Apache HTTP Server Version 1.3

Issues Regarding DNS and Apache

This page could be summarized with the statement: don't require Apache to use DNS for any parsing of the configuration files. If Apache has to use DNS to parse the configuration files then your server may be subject to reliability problems (it might not boot), or denial and theft of service attacks (including users able to steal hits from other users).

A Simple Example

Consider this configuration snippet:

    <VirtualHost www.abc.dom>
    ServerAdmin webgirl@abc.dom
    DocumentRoot /www/abc
    </VirtualHost>

In order for Apache to function properly it absolutely needs to have two pieces of information about each virtual host: the

Suppose that

    <VirtualHost 10.0.0.1>
    ServerAdmin webgirl@abc.dom
    DocumentRoot /www/abc
    </VirtualHost>

Now Apache needs to use reverse DNS to find the

Here is a snippet that avoids both of these problems.

    <VirtualHost 10.0.0.1>
    ServerName www.abc.dom
    ServerAdmin webgirl@abc.dom
    DocumentRoot /www/abc
    </VirtualHost>

Denial of Service

There are (at least) two forms that denial of service can come in.

If you are running a version of Apache prior to version 1.2 then your server will not even boot if one of the two DNS lookups mentioned above fails for any of your virtual hosts. In some cases this DNS lookup may not even be under your control. For example, if

Another form is far more insidious. Consider this configuration snippet:

    <VirtualHost www.abc.dom>
    ServerAdmin webgirl@abc.dom
    DocumentRoot /www/abc
    </VirtualHost>

    <VirtualHost www.def.dom>
    ServerAdmin webguy@def.dom
    DocumentRoot /www/def
    </VirtualHost>

Suppose that you've assigned 10.0.0.1 to

Requests coming in to 10.0.0.1 (including all those where users typed in URLs of the form

The "main server" Address

The addition of name-based virtual host support in Apache 1.1 requires Apache to know the IP address(es) of the host that httpd is running on. To get this address it uses either the global

If you fear that this lookup might fail because your DNS server is down then you can insert the hostname in

If your server doesn't have to perform DNS for any other reason then you might be able to get away with running Apache with the

Tips to Avoid these problems

Appendix: Future Directions

The situation regarding DNS is highly undesirable. For Apache 1.2 we've attempted to make the server at least continue booting in the event of failed DNS, but it might not be the best we can do. In any event, requiring the use of explicit IP addresses in configuration files is highly undesirable in today's Internet, where renumbering is a necessity.

A possible workaround to the theft of service attack described above would be to perform a reverse DNS lookup on the IP address returned by the forward lookup and compare the two names. In the event of a mismatch the VirtualHost would be disabled. This would require reverse DNS to be configured properly (which is something that most admins are familiar with because of the common use of "double-reverse" DNS lookups by FTP servers and TCP wrappers).

In any event it doesn't seem possible to reliably boot a virtual-hosted web server when DNS has failed unless IP addresses are used. Partial solutions such as disabling portions of the configuration might be worse than not booting at all, depending on what the web server is supposed to accomplish.

As HTTP/1.1 is deployed and browsers and proxies start issuing the
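The double-reverse check proposed in the appendix, combined with the rewrite to the `<VirtualHost IP>` plus `ServerName` form recommended in the simple example, as an added example that is not part of the Apache documentation: it audits a constructed httpd.conf fragment against constructed forward (A) and reverse (PTR) tables standing in for a resolver, so it runs offline; the function names and the lookup dictionaries are assumptions, not Apache's own code.

```python
import re

# Constructed httpd.conf fragment modelled on this page's snippets, not a real config.
SAMPLE_CONF = """\
<VirtualHost www.abc.dom>
DocumentRoot /www/abc
</VirtualHost>
<VirtualHost www.def.dom>
DocumentRoot /www/def
</VirtualHost>
"""

# Constructed DNS data standing in for forward (A) and reverse (PTR) lookups.
# www.def.dom is the theft-of-service case: its owner pointed it at abc.dom's address.
FORWARD = {"www.abc.dom": "10.0.0.1", "www.def.dom": "10.0.0.1"}
REVERSE = {"10.0.0.1": "www.abc.dom"}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)>", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def check_vhost(addr, forward=FORWARD, reverse=REVERSE):
    """Classify one <VirtualHost> argument: 'ok' (literal IP, no lookup needed),
    'unresolvable' (forward lookup fails; pre-1.2 the server would not boot),
    'mismatch' (PTR of the resolved IP names another host: disable it), or
    'dns-dependent' (consistent, but still needs DNS at boot)."""
    if IPV4_RE.match(addr):
        return "ok", addr
    ip = forward.get(addr)
    if ip is None:
        return "unresolvable", addr
    back = reverse.get(ip)
    if back != addr:
        return "mismatch", f"{addr} -> {ip} -> {back}"
    return "dns-dependent", f"{addr} -> {ip}"

def audit(conf, forward=FORWARD, reverse=REVERSE):
    """Map every <VirtualHost> argument in conf to its classification."""
    return {a: check_vhost(a, forward, reverse) for a in VHOST_RE.findall(conf)}

def pin_vhost(conf, forward=FORWARD, reverse=REVERSE):
    """Rewrite consistent hostname openers to <VirtualHost IP> + ServerName, the
    form this page recommends; mismatching or unresolvable hosts are left as-is."""
    def repl(m):
        addr = m.group(1)
        if check_vhost(addr, forward, reverse)[0] != "dns-dependent":
            return m.group(0)
        return f"<VirtualHost {forward[addr]}>\nServerName {addr}"
    return VHOST_RE.sub(repl, conf)
```

Running `audit(SAMPLE_CONF)` flags www.def.dom as a mismatch (it resolves to an address whose PTR names www.abc.dom), and `pin_vhost` rewrites only the consistent host, leaving the suspect block for an administrator to review.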