httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: access control for dynamic hosts
Date Mon, 29 Feb 2016 10:05:22 GMT


On 29.02.2016 at 07:16, fabien@apache.org wrote:
>>> Maybe the reverse dns is working on your test address?
>>
>> I checked it and yes it does work that way. I never knew it did.
>
> Indeed.
>
> This feature makes sense because it allows to allow a full domain, say
> "apache.org", any host of which the inverse dns resolves to the domain
> can then be allowed.
>
> But this also means that if the reverse dns is not controlled, say with
> the dynamic dns and a moving ip, ip control does not work, hence my
> proposal for a lesser version which just checks that a client ip is
> allowed just by resolving a name.

that is unsafe

it takes me exactly 5 seconds to add a PTR "myserver.apache.org" to one 
of our public ip-addresses if i would like to and nobody can do anything 
against it except check if the A record matches because that can only be 
controlled by the domain owner

the same for anybody else who has a /24 or bigger network and the 
reverse dns delegated to his own nameservers - i would not do such 
things, others would and so it's nothing to hand authentication on it
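
The check described in this message (reverse lookup, then confirm that the A record of the returned name points back at the client) as an added example; it is not part of the original message and is not httpd's code. The function names, the `example.org` names and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """A/AAAA lookup through the system resolver; returns address strings."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def in_domain(name, domain):
    """True if name is the domain itself or a host below it (label boundary)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def ptr_only_allows(ip, domain, reverse=system_reverse):
    """Unsafe: trusts whatever name the owner of the reverse zone published."""
    return any(in_domain(n, domain) for n in reverse(ip))

def fcrdns_allows(ip, domain, reverse=system_reverse, forward=system_forward):
    """Accept only if a PTR name in the domain resolves forward to the same IP."""
    client = ipaddress.ip_address(ip)
    for name in reverse(ip):
        if not in_domain(name, domain):
            continue
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr) == client:
                    return True
            except ValueError:  # e.g. scoped IPv6 literal from getaddrinfo
                continue
    return False

# Constructed sample zones: the PTR data is set by whoever runs the reverse
# zone for the address block, the A data only by the owner of example.org.
PTR = {"203.0.113.7": ["myserver.example.org"], "192.0.2.10": ["www.example.org"]}
A = {"www.example.org": ["192.0.2.10"]}
fake_reverse = lambda ip: PTR.get(ip, [])
fake_forward = lambda name: A.get(name, [])
```

With the sample zones, `203.0.113.7` passes the PTR-only check but fails the forward-confirmed one, because the forward zone has no matching A record for the name its PTR claims.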


