
Reverse DNS?

SOLVED
Paul Haygarth
Advisor

Reverse DNS?

Can someone explain to me why, when I open a connection to our HP server, it attempts to do a reverse DNS lookup if DNS resolving has been configured?

We have run into a few situations with customers where the DNS server becomes flaky and connections (web and telnet) start timing out.
Steven E. Protter
Exalted Contributor

Re: Reverse DNS?

Reverse DNS databases give the administrators and daemons of other servers you are connecting with the ability to figure out where the traffic is coming from.

Many mail servers (AOL, mine) require that a reverse DNS database exist or they simply won't accept the mail. This is to reduce spam. That does work; that mere hack dropped my spam traffic 30% when I implemented it.

The existence or lack of existence of this database should make no difference with regard to web or telnet connections.

Are any errors being logged in the access_log database for the web server, or in the /var/adm/syslog/syslog.log log for the server?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Paul Haygarth
Advisor

Re: Reverse DNS?

I'm not sure that I was clear on the situations we are seeing.

The web connections are not necessarily timing out. Some time out, some are just really slow while they wait for the DNS timeout.

The telnet issue is only present when establishing the connection. Once a connection is made, everything is fine. Again, they don't get a login prompt until the DNS times out.

I'll check logs.
harry d brown jr
Honored Contributor

Re: Reverse DNS?

Paul,

Can you post these files:

/etc/nsswitch.conf
/etc/resolv.conf

the output of:

what `which named`


Live Free or Die
Florian Heigl (new acc)
Honored Contributor

Re: Reverse DNS?

HP-UX does the reverse lookup to log the connecting host in syslog and/or wtmp.

This is standard UNIX behavior; the timeout for telnetd can be raised using the -n option in inetd.conf. I do not know if it can be completely disabled; a way might be to disable inetd logging.

But I don't think it would be good to disable logging to solve this issue. Having no reverse lookup is against internet standards, and I feel that would be the better point to fix something.
yesterday I stood at the edge. Today I'm one step ahead.
rick jones
Honored Contributor

Re: Reverse DNS?

That you said "the DNS server" rather than "the DNS servers" suggests that DNS is not properly setup - there should _always_ be _at least two_ DNS servers for a given domain, preferably in separate IP subnets.

There should be two or more DNS servers listed in /etc/resolv.conf.

A single DNS server is plusungood.
there is no rest for the wicked yet the virtuous have no pillows
Paul Haygarth
Advisor

Re: Reverse DNS?

There are 3 DNS servers configured in /etc/resolv.conf. I said DNS server, because one is internal (the one causing the problems) and the other 2 are external to the company.

The length of time for the internal DNS to timeout, when it starts acting up, is what is causing the issue.

I guess what I really need is just an explanation, that I can give to the customer, since they are asking why the server does a reverse DNS lookup, and why can't it be disabled.

As a workaround to the problems they experience with connectivity from their WEB server, I have added necessary IP addresses to the hosts file.

Here are the contents of resolv.conf and nsswitch.conf in case anyone has some comments.

/etc/resolv.conf:
domain xxxxxxx.com
nameserver 10.200.4.103
nameserver 206.183.224.7
nameserver 206.183.224.8

/etc/nsswitch.conf:
hosts: files [NOTFOUND=continue] dns [NOTFOUND=continue UNAVAIL=continue]
rick jones
Honored Contributor

Re: Reverse DNS?

The internal and external DNS servers can resolve all the same names yes?
there is no rest for the wicked yet the virtuous have no pillows
Paul Haygarth
Advisor

Re: Reverse DNS?

Yes they do, for the most part. There would be some internal network names (e.g. printers and other devices on non-Internet-routable networks) that would not be resolved externally. We have already recommended that they change the server order, at least until they resolve the issue with the internal DNS. Unfortunately, changing the order is unlikely to happen, as they do not want to rely on external servers.
rick jones
Honored Contributor
Solution

Re: Reverse DNS?

perhaps then there should be two internal servers?

Anyhow, indeed the reason most apps will do the reverse lookup is to have nice names for logs, or to check against names, e.g. .rhosts files or stuff in inetd.sec or tcpwrappers, etc. Some allow it to be disabled, others do not.
there is no rest for the wicked yet the virtuous have no pillows
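The name-based checks Rick mentions (inetd.sec, tcpwrappers, .rhosts) are why the daemon has to sit through the DNS timeout before it can decide anything, and why Paul's hosts-file workaround helps. The following is an added example, not code from this thread or from HP-UX; it models a tcpwrappers-style access decision over a constructed stand-in resolver (StubDns, NameService, the .corp.example names and the 10.200.4.x / 203.0.113.x addresses are all assumptions made for the example) and shows three things: a reverse name is only trusted after a forward-confirmed lookup, a dead nameserver makes a name rule fail closed after the full wait, and address rules or a hosts-file entry never touch DNS at all.

```python
import ipaddress
import time


class ResolverUnavailable(Exception):
    """No nameserver answered before the resolver gave up."""


class StubDns:
    """Constructed stand-in for the DNS resolver (not a real DNS client).

    `ptr` maps IP -> reverse name and `a` maps name -> list of IPs. With
    `down=True` every query sleeps `delay` seconds and then fails, which is
    what a flaky nameserver looks like to the process doing the lookup.
    """

    def __init__(self, ptr, a, down=False, delay=0.0):
        self.ptr, self.a, self.down, self.delay = ptr, a, down, delay
        self.queries = 0  # how often the daemon actually had to wait on DNS

    def _query(self, table, key):
        self.queries += 1
        if self.down:
            time.sleep(self.delay)
            raise ResolverUnavailable("no nameserver answered")
        return table.get(key)

    def reverse(self, ip):
        return self._query(self.ptr, ip)

    def forward(self, name):
        return self._query(self.a, name) or []


class NameService:
    """Mimics 'hosts: files dns' in nsswitch.conf: the static hosts table is
    consulted first and DNS only when it has no answer, which is why adding
    entries to /etc/hosts sidesteps a dead nameserver for those addresses."""

    def __init__(self, hosts, dns):
        self.hosts = dict(hosts)  # ip -> name, as /etc/hosts would hold it
        self.dns = dns

    def reverse(self, ip):
        return self.hosts[ip] if ip in self.hosts else self.dns.reverse(ip)

    def forward(self, name):
        local = [ip for ip, n in self.hosts.items() if n == name]
        return local or self.dns.forward(name)


def fcrdns(ns, ip):
    """Forward-confirmed reverse DNS: trust the PTR name only if one of its
    forward records points back at `ip`. Returns the confirmed name or None.
    Without the forward check, whoever controls the reverse zone for `ip`
    can claim any name they like."""
    name = ns.reverse(ip)
    if name is None:
        return None
    return name if ip in ns.forward(name) else None


def allowed(ns, ip, rules):
    """tcpwrappers-style decision for a peer address.

    Rules are evaluated in order; a rule is an address or network string
    ("10.200.4.0/24") or a hostname suffix (".corp.example"). Address rules
    never touch the name service. Name rules need a confirmed reverse name;
    if the resolver is unavailable they are treated as not matching (fail
    closed), but the caller has still waited for the full DNS timeout.
    """
    addr = ipaddress.ip_address(ip)
    name, looked_up = None, False
    for rule in rules:
        if rule.startswith("."):
            if not looked_up:  # one reverse lookup per connection, at most
                looked_up = True
                try:
                    name = fcrdns(ns, ip)
                except ResolverUnavailable:
                    name = None
            if name is not None and name.endswith(rule):
                return True
        elif addr in ipaddress.ip_network(rule, strict=False):
            return True
    return False
```

Putting address rules before name rules, or giving the affected hosts static entries, keeps the decision off the DNS path entirely; a name rule evaluated against a dead server costs the whole resolver timeout and then denies, which is exactly the delayed login prompt described above.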
Florian Heigl (new acc)
Honored Contributor

Re: Reverse DNS?

Paul - there are two different ways to make this problem a smaller problem.

a)
- increase the timeout for telnet
- change inetd_options from "-l" to ""
- disable hostname lookups in webserver config (in apache this is definitely possible)

b)
- lower the timeouts for the local nameserver
see my posting here:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=809283
for you this would be something like
/etc/resolv.conf containing
domain internal.our.net
nameserver internal_ip
nameserver ext_1
nameserver ext_2
search some.thi.ng thi.ng
retry 2
retrans 1000

this would cause hp-ux to fail over to the external dns servers after two seconds if the internal doesn't really work.

[c)
- wish for a better internet where everybody reads the RFCs and implements his networks that way.]


yesterday I stood at the edge. Today I'm one step ahead.
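To see what Florian's retry/retrans tuning buys, here is an added example (not from this thread or from HP-UX) that parses the relevant lines of a resolv.conf and estimates how long a single lookup blocks when the first listed server is dead. The per-server timeout model is a deliberate simplification and an assumption: the real BIND res_send algorithm scales the per-try timeout by the retry number and the server count, so confirm the numbers on the box itself. The 5000 ms / 4 tries defaults are assumed BIND-style values (the thread does not state HP-UX's), the sample resolv.conf is constructed from Paul's posted server order with a placeholder domain, and it also accepts glibc's `options timeout:/attempts:` spelling so the same check works on Linux.

```python
# Assumed BIND-style resolver defaults (the thread does not state HP-UX's values).
DEFAULT_RETRANS_MS = 5000
DEFAULT_RETRY = 4


def parse_resolv_conf(text):
    """Parse the parts of resolv.conf that matter here: nameserver lines,
    the HP-UX style 'retrans <ms>' / 'retry <n>' keywords, and the glibc
    style 'options timeout:<s> attempts:<n>'. Returns (servers, retrans_ms, retry)."""
    servers, retrans_ms, retry = [], DEFAULT_RETRANS_MS, DEFAULT_RETRY
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            servers.append(args[0])
        elif key == "retrans" and args:
            retrans_ms = int(args[0])
        elif key == "retry" and args:
            retry = int(args[0])
        elif key == "options":
            for opt in args:
                name, _, val = opt.partition(":")
                if name == "timeout" and val:
                    retrans_ms = int(val) * 1000
                elif name == "attempts" and val:
                    retry = int(val)
    return servers, retrans_ms, retry


def lookup_delay(servers, retrans_ms, dead):
    """Seconds one lookup blocks before a live server answers, under a
    simplified model (an assumption, not the exact res_send algorithm):
    servers are tried in listed order and each dead one is waited on for
    retrans_ms before the next is asked. None means every server is dead."""
    dead = set(dead)
    for position, server in enumerate(servers):
        if server not in dead:
            return position * retrans_ms / 1000.0
    return None


def total_failure_delay(servers, retrans_ms, retry):
    """Seconds until the resolver gives up entirely when all servers are
    dead: every server is waited on once per pass, for `retry` passes."""
    return len(servers) * retry * retrans_ms / 1000.0


# Constructed sample: Paul's server order, internal server first.
# The domain line is a placeholder; the thread redacts the real one.
PAUL_RESOLV_CONF = """\
domain example.com
nameserver 10.200.4.103
nameserver 206.183.224.7
nameserver 206.183.224.8
"""

# Same servers with Florian's suggested timeouts appended.
TUNED_RESOLV_CONF = PAUL_RESOLV_CONF + "retry 2\nretrans 1000\n"

INTERNAL = ["10.200.4.103"]

if __name__ == "__main__":
    for label, conf in (("defaults", PAUL_RESOLV_CONF), ("tuned", TUNED_RESOLV_CONF)):
        servers, retrans_ms, retry = parse_resolv_conf(conf)
        print(f"{label}: internal server dead -> each reverse lookup waits "
              f"{lookup_delay(servers, retrans_ms, INTERNAL)} s; "
              f"all dead -> gives up after "
              f"{total_failure_delay(servers, retrans_ms, retry)} s")
```

Under this model the default settings make every telnet login and every web request with hostname lookups enabled wait 5 s for the dead internal server before an external one answers, while the tuned settings cut that to 1 s; moving the internal server to the end of the list brings it to zero, which is the reordering Paul's customer declined.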