[4326] in WWW Security List Archive
Re: Access Logfile Question
daemon@ATHENA.MIT.EDU (Steff Watkins)
Mon Feb 10 15:03:26 1997
Date: Mon, 10 Feb 1997 17:22:28 +0000 (GMT)
From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
In-Reply-To: <32FF13CB.78B4@teknoland.es>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 10 Feb 1997, Colman Lopez wrote:
> Paul F Haskell (haskell) wrote:
> >
> > Our server is NCSA (HTTP/1.0), version is 1.3. When it fails a DNS
> > lookup it does in fact record the IP address.
>
> Just a comment that I use an NCSA server version 1.5.2 and I have a lot
> (each 10.000) of UNKNOWN_HOST domain names.. I don't want to say that the
> server does it each 10.000, I just point out the version.
Hello all,
OK.. here goes (gets out the memory cell with this bit in..)
The NCSA 1.5+ webserver has a configuration option in the httpd.conf file
called DNSMode.
This option has four options; NONE, MINIMUM, STANDARD or MAXIMUM. The
default is STANDARD. These options can be set in your 'httpd.conf' file
as follows:
DNSMode Standard
If this mode is set to STANDARD or MAXIMUM, then the webserver will (as
far as I can work out) attempt to reverse lookup the incoming call and
determine the HOSTNAME of the site making the current call ('hit',
'access' or whatever you want to call it).
Now, I haven't looked too deeply into the working of this piece of code,
but basically what seems to happen is, in STANDARD mode, the webserver
just does a rev-lookup on the IP ADDRESS (numeric) to determine the IP
NAME (alpha-numeric). In MAXIMUM mode, it will also rev-lookup the
discovered IP NAME (alpha-numeric) to see if that gives the same IP
ADDRESS (numeric) as was given by the incoming caller.
Now, if either of these tests fails (depending on the level you have
set), then the webserver will set 'UNKNOWN_HOST' as the name of the host
making the incoming web-call.
Now, as far as I can see, there are THREE possible reasons why a host's
incoming IP ADDRESS would NOT be valid through a DNS based search..
1> That the host has not been properly/fully DNS registered. This happens
a lot, especially with the widening of the Internet and the lack of
braincells being exhibited by a lot of people who set themselves up as
network admins.
OR
2> That the host is a deliberate spoof, trying to hide/cloak its true
identity.
OR
3> That the host is properly registered but that its registration has not
either a> fully propagated through the DNS structure or b> your local DNS
nameserver is...errr... corrupt!!!
In any of these cases, the only real reason to be running your webserver
in MAXIMUM DNSMode (or even STANDARD) is if you are going to RELY/DEPEND
on the IP statistics of the incoming call for some security feature, such
as 'allow/deny's in the .htaccess/access.conf sections of your local web.
If it really annoys you to see these entries, then do yourself (and your
incoming visitors) a favour and set the DNSMode to MINIMUM or NONE.
Two pennies,
Steff
: Steff Watkins, General Computer-type being
: University of Bristol, Clifton, Bristol, BS8 1TH, UK
:
: RFC-822 : Steff.Watkins@bris.ac.uk
: X-400 : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/
: Phone: +44 177 9287869 (external) 3046 / 7869 (internal)
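Added example, not part of Steff's post or of the NCSA httpd source: a small Python model of the STANDARD versus MAXIMUM DNSMode check described in the message, run against constructed DNS data (not real records), to show why an allow/deny rule keyed on hostnames should only trust a name that has passed the MAXIMUM-style forward confirmation. The record tables, the function names and the treatment of MINIMUM as "no lookup" are assumptions for the example.

```python
# Constructed zone data standing in for the DNS (assumption: not real records).
# 192.0.2.20 has a PTR record claiming a trusted name, but that name does not
# resolve back to 192.0.2.20; this is the case MAXIMUM mode catches.
PTR = {
    "192.0.2.10": "www.trusted.example.ac.uk",   # PTR and forward record agree
    "192.0.2.20": "www.trusted.example.ac.uk",   # PTR claims a name it does not own
    "198.51.100.5": "mx.example.net",             # PTR exists, forward record missing
}
A = {
    "www.trusted.example.ac.uk": {"192.0.2.10"},
    "www.other.example.org": {"198.51.100.7"},
}

UNKNOWN_HOST = "UNKNOWN_HOST"


def reverse_lookup(ip):
    """IP ADDRESS (numeric) -> IP NAME (alpha-numeric), or None on failure."""
    return PTR.get(ip)


def forward_lookup(name):
    """IP NAME -> set of IP ADDRESSes; empty set if the name does not resolve."""
    return A.get(name, set())


def client_hostname(ip, dnsmode="STANDARD"):
    """Name the server would log for `ip` under the given DNSMode setting."""
    mode = dnsmode.upper()
    if mode not in ("NONE", "MINIMUM", "STANDARD", "MAXIMUM"):
        raise ValueError(f"unknown DNSMode {dnsmode!r}")
    if mode in ("NONE", "MINIMUM"):
        return ip  # assumption: no reverse lookup, the numeric address is logged
    name = reverse_lookup(ip)
    if name is None:
        return UNKNOWN_HOST  # reverse lookup failed (unregistered, stale or broken DNS)
    if mode == "MAXIMUM" and ip not in forward_lookup(name):
        return UNKNOWN_HOST  # name does not resolve back to the caller's address
    return name


def host_allowed(ip, allowed_suffix, dnsmode):
    """Hostname-based allow rule, as an .htaccess 'allow from .domain' would apply it."""
    name = client_hostname(ip, dnsmode)
    return name != UNKNOWN_HOST and name.endswith(allowed_suffix)
```

Under STANDARD the forged PTR for 192.0.2.20 passes a suffix-based allow rule; under MAXIMUM the same caller is logged as UNKNOWN_HOST and denied.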