--On 06/08/00 13:42:45 -0600 Marc Slemko <[EMAIL PROTECTED]> wrote:
> On Thu, 8 Jun 2000, Rob Tanner wrote:
>
>> I gotta read messages all the way down before I respond.. Duh. You said
>> they were off and I told you to turn them off. That's probably at least
>> three demerits for me.
>>
>> Anyway, unless you have an extremely busy server, those lookups are
>> generally not that expensive. For instance, I run TCP wrappers on all
>> my inetd monitored ports on all my machines, and I run in paranoid mode
>> (looks up once to get the name and then looks up the name to make sure
>> it gets that same address back -- makes spoofing harder). This
>> includes just about everything but sendmail and httpd. Even the pop
>> and imap ports are wrapped. The impact is negligible.
>
> No, the impact is _HUGE_ in many cases. The problem is that there
> are many addresses out there with broken reverse DNS, so they can
> take a significant time for the lookup attempt to timeout before
> serving the pages. You can cry that the remote systems are broken
> until you are blue in the face, and you are right. That doesn't stop
> you from hurting those users and having them go to another site that
> works for them. On top of that, it ties up your httpds for longer, which
> is never a good thing.
>
> In addition, most of the time the hostnames are not used for anything, so
> going to the extra pain to log them doesn't make much sense.

I am not arguing that there aren't broken name servers out there. The
question is what the impact on your system is. Since I wrap IP ports I do
two lookups (reverse followed by a forward) every time anyone accesses my
servers for anything -- which is a great deal more than just WEB traffic.
Again, my experience is that its impact on my systems is negligible. And
unless you are getting more simultaneous WEB hits than you have apache
processes, only the folks coming from those misconfigured domains are
affected -- they might therefore put pressure on their DNS admins to fix
the problem. BESIDES, the issue the original poster had was not one of
logging, it was access control. If the number of subnets you are either
allowing or denying is small (like maybe just local traffic allowed in),
then I agree that using IP addresses is more efficient. But otherwise you
have to use names. Moreover, I've seen a number of sites that wrap their
standard network service ports using the same paranoid scheme as I use. It
is a minimal, but very effective weapon against all but the most serious
spoofer. And if any of those folks in badly administered DNS domains need
to access such a secured site, the slowness of your WEB response to them is
the least of their problems.
Access control and security are almost always a more important
consideration, and when that conflicts with response times, response time
should almost always take a back seat.
-- Rob
QUIDQUID LATINE DICTUM SIT, PROFUNDUM VIDITUR
(Whatever is said in Latin appears profound)
Rob Tanner
McMinnville, Oregon
[EMAIL PROTECTED]
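The paranoid double lookup Rob describes (reverse, then forward to confirm the address) and Marc's objection that a broken reverse zone makes the caller wait out a timeout can be seen together in this added Python example; it is not code from the thread, from tcpd or from Apache. The resolver functions are injectable so the constructed lookup table runs offline, and the `budget` argument is an assumed knob of this example, not a TCP wrappers option.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout


def _reverse_default(ip):
    return socket.gethostbyaddr(ip)[0]          # PTR lookup, raises OSError on failure


def _forward_default(name):
    return socket.gethostbyname_ex(name)[2]     # A lookup, list of addresses


def paranoid_lookup(ip, reverse=_reverse_default, forward=_forward_default, budget=2.0):
    """Forward-confirmed reverse DNS in the style of tcpd's PARANOID mode.

    Returns (hostname, verdict, elapsed_seconds); verdict is 'verified',
    'mismatch', 'no-ptr' or 'timeout'.  The lookups run in a worker thread so
    the caller waits at most `budget` seconds (assumed knob) on a broken
    reverse zone instead of the resolver's own, much longer, timeout.
    """
    start = time.monotonic()

    def work():
        try:
            name = reverse(ip)
        except OSError:                  # socket.herror / gaierror are OSError subclasses
            return None, "no-ptr"
        try:
            addrs = forward(name)
        except OSError:
            return name, "mismatch"      # PTR names a host that does not resolve back
        return (name, "verified") if ip in addrs else (name, "mismatch")

    pool = ThreadPoolExecutor(max_workers=1)
    try:
        name, verdict = pool.submit(work).result(timeout=budget)
    except FutureTimeout:
        name, verdict = None, "timeout"
    finally:
        pool.shutdown(wait=False)        # do not block on a still-hung lookup
    return name, verdict, time.monotonic() - start


# Constructed, offline stand-ins for the resolver (documentation-range addresses).
_PTR = {"192.0.2.10": "host.example.com", "192.0.2.20": "liar.example.net"}
_A = {"host.example.com": ["192.0.2.10"], "liar.example.net": ["198.51.100.5"]}


def stub_reverse(ip):
    if ip not in _PTR:
        raise socket.herror(1, "Unknown host")
    return _PTR[ip]


def stub_forward(name):
    return _A[name]


def slow_reverse(ip):                    # models a reverse zone whose servers never answer
    time.sleep(0.5)
    return stub_reverse(ip)
```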