httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: hostname lookups
Date Tue, 01 Jul 1997 06:28:25 GMT
And btw, none of the documentation mentions the lack of double reverse. 
Configuration used to mention -DMAXIMUM_DNS, but even that is gone.  It
should at least be mentioned on the mod_access page.  It should probably
even be a run-time option to enable double reverse.

Dean

P.S. "double reverse" is when you do a reverse lookup on an ip, then do a
forward on that to ensure they overlap.  Without it there's absolutely no
security offered by an "allow foobar.dom" or "deny foobar.dom". 

On Mon, 30 Jun 1997, Dean Gaudet wrote:

> Ok I'll revert the 1.2.1 changes.  The main intention of making the
> default off is to prevent new sites from coming online with
> hostnamelookups when they don't really need them.  But I guess enough
> people start from the .conf-dist files and just edit back in their own
> local changes that it'll be an issue.  I always assume people know they
> can just use their existing config files. 
> 
> It may be possible to add a warning in mod_access during config time that
> says "hostname lookups are off, but you've asked for resolution based on
> hostnames". 
> 
> Dean
> 
> On Tue, 1 Jul 1997, Marc Slemko wrote:
> 
> > My vote is turn hostnamelookups back on for 1.2.1, then consider what we
> > want to do for 1.3.  There are too many unresolved issues.
> > 
> > There is a big difference between running a server with hostnamelookups on
> > and resolving the names later.  If you process a week's worth of logfiles
> > and cache the results, you will do a lot fewer lookups than if you do them
> > when you get the request.  Just as importantly, lookups take time and add
> > another serialization to the process.
> > 
> > On Mon, 30 Jun 1997, Randy Terbush wrote:
> > 
> > > FTR - I don't view having 'HostnameLookups on' as that big of a 
> > > problem. Certainly not big enough to justify the tidal wave of "bug"
> > > reports that this will surely generate. 
> > > 
> > > What is the difference between me running servers with 
> > > HostnameLookups on and having a log processor running on the side 
> > > resolving an endless stream of requests?
> > > 
> > > The real problem here is the thousands of sites out there that 
> > > can't seem to configure reverse lookups for their clients. If the 
> > > address can be resolved, it is in local cache and that is the end 
> > > of it. If it can't be resolved, it creates an endless number of 
> > > failed attempts everywhere it goes on the net.
> > > 
> > > If we want to do the net a favor, add the code to refuse serving 
> > > clients with addresses that cannot be resolved. That way we shift 
> > > the bug reports off to the service providers. :-)
> > > 
> > > IMHO - This type of change does not belong in 1.2.x
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> 
> 
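
The "double reverse" check described in the P.S. of the message above, as an added example that is not part of the original thread and is not Apache's own code. The DNS tables are constructed sample data, and `lookup_ptr`, `forward_has_ip`, `in_domain` and `allow_from_domain` are hypothetical names; the example goes slightly beyond the message by also matching the domain on a label boundary.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample DNS data (documentation address ranges). */
struct rec { const char *key, *val; };
static const struct rec PTR_RECS[] = {       /* reverse zone: ip -> name */
    {"192.0.2.10",   "www.foobar.dom"},
    {"203.0.113.66", "trusted.foobar.dom"},  /* name not confirmed by foobar.dom */
};
static const struct rec A_RECS[] = {         /* forward zone: name -> ip */
    {"www.foobar.dom",     "192.0.2.10"},
    {"trusted.foobar.dom", "192.0.2.20"},
};

/* Reverse lookup: the PTR name for ip, or NULL if there is none. */
static const char *lookup_ptr(const char *ip) {
    for (size_t i = 0; i < sizeof PTR_RECS / sizeof *PTR_RECS; i++)
        if (strcmp(PTR_RECS[i].key, ip) == 0) return PTR_RECS[i].val;
    return NULL;
}

/* Forward lookup: 1 if any A record for name equals ip. */
static int forward_has_ip(const char *name, const char *ip) {
    for (size_t i = 0; i < sizeof A_RECS / sizeof *A_RECS; i++)
        if (strcasecmp(A_RECS[i].key, name) == 0 &&
            strcmp(A_RECS[i].val, ip) == 0) return 1;
    return 0;
}

/* 1 if host is domain itself or a subdomain (match on a label boundary). */
static int in_domain(const char *host, const char *domain) {
    size_t h = strlen(host), d = strlen(domain);
    if (h < d || strcasecmp(host + h - d, domain) != 0) return 0;
    return h == d || host[h - d - 1] == '.';
}

/* "allow <domain>" for ip; double_reverse=1 also requires name -> ip. */
int allow_from_domain(const char *ip, const char *domain, int double_reverse) {
    const char *name = lookup_ptr(ip);
    if (name == NULL) return 0;                      /* no reverse name */
    if (double_reverse && !forward_has_ip(name, ip)) return 0;
    return in_domain(name, domain);
}
int main(void) {   /* prints "1 0": accepted without the check, refused with it */
    printf("%d %d\n", allow_from_domain("203.0.113.66", "foobar.dom", 0),
           allow_from_domain("203.0.113.66", "foobar.dom", 1));
    return 0;
}
```
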

