mySQL DNS - security risk?



Why does DreamHost automatically publish mySQL hostnames to public DNS? I may just have a poor understanding of the DNS system, but doesn’t that allow someone to quickly scan for the mySQL hosts that I have configured (especially if I use the default names)?

My understanding is that it would be more secure for DH to only register the mySQL hostnames within its own datacenter’s DNS servers, unless I explicitly need to publish that. More than likely, the majority of mySQL hosts at DH are created solely for Joomla! or WordPress installs, so there is no possible reason to make them externally visible. (Possibly the phpMyAdmin portal and similar would have problems without the public DNS?)

Thoughts? Is this a security risk that I should be concerned about? (I’m not advocating security by obscurity, but layered security with limited exposure is what I learned as a best practice.)


It is, but I think it’s mitigated by limiting connections to a whitelist. Still, make sure your DB username and password are as long and complex as reasonably possible. There’s no reason why either should be memorable or less than at least 12 characters.


Thanks, I wasn’t aware of the connection whitelist. That does help. (I guess bypassing that would require someone to get an account on the same machine as mine.)

My faith in DH’s security is - mostly - restored. I still see plain-text storage of passwords in several places when I’m working in the control panel, though… :)


It’s not bad, but it’s not good because they cater to the lowest common denominator, i.e. someone who has no idea what they are doing, just wants to write a blog that no one will read, and can’t remember a password to save his/her life. So they store passwords in a recoverable format along with other practices which, as we can see, will come back to bite them and their customers.

What I would like to see is very, very good security with options to have less security (recoverable passwords) with the risks spelt out to the customers. As it stands now, we all are forced into mediocre security just because some (most?) people don’t know the significance of what they are doing.