
Re: resolving hostnames

Bryan Stansell bryan@conserver.com
Fri, 6 Jul 2001 13:04:54 -0700 (PDT)


So, this is how the host checking is done.  First, the server takes the
IP address of the client and tries to look up its hostname.  It then
walks through the access list and tries to find a match with either
thing.  The client hostname is also repeatedly pruned
('host.domain.com' becomes 'domain.com' and then just 'com') and
checked as well.  So, in theory, if the ip address can be mapped to a
hostname and you have viragelogic.com in the access list, it should
match.

One thing you *can* see with debugging output is the access list
matching code.  With 7.0.3, you can (as yourself, not even root) do
'conserver -n -p 7777 -C /tmp/conserver.cf -D' and then connect to the
test conserver with 'console -p 7777 -w'.  The conserver.cf file could
be something as simple as two lines:

%%
allow: 127.0.0.1 viragelogic.com nj.viragelogic.com

If you use this example, you'll get an unexpected message from the
client about master forwarding being broken - but it gets you the
debugging output.

It will look something like:

conserver (18871): DEBUG: Access check: hostname=localhost, ip=127.0.0.1
conserver (18871): DEBUG: Access check:    who=localhost, trust=a

followed by this:

conserver (18871): DEBUG: Access check:       name=localhost

or:

conserver (18871): DEBUG: Access check:       host=7f000001(7f000001/ffffffff)
conserver (18871): DEBUG: Access check:        acl=a0a0a0a(a0a0a0a/ffffffff)

The hostname= and ip= are the client hostname and ip address (hostname
based on reverse lookup of ip).  You'll see multiple sets of the next
data.  First is who= and trust=, which are the entries in the access
list and their trust type.  The name= entries will be the hostname in
its various pruned forms.  The host= and acl= entries are the client
ip address and access list ip address in hex form.  So, for access to
be granted, the who= and name= lines need to match or the host= and
acl= lines need to be the same.

Feel free to send me the debug output if you need help figuring out why
things aren't matching.  But it is up to the server to do all the
lookups, and if it can't rev map the ip to a hostname, no hostnames can
be used in the config file.

Well, there's a longer-than-expected "answer".  Hope it helps.

Bryan

On Fri, Jul 06, 2001 at 10:30:03AM -0400, Ernie Oporto wrote:
> I am running conserver 7.0.3 on Red Hat 7 and this is a problem I've
> had since the 6.0 versions.  For some reason, a line in conserver.cf
> like this works,
> 
>     allow: 127.0.0.1 129.200.11.69 129.200.11.10 129.200.11.40 129.200.11.128
> 
> but a line like this does not
> 
>     allow: 127.0.0.1 viragelogic.com nj.viragelogic.com
> 
> Ideally I will not give the entire domain client access to this
> machine, but no DNS hostnames seem to work at all, so I thought this
> would be the best place to start.
> 
> Ernie
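
The matching described in the message above, modelled as an added example (not conserver's source code and not part of the original post). It assumes IPv4, whole-address comparison with no netmask handling, and case-insensitive name comparison; access_match, sample_acl, and the client address and hostnames in main are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

/* Access list from the example conserver.cf in the message. */
static const char *const sample_acl[] = {
    "127.0.0.1", "viragelogic.com", "nj.viragelogic.com"
};

/* Returns 1 if the client matches any entry, 0 otherwise.
 * hostname is the reverse-lookup result for ip, or NULL if the
 * server could not map the address back to a name. */
int access_match(const char *ip, const char *hostname,
                 const char *const *acl, size_t n)
{
    struct in_addr client, entry;
    if (inet_pton(AF_INET, ip, &client) != 1)
        return 0;
    for (size_t i = 0; i < n; i++) {
        /* Numeric entry: compare addresses (the host=/acl= debug lines). */
        if (inet_pton(AF_INET, acl[i], &entry) == 1) {
            if (entry.s_addr == client.s_addr)
                return 1;
            continue;
        }
        /* Name entry: try the hostname, then each pruned form
         * (the who=/name= debug lines).  Pruning cuts at a dot, so
         * only whole trailing labels can match.  Case-insensitive
         * comparison is an assumption of this model. */
        for (const char *p = hostname; p != NULL; ) {
            if (strcasecmp(p, acl[i]) == 0)
                return 1;
            p = strchr(p, '.');
            if (p != NULL)
                p++;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed reverse-lookup results for one constructed client. */
    const char *names[] = {"host.nj.viragelogic.com", "notviragelogic.com", NULL};
    for (int i = 0; i < 3; i++)
        printf("%s -> %s\n", names[i] ? names[i] : "(no reverse mapping)",
               access_match("192.0.2.10", names[i], sample_acl, 3) ? "allow" : "no match");
    return 0;
}
```

The NULL case is the one from the thread: without a reverse mapping, only the numeric entries in the access list can match.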