by kortilla 2016 days ago
> On the other hand, most devs / technical staff type IPs into the browser and terminal daily.

No they don’t. Configure a DNS server and type these in once. Any time I see IP addresses passed around it’s a sign of broken infrastructure. (It also means you aren’t using TLS or you’re training people to accept cert errors.)


> No they don’t

Oh yes they do.

> Any time I see IP addresses passed around it’s a sign of broken infrastructure

Nope.

> It also means you aren’t using TLS or you’re training people to accept cert errors

So, let me get this straight. You have a server that's behind CloudFlare, and you're claiming we should use DNS and TLS to SSH into it?

I think you’re confused a bit, so let’s split apart the use cases to be clear why IPs are bad in both cases.

You said devs and technical staff were typing IPs into their browsers. Presumably this means the address bar, which breaks TLS.

SSH derives a big chunk of security from key caching. If you’re using IPs you now can’t have an IP change without triggering key warnings on the SSH clients for a new key at a minimum or (worst case) a breach.

IPs should be passed to the DNS server, yes.

Every server/VM I control (~200) has a DNS entry. Every active IP has a reverse (PTR) entry.

I have a monitoring task to check for missing DNS entries, as it usually suggests a problem (i.e. we've deployed or undeployed something incompletely).
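A check along the lines of the monitoring task described in the last comment, as an added example that is not code from the thread: it audits a host inventory against forward (A) and reverse (PTR) DNS and reports every host whose records are missing or disagree with the inventory. The hostnames, addresses and the resolver-injection design are assumptions; each resolver takes a hostname or IP and returns None on failure, so the constructed dictionaries stand in for live lookups and the block runs offline.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]  # returns None when the lookup fails

def audit_dns(inventory: Dict[str, str], forward: Resolver,
              reverse: Resolver) -> List[Tuple[str, str, str]]:
    """Return (hostname, ip, problem) for each host whose forward (A) or
    reverse (PTR) record is missing or disagrees with the inventory."""
    findings = []
    for host, ip in sorted(inventory.items()):
        resolved = forward(host)
        if resolved is None:
            findings.append((host, ip, "missing-A"))
        elif resolved != ip:
            findings.append((host, ip, f"stale-A:{resolved}"))
        ptr = reverse(ip)
        if ptr is None:
            findings.append((host, ip, "missing-PTR"))
        elif ptr.rstrip(".").lower() != host.rstrip(".").lower():
            findings.append((host, ip, f"ptr-mismatch:{ptr}"))
    return findings

# Resolvers for real use: the system resolver via the socket module.
def live_forward(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def live_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

# Constructed sample data: hypothetical hostnames and RFC 1918 addresses.
INVENTORY = {"web1.example.internal": "10.0.0.11", "db1.example.internal": "10.0.0.21",
             "old1.example.internal": "10.0.0.31", "app1.example.internal": "10.0.0.41"}
FAKE_A = {"web1.example.internal": "10.0.0.11", "db1.example.internal": "10.0.0.21",
          "app1.example.internal": "10.0.0.99"}  # old1 has no A record; app1's is stale
FAKE_PTR = {"10.0.0.11": "web1.example.internal", "10.0.0.21": "db-old.example.internal",
            "10.0.0.31": "old1.example.internal"}  # 10.0.0.41 has no PTR; 10.0.0.21 mismatches

def sample_findings() -> List[Tuple[str, str, str]]:
    return audit_dns(INVENTORY, FAKE_A.get, FAKE_PTR.get)

if __name__ == "__main__":
    for host, ip, problem in sample_findings():
        print(f"{host:24} {ip:12} {problem}")
```

Against a real inventory, call audit_dns(inventory, live_forward, live_reverse) from a scheduled job and alert on a non-empty result.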