I gotta read messages all the way down before I respond.. Duh. You said
they were off and I told you to turn them off. That's probably at least
three demerits for me.

Anyway, unless you have an extremely busy server, those lookups are
generally not that expensive. For instance, I run TCP wrappers on all my
inetd monitored ports on all my machines, and I run in paranoid mode (looks
up once to get the name and then looks up the name to make sure it gets
that same address back -- makes spoofing harder). This includes just about
everything but sendmail and httpd. Even the pop and imap ports are
wrapped. The impact is negligible.

As far as the access rule, if the number of IP networks in question makes
doing access control by IP address too cumbersome, I suggest you install a
local cache only name server (only configured with the cache and loopback
files). Since it caches addresses (as all name servers do), you'll spend
somewhat less time in name lookups. If it's only your own domain you want
in, but it's still too cumbersome to do by IP, make the server a secondary
server for those addresses and set it up to do non-recursive lookups. That
means that if it can't resolve the address itself, it sends back an error
-- it doesn't go out to the net. I presume that apache, at that point,
will deny access.

Hope this is more useful than my last response.

-- Rob

--On Thursday, June 08, 2000 1:17 PM -0400 "Paul G. Weiss"
<[EMAIL PROTECTED]> wrote:
> Usually this is a result of an access rule:
>
> deny from all
> allow from *.mydomain.com
>
> When this happens Apache needs to do a lookup on
> the name even though you specified HostnameLookups
> off.
>
> I don't know what mod_perl would have had to do with
> it unless the installation modified your httpd.conf
> file.
>
> -Paul
>
>
> -----Original Message-----
> From: David Brown [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 08, 2000 11:08 AM
> To: [EMAIL PROTECTED]
> Subject: DNS Lookups ? huh ?
>
>
> Since upgrading to the latest version of mod_perl I've noticed that I get
> remote host names appearing in my access logs rather than IP addresses (in
> 80% of entries).
>
> My concern is that my machine is trying to perform DNS lookups, and the
> subsequent load it may add.
>
> My httpd.conf has-> HostnameLookups Off
>
> Could it just be that many browsers are supplying their remote host in
> their request .. if so, why have I not seen it before ?
>
> None of my scripts query $REMOTE..... values.
>
> Perhaps my recompilation of Apache triggered something I'd not had enabled
> before.
>
>
QUIDQUID LATINE DICTUM SIT, PROFUNDUM VIDITUR
(Whatever is said in Latin appears profound)
Rob Tanner
McMinnville, Oregon
[EMAIL PROTECTED]
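
The paranoid double lookup Rob describes (address to name, then name back to address) combined with the hostname-based allow rule Paul quotes, as an added example that is not part of the original thread and is not tcpd's or Apache's own code. The function names and the sample PTR/A records are constructed for illustration; omit the resolver arguments to use the system resolver.

```python
import ipaddress
import socket

def _sys_reverse(ip):
    return socket.gethostbyaddr(ip)[0]                          # PTR lookup

def _sys_forward(name):
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}  # A/AAAA lookup

def paranoid_lookup(ip, reverse=_sys_reverse, forward=_sys_forward):
    """Return (name, verified); verified only if the name maps back to ip."""
    try:
        name = reverse(ip).rstrip(".").lower()
    except OSError:                  # no PTR record or resolver failure
        return None, False
    try:
        addrs = {ipaddress.ip_address(a) for a in forward(name)}
    except (OSError, ValueError):    # claimed name does not resolve forward
        return name, False
    return name, ipaddress.ip_address(ip) in addrs

def allow_from_domain(ip, domain, **resolvers):
    """Hostname-based allow rule: the verified name must lie inside domain."""
    name, verified = paranoid_lookup(ip, **resolvers)
    domain = domain.lstrip("*.").lower()
    # Match on a label boundary so "evilmydomain.com" does not pass.
    return verified and (name == domain or name.endswith("." + domain))

# Constructed sample records (documentation address ranges), not real DNS data.
# 203.0.113.7 has a PTR claiming to be inside mydomain.com, but the forward
# zone for that name points elsewhere: the case paranoid mode rejects.
PTR = {"192.0.2.10": "www.mydomain.com",
       "203.0.113.7": "trusted.mydomain.com",
       "198.51.100.5": "host.example.net"}
A = {"www.mydomain.com": {"192.0.2.10"},
     "trusted.mydomain.com": {"192.0.2.20"},
     "host.example.net": {"198.51.100.5"}}

def fake_reverse(ip):
    if ip not in PTR:
        raise OSError("no PTR record")
    return PTR[ip]

def fake_forward(name):
    if name not in A:
        raise OSError("name not found")
    return A[name]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.5", "198.51.100.99"):
        ok = allow_from_domain(ip, "*.mydomain.com",
                               reverse=fake_reverse, forward=fake_forward)
        print(ip, paranoid_lookup(ip, fake_reverse, fake_forward), ok)
```

Each decision costs two DNS queries per new client address, which is why a local caching name server reduces the lookup time discussed above.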