11.8 Disabling DNS Resolution
You should make sure that your
httpd.conf file has this setting:
HostnameLookups Off
This is the default.
If this directive is set to On (or even worse,
Double), Apache will try to use DNS resolution to
translate the client's IP address into its hostname
for every single request.
The problem is that there are many servers with broken reverse DNS,
which means that resolution will never succeed, but it might take a
significant time for the lookup attempt to time out. The web page
will not be served before the lookup has either succeeded or timed
out, because it's assumed that if you have this
feature enabled you want to know the hostname from which the request
came. Consequently Apache won't run any script or
handler until the lookup attempt has concluded.
Moreover, you can end up with a hostname that is completely useless
and gives you far less information than the IP address would. To
avoid this problem you can enable:
HostnameLookups Double
which does a reverse lookup, then a forward lookup on what it gets to
make sure that the IP address is not being spoofed. However, this
double lookup makes it even slower.
If you need DNS names in some CGI script or handler, you should use
gethostbyname() or its equivalents.
In addition to having HostnameLookups turned off,
you should avoid using hostname-based access control and use IP-based
access control instead. If you have a setting like this:
<Location /perl-status>
...
Order deny,allow
Deny from all
Allow from www.example.com
</Location>
the server will have to perform a double reverse DNS lookup for each
incoming IP address to make sure it matches the domain name listed in
the Allow directive and is not being spoofed. Of
course, in our example this will happen only for requests for URIs
starting with /perl-status.
This is another way to do the authorization based on the IP address:
<Location /perl-status>
...
Order deny,allow
Deny from all
Allow from 128.9.176.32
</Location>
Note that since some IP addresses map to multiple hosts (multiple
CNAME records), this solution will not always do what you want.
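To make the double lookup concrete, here is an added Python example (not from the book or from Apache) of the reverse-then-forward check that HostnameLookups Double and a hostname-based Allow perform, with a constructed offline resolver so it runs without real DNS; 203.0.113.7 and 192.0.2.1 are made-up sample addresses, and the name/function names are mine.

```python
import socket
from typing import Callable, Iterable, Optional

# Resolver callbacks so the check can run offline against constructed data;
# the defaults use the system resolver, where the timeouts described above occur.
ReverseFn = Callable[[str], str]            # ip -> hostname (PTR)
ForwardFn = Callable[[str], Iterable[str]]  # hostname -> addresses (A)

def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]

def system_forward(host: str) -> Iterable[str]:
    return socket.gethostbyname_ex(host)[2]

def double_reverse_lookup(ip: str, reverse: ReverseFn = system_reverse,
                          forward: ForwardFn = system_forward) -> Optional[str]:
    """Reverse-resolve ip, then forward-resolve the result and accept the
    name only if it maps back to ip (what HostnameLookups Double and a
    hostname-based Allow do). Returns None for broken or spoofed PTRs."""
    try:
        name = reverse(ip)
        addrs = set(forward(name))
    except OSError:  # socket.herror / socket.gaierror: no or broken DNS
        return None
    return name if ip in addrs else None

def allowed_by_hostname(ip: str, allowed: str, reverse: ReverseFn = system_reverse,
                        forward: ForwardFn = system_forward) -> bool:
    """Equivalent of 'Allow from <hostname>' (exact-name match only)."""
    name = double_reverse_lookup(ip, reverse, forward)
    return name is not None and name.lower() == allowed.lower()

# Constructed sample records (hypothetical, not real DNS data):
FAKE_PTR = {"128.9.176.32": "www.example.com",
            "203.0.113.7": "www.example.com"}  # PTR claims a name it does not own
FAKE_A = {"www.example.com": ["128.9.176.32"]}

def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")  # broken reverse DNS
    return FAKE_PTR[ip]

def fake_forward(host: str) -> Iterable[str]:
    if host not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[host]

if __name__ == "__main__":
    for ip in ("128.9.176.32", "203.0.113.7", "192.0.2.1"):
        print(ip, "->", double_reverse_lookup(ip, fake_reverse, fake_forward))
```

Only the first address survives the check: the second has a PTR record pointing at a name whose A record does not include it, and the third has no reverse DNS at all, which is the case where a real resolver would stall the request until the lookup times out.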