httpd-dev mailing list archives

From fab...@apache.org
Subject Re: access control for dynamic hosts
Date Tue, 01 Mar 2016 12:44:54 GMT

>> This feature makes sense because it allows one to allow a full domain, say
>> "apache.org"; any host whose inverse DNS resolves to the domain
>> can then be allowed.
>> 
>> But this also means that if the reverse dns is not controlled, say with
>> the dynamic dns and a moving ip, ip control does not work, hence my
>> proposal for a lesser version which just checks that a client ip is
>> allowed just by resolving a name.
>
> that is unsafe

> it takes me exactly 5 seconds to add a PTR "myserver.apache.org" to one of 
> our public ip-addresses if i would like to and nobody can do anything against 
> it except check if the A record matches because that can only be controlled by 
> the domain owner

Indeed, but then "host" also checks that forward resolution works, that is, 
"myserver.apache.org" must *also* point back to the same IP.

> the same for anybody else who has a /24 or bigger network and the reverse dns 
> delegated to his own nameservers - i would not do such things, others would 
> and so it's nothing to hand authentication on it

Sure, the second forward checks that all is well.


The feature I'm proposing is not related to that. I'm suggesting to have a 
way to specify host names *only* which are checked forward *only*.

   Require xxx foo.apache.org
   # allows ip of "foo.apache.org", just by resolving the name

For use with dyndns services.

-- 
Fabien.

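The double-reverse check that "Require host" performs and the forward-only variant proposed above, written out as an added example (not code from the thread or from httpd itself). It runs against a constructed in-memory zone, so every name and address below is invented and no real DNS is queried:

```python
# Constructed zone data (not real DNS). PTR maps address -> reverse name,
# A maps name -> address. 203.0.113.10 is a host whose PTR the domain owner
# controls; 198.51.100.7 sits in a third-party netblock whose owner can set
# any PTR text but cannot add an A record under apache.org.
PTR = {
    "203.0.113.10": "www.apache.org",
    "198.51.100.7": "myserver.apache.org",   # spoofed PTR on a foreign /24
    "192.0.2.55": "dyn-host.example-dyndns.net",  # typical dyndns reverse name
}
A = {
    "www.apache.org": "203.0.113.10",
    "myserver.apache.org": "203.0.113.99",   # the name's real address
    "foo.apache.org": "192.0.2.55",          # dyndns name kept current by its owner
}


def require_host(client_ip: str, domain: str) -> bool:
    """Double-reverse check in the spirit of 'Require host <domain>':
    the PTR of the client must fall under <domain>, and the A record of
    that name must point back at the client address."""
    name = PTR.get(client_ip)
    if name is None:
        return False
    if not (name == domain or name.endswith("." + domain)):
        return False
    # Forward confirmation: only the zone owner can make this agree.
    return A.get(name) == client_ip


def require_forward_name(client_ip: str, name: str) -> bool:
    """Forward-only check as proposed in the message: resolve the name and
    compare with the client address. The PTR is never consulted, so a host
    behind a dynamic-DNS name (uncontrolled reverse zone) can still match."""
    return A.get(name) == client_ip
```

With this data the spoofed PTR for 198.51.100.7 is rejected by the double-reverse check because the A record disagrees, while the dyndns host 192.0.2.55 is accepted only by the forward-only check.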