dns-caveats.html revision 091caae3b2ebdb760c98575d0d5e349cd686f913
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML><HEAD>
<TITLE>Issues Regarding DNS and Apache</TITLE>
</HEAD>

<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#000080"
 ALINK="#FF0000"
>
<!--#include virtual="header.html" -->
<H1 ALIGN="CENTER">Issues Regarding DNS and Apache</H1>

<P>This page could be summarized with the statement: <EM>don't require
Apache to use DNS for any parsing of the configuration files</EM>.
If Apache has to use DNS to parse the configuration files then your
server may be subject to reliability problems (it might not boot), or
denial and theft of service attacks (including users able to steal hits
from other users).

<H3>A Simple Example</H3>

Consider this configuration snippet:

<BLOCKQUOTE><PRE>
 &lt;VirtualHost www.abc.dom&gt;
 ServerAdmin webgirl@abc.dom
 DocumentRoot /www/abc
 &lt;/VirtualHost&gt;
</PRE></BLOCKQUOTE>

<P>In order for Apache to function properly it absolutely needs
to have two pieces of information about each virtual host: the
<A HREF="mod/core.html#servername"><CODE>ServerName</CODE></A>
and at least one IP address that the server
responds to. This example does not include the IP address, so Apache
must use DNS to find the address of <CODE>www.abc.dom</CODE>. If for
some reason DNS is not available at the time your server is parsing its
config file, then this virtual host <STRONG>will not be configured</STRONG>. The
server won't be able to respond to any hits for this virtual host (prior to
Apache version 1.2 the server would not even boot).

<P>Suppose that <CODE>www.abc.dom</CODE> has address 10.0.0.1. Then
consider this configuration snippet:

<BLOCKQUOTE><PRE>
 &lt;VirtualHost 10.0.0.1&gt;
 ServerAdmin webgirl@abc.dom
 DocumentRoot /www/abc
 &lt;/VirtualHost&gt;
</PRE></BLOCKQUOTE>

<P>Now Apache needs to use reverse DNS to find the <CODE>ServerName</CODE>
for this virtual host. If that reverse lookup fails then it will partially
disable the virtual host (prior to Apache version 1.2 the server would not
even boot). If the virtual host is name-based then it will effectively
be totally disabled, but if it is IP-based then it will mostly work.
However, if Apache should ever have to generate a full URL for the server
which includes the server name then it will fail to generate a valid URL.

<P>Here is a snippet that avoids both of these problems.

<BLOCKQUOTE><PRE>
 &lt;VirtualHost 10.0.0.1&gt;
 ServerName www.abc.dom
 ServerAdmin webgirl@abc.dom
 DocumentRoot /www/abc
 &lt;/VirtualHost&gt;
</PRE></BLOCKQUOTE>

<H3>Denial of Service</H3>

<P>There are (at least) two forms that denial of service can come in.
If you are running a version of Apache prior to version 1.2 then your
server will not even boot if one of the two DNS lookups mentioned above
fails for any of your virtual hosts. In some cases this DNS lookup may
not even be under your control. For example, if <CODE>abc.dom</CODE>
is one of your customers and they control their own DNS then they
can force your (pre-1.2) server to fail while booting simply by deleting the
<CODE>www.abc.dom</CODE> record.

<P>Another form is far more insidious. Consider this configuration
snippet:

<BLOCKQUOTE><PRE>
 &lt;VirtualHost www.abc.dom&gt;
 ServerAdmin webgirl@abc.dom
 DocumentRoot /www/abc
 &lt;/VirtualHost&gt;
</PRE></BLOCKQUOTE>

<BLOCKQUOTE><PRE>
 &lt;VirtualHost www.def.dom&gt;
 ServerAdmin webguy@def.dom
 DocumentRoot /www/def
 &lt;/VirtualHost&gt;
</PRE></BLOCKQUOTE>

<P>Suppose that you've assigned 10.0.0.1 to <CODE>www.abc.dom</CODE> and
10.0.0.2 to <CODE>www.def.dom</CODE>. Furthermore, suppose that
<CODE>def.dom</CODE> has control of their own DNS. With this config
you have put <CODE>def.dom</CODE> into a position where they can steal
all traffic destined to <CODE>abc.dom</CODE>. To do so, all they have to
do is set <CODE>www.def.dom</CODE> to 10.0.0.1.
Since they control their own DNS you can't stop them from pointing the
<CODE>www.def.dom</CODE> record wherever they wish.

<P>Requests coming in to 10.0.0.1 (including all those where users typed
in URLs of the form <CODE>http://www.abc.dom/whatever</CODE>) will all be
served by the <CODE>def.dom</CODE> virtual host. To better understand why
this happens requires a more in-depth discussion of how Apache matches
up incoming requests with the virtual host that will serve them. A rough
document describing this <A HREF="vhosts/details.html">is available</A>.

<H3>The "main server" Address</H3>

<P>The addition of <A HREF="vhosts/name-based.html">name-based virtual host
support</A> in Apache 1.1 requires Apache to know the IP address(es) of
the host that httpd is running on. To get this address it uses either
the global <CODE>ServerName</CODE> (if present) or calls the C function
<CODE>gethostname</CODE> (which should return the same as typing
"hostname" at the command prompt). Then it performs a DNS lookup on
this name. At present there is no way to avoid this lookup.

<P>If you fear that this lookup might fail because your DNS server is down
then you can insert the hostname in <CODE>/etc/hosts</CODE> (where you
probably already have it so that the machine can boot properly). Then
ensure that your machine is configured to use <CODE>/etc/hosts</CODE>
in the event that DNS fails. Depending on what OS you are using this
might be accomplished by editing <CODE>/etc/resolv.conf</CODE>, or maybe
<CODE>/etc/nsswitch.conf</CODE> (where a line such as
<CODE>hosts: files dns</CODE> consults <CODE>/etc/hosts</CODE> before DNS).

<P>If your server doesn't have to perform DNS for any other reason
then you might be able to get away with running Apache with the
<CODE>HOSTRESORDER</CODE> environment variable set to "local". This all
depends on what OS and resolver libraries you are using. It also affects
CGIs unless you use <A HREF="mod/mod_env.html"><CODE>mod_env</CODE></A>
to control the environment. It's best to consult the man pages or FAQs
for your OS.

<H3><A NAME="tips">Tips to Avoid these problems</A></H3>

<UL>
<LI> use IP addresses in <CODE>&lt;VirtualHost&gt;</CODE>
<LI> use IP addresses in <CODE>Listen</CODE>
<LI> use IP addresses in <CODE>BindAddress</CODE>
<LI> ensure all virtual hosts have an explicit <CODE>ServerName</CODE>
<LI> create a <CODE>&lt;VirtualHost _default_:*&gt;</CODE> server that
 has no pages to serve
</UL>

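<P>The first four tips above, and the two failure cases in the "Simple
Example" section, can be checked mechanically before the server is started.
The following script is an added example written for this page; it is not
part of Apache or of its documentation. It scans an httpd.conf-style file for
<CODE>&lt;VirtualHost&gt;</CODE>, <CODE>Listen</CODE> and <CODE>BindAddress</CODE>
arguments that are hostnames rather than IP literals (which force a forward
lookup at parse time) and for virtual hosts with no explicit
<CODE>ServerName</CODE> (which force a reverse lookup). The sample
configuration embedded in it is constructed from the snippets on this page,
and the function and variable names are this example's own.

```python
"""Audit an Apache 1.x-style configuration for directives that force a DNS
lookup while the configuration is being parsed (added example for this page)."""
import ipaddress
import re

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def needs_dns(token):
    """True if Apache would have to resolve 'token' with DNS at startup.

    IP literals (optionally with :port), '*', '_default_' and a bare port
    number (as in 'Listen 80') need no lookup; anything else is a hostname.
    """
    if token.isdigit():
        return False
    host = token
    if host.startswith("[") and "]" in host:      # [v6addr]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                     # addr:port
        host = host.split(":", 1)[0]
    if host in ("*", "_default_"):
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def audit_config(text):
    """Return [(line_no, message)] for every DNS-dependent directive in 'text'."""
    findings = []
    vhost_line = None        # line number of the open <VirtualHost> block, if any
    has_servername = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            vhost_line, has_servername = n, False
            for addr in m.group(1).split():
                if needs_dns(addr):
                    findings.append((n, f"<VirtualHost {addr}>: forward DNS lookup at startup"))
            continue
        if VHOST_CLOSE.match(line):
            if vhost_line is not None and not has_servername:
                findings.append((vhost_line, "VirtualHost without explicit ServerName: reverse DNS lookup at startup"))
            vhost_line = None
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].split()[0] if len(parts) > 1 and parts[1].split() else ""
        if name == "servername" and vhost_line is not None:
            has_servername = True
        elif name in ("listen", "bindaddress") and value and needs_dns(value):
            findings.append((n, f"{parts[0]} {value}: DNS lookup at startup"))
    return findings


# Constructed sample built from the snippets on this page: the first two
# virtual hosts exhibit the problems, the third is the safe form.
SAMPLE_CONF = """\
Listen 80
BindAddress www.abc.dom
<VirtualHost www.abc.dom>
    ServerAdmin webgirl@abc.dom
    DocumentRoot /www/abc
</VirtualHost>
<VirtualHost 10.0.0.1>
    ServerAdmin webgirl@abc.dom
    DocumentRoot /www/abc
</VirtualHost>
<VirtualHost 10.0.0.1>
    ServerName www.abc.dom
    ServerAdmin webgirl@abc.dom
    DocumentRoot /www/abc
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, msg in audit_config(SAMPLE_CONF):
        print(f"line {line_no}: {msg}")
```

<P>Run against the sample it reports the <CODE>BindAddress</CODE> hostname,
the hostname in the first <CODE>&lt;VirtualHost&gt;</CODE>, and the missing
<CODE>ServerName</CODE> in the first two virtual hosts; the third virtual
host, which matches the safe snippet above, produces no finding. The check
is deliberately conservative: it treats anything that is not an IP literal,
<CODE>*</CODE>, <CODE>_default_</CODE> or a bare port as a name that DNS
must resolve.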
<H3>Appendix: Future Directions</H3>

<P>The situation regarding DNS is highly undesirable. For Apache
1.2 we've attempted to make the server at least continue booting
in the event of failed DNS, but it might not be the best we
can do. In any event requiring the use of explicit IP addresses in
configuration files is highly undesirable in today's Internet where <A
HREF="http://www.ietf.org/html.charters/pier-charter.html">renumbering
</A> is a necessity.

<P>A possible workaround to the theft of service attack described above
would be to perform a reverse DNS lookup on the IP address returned by
the forward lookup and compare the two names. In the event of a mismatch
the virtual host would be disabled. This would require reverse DNS to be
configured properly (which is something that most admins are familiar with
because of the common use of "double-reverse" DNS lookups by FTP servers
and TCP wrappers).

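<P>The double-reverse check described above, as an added example that is not
part of Apache or of this page's original text. The constructed zone data
reproduces the theft-of-service scenario: <CODE>www.def.dom</CODE> has been
pointed at <CODE>abc.dom</CODE>'s address 10.0.0.1, whose PTR record still
names <CODE>www.abc.dom</CODE>. The fake resolver functions, the
<CODE>real_forward</CODE>/<CODE>real_reverse</CODE> wrappers around the
system resolver, and the <CODE>check_vhost</CODE> function are this example's
own names; the live wrappers are provided so the same check can be run against
real DNS but are not exercised by the demo.

```python
"""Double-reverse check for a virtual host name (added example for this page).

A name is accepted only if every address its forward lookup yields has a
PTR record that maps back to the same name."""
import socket

# Constructed zone data standing in for the theft-of-service scenario on this
# page: def.dom's administrator has pointed www.def.dom at abc.dom's 10.0.0.1.
FAKE_A = {
    "www.abc.dom": ["10.0.0.1"],
    "www.def.dom": ["10.0.0.1"],
    "www.ghi.dom": ["10.0.0.3"],
}
FAKE_PTR = {"10.0.0.1": "www.abc.dom"}     # 10.0.0.3 deliberately has no PTR


def fake_forward(name):
    """A-record lookup against the constructed data; [] means lookup failure."""
    return FAKE_A.get(name, [])


def fake_reverse(ip):
    """PTR lookup against the constructed data; None means no PTR."""
    return FAKE_PTR.get(ip)


def real_forward(name):
    """Live A-record lookup via the system resolver (not used by the demo)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def real_reverse(ip):
    """Live PTR lookup via the system resolver (not used by the demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _canon(name):
    """Normalise a DNS name for comparison: case-insensitive, no trailing dot."""
    return name.lower().rstrip(".")


def check_vhost(name, forward=real_forward, reverse=real_reverse):
    """Return (enabled, addresses, reason) for a <VirtualHost name> entry.

    enabled is False whenever the forward lookup fails, an address has no PTR,
    or the PTR names a different host; the caller then disables the virtual host
    instead of binding it to an address another customer may have hijacked.
    """
    ips = forward(name)
    if not ips:
        return False, [], "forward lookup failed"
    for ip in ips:
        ptr = reverse(ip)
        if ptr is None:
            return False, ips, f"no PTR for {ip}"
        if _canon(ptr) != _canon(name):
            return False, ips, f"PTR for {ip} is {ptr}, not {name}"
    return True, ips, "ok"


if __name__ == "__main__":
    for host in ("www.abc.dom", "www.def.dom", "www.ghi.dom", "www.xyz.dom"):
        print(host, check_vhost(host, fake_forward, fake_reverse))
```

<P>With the constructed data <CODE>www.abc.dom</CODE> passes,
<CODE>www.def.dom</CODE> is rejected because the PTR for 10.0.0.1 names
<CODE>www.abc.dom</CODE>, <CODE>www.ghi.dom</CODE> is rejected for having no
PTR, and an unknown name is rejected because the forward lookup fails. Note
what this does and does not buy you: the check relies on the reverse zone for
the address block, which the hosting provider rather than the customer
normally controls, so a customer cannot forge it by editing their own zone;
but it adds a second DNS dependency at startup, so it helps against theft of
service, not against the outage case.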
<P>In any event it doesn't seem possible to reliably boot a virtual-hosted
web server when DNS has failed unless IP addresses are used. Partial
solutions such as disabling portions of the configuration might be worse
than not booting at all depending on what the webserver is supposed
to accomplish.

<P>As HTTP/1.1 is deployed and browsers and proxies start issuing the
<CODE>Host</CODE> header it will become possible to avoid the use of
IP-based virtual hosts entirely. In this event a webserver has no requirement
to do DNS lookups during configuration. But as of March 1997 these
features have not been deployed widely enough to be put into use on
critical webservers.

<!--#include virtual="footer.html" -->
</BODY>
</HTML>
