topic Avoid INETD on doing reverse-lookups in Operating System - HP-UX

Avoid INETD on doing reverse-lookups

Jorge Fabregas — Mon, 17 Nov 2003 17:46:52 GMT

Hello everyone,

Is there a way to stop inetd doing reverse DNS lookups on new connections? The only work-around I have found is to place an entry on /etc/hosts for the machine trying to connect to my server (if that machine doesn't have an entry on DNS).

If I don't do this, it takes a couple of minutes before you get the login prompt be it ftp or sshd. I'm spending a lot of time adding entries to /etc/hosts when someone wants to connect to the server.

I did my homework and did a search on the forums but nothing comes up. There is a "-s" switch for inetd that it is supposed to disable logging but it still doesn't work. So far, I just know that inetd does this because it's in log-mode.

Any ideas anyone? I have a bag full of points :)

Thanks,
Jorge

Re: Avoid INETD on doing reverse-lookups

Vijaya Kumar_3 — Mon, 17 Nov 2003 17:58:49 GMT

Hi

Visit this link:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=62885

I think your delay is due to logging... why dont u disable it.

-Vijay

Re: Avoid INETD on doing reverse-lookups

Jorge Fabregas — Mon, 17 Nov 2003 18:05:14 GMT

Hello Vijayakumar,

I saw that thread. However, I tried using inetd -l and inetd -s, to toggle log options...but it still doesn't solve the problem.

Thanks.

Jorge

Re: Avoid INETD on doing reverse-lookups

Steven E. Protter — Mon, 17 Nov 2003 18:23:02 GMT

Jorge,

I'd like to see your inetd.conf file.

I'm posting up a sample file.

My system has BIND 9.2 and does not do this.

I thought however this was a feature of how you configured BIND, not inetd.

## Configured using SAM by root on Mon Jun 10 20:00:03 2002
## Configured using SAM by root on Mon Feb 10 12:06:01 2003
##
#
# @(#)B.11.11_LRinetd.conf $Revision: 1.24.214.3 $ $Date: 97/09/10 14:50:49 $
#
# Inetd reads its configuration information from this file upon execution
# and at some later time if it is reconfigured.
#
# A line in the configuration file has the following fields separated by
# tabs and/or spaces:
#
# service name as in /etc/services
# socket type either "stream" or "dgram"
# protocol as in /etc/protocols
# wait/nowait only applies to datagram sockets, stream
# sockets should specify nowait
# user name of user as whom the server should run
# server program absolute pathname for the server inetd will
# execute
# server program args. arguments server program uses as they normally
# are starting with argv[0] which is the name of
# the server.
#
# See the inetd.conf(4) manual page for more information.
##

##
#
# ARPA/Berkeley services
#
##
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/issue

# Before uncommenting the "tftp" entry below, please make sure
# that you have a "tftp" user in /etc/passwd. If you don't
# have one, please consult the tftpd(1M) manual entry for
# information about setting up this service.

tftp dgram udp wait root /usr/lbin/tftpd tftpd\
/images\
/opt/ignite\
/var/opt/ignite
bootps dgram udp wait root /usr/lbin/bootpd bootpd
#finger stream tcp nowait bin /usr/bin/cat cat /etc/finger.msg
login stream tcp nowait root /usr/lbin/rlogind rlogind
shell stream tcp nowait root /usr/lbin/remshd remshd
exec stream tcp nowait root /usr/lbin/rexecd rexecd
#uucp stream tcp nowait root /usr/sbin/uucpd uucpd
ntalk dgram udp wait root /usr/lbin/ntalkd ntalkd
ident stream tcp wait bin /usr/lbin/identd identd

##
#
# Other HP-UX network services
#
##
# printer stream tcp nowait root /usr/sbin/rlpdaemon rlpdaemon -i

##
#
# inetd internal services
#
##
daytime stream tcp nowait root internal
daytime dgram udp nowait root internal
time stream tcp nowait root internal
#time dgram udp nowait root internal
echo stream tcp nowait root internal
echo dgram udp nowait root internal
discard stream tcp nowait root internal
discard dgram udp nowait root internal
chargen stream tcp nowait root internal
chargen dgram udp nowait root internal

##
#
# rpc services, registered by inetd with portmap
# Do not uncomment these unless your system is running portmap!
#
##
# WARNING: The rpc.mountd should now be started from a startup script.
# Please enable the mountd startup script to start rpc.mountd.
##
#rpc stream tcp nowait root /usr/sbin/rpc.rexd 100017 1 rpc.rexd
# #rpc dgram udp wait root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rpc.rstatd
#rpc dgram udp wait root /usr/lib/netsvc/rusers/rpc.rusersd 100002 1-2 rpc.rusersd
#rpc dgram udp wait root /usr/lib/netsvc/rwall/rpc.rwalld 100008 1 rpc.rwalld
#rpc dgram udp wait root /usr/sbin/rpc.rquotad 100011 1 rpc.rquotad
#rpc dgram udp wait root /usr/lib/netsvc/spray/rpc.sprayd 100012 1 rpc.sprayd

##
#
# The standard remshd and rlogind do not include the Kerberized
# code. You must install the InternetSvcSec/INETSVCS-SEC fileset and
# configure Kerberos as described in the SIS(5) man page.
#
##
kshell stream tcp nowait root /usr/lbin/remshd remshd -K
klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K

##
#
# NCPM programs.
# Do not uncomment these unless you are using NCPM.
#
##

#ncpm-pm dgram udp wait root /opt/ncpm/bin/ncpmd ncpmd
#ncpm-hip dgram udp wait root /opt/ncpm/bin/hipd hipd

dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
registrar stream tcp nowait root /etc/opt/resmon/lbin/registrar /etc/opt/resmon/lbin/registrar

recserv stream tcp nowait root /usr/lbin/recserv recserv -display :0
rpc dgram udp wait root /usr/dt/bin/rpc.cmsd 100068 2-5 rpc.cmsd
swat stream tcp nowait.400 root /opt/samba/bin/swat swat
bpcd stream tcp nowait root /usr/openv/netbackup/bin/bpcd bpcd
vopied stream tcp nowait root /usr/openv/netbackup/bin/vopied vopied
bpjava-msvc stream tcp nowait root /usr/openv/netbackup/bin/bpjava-msvc bpjava-msvc -transient
instl_boots dgram udp wait root /opt/ignite/lbin/instl_bootd instl_bootd
vnetd stream tcp nowait root /usr/openv/bin/vnetd vnetd

Note the Berkley protocols are enabled. We turn them on when we need them and right now we're using them.

Here is a document on the BIND named.conf configuration file:
http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B2355-60103/B2355-60103_top.html&con=/hpux/onlinedocs/B2355-60103/00/39/3922-con.html&toc=/hpux/onlinedocs/B2355-60103/00/39/3922-toc.html&searchterms=lookup%7cBIND%7cReverse&queryid=20031117-162208

SEP

Re: Avoid INETD on doing reverse-lookups

Jorge Fabregas — Mon, 17 Nov 2003 18:39:00 GMT

Hello Steven,

Here's the inetd.conf attached..

Thanks,
Jorge

Re: Avoid INETD on doing reverse-lookups

Jeff Schussele — Mon, 17 Nov 2003 19:09:10 GMT

Hi Jorge,

In my opinion reverse lookups are something you WANT. If it's causing delays or problems then that's due to improperly configured hosts files and/or DNS.
Fix *those* problems & all will be well again.
Keep in mind that lookups in both directions are a security feature that's designed to work *for* you. Don't circumvent them or you're likely to become a ripe target for spammers or other unsavory characters. Then you'll have all kinds of fun trying to get other domains to accept your mail & your Security folks will have you on their Top-ten list.
So my advice to you is fix the *problem* - NOT the symptom.

My 2 cents,
Jeff

Re: Avoid INETD on doing reverse-lookups

Jorge Fabregas — Mon, 17 Nov 2003 20:49:35 GMT

Hi Jeff,

The server is not exposed to the internet so security is not a major issue -in this sense-.

DNS is working fine on the server (also, resolving thru hosts file). I have them properly configured on nsswitch.conf.

The sympton is: You don't have a DNS entry or your ip is not on my hosts file: you're going to wait A WHILE before you the login prompt.

I put you on my hosts file: everything works perfect.

Thanks,

Jorge

Re: Avoid INETD on doing reverse-lookups

Bill Hassell — Mon, 17 Nov 2003 22:34:27 GMT

This behavior is by design. Tools such as remsh, rcp and rlogin as well as telnet and ftp will try to verify that the incoming connection is authenticated, at least partially. It doesn't matter whether your computer is behind a firewall, accepting any connection from any location is not a good policy. Using /etc/hosts is a good choice since you must make a conscious decision about each IP address.

Now if the problem is due to a DHCP server, then it needs to be integrated into your DNS system or find a DNS server that can handle DHCP address assignments. Many DNS admins will simply create unique names for every IP address that can be handed out.