

Disabling old IP addresses - gregman
https://github.com/blog/1675-disabling-old-ip-addresses

======
kojoru
Why do people add github's ip-addresses to their hosts file? What are the
practical gains?

~~~
voidlogic
practical gains? None.

theroetical gains?

* They can try to pick a server near them (I don't think the servers are geo-dist)

* No external DNS lookup (silly, whats a one-time cached 150 ms between friends)

* Immune to DNS outage (lol, if your DNS is working other stuff is prob broke..)

* More resistant to someone pretending to be github (expect that github uses HTTPS..)

So really no point I can think of... but is sure makes you computer brittle to
github changing anything!

~~~
moonie1
One scenario: If you have a build server, say running jenkins, that consumes
PRs from your private github repo and automatically runs them, someone from
your team has to store an API key on it. Now imagine an attacker has gotten
access to the network and is able to perform DNS cache poisoning.

~~~
zapu
Wouldn't the attacker also have to have github keys, cause it's all HTTPS or
SSH?

------
technoweenie
For what it's worth, we have an API endpoint that has had the right IP network
listed ever since it went active. If you _need_ to verify IPs for whatever
reason, use this:

[http://developer.github.com/v3/meta/](http://developer.github.com/v3/meta/)

------
IgorPartola
I think the more likely explanation is the behavior I have seen in IE8 and
below where DNS entries get cached and as long as the server responds
correctly, they cache is not busted. On one particular upgrade we brought the
TTL down to 60 seconds and had to wait three days for the traffic to subside.

Also, at least older versions of nginx in reverse proxying mode have the same
issue. Had to send the nginx processes a SIGHUP or restart them entirely,
don't remember which, to get them to use the new IP's.

~~~
Dylan16807
I recently learned the hard way that Firefox has a cache that does the same
thing. Obsolete documentation lists a 60 second cache but I watched it making
requests to the wrong server almost an entire day after the (3 hour TTL)
records were changed. And yes, I checked that other apps showed the right IP.

[https://bugzilla.mozilla.org/show_bug.cgi?id=861273](https://bugzilla.mozilla.org/show_bug.cgi?id=861273)

[https://bugzilla.mozilla.org/show_bug.cgi?id=709976](https://bugzilla.mozilla.org/show_bug.cgi?id=709976)

------
joaomsa
We check a request's IP address for blocks owned by GitHub as a form of
authentication for service hooks to consume commits and implement continuous
integration/delivery on a project.

They list these blocks in the service hooks configuration page. Are these
address blocks also due for change/deprecation?

~~~
saidajigumi
Better to ask the source, I'd say. Per the bar at the bottom of the GitHub
post:

    
    
        Have feedback? Let @github[1] know on Twitter.
    

[1]
[https://twitter.com/intent/tweet?text=@github%20&related=git...](https://twitter.com/intent/tweet?text=@github%20&related=github&url=https://github.com/blog/1675-disabling-
old-ip-addresses)

