domain names in access whitelist
Allow domain names in whitelist for IP address. (And rename whitelist to allowlist).
I have a server (app) on heroku. It has a domain name. I don't have a dedicated ip address range. But if I could put my domain name in (myapp.herokupapp.com or myapp.com if I get that name from godaddy), then when my server connects, you could do a DNS lookup of the domain names in the whitelist, and allow connection from those. And then, my app, and many others would be more secure. People could also use dynamic dns to support connections from their home computers, more securely.
I've seen some traffic about mongodb databases being hacked, though their security was weak, I think a quick effort on this could add a lot of security for a lot of people.
Andrew (Admin, MongoDB) : commented
-Unfortunately at the TCP layer we will only see the source IP address of the request and not your domain.
I'd love to have a call with your developers and explain how you can use DNS to lookup the IP address of the domain name I put into the white list, at the time that the server tries to open a connection, and then verify that IP address with the IP address in the source IP address in the layer 2 header.
And you said:
- many customers do open up to 0.0.0.0/0
It can be done, and it would be valuable to a lot of people. I hope you will bring this up with product management.
Unfortunately at the TCP layer we will only see the source IP address of the request and not your domain.
However, please note that MongoDB Atlas requires security in depth including database level authentication on top of the IP Access List (we have already changed the name of this capability in the UI btw).
Selective IP Access List management is a best practice but many customers do open up to 0.0.0.0/0 and take care to ensure their database cluster passwords are securely managed.
Another option is to procure a static IP address or leverage VPC peering.