docs/manual/dns-caveats.xml - httpd - Git at Google

 <?xml version="1.0" encoding="UTF-8" ?>
 <!DOCTYPE manualpage SYSTEM "./style/manualpage.dtd">
 <?xml-stylesheet type="text/xsl" href="./style/manual.en.xsl"?>
 <!-- $LastChangedRevision$ -->

 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
 -->

 <manualpage metafile="dns-caveats.xml.meta">

   <title>Issues Regarding DNS and Apache HTTP Server</title>

   <summary>
     <p>This page could be summarized with the statement: don't
     configure Apache HTTP Server in such a way that it relies on DNS resolution
     for parsing of the configuration files. If httpd requires DNS
     resolution to parse the configuration files then your server
     may be subject to reliability problems (ie. it might not start up),
     or denial and theft of service attacks (including virtual hosts able
     to steal hits from other virtual hosts).</p>
   </summary>

   <section id="example">
     <title>A Simple Example</title>

     <highlight language="config">
 # This is a misconfiguration example, do not use on your server
 &lt;VirtualHost www.example.dom&gt;
   ServerAdmin webgirl@example.dom
   DocumentRoot "/www/example"
 &lt;/VirtualHost&gt;
     </highlight>

     <p>In order for the server to function properly, it absolutely needs
     to have two pieces of information about each virtual host: the
     <directive module="core">ServerName</directive> and at least one
     IP address that the server will bind and respond to. The above
     example does not include the IP address, so httpd must use DNS
     to find the address of <code>www.example.dom</code>. If for some
     reason DNS is not available at the time your server is parsing
     its config file, then this virtual host <strong>will not be
     configured</strong>. It won't be able to respond to any hits
     to this virtual host.</p>

     <p>Suppose that <code>www.example.dom</code> has address 192.0.2.1.
     Then consider this configuration snippet:</p>

     <highlight language="config">
 # This is a misconfiguration example, do not use on your server
 &lt;VirtualHost 192.0.2.1&gt;
   ServerAdmin webgirl@example.dom
   DocumentRoot "/www/example"
 &lt;/VirtualHost&gt;
     </highlight>

     <p>This time httpd needs to use reverse DNS to find the
     <code>ServerName</code> for this virtualhost. If that reverse
     lookup fails then it will partially disable the virtualhost.
     If the virtual host is name-based then it will effectively be
     totally disabled, but if it is IP-based then it will mostly
     work. However, if httpd should ever have to generate a full
     URL for the server which includes the server name (such as when a
     Redirect is issued), then it will fail to generate a valid URL.</p>

     <p>Here is a snippet that avoids both of these problems:</p>

     <highlight language="config">
 &lt;VirtualHost 192.0.2.1&gt;
   ServerName www.example.dom
   ServerAdmin webgirl@example.dom
   DocumentRoot "/www/example"
 &lt;/VirtualHost&gt;
     </highlight>
   </section>

   <section id="denial">
     <title>Denial of Service</title>

     <p>Consider this configuration snippet:</p>

     <highlight language="config">
 &lt;VirtualHost www.example1.dom&gt;
   ServerAdmin webgirl@example1.dom
   DocumentRoot "/www/example1"
 &lt;/VirtualHost&gt;
 &lt;VirtualHost www.example2.dom&gt;
   ServerAdmin webguy@example2.dom
   DocumentRoot "/www/example2"
 &lt;/VirtualHost&gt;
     </highlight>

     <p>Suppose that you've assigned 192.0.2.1 to
     <code>www.example1.dom</code> and 192.0.2.2 to
     <code>www.example2.dom</code>. Furthermore, suppose that
     <code>example1.dom</code> has control of their own DNS. With this
     config you have put <code>example1.dom</code> into a position where
     they can steal all traffic destined to <code>example2.dom</code>. To
     do so, all they have to do is set <code>www.example1.dom</code> to
     192.0.2.2. Since they control their own DNS you can't stop them
     from pointing the <code>www.example1.dom</code> record wherever they
     wish.</p>

     <p>Requests coming in to 192.0.2.2 (including all those where
     users typed in URLs of the form
     <code>http://www.example2.dom/whatever</code>) will all be served by
     the <code>example1.dom</code> virtual host. To better understand why
     this happens requires a more in-depth discussion of how httpd
     matches up incoming requests with the virtual host that will
     serve it. A rough document describing this <a
     href="vhosts/details.html">is available</a>.</p>
   </section>

   <section id="main">
     <title>The "main server" Address</title>

     <p><a href="vhosts/name-based.html">Name-based
     virtual host support</a> requires httpd to know
     the IP address(es) of the host that <program>httpd</program>
     is running on. To get this address it uses either the global
     <directive module="core">ServerName</directive>
     (if present) or calls the C function <code>gethostname</code>
     (which should return the same as typing "hostname" at the
     command prompt). Then it performs a DNS lookup on this address.
     At present there is no way to avoid this lookup.</p>

     <p>If you fear that this lookup might fail because your DNS
     server is down then you can insert the hostname in
     <code>/etc/hosts</code> (where you probably already have it so
     that the machine can boot properly). Then ensure that your
     machine is configured to use <code>/etc/hosts</code> in the
     event that DNS fails. Depending on what OS you are using this
     might be accomplished by editing <code>/etc/resolv.conf</code>,
     or maybe <code>/etc/nsswitch.conf</code>.</p>

     <p>If your server doesn't have to perform DNS for any other
     reason then you might be able to get away with running httpd
     with the <code>HOSTRESORDER</code> environment variable set to
     "local". This all depends on what OS and resolver libraries you
     are using. It also affects CGIs unless you use
     <module>mod_env</module> to control the environment. It's best
     to consult the man pages or FAQs for your OS.</p>
   </section>

   <section id="tips">
     <title>Tips to Avoid These Problems</title>

     <ul>
       <li>
         use IP addresses in
         <directive module="core">VirtualHost</directive>
       </li>

       <li>
         use IP addresses in
         <directive module="mpm_common">Listen</directive>
       </li>

       <li>
         ensure all virtual hosts have an explicit
         <directive module="core">ServerName</directive>
       </li>

       <li>create a <code>&lt;VirtualHost _default_:*&gt;</code>
       server that has no pages to serve</li>
     </ul>
   </section>

 </manualpage>
	<?xml version="1.0" encoding="UTF-8" ?>
	<!DOCTYPE manualpage SYSTEM "./style/manualpage.dtd">
	<?xml-stylesheet type="text/xsl" href="./style/manual.en.xsl"?>
	<!-- $LastChangedRevision$ -->

	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	<manualpage metafile="dns-caveats.xml.meta">

	<title>Issues Regarding DNS and Apache HTTP Server</title>

	<summary>
	<p>This page could be summarized with the statement: don't
	configure Apache HTTP Server in such a way that it relies on DNS resolution
	for parsing of the configuration files. If httpd requires DNS
	resolution to parse the configuration files then your server
	may be subject to reliability problems (ie. it might not start up),
	or denial and theft of service attacks (including virtual hosts able
	to steal hits from other virtual hosts).</p>
	</summary>

	<section id="example">
	<title>A Simple Example</title>

	<highlight language="config">
	# This is a misconfiguration example, do not use on your server
	<VirtualHost www.example.dom>
	ServerAdmin webgirl@example.dom
	DocumentRoot "/www/example"
	</VirtualHost>
	</highlight>

	<p>In order for the server to function properly, it absolutely needs
	to have two pieces of information about each virtual host: the
	<directive module="core">ServerName</directive> and at least one
	IP address that the server will bind and respond to. The above
	example does not include the IP address, so httpd must use DNS
	to find the address of <code>www.example.dom</code>. If for some
	reason DNS is not available at the time your server is parsing
	its config file, then this virtual host <strong>will not be
	configured</strong>. It won't be able to respond to any hits
	to this virtual host.</p>

	<p>Suppose that <code>www.example.dom</code> has address 192.0.2.1.
	Then consider this configuration snippet:</p>

	<highlight language="config">
	# This is a misconfiguration example, do not use on your server
	<VirtualHost 192.0.2.1>
	ServerAdmin webgirl@example.dom
	DocumentRoot "/www/example"
	</VirtualHost>
	</highlight>

	<p>This time httpd needs to use reverse DNS to find the
	<code>ServerName</code> for this virtualhost. If that reverse
	lookup fails then it will partially disable the virtualhost.
	If the virtual host is name-based then it will effectively be
	totally disabled, but if it is IP-based then it will mostly
	work. However, if httpd should ever have to generate a full
	URL for the server which includes the server name (such as when a
	Redirect is issued), then it will fail to generate a valid URL.</p>

	<p>Here is a snippet that avoids both of these problems:</p>

	<highlight language="config">
	<VirtualHost 192.0.2.1>
	ServerName www.example.dom
	ServerAdmin webgirl@example.dom
	DocumentRoot "/www/example"
	</VirtualHost>
	</highlight>
	</section>

	<section id="denial">
	<title>Denial of Service</title>

	<p>Consider this configuration snippet:</p>

	<highlight language="config">
	<VirtualHost www.example1.dom>
	ServerAdmin webgirl@example1.dom
	DocumentRoot "/www/example1"
	</VirtualHost>
	<VirtualHost www.example2.dom>
	ServerAdmin webguy@example2.dom
	DocumentRoot "/www/example2"
	</VirtualHost>
	</highlight>

	<p>Suppose that you've assigned 192.0.2.1 to
	<code>www.example1.dom</code> and 192.0.2.2 to
	<code>www.example2.dom</code>. Furthermore, suppose that
	<code>example1.dom</code> has control of their own DNS. With this
	config you have put <code>example1.dom</code> into a position where
	they can steal all traffic destined to <code>example2.dom</code>. To
	do so, all they have to do is set <code>www.example1.dom</code> to
	192.0.2.2. Since they control their own DNS you can't stop them
	from pointing the <code>www.example1.dom</code> record wherever they
	wish.</p>

	<p>Requests coming in to 192.0.2.2 (including all those where
	users typed in URLs of the form
	<code>http://www.example2.dom/whatever</code>) will all be served by
	the <code>example1.dom</code> virtual host. To better understand why
	this happens requires a more in-depth discussion of how httpd
	matches up incoming requests with the virtual host that will
	serve it. A rough document describing this <a
	href="vhosts/details.html">is available</a>.</p>
	</section>

	<section id="main">
	<title>The "main server" Address</title>

	<p><a href="vhosts/name-based.html">Name-based
	virtual host support</a> requires httpd to know
	the IP address(es) of the host that <program>httpd</program>
	is running on. To get this address it uses either the global
	<directive module="core">ServerName</directive>
	(if present) or calls the C function <code>gethostname</code>
	(which should return the same as typing "hostname" at the
	command prompt). Then it performs a DNS lookup on this address.
	At present there is no way to avoid this lookup.</p>

	<p>If you fear that this lookup might fail because your DNS
	server is down then you can insert the hostname in
	<code>/etc/hosts</code> (where you probably already have it so
	that the machine can boot properly). Then ensure that your
	machine is configured to use <code>/etc/hosts</code> in the
	event that DNS fails. Depending on what OS you are using this
	might be accomplished by editing <code>/etc/resolv.conf</code>,
	or maybe <code>/etc/nsswitch.conf</code>.</p>

	<p>If your server doesn't have to perform DNS for any other
	reason then you might be able to get away with running httpd
	with the <code>HOSTRESORDER</code> environment variable set to
	"local". This all depends on what OS and resolver libraries you
	are using. It also affects CGIs unless you use
	<module>mod_env</module> to control the environment. It's best
	to consult the man pages or FAQs for your OS.</p>
	</section>

	<section id="tips">
	<title>Tips to Avoid These Problems</title>

	<ul>
	<li>
	use IP addresses in
	<directive module="core">VirtualHost</directive>
	</li>

	<li>
	use IP addresses in
	<directive module="mpm_common">Listen</directive>
	</li>

	<li>
	ensure all virtual hosts have an explicit
	<directive module="core">ServerName</directive>
	</li>

	<li>create a <code><VirtualHost _default_:*></code>
	server that has no pages to serve</li>
	</ul>
	</section>

	</manualpage>