you should use a firewall and just pass DNS into this network from your DNS server. Alternatively you would need to add a DNS server into this isolated network. There may be a way to use a virtual firewall as well but you would need to bridge to a non-vmkernel portgroup using the same VLAN (or none if you do not use any) and on the same vSwitch as the vmkernel port group.

So you either have:

DNS <-> FW <-> Storage Network of ESX + Celerra

or

Storage Network containing ESX + Celerra + DNS (which could be a VM)


Best regards, Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
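
The "DNS <-> FW <-> Storage Network" layout in the reply above only preserves isolation if the firewall passes nothing but DNS. As an added example (not part of the original post), this Python check flags any permit rule that crosses the storage VLAN boundary other than DNS queries to the resolver; the subnet, resolver address and rule format are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the thread).
STORAGE_NET = ipaddress.ip_network("10.50.0.0/24")  # isolated VMkernel + NAS VLAN
DNS_SERVER = ipaddress.ip_network("10.10.0.53/32")  # resolver outside that VLAN

# Constructed rule set for a stateful firewall (return traffic is implied).
RULES = [
    {"id": 1, "action": "permit", "src": "10.50.0.0/24", "dst": "10.10.0.53/32", "proto": "udp", "port": 53},
    {"id": 2, "action": "permit", "src": "10.50.0.0/24", "dst": "10.10.0.53/32", "proto": "tcp", "port": 53},
    {"id": 3, "action": "permit", "src": "10.10.0.0/16", "dst": "10.50.0.0/24", "proto": "tcp", "port": 2049},
    {"id": 4, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "port": None},
]


def crosses_boundary(rule):
    """True if the rule can match traffic between the storage VLAN and anything outside it."""
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    src_inside = src.overlaps(STORAGE_NET)
    dst_inside = dst.overlaps(STORAGE_NET)
    src_outside = not src.subnet_of(STORAGE_NET)
    dst_outside = not dst.subnet_of(STORAGE_NET)
    return (src_inside and dst_outside) or (dst_inside and src_outside)


def is_expected_dns(rule):
    """True only for storage-VLAN clients querying the designated resolver on port 53."""
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    return (src.subnet_of(STORAGE_NET) and dst == DNS_SERVER
            and rule["proto"] in ("udp", "tcp") and rule["port"] == 53)


def audit(rules):
    """Return ids of permit rules that open the storage VLAN to more than DNS."""
    return [r["id"] for r in rules
            if r["action"] == "permit" and crosses_boundary(r) and not is_expected_dns(r)]


if __name__ == "__main__":
    for rule_id in audit(RULES):
        print(f"rule {rule_id}: permits non-DNS traffic across the storage boundary")
```

The check looks at each permit rule on its own and does not model rule ordering or shadowing.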
Nashwood
Contributor

Thanks a ton for the replies. Huge help!

- Scott
