From: Strata Rose Chalup (email@example.com)
Date: Mon Apr 17 2000 - 12:30:09 PDT
Very true, and a good catch. Domain based security is a good oxymoron
candidate in most (not *all*) situations, though.
Given DNS spoofing attacks, I would not expect most sites to rely on
domains as a security measure. For a site which seeks to regulate
access by business partners, departments, divisions, etc, using domain
or subdomain info could work very well. Of course, "domain security" is
only as secure as the DHCP-served jacks in the conference room off the
lobby at many sites.
If one truly had to have this, an Apache extension or Netscape
Enterprise plug-in could be written to extend the .htaccess validation
to check an arbitrarily-refreshed table of domain to IP references. For
domains or subdomains that correspond nicely to a CIDR block *and* have
reasonable physical security for hooking up to the wire itself, this
would be a good compromise. For large, changing domains such as
universities, I would not recommend that approach.
Of course, if you have the best-case solution of caring only about one
or more domains that use small numbers of proxies to route web requests
to you, just say "the Hack with It" and put their proxies and FQDNs into
your host table, slash your /etc/nsswitch.conf file to say notfound =
return after "hosts: files" and be done/be damned with it.
Not scaleable, not recommended, but better than either being wide-open
or putting up with the reverse lookup on everything. If you care, for
later, you can just post-analyze your logs with any of the zillions of
little perl scripts whirling by on various net.eddies.
Joe Touch wrote:
> Rohit Khare wrote:
> > http://patrick.net/wpt/index.html
> > http://web.oreilly.com/news/webperf_1098.html
> > Patrick's Top-Ten Web Tuning Tips and Tricks
> > by Patrick Killelea, author of Web Performance Tuning
> > ------------------------------------------------------------------------
> > While there are literally thousands of things you can do to help web
> > performance, here are Patrick's top ten:
> > 1. Make sure reverse DNS lookups are turned off in your web server.
> > Reverse DNS maps IP numbers to machine names in the web servers logs
> > and in CGI programs. CGI's can do the lookup themselves if they need
> > to and you can use log analysis programs to fill in names in the log
> > files later. Reverse DNS just slows you down if you do it for each
> > request.
> This means you cannot have domain-based security, e.g., .htaccess
> If you do, any access to that directory or below will result in a
> reverse lookup.
-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Strata Rose Chalup [firstname.lastname@example.org] | email@example.com Project Manager | VirtualNet Consulting iPlanet/Netscape Professional Services | http://www.virtual.net/ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This archive was generated by hypermail 2b29 : Mon Apr 17 2000 - 12:29:28 PDT