11.8. Disabling DNS ResolutionYou should make sure that your httpd.conf file has this setting: HostnameLookups Off This is the default. If this directive is set to On (or even worse, Double), Apache will try to use DNS resolution to translate the client's IP address into its hostname for every single request. The problem is that there are many servers with broken reverse DNS, which means that resolution will never succeed, but it might take a significant time for the lookup attempt to time out. The web page will not be served before the lookup has either succeeded or timed out, because it's assumed that if you have this feature enabled you want to know the hostname from which the request came. Consequently Apache won't run any script or handler until the lookup attempt has concluded. Moreover, you can end up with a hostname that is completely useless and gives you far less information than the IP address would. To avoid this problem you can enable: HostnameLookups Double which does a reverse lookup, then a forward lookup on what it gets to make sure that the IP address is not being spoofed. However, this double lookup makes it even slower. If you need DNS names in some CGI script or handler, you should use gethostbyname( ) or its equivalents. In addition to having HostnameLookups turned off, you should avoid using hostname-based access control and use IP-based access control instead. If you have a setting like this: <Location /perl-status> ... Order deny, allow Deny from all Allow from www.example.com </Location> the server will have to perform a double reverse DNS lookup for each incoming IP address to make sure it matches the domain name listed in the Allow directive and is not being spoofed. Of course, in our example this will happen only for requests for URIs starting with /perl-status. This is another way to do the authorization based on the IP address: <Location /perl-status> ... Order deny, allow Deny from all Allow from 128.9.176.32 </Location> Note that since some IP addresses map to multiple hosts (multiple CNAME records), this solution will not always do what you want. Copyright © 2003 O'Reilly & Associates. All rights reserved. |
|