Score:0

How to disable reverse DNS lookup in Apache 2.2 or in recursive bind

cn flag

I would like to stop Apache (2.2) from doing reverse lookups for client IP addresses. I have

HostnameLookups Off

and

LogFormat "%h %l %u %t %V \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" port:%p" combined_vhost
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

in httpd.conf, but Apache still often does the lookups in many cases and writes domain names instead of IP addresses into the access logs.

I need the IPs from the access logs to block them on the firewall.

If it is not possible to set this up in the Apache config, maybe it can be done in the bind config. On the machine I need to fix, bind runs as a local recursive resolver.

The domain names are useless because they can't be resolved back to the original IP address (it seems there is an intentional lack of the usual DNS A/AAAA records for these domain names).

Patrick Mevzek avatar
cn flag
`%h` in the access log means hostname, see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats This is obviously obtained by doing a reverse DNS query on the IP address, as this is the only thing that Apache sees, being an HTTP server where the protocol is built upon TCP/IP.
cn flag
The page says *"%h Remote hostname. Will log the IP address if HostnameLookups is set to Off, which is the default. If it logs the hostname for only a few hosts, you probably have access control directives mentioning them by name."* That is what is happening: there are mostly IP addresses, but sometimes there are hostnames, which is the case in this attack. Maybe there are some "access control directives" that are causing the DNS resolution. However, I don't see any such rules in any configuration. I tried setting up %a instead of %h, but this did not change Apache's behaviour.
cn flag
Oh, when LogFormat is changed in a virtualhost, it has no effect. But if I set it up in the global httpd.conf, it does. So the format string %a instead of %h in httpd.conf solves my problem.
Score:0
cn flag

Do not use names anywhere in the configuration, just IP addresses, and change the configuration format to log only IP addresses.

It is unclear, however, why you want to do that; you are creating a maintenance nightmare for yourself. IP addresses do change sometimes...

The domain names are useless because they can't be resolved back to the original IP address

That is not a problem at all. The DNS will timeout or return an error and life goes on.

cn flag
I've added some information. This is to block attackers' client IPs.
Patrick Mevzek avatar
cn flag
This will not help blocking anyone.
cn flag
You do not understand my question.
cn flag
I need to get a list of IP addresses. I can't get them from a list of domain names, because those are attackers' domains without A/AAAA records.
Score:0
cn flag

There is a LogFormat directive which tells Apache what should be written to the access logs. To prefer the IP address over the hostname, there is the format string %a.

For Apache 2.2 LogFormat documentation, see

https://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats

When LogFormat is changed in a virtualhost context, it seems to have no effect; I tried changing %h into %a in a virtualhost block but still hostnames were being written into virtual host's accesslog.

But then I made the change in the global configuration file httpd.conf, and this helped. Now Apache always logs IP addresses, not hostnames.
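As an added check that is not part of the answer above: a small Python script that parses lines in the page's `combined` LogFormat, keeps the client field only when it is a literal IP address (what the firewall list needs), and reports any hostnames that still appear, which means a reverse lookup is still happening somewhere in the configuration. The log lines and hostnames are constructed samples.

```python
import ipaddress
import re

# Matches the page's "combined" LogFormat; the first field is %h (or %a once
# the global httpd.conf is fixed), which is the only part we need to classify.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_combined(line):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def is_ip(value):
    """True for a literal IPv4/IPv6 address, False for anything else (e.g. a hostname)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def split_clients(lines):
    """Split the client field of each line into literal IPs (safe to feed a firewall
    list) and hostnames, whose presence means a reverse lookup is still happening."""
    ips, hostnames = set(), set()
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not in the combined format; skip rather than guess
        (ips if is_ip(rec["client"]) else hostnames).add(rec["client"])
    # IPv4 and IPv6 addresses cannot be ordered against each other, so sort by (version, value)
    key = lambda s: (ipaddress.ip_address(s).version, int(ipaddress.ip_address(s)))
    return sorted(ips, key=key), sorted(hostnames)

# Constructed sample lines (not from the question): two clients were reverse-resolved.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 208 "-" "Mozilla/5.0"
scanner.example.invalid - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
2001:db8::1 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
bot.example.invalid - - [10/Oct/2023:13:55:39 +0000] "GET /.env HTTP/1.1" 404 208 "-" "python-requests/2.25"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 404 208 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    ips, names = split_clients(SAMPLE_LOG.splitlines())
    print("IPs for the firewall list:", ips)
    print("hostnames still being logged (lookups not fully disabled):", names)
```

Any non-empty hostname list is the signal to look for the remaining name-based directive or virtualhost-level LogFormat that the answer describes.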
