I do use an allow/deny with a domain name.
My question is, does it only force the lookup for the directory that the rule applies
to? Or does simply having the rule force lookups on ALL pages?
Thanks for the help
-Jason
----- Original Message -----
From: "Marc Slemko" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 08, 2000 12:42 PM
Subject: RE: DNS Lookups ? huh ?
> On Thu, 8 Jun 2000, Rob Tanner wrote:
>
> > I gotta read messages all the way down before I respond.. Duh. You said
> > they were off and I told you to turn them off. That's probably at least
> > three demerits for me.
> >
> > Anyway, unless you have an extremely busy server, those lookups are
> > generally not that expensive. For instance, I run TCP wrappers on all my
> > inetd monitored ports on all my machines, and I run in paranoid mode (looks
> > up once to get the name and then looks up the name to make sure it gets
> > that same address back -- makes spoofing harder). This includes just about
> > everything but sendmail and httpd. Even the pop and imap ports are
> > wrapped. The impact is negligible.
>
> No, the impact is _HUGE_ in many cases. The problem is that there
> are many addresses out there with broken reverse DNS, so they can
> take a significant time for the lookup attempt to time out before
> serving the pages. You can cry that the remote systems are broken
> until you are blue in the face, and you are right. That doesn't stop
> you from hurting those users and having them go to another site that
> works for them. On top of that, it ties up your httpds for longer, which
> is never a good thing.
>
> In addition, most of the time the hostnames are not used for anything, so
> going to the extra pain to log them doesn't make much sense. And on
> top of it, unless you enable "Hostnamelookups double" (which does a
> reverse lookup then a forward on what it gets), which are even slower,
> then you can end up with a hostname that is completely useless and gives
> you far less information than the IP address would.
>
> If you don't have any hostname-based access restrictions, then you don't
> get any security from requiring that the reverse DNS is there.
>
> In any case, the default is off and that is for very good reasons.
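
The double lookup discussed in this thread (a reverse lookup, then a forward lookup on the name it returns), sketched in Python as an added example; it is not code from the thread, from Apache or from TCP wrappers. The injectable `reverse`/`forward` parameters and the sample records are assumptions constructed for the example so that it runs offline.

```python
import ipaddress
import socket

# Constructed sample data (documentation address ranges, example.net names).
SAMPLE_PTR = {
    "192.0.2.10": "www.example.net",        # PTR that the forward zone confirms
    "198.51.100.7": "trusted.example.net",  # PTR claiming a name it does not own
}
SAMPLE_A = {
    "www.example.net": ["192.0.2.10"],
    "trusted.example.net": ["192.0.2.20"],
}

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")  # missing or broken reverse DNS
    return SAMPLE_PTR[ip]

def sample_forward(name):
    if name not in SAMPLE_A:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return SAMPLE_A[name]

def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def system_forward(name):
    return [ai[4][0] for ai in socket.getaddrinfo(name, None)]

def verified_hostname(ip, reverse=system_reverse, forward=system_forward):
    """Return the client's hostname only if the double lookup agrees, else None."""
    try:
        want = ipaddress.ip_address(ip)
        name = reverse(ip)        # step 1: address -> name (PTR)
        addrs = forward(name)     # step 2: name -> addresses (A/AAAA)
        got = {ipaddress.ip_address(a) for a in addrs}
    except (OSError, ValueError):
        return None               # any failed lookup means "unverified"
    # The reverse zone is run by whoever holds the address block, so the
    # name counts only if its own forward records point back at the client.
    return name if want in got else None

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", verified_hostname(ip, sample_reverse, sample_forward))
```

With the default system resolvers each call can block for the full resolver timeout when the remote reverse DNS is broken, which is the per-request cost described in the quoted message.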