httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 50359] New: DNS caveats and using hostnames vs. IP addresses
Date Mon, 29 Nov 2010 00:21:16 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=50359

           Summary: DNS caveats and using hostnames vs. IP addresses
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Documentation
        AssignedTo: docs@httpd.apache.org
        ReportedBy: calestyo@scientia.net


http://httpd.apache.org/docs/2.2/dns-caveats.html any many other places warn
from using hostnames instead of IP addresses in several directives.

It should be added that this is:
a) ...only partially true, when usgin "foreign" nameserver but having DNSSEC
deployed and used on all relevant zones
=> Then it's at least not possible to trick the server to use "wrong"
addresses, but DoS attacks might still be possible
b) ...totally safe to use hostnames, when using one's own nameservers, if
- connection to is secure (e.g. on the same host, TSIG, DNSSEC, IPsec secure
connection, etc.)
- they're authoritative for the respective zones
c) ...totally safe, when the respective host/domainnames are specified in
/etc/hosts, and that one is used rather than DNS (=> /etc/nsswitch.conf).


I guess it makes sense to note this, as right now, security conscious people
don't use hostnames (because of the warnings) but might find hostnames much
easier in order to make changing IP addresses less elaborate.

e.g. I specify things like:
1.2.3.4 eth0.localhost
in my /etc/hosts and have with that a central point to change my static IPs
(for all services using hostnames).

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message