Recipe 11.5 Avoiding DNS Lookups

Problem

You want to avoid situations where you have to do DNS lookups of client addresses, as this is a very slow process.

Solution

Always set the HostNameLookups directive to Off:

    HostNameLookups Off

And make sure that, whenever possible, Allow from and/or Deny from directives use the IP address, rather than the hostname, of the hosts in question.

Discussion

DNS lookups can take a very long time and should be avoided at all costs. In the event that a client address cannot be looked up at all, it can take up to a minute for the lookup to time out, during which time the child process that is doing the lookup cannot do anything else. There are a number of cases in which Apache will need to do DNS lookups, and so the goal here is to completely avoid those situations.

HostNameLookups

Prior to Apache 1.3, HostNameLookups, which determines whether Apache logs client IP addresses or hostnames, defaulted to On, meaning that each Apache log entry required a DNS lookup to convert the client IP address to a hostname to put in the logfile. Fortunately, that directive now defaults to Off, and so this is primarily an admonition to leave it alone.

If you need to have these addresses converted to hostnames, this should be done by another program, preferably running on a machine other than your production web server. That is, you really should copy the logfile to some other machine for processing, so that the effort required to do this processing does not negatively affect your web server's performance. Apache comes with a utility called logresolve, which will process your logfile, replacing IP addresses with hostnames. Additionally, most logfile analysis tools will also do this name resolution as part of the log analysis process.

Allow and Deny from hostnames

When you do host-based access control, using the Allow from and Deny from directives, Apache takes additional precautions to make sure that the client is not spoofing its hostname. In particular, it does a DNS lookup on the IP address of the client to obtain the name to compare against the access restriction. It then looks up the name that was obtained, just to make sure that the DNS record is not being faked.[1]

For the sake of better performance, therefore, it is much better to use an IP address, rather than a name, in Allow and Deny directives.
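As an added example, not taken from the book, here is the hostname-based access-control block the discussion warns about next to its address-based equivalent, with HostNameLookups set as the recipe recommends; the directory path and address ranges are made up.

```apache
# Added example, not from the book. Paths and address ranges are made up.

# Server-wide: never reverse-resolve client addresses for the access log.
HostNameLookups Off

# Slow form (left commented out): a hostname in Allow/Deny forces Apache to
# reverse-look-up the client IP and then forward-look-up the resulting name on
# every request to this directory; an unreachable resolver can stall the
# child process for up to a minute.
#
# <Directory "/var/www/admin">
#     Order Deny,Allow
#     Deny from all
#     Allow from .example.com
# </Directory>

# Fast form: the same restriction expressed as address ranges. Apache compares
# the client IP directly and issues no DNS query at all.
<Directory "/var/www/admin">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24 10.0.0.0/8
</Directory>

# If hostnames are wanted in the log, resolve them after the fact, ideally on
# another machine once the logfile has been copied there:
#     logresolve < access_log > access_log.resolved
```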