Controlling Server Access with Reverse DNS

Cris Perdue

Many server software packages have facilities to restrict access to certain hosts by name. A couple of common examples are the tcpd utility for inetd and the Apache web server. Using these facilities may not always give you the results you intend unless you understand how reverse DNS works behind the scenes.

Internet protocols such as TCP allow the server to check the IP address of the client, but do not provide any names directly. In almost all cases, the server software determines the name by some sort of "reverse name lookup". Unix systems provide two main ways for the server to do these reverse lookups: the gethostbyaddr C library call, and true reverse DNS lookups using the DNS protocol. Many implementations of gethostbyaddr allow the system administrator to configure the information sources consulted by this call and the order in which they are tried (on Linux this is the "hosts:" line in /etc/nsswitch.conf). Two typical information sources are the /etc/hosts file and DNS.

Gethostbyaddr. In a typical Linux configuration, gethostbyaddr first consults /etc/hosts. If the address does not appear there, it consults DNS. One important and sometimes confusing point arises because a single /etc/hosts line can map an IP address to more than one name. In this case, standard practice is for gethostbyaddr to return the first name on the line as the host's canonical name; the rest are aliases. This means that if you put an unqualified name like romeo immediately after its IP address, the server sees this client as romeo, and your access rules must refer to it by the unqualified name romeo rather than romeo.example.com. An advantage of this is the convenience of using the shorter name. Use of the short name is also a clue that the name is being looked up in /etc/hosts. Defining important computer names in /etc/hosts has the additional advantages that it is fast and under your control. The caveat is that the short name stops working if only DNS information is available: the reverse lookup then returns whatever fully qualified name the PTR record carries, and a rule written for romeo no longer matches.
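The following is an added example, not code from the original article, that emulates the /etc/hosts half of gethostbyaddr: it parses hosts-file text and returns the canonical name (first name on the matching line) and aliases for an address, which is the name an access rule has to match. The hosts file content, addresses and host names below are constructed for illustration.

```python
"""Emulate the 'files' source of gethostbyaddr(): look an address up in
/etc/hosts text and return the canonical name plus aliases.

Added example, not code from the original article.  SAMPLE_HOSTS is a
constructed hosts file; the names and addresses are made up."""

from __future__ import annotations

from typing import Optional

# Constructed sample /etc/hosts.  Note the two orderings: romeo lists the
# short name first, juliet lists the fully qualified name first.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1      localhost
192.168.1.10   romeo romeo.example.com    # short name is canonical
192.168.1.11   juliet.example.com juliet  # FQDN is canonical
192.168.1.10   romeo-old                  # later duplicate: never reached
"""


def parse_hosts(text: str) -> list[tuple[str, list[str]]]:
    """Return (address, [names...]) for each data line, in file order.

    Comment text after '#' and blank lines are ignored, as the C library
    does when it reads /etc/hosts."""
    entries: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name cannot be matched; skip it
        entries.append((fields[0], fields[1:]))
    return entries


def hosts_gethostbyaddr(addr: str, text: str = SAMPLE_HOSTS) -> Optional[tuple[str, list[str]]]:
    """Canonical name and aliases for addr, or None if the address is absent.

    Mirrors gethostbyaddr() reading /etc/hosts: the first line whose address
    matches wins, its first name becomes h_name, the remaining names become
    h_aliases."""
    for address, names in parse_hosts(text):
        if address == addr:
            return names[0], names[1:]
    return None


def name_seen_by_server(addr: str, text: str = SAMPLE_HOSTS) -> str:
    """The name an access-control rule has to match for this client.

    tcpd compares rules against the canonical name, so with romeo's line
    above a rule must say 'romeo'; 'romeo.example.com' would not match.
    Addresses not in the file would fall through to DNS on a real system;
    here they are reported as 'unknown'."""
    result = hosts_gethostbyaddr(addr, text)
    return result[0] if result else "unknown"


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.11", "192.168.1.99"):
        print(ip, "->", name_seen_by_server(ip))
```

On a real system the fall-through for an unlisted address is a DNS PTR query rather than "unknown", so the same client can be named differently depending on whether it appears in /etc/hosts on the server doing the lookup.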

DNS. If you use the DNS mappings, it is important to understand how reverse name mapping is done in DNS. It is not simply an inversion of the forward mapping. Even though you control what your name maps to in the forward direction, only the owner of your block of IP addresses (usually your ISP) controls your machine's reverse DNS mapping, because the reverse zone is delegated along address-block boundaries. A reverse mapping is in fact an ordinary DNS lookup using a special naming convention. To check the reverse mapping of an IP address, take the octets of the address in the usual decimal notation, reverse their order, and append ".in-addr.arpa". For example, a reverse lookup of the name for 192.168.123.234 is done by looking up the name 234.123.168.192.in-addr.arpa. (Technically these requests look up PTR records.) A few software packages insist on using DNS only, and ignore other information sources such as /etc/hosts.

Double lookups. Some software such as tcpd checks both the reverse and the forward DNS entries and compares them. The first lookup is the reverse lookup, since the client IP address is the only information immediately available. This yields a name, which is then mapped back to its IP addresses. If the original client address is not among them, tcpd treats the client as PARANOID; depending on how it was built it may drop the connection outright before consulting any rules, or it may let the PARANOID wildcard in hosts.allow and hosts.deny decide. Since your ISP generally controls the mapping from your IP address to a name, you need to make sure that the name it hands out maps back to your IP address, either by publishing a forward record for that name yourself or by having the ISP point the PTR record at a name you control. Otherwise some server software will refuse you access.
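To tie the last two paragraphs together, here is an added example (not code from the original article, and not the tcp_wrappers implementation) that builds the in-addr.arpa name described above and then performs the reverse-then-forward double check the way tcpd does, classifying a client as known, unknown (no PTR) or paranoid (PTR and forward record disagree). It goes beyond the article in one place, marked in the code: the same construction for IPv6 under ip6.arpa. The zone data and the host names are constructed, so nothing is queried over the network; the rule matcher implements only the hosts_access(5) pattern forms that matter here.

```python
"""Reverse-name construction plus a tcpd-style double lookup.

Added example, not code from the original article or from tcp_wrappers.
PTR_RECORDS and A_RECORDS are a constructed zone for illustration."""

from __future__ import annotations

import ipaddress


def reverse_name(addr: str) -> str:
    """Build the PTR owner name for an address.

    IPv4 follows the article: octets reversed, '.in-addr.arpa' appended.
    IPv6 is a generalization beyond the article: every hex nibble of the
    fully expanded address, reversed, under '.ip6.arpa'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed reverse zone: what "the ISP" says each address is called.
PTR_RECORDS = {
    "234.123.168.192.in-addr.arpa": "romeo.example.com",    # forward agrees
    "235.123.168.192.in-addr.arpa": "juliet.example.com",   # forward disagrees
    "236.123.168.192.in-addr.arpa": "mercutio.example.com", # no forward record
    # 192.168.123.237 has no PTR record at all
}

# Constructed forward zone: what the name owner publishes.
A_RECORDS = {
    "romeo.example.com": ["192.168.123.234"],
    "juliet.example.com": ["192.168.123.99"],   # moved, PTR not updated
    "tybalt.example.com": ["192.168.123.235"],  # right address, wrong name
}


def check_client(addr: str, ptr=PTR_RECORDS, a=A_RECORDS) -> tuple[str, str]:
    """Return (verdict, name) for a connecting address.

    verdict is one of:
      'ok'        PTR exists and the forward lookup of that name includes addr
      'unknown'   no PTR record; tcpd reports the client name as 'unknown'
      'paranoid'  PTR exists but the forward lookup is missing or disagrees;
                  tcpd reports the name as 'paranoid'
    """
    name = ptr.get(reverse_name(addr))
    if name is None:
        return "unknown", "unknown"
    if addr in a.get(name, []):
        return "ok", name
    return "paranoid", name


def host_matches(pattern: str, verdict: str, name: str) -> bool:
    """Simplified hosts.allow/hosts.deny host matching.

    Supports the wildcards ALL, KNOWN, UNKNOWN and PARANOID, a leading-dot
    domain suffix such as '.example.com', and an exact host name.  As the
    article warns, the exact form must be what the lookup actually returned."""
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return verdict == "ok"
    if pattern == "UNKNOWN":
        return verdict == "unknown"
    if pattern == "PARANOID":
        return verdict == "paranoid"
    if pattern.startswith("."):
        return verdict == "ok" and name.lower().endswith(pattern.lower())
    return verdict == "ok" and name.lower() == pattern.lower()


if __name__ == "__main__":
    for ip in ("192.168.123.234", "192.168.123.235",
               "192.168.123.236", "192.168.123.237"):
        verdict, name = check_client(ip)
        allowed = host_matches(".example.com", verdict, name)
        print(f"{ip:16} {reverse_name(ip):32} {verdict:9} {name:22} "
              f"matches .example.com: {allowed}")
```

The 192.168.123.235 case is the one the article warns about: the address really does belong to a name in the forward zone, but not to the name the PTR record advertises, so the client is paranoid and a rule for .example.com does not admit it. Fixing it means either updating the PTR (the ISP's job) or publishing an A record for juliet.example.com that includes 192.168.123.235 (the name owner's job).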