dns-caveats.html revision 2e0d9ca2c106dc600ecc92fe5203e8fb93b29664
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>Issues Regarding DNS and Apache</title>
<!--#include virtual="header.html" -->
<p>This page could be summarized with the statement: <i>don't require
Apache to use DNS for any parsing of the configuration files</i>.
If Apache has to use DNS to parse the configuration files then your
server may be subject to reliability problems (it might not boot), or
denial and theft of service attacks (including users able to steal hits
from other users).
Consider this configuration snippet:
<pre>
&lt;VirtualHost www.abc.dom&gt;
ServerAdmin webgirl@abc.dom
&lt;/VirtualHost&gt;
</pre>
<p>In order for Apache to function properly it absolutely needs
to have two pieces of information about each virtual host: the
<a href="mod/core.html#servername"><code>ServerName</code></a>
and at least one IP address that the server
responds to. This example does not include the IP address, so Apache
must use DNS to find the address of <code>www.abc.dom</code>. If for
some reason DNS is not available at the time your server is parsing its
config file, then this virtual host <b>will not be configured</b>. It
won't be able to respond to any hits to this virtual host (prior to
Apache version 1.2 the server would not even boot).
<p>Suppose that <code>www.abc.dom</code> has address 10.0.0.1. Then
consider this configuration snippet:
<pre>
&lt;VirtualHost 10.0.0.1&gt;
ServerAdmin webgirl@abc.dom
&lt;/VirtualHost&gt;
</pre>
<p>Now Apache needs to use reverse DNS to find the <code>ServerName</code>
for this virtual host. If that reverse lookup fails then it will partially
disable the virtual host (prior to Apache version 1.2 the server would not
even boot). If the virtual host is name-based then it will effectively
be totally disabled, but if it is IP-based then it will mostly work.
However, if Apache should ever have to generate a full URL for the server
which includes the server name then it will fail to generate a valid URL.
<p>Here is a snippet that avoids both of these problems: the address is
given as an IP literal and the <code>ServerName</code> is explicit, so
neither a forward nor a reverse lookup is needed to configure it.
<pre>
&lt;VirtualHost 10.0.0.1&gt;
ServerName www.abc.dom
ServerAdmin webgirl@abc.dom
&lt;/VirtualHost&gt;
</pre>
<p>There are (at least) two forms that denial of service can come in.
If you are running a version of Apache prior to version 1.2 then your
server will not even boot if one of the two DNS lookups mentioned above
fails for any of your virtual hosts. In some cases this DNS lookup may
not even be under your control. For example, if <code>abc.dom</code>
is one of your customers and they control their own DNS then they
can force your (pre-1.2) server to fail while booting simply by deleting the
<p>Another form is far more insidious. Consider this configuration:
<pre>
&lt;VirtualHost www.abc.dom&gt;
ServerAdmin webgirl@abc.dom
&lt;/VirtualHost&gt;

&lt;VirtualHost www.def.dom&gt;
ServerAdmin webguy@def.dom
&lt;/VirtualHost&gt;
</pre>
<p>Suppose that you've assigned 10.0.0.1 to <code>www.abc.dom</code> and
10.0.0.2 to <code>www.def.dom</code>. Furthermore, suppose that
<code>def.dom</code> has control of their own DNS. With this config
you have put <code>def.dom</code> into a position where they can steal
all traffic destined to <code>abc.dom</code>. To do so, all they have to
do is set <code>www.def.dom</code> to 10.0.0.1.
Since they control their own DNS you can't stop them from pointing the
<code>www.def.dom</code> record wherever they wish.
<p>Requests coming in to 10.0.0.1 (including all those where users typed
in URLs of the form <code>http://www.abc.dom/whatever</code>) will all be
served by the <code>def.dom</code> virtual host. Understanding why
this happens requires a more in-depth discussion of how Apache matches
up incoming requests with the virtual host that will serve them. A rough
document describing this <a href="vhosts-in-depth.html">is available</a>.
<p>The addition of <a href="host.html">non-IP-based virtual host
support</a> in Apache 1.1 requires Apache to know the IP address(es) of
the host that httpd is running on. To get this address it uses either
the global <code>ServerName</code> (if present) or calls the C function
<code>gethostname</code> (which should return the same as typing
"hostname" at the command prompt). Then it performs a DNS lookup on
this name. At present there is no way to avoid this lookup.
<p>If you fear that this lookup might fail because your DNS server is down
then you can insert the hostname in <code>/etc/hosts</code> (where you
probably already have it so that the machine can boot properly). Then
ensure that your machine is configured to use <code>/etc/hosts</code>
in the event that DNS fails. Depending on what OS you are using this
might be accomplished by editing <code>/etc/resolv.conf</code>, or maybe
<p>If your server doesn't have to perform DNS for any other reason
then you might be able to get away with running Apache with the
<code>HOSTRESORDER</code> environment variable set to "local". This all
depends on what OS and resolver libraries you are using. It also affects
CGIs unless you use <a href="mod/mod_env.html"><code>mod_env</code></a>
to control the environment. It's best to consult the man pages or FAQs
<p>Any address that happens to go to your webserver which doesn't match
the IP address of any of the virtual hosts will be served from the "main" or
"default" server configuration. The "main" server configuration consists
of all those definitions appearing outside of any VirtualHost section.
You may want instead to define a <code>&lt;VirtualHost _default_:*&gt;</code>
which returns 403 or 404 for all hits. (The trailing <code>:*</code>
makes it apply to all ports, which is just a safety measure should you
begin using multiple <code><a href="mod/core.html#listen">Listen</a></code>
<h3><a name="tips">Tips to Avoid these problems</a></h3>
<ul>
<li> use IP addresses in <code>&lt;VirtualHost&gt;</code>
<li> use IP addresses in <code>BindAddress</code>
<li> ensure all virtual hosts have an explicit <code>ServerName</code>
<li> create a <code>&lt;VirtualHost _default_:*&gt;</code> server that
 has no pages to serve
</ul>
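<p>The four tips above are mechanical enough to check before restarting
a server. The script below is an added example (it is not part of this
page or of Apache) that lints an <code>httpd.conf</code>-style file for
exactly those patterns: a <code>&lt;VirtualHost&gt;</code> or
<code>BindAddress</code> given as a hostname (forward lookup at startup),
a virtual host without an explicit <code>ServerName</code> (reverse lookup
at startup), and the absence of a <code>_default_</code> catch-all. The
two sample configurations are constructed for the example and mirror the
snippets on this page; the <code>default.invalid</code> name in the
hardened one is a placeholder, not something the page prescribes.

```python
"""Lint an httpd.conf for directives that make Apache resolve names at startup.

Added example, not Apache code.  It flags the four patterns this page
recommends avoiding.  Only IPv4 literals are handled (assumption: the
addr:port syntax is split on the first colon).
"""
import ipaddress
import re

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)
DIRECTIVE = re.compile(r"^(\w+)\s+(.+)$")


def is_address_literal(spec):
    """True when an address spec (addr or addr:port) needs no DNS lookup:
    a dotted-quad IP, '*', or the _default_ pseudo-address."""
    host = spec.partition(":")[0]
    if host in ("*", "_default_"):
        return True
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def lint_config(text):
    """Return a list of (line_number, message) findings; [] means clean."""
    findings = []
    block = None          # [line_no, spec, is_default, has_servername] of the open block
    has_default = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            spec = m.group(1).strip()
            is_default = any(a.startswith("_default_") for a in spec.split())
            has_default = has_default or is_default
            block = [lineno, spec, is_default, False]
            for addr in spec.split():
                if not is_address_literal(addr):
                    findings.append((lineno, f"<VirtualHost {addr}>: hostname, forward DNS lookup at startup"))
            continue
        if VHOST_CLOSE.match(line):
            if block and not block[2] and not block[3]:
                # An IP-based vhost without ServerName makes Apache reverse-resolve
                # the address; a name-based one just takes the name from the argument.
                literal = all(is_address_literal(a) for a in block[1].split())
                why = "reverse DNS lookup at startup" if literal else "name taken from the VirtualHost argument"
                findings.append((block[0], f"<VirtualHost {block[1]}>: no ServerName ({why})"))
            block = None
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "servername" and block:
            block[3] = True
        elif name == "bindaddress" and not is_address_literal(value):
            findings.append((lineno, f"BindAddress {value}: hostname, DNS lookup at startup"))
    if not has_default:
        findings.append((0, "no <VirtualHost _default_:*> catch-all: unmatched addresses reach the main server"))
    return findings


# Constructed sample configs mirroring the snippets on this page.
WEAK_CONFIG = """\
BindAddress www.abc.dom
<VirtualHost www.abc.dom>
ServerAdmin webgirl@abc.dom
</VirtualHost>
<VirtualHost 10.0.0.2>
ServerAdmin webguy@def.dom
</VirtualHost>
"""

HARDENED_CONFIG = """\
BindAddress 10.0.0.1
<VirtualHost 10.0.0.1>
ServerName www.abc.dom
ServerAdmin webgirl@abc.dom
</VirtualHost>
<VirtualHost 10.0.0.2>
ServerName www.def.dom
ServerAdmin webguy@def.dom
</VirtualHost>
<VirtualHost _default_:*>
# placeholder name; no pages to serve, every hit here gets an error page
ServerName default.invalid
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, msg in lint_config(WEAK_CONFIG):
        print(f"line {lineno}: {msg}")
    print("hardened config findings:", lint_config(HARDENED_CONFIG))
```

Run against the weak configuration it reports five findings (the
<code>BindAddress</code> hostname, the name-based vhost, two vhosts
without <code>ServerName</code>, and the missing catch-all); the
hardened one passes clean.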
<p>The situation regarding DNS is highly undesirable. For Apache
1.2 we've attempted to make the server at least continue booting
in the event of failed DNS, but it might not be the best we
can do. In any event requiring the use of explicit IP addresses in
configuration files is highly undesirable in today's Internet where <a
href="http://www.ietf.org/html.charters/pier-charter.html">renumbering
</a> is a necessity.
<p>A possible work around to the theft of service attack described above
would be to perform a reverse DNS lookup on the IP address returned by
the forward lookup and compare the two names. In the event of a mismatch
the virtual host would be disabled. This would require reverse DNS to be
configured properly (which is something that most admins are familiar with
because of the common use of "double-reverse" DNS lookups by FTP servers
and TCP wrappers).
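<p>The following is an added example (not Apache code and not from this
page) that implements the double-reverse check just described and runs it
over the <code>abc.dom</code>/<code>def.dom</code> theft-of-service
scenario from earlier on this page. The zone data is a constructed
in-memory table so the example runs offline: the provider's reverse zone
says 10.0.0.1 belongs to <code>www.abc.dom</code>, while the customer's
hostile <code>www.def.dom</code> record also points at 10.0.0.1. A live
version would replace the table lookups with
<code>socket.gethostbyname()</code> and <code>socket.gethostbyaddr()</code>;
the <code>www.ghi.dom</code> entry is an extra constructed case showing
what happens when the PTR record is simply missing.

```python
"""Double-reverse DNS check for hostname-based <VirtualHost> entries.

Added example, not Apache code.  Resolve the VirtualHost name forward,
reverse-resolve the address that comes back, and disable the virtual host
unless the PTR names the vhost itself.  Lookups come from constructed
tables so the example runs offline.
"""

# Constructed zone data for the theft-of-service scenario on this page.
# The hosting provider runs abc.dom and the reverse zone for 10.0.0.0/24;
# the customer def.dom runs its own DNS and has pointed www.def.dom at
# abc's address instead of its own 10.0.0.2.
FORWARD = {
    "www.abc.dom": "10.0.0.1",
    "www.def.dom": "10.0.0.1",   # hostile record; should be 10.0.0.2
    "www.ghi.dom": "10.0.0.3",   # forward record is fine but no PTR exists
}
REVERSE = {
    "10.0.0.1": "www.abc.dom",
    "10.0.0.2": "www.def.dom",
}


class DnsFailure(Exception):
    """Stands in for a resolver error (NXDOMAIN, timeout, server down)."""


def canonical(name):
    """Normalise a DNS name for comparison: case-insensitive, no trailing dot."""
    return name.lower().rstrip(".")


def lookup_forward(name, table=FORWARD):
    """Name -> address, raising DnsFailure when there is no A record."""
    try:
        return table[canonical(name)]
    except KeyError:
        raise DnsFailure(f"no A record for {name}") from None


def lookup_reverse(addr, table=REVERSE):
    """Address -> name, raising DnsFailure when there is no PTR record."""
    try:
        return table[addr]
    except KeyError:
        raise DnsFailure(f"no PTR record for {addr}") from None


def check_vhost(name, fwd=FORWARD, rev=REVERSE):
    """Resolve one <VirtualHost name> the double-reverse way.

    Returns (address, enabled, reason).  Any lookup failure disables the
    vhost, as does a PTR that names a different host: that is exactly the
    state an attacker creates by pointing their name at someone else's IP.
    """
    try:
        addr = lookup_forward(name, fwd)
    except DnsFailure as exc:
        return None, False, f"forward lookup failed: {exc}"
    try:
        ptr = lookup_reverse(addr, rev)
    except DnsFailure as exc:
        return addr, False, f"reverse lookup failed: {exc}"
    if canonical(ptr) != canonical(name):
        return addr, False, f"forward/reverse mismatch: {name} -> {addr} -> {ptr}"
    return addr, True, "ok"


def configure_vhosts(names, fwd=FORWARD, rev=REVERSE):
    """Run the check over every hostname-based vhost in a config.
    Returns {name: (address, enabled, reason)}."""
    return {name: check_vhost(name, fwd, rev) for name in names}


if __name__ == "__main__":
    for name, (addr, enabled, reason) in configure_vhosts(FORWARD).items():
        state = "enabled " if enabled else "DISABLED"
        print(f"{state} {name:<12} {addr or '-':<9} {reason}")
```

With this data <code>www.abc.dom</code> comes up, <code>www.def.dom</code>
is disabled because 10.0.0.1 reverse-resolves to <code>www.abc.dom</code>,
and <code>www.ghi.dom</code> is disabled for lack of a PTR record. The
check only helps when you, not the customer, control the reverse zone for
your address space; if the customer could also publish the PTR, the two
names would agree and the vhost would be enabled.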
<p>In any event it doesn't seem possible to reliably boot a virtual-hosted
web server when DNS has failed unless IP addresses are used. Partial
solutions such as disabling portions of the configuration might be worse
than not booting at all depending on what the webserver is supposed
<p>As HTTP/1.1 is deployed and browsers and proxies start issuing the
<code>Host</code> header it will become possible to avoid the use of
IP-based virtual hosts entirely. In this event a webserver has no requirement
to do DNS lookups during configuration. But as of March 1997 these
features have not been deployed widely enough to be put into use on
critical webservers.
<!--#include virtual="footer.html" -->