[4380] in WWW Security List Archive
Re: Access Logfile Question
daemon@ATHENA.MIT.EDU (Hrvoje Crvelin)
Wed Feb 12 07:47:25 1997
Date: Wed, 12 Feb 1997 11:29:50 GMT
From: crv@efri.hr (Hrvoje Crvelin)
To: "www-security" <www-security@ns2.rutgers.edu>
Reply-To: Hrvoje Crvelin <crv@efri.hr>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 10 Feb 1997 David Murray wrote:
> I can't remember where I saw it, but I recently read an interesting
> article about mis-uses of DNS. Several backbone organizations put
> such detail into their host (and gateway and router) names, that
> using nslookup, it is possible to physically map their network. Not
> many companies are willing to publish such vital corporate
> information, yet this is a perfectly reasonable and accepted policy
> for DNS.
I agree. DNS entries should contain only the fields necessary for normal
operation. Revealing some vital information could lead to serious
security problems. A good starting point is to read the following RFC
documentation:
RFC1033 "Domain Administration Operations Guide",
RFC1183 "New DNS RR Definitions",
RFC1912 "Common DNS Operational and Configuration Errors".
I know the RFCs say nothing about security on this, and that it is a
perfectly acceptable and accepted policy for DNS to put in there whatever
can be put, but I guess someone will get the idea of what is going on.
Sometimes the HINFO field is quite enough for someone to mount a denial
of service (e.g. the ping vulnerability).
> Paul F Haskell (haskell) wrote:
>
> Our server is NCSA (HTTP/1.0), version is 1.3. When it fails a DNS
> lookup it does in fact record the IP address.
I don't have any experience with the NCSA server, but I think Steff
Watkins's three possible reasons why a host's incoming IP ADDRESS
would not be valid through a DNS-based search are the answer to your
question. I have Apache. In httpd.conf you can choose:
# HostnameLookups: Log the names of clients or just their IP numbers
# e.g. oliver.efri.hr (on) or 161.53.42.3 (off)
HostnameLookups (on or off)
Sometimes access_log logs host names and sometimes IP addresses, but
I never encountered HOST_UNKNOWN. I don't know about NCSA, but I
have the following line in httpd.conf (I guess NCSA has it too):
#ServerName new.host.name
ServerName allows you to set a host name which is sent back to clients
for your server if it's different from the one the program would get
(i.e. use "www" instead of the host's real name). As far as I know, this
could cause trouble if the defined name isn't a valid DNS name for your
host. If the same (or a similar) field exists in NCSA httpd, UNKNOWN_HOST
could be a "normal" answer if the DNS settings are done wrong. This is
wild guessing since I don't have a ServerName line defined (www is
defined as an alias in DNS) and I could very easily be wrong on this.
+--------------------------------------------------------------------+
| Faculty of Economics         Name:   Hrvoje Crvelin                 |
| Business Informatics         E-mail: crv@oliver.efri.hr             |
| Drop your carrier            PGP 2.6 Public Key available via http  |
| We have you surrounded       Fax:    +385 51 51 30 92               |
| Visit Security Bugware       Web:    http://161.53.42.3/~crv        |
+------------------------------------- Queen lives forever ----------+
PGP Key Fingerprint = 46 11 28 F7 7A 71 A9 F3 03 81 01 9E 74 B9 8D 83
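An added example, not code from this post or from Apache: a small Python audit of access_log lines that tells IP-literal client fields from reverse-DNS names (the mix the post describes under HostnameLookups on) and checks whether each logged name still forward-resolves, since a name derived from a PTR record is supplied by the client's own network and the original address is no longer in the log to confirm it against. The log lines and the oliver.efri.hr to 161.53.42.3 mapping are constructed from values in the thread; ghost.example.invalid and the fake resolver are made up so the run is offline.

```python
import ipaddress
import re
import socket

# Constructed access_log lines (Common Log Format). With HostnameLookups on, the
# client field is the reverse-DNS name if the PTR lookup succeeded, else the IP.
SAMPLE_LOG = """\
oliver.efri.hr - - [12/Feb/1997:11:29:50 +0000] "GET / HTTP/1.0" 200 1043
161.53.42.3 - - [12/Feb/1997:11:30:02 +0000] "GET /~crv/ HTTP/1.0" 200 2210
ghost.example.invalid - - [12/Feb/1997:11:30:15 +0000] "GET /cgi-bin/x HTTP/1.0" 404 312
"""

CLF_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$')

def is_ip_literal(token):
    """True for an IPv4/IPv6 literal, False for anything that needs DNS."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def system_forward_lookup(name):  # system resolver; [] if the name is unknown
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def audit_access_log(text, forward_lookup=system_forward_lookup):
    """Classify each client field. A logged name came from a PTR record the
    remote network controls, so a name that no longer forward-resolves is
    untrustworthy; the real address was discarded when the name was logged."""
    results = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            results.append({'client': line, 'kind': 'unparsed', 'addresses': []})
            continue
        client = m.group('client')
        if is_ip_literal(client):
            results.append({'client': client, 'kind': 'ip', 'addresses': [client]})
            continue
        addrs = forward_lookup(client)
        kind = 'hostname' if addrs else 'unresolvable-hostname'
        results.append({'client': client, 'kind': kind, 'addresses': addrs})
    return results

if __name__ == '__main__':  # offline demo with a constructed resolver
    fake_dns = {'oliver.efri.hr': ['161.53.42.3']}
    print(audit_access_log(SAMPLE_LOG, lambda n: fake_dns.get(n, [])))
```

Logging with HostnameLookups off and resolving the addresses later keeps the IP available, so the forward check can then confirm the name against the address it was claimed for.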