Allowing hostname access in pg_hba.conf won't work unless I also add the resolved IP address?
I want to allow Postgres access from a hostname rather than an IP. I added access from the hostname to my pg_hba.conf, but when looking at the error log it appears that DNS resolves this hostname to an IP, and connections from this IP are not allowed unless I explicitly allow access. This defeats the whole purpose of using the hostname, as hostnames for my services will NEVER change, whereas the IP addresses can change daily.
What is the solution to this problem? Maybe my conf is just incorrect?
Error:
```
test@test FATAL: no pg_hba.conf entry for host "10.81.128.90", user "test", database "test", SSL on[1]:
test@test DETAIL: Client IP address resolved to "cannablrv2-locationserver-1.kontena.local", forward lookup not checked.
```
Shell script that adds access to pg_hba.conf:
```
# Restrict subnet to docker private network
echo "host all all 172.17.0.0/16 md5" >> /etc/postgresql/9.5/main/pg_hba.conf
# Allow access from locationserver
echo "host all all cannablrv2-locationserver.test.kontena.local md5" >> /etc/postgresql/9.5/main/pg_hba.conf
# And allow access from DockerToolbox / Boottodocker on OSX
echo "host all all 192.168.0.0/16 md5" >> /etc/postgresql/9.5/main/pg_hba.conf
# Listen on all ip addresses
echo "listen_addresses = '*'" >> /etc/postgresql/9.5/main/postgresql.conf
echo "port = 5432" >> /etc/postgresql/9.5/main/postgresql.conf
```
Solution 1:[1]
You see that the client IP address resolves to a different name than the one you entered in pg_hba.conf, which is why the connection fails.
Did you read the documentation? It explains in detail how host names are handled.
You might get away with using .kontena.local to match name suffixes.
Solution 2:[2]
This answer assumes that you are using a DNS server for hostname resolution. According to https://www.postgresql.org/docs/current/auth-pg-hba-conf.html, if a hostname is provided, then a reverse DNS lookup will be performed with that IP. In your case, the reverse DNS lookup of IP 10.81.128.90 is resolving to cannablrv2-locationserver-1.kontena.local instead of cannablrv2-locationserver.test.kontena.local, which you have provided in your pg_hba.conf. Also, both reverse and forward DNS lookups must give the expected results.
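The host-name check both answers describe, as an added example that is not part of the original answers and is not PostgreSQL's own code: a simplified Python model of the documented rule (reverse lookup, case-insensitive or leading-dot suffix comparison, then forward confirmation). The function names are hypothetical and the DNS tables are constructed; the PTR record is taken from the log in the question, while the forward records and the 203.0.113.7 client are assumptions.

```python
# Constructed DNS data. The PTR record comes from the question's log;
# the forward (A) records are assumptions made for this example.
PTR = {"10.81.128.90": "cannablrv2-locationserver-1.kontena.local"}
A = {
    "cannablrv2-locationserver-1.kontena.local": {"10.81.128.90"},
    "cannablrv2-locationserver.test.kontena.local": {"10.81.128.90"},
}


def name_matches(entry, actual):
    """Case-insensitive compare; an entry with a leading dot matches a suffix only."""
    entry, actual = entry.lower(), actual.lower()
    if entry.startswith("."):
        return len(actual) > len(entry) and actual.endswith(entry)
    return entry == actual


def hba_host_matches(entry, client_ip, ptr=PTR, fwd=A):
    """Return (matched, reason) for a host-name entry in pg_hba.conf."""
    actual = ptr.get(client_ip)  # step 1: reverse lookup of the client IP
    if actual is None:
        return False, "no reverse record for client IP"
    if not name_matches(entry, actual):  # step 2: compare with the entry
        return False, f"reverse name {actual!r} does not match {entry!r}"
    # Step 3: forward lookup must lead back to the client IP, so a client
    # that controls only its own PTR record cannot claim a trusted name.
    if client_ip not in fwd.get(actual, set()):
        return False, f"forward lookup of {actual!r} does not return {client_ip}"
    return True, "reverse and forward lookups agree"


if __name__ == "__main__":
    cases = [
        ("cannablrv2-locationserver.test.kontena.local", "10.81.128.90", PTR),
        (".kontena.local", "10.81.128.90", PTR),
        # Constructed case: PTR claims a trusted name, no forward record backs it.
        (".kontena.local", "203.0.113.7", {"203.0.113.7": "db.kontena.local"}),
    ]
    for entry, ip, ptr in cases:
        print(f"{entry} from {ip}: {hba_host_matches(entry, ip, ptr=ptr)}")
```

A suffix entry admits every client whose reverse and forward records fall under that domain, so it is broader than the single-name entry it replaces.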
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Laurenz Albe |
| Solution 2 | Binita Bharati |
