Hostname Lookup

I have noticed that although hostname lookup is enabled in the Apache httpd-default.conf file, my logs are still only showing the IP addresses.

I checked the resolv.conf file and I have the following entries:

Code:
search phx.dedicated.codero.com
nameserver 127.0.0.1
nameserver 64.150.176.124
nameserver 69.64.66.10

What else could I be missing?
 
Did you actually restart Apache? And is your nameserver on localhost seeing those queries?
 
I have not changed the settings; they were that way from the start. Yes, I have restarted Apache several times.....
 
Try putting the second nameserver first. The lookups may be timing out, and Apache is not very patient when that happens.
 
Did that, issued a KILLALL -HUP httpd to restart Apache, and still the same result.

I took the IP address and did an nslookup on it, and it came back immediately with the host name.....

Do I need to restart the name server as well?
 
Please restart Apache the 'normal' way, i.e. # /usr/local/etc/rc.d/apache22 restart or # apachectl graceful/restart.

If your own nameserver (the localhost one) responds to a $ dig -x ip.add.re.ss +short command with a hostname (not every IP address has a hostname), there's no reason why Apache wouldn't get that result as well.
 
Yes, it responds with the IP address, and I restarted Apache using the restart command, still getting the same results.

Could it be something to do with my DNS server?
 
Whether Apache looks up an IP address, or you do from the same server, both will look in /etc/resolv.conf where to find the DNS server. So if your command-line lookups work, then so should Apache's.

Try # tcpdump -s 0 -pnli lo0 port 53 to see if and when your DNS gets queried. If you see a log line being added to the Apache log, you should see a packet exchange on localhost:53.
 
Well I ran that from the command line, queried one of the domains and nothing showed up on the screen.....although I am not really sure what I am looking for.

The access_log file shows the hit.
 
Ok something is happening because now I am getting all kinds of hits....

Here is a sample:
Code:
21:29:39.902339 IP 64.150.176.124.56428 > 64.150.176.124.53: 62993+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:39.902541 IP 64.150.176.124.53 > 64.150.176.124.56428: 62993 NXDomain 0/1/0 (88)
21:29:39.903401 IP 64.150.176.124.50823 > 64.150.176.124.53: 62993+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:39.903612 IP 64.150.176.124.53 > 64.150.176.124.50823: 62993 NXDomain 0/1/0 (88)
21:29:40.802249 IP 64.150.176.124.64685 > 64.150.176.124.53: 19680+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:40.802457 IP 64.150.176.124.53 > 64.150.176.124.64685: 19680 NXDomain 0/1/0 (88)
21:29:40.803369 IP 64.150.176.124.57867 > 64.150.176.124.53: 19680+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:40.803577 IP 64.150.176.124.53 > 64.150.176.124.57867: 19680 NXDomain 0/1/0 (88)
21:29:41.569865 IP 64.150.176.124.49255 > 64.150.176.124.53: 55219+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:41.570078 IP 64.150.176.124.53 > 64.150.176.124.49255: 55219 NXDomain 0/1/0 (88)
21:29:41.570984 IP 64.150.176.124.51245 > 64.150.176.124.53: 55219+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:41.571192 IP 64.150.176.124.53 > 64.150.176.124.51245: 55219 NXDomain 0/1/0 (88)

The Apache logs still only show the IP address, though.
 
That is quite possible. The NXDomain signifies that no PTR record was found, so the IP address does not resolve to a hostname. These are not queries on localhost, though. Try putting 127.0.0.1 back at the top of /etc/resolv.conf.
 
No I have not.

/etc/resolv.conf is as follows:

Code:
search phx.dedicated.codero.com
nameserver 64.150.176.124
nameserver 127.0.0.1
nameserver 69.64.66.10
 
This is weird because I restarted the tcpdump command you gave me and requeried one of the domains and now I am getting nothing again.
 
Ok, I logged off and logged back on and tried it again and I got the following:

Code:
21:35:59.271430 IP 64.150.176.124.59368 > 64.150.176.124.53: 49312+ A? twitter.com. (29)
21:35:59.671350 IP 64.150.176.124.53 > 64.150.176.124.59368: 49312 1/4/4 A 128.121.243.228 (195)
21:35:59.672200 IP 64.150.176.124.53474 > 64.150.176.124.53: 49313+ AAAA? twitter.com. (29)
21:35:59.683878 IP 64.150.176.124.53 > 64.150.176.124.53474: 49313 0/1/0 (101)
21:36:17.836086 IP 64.150.176.124.56524 > 64.150.176.124.53: 28023+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:17.853354 IP 64.150.176.124.55220 > 64.150.176.124.53: 49185+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:19.474482 IP 64.150.176.124.50299 > 64.150.176.124.53: 7708+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:20.132784 IP 64.150.176.124.61257 > 64.150.176.124.53: 12803+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.635179 IP 64.150.176.124.53 > 64.150.176.124.56524: 28023 NXDomain 0/1/0 (108)
21:36:22.635573 IP 64.150.176.124.53 > 64.150.176.124.55220: 49185 NXDomain 0/1/0 (108)
21:36:22.635920 IP 64.150.176.124.53 > 64.150.176.124.50299: 7708 NXDomain 0/1/0 (108)
21:36:22.636263 IP 64.150.176.124.53 > 64.150.176.124.61257: 12803 NXDomain 0/1/0 (108)
21:36:22.637252 IP 64.150.176.124.61768 > 64.150.176.124.53: 28023+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.637860 IP 64.150.176.124.63095 > 64.150.176.124.53: 49185+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.638530 IP 64.150.176.124.58129 > 64.150.176.124.53: 7708+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.639123 IP 64.150.176.124.63343 > 64.150.176.124.53: 12803+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.639416 IP 64.150.176.124.53 > 64.150.176.124.61768: 28023 NXDomain 0/1/0 (108)
21:36:22.640674 IP 64.150.176.124.53 > 64.150.176.124.63095: 49185 NXDomain 0/1/0 (108)
21:36:22.641883 IP 64.150.176.124.53 > 64.150.176.124.58129: 7708 NXDomain 0/1/0 (108)
21:36:22.643083 IP 64.150.176.124.53 > 64.150.176.124.63343: 12803 NXDomain 0/1/0 (108)

What is weird is I am getting a totally different ip logged to the access log.
 
Does $ dig @localhost -x 87.248.113.14 +short give you a result? It should if your DNS server runs like it should.
 
The IP addresses are reversed. That's how PTR records are queried.
21.69.246.84.in-addr.arpa. == 84.246.69.21
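
Added example, not part of the original posts: a small Python parser for tcpdump port-53 output in the format shown in this thread. It maps each PTR query back to the IP being looked up and reports which resolver was asked and what it answered, which makes it easier to match the capture against access-log entries. The sample capture is a constructed excerpt and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed excerpt in the tcpdump format shown in the thread.
SAMPLE = """\
21:36:17.836086 IP 64.150.176.124.56524 > 64.150.176.124.53: 28023+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.635179 IP 64.150.176.124.53 > 64.150.176.124.56524: 28023 NXDomain 0/1/0 (108)
21:36:22.637252 IP 64.150.176.124.61768 > 64.150.176.124.53: 28023+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:35:59.271430 IP 64.150.176.124.59368 > 64.150.176.124.53: 49312+ A? twitter.com. (29)
21:35:59.671350 IP 64.150.176.124.53 > 64.150.176.124.59368: 49312 1/4/4 A 128.121.243.228 (195)
"""

# time, "IP", src.port, ">", dst.port:, query id (+flags), remainder
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\S* (.*)$")


def arpa_to_ip(name):
    """Turn '21.69.246.84.in-addr.arpa.' back into '84.246.69.21'."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def summarize(capture):
    """Per looked-up IP: query count, resolvers asked, answers received."""
    stats = defaultdict(lambda: {"queries": 0, "resolvers": set(), "answers": []})
    pending = {}  # (client port, DNS query id) -> IP being looked up
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, qid, rest = m.groups()
        if dport == "53" and rest.startswith("PTR? "):
            ip = arpa_to_ip(rest.split()[1])
            if ip is None:
                continue
            stats[ip]["queries"] += 1
            stats[ip]["resolvers"].add(dst)  # shows whether 127.0.0.1 was used
            pending[(sport, qid)] = ip
        elif sport == "53" and (dport, qid) in pending:
            ip = pending.pop((dport, qid))
            answer = "NXDomain" if rest.startswith("NXDomain") else rest
            stats[ip]["answers"].append(answer)
    return dict(stats)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s["queries"], sorted(s["resolvers"]), s["answers"])
```
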
 
Yep:

Code:
64-150-176-124# dig @localhost -x 87.248.113.14 +short
f1.us.www.vip.ird.yahoo.com.
64-150-176-124#
 
I understand the reverse of the IP. When I said I am getting a totally different one, I mean completely different, not even in the same netblock.
 
Do you have other services running, like a mailserver? There are a lot of processes querying PTR records, so you may be seeing those. If Apache sees IP addresses and they don't show up in tcpdump on port 53, Apache is not querying PTR records, for whatever reason.
 
Yes, I have other processes running, so I assume it is possible that Apache is not querying at all.

Any idea where to start to figure that out?

What I did find interesting was the reference to twitter.com that is coming from the webpage....there is a twitter link on the main page.....so when it is loading it apparently is querying that, but it never queries for the person querying the page or so it seems.
 
If you're using e.g. a recent version of Firefox: it will prefetch the DNS record for any link it encounters on a web page.

Is your httpd-default.conf actually "Include"d from httpd.conf?

$ grep ^Include /usr/local/etc/apache22/httpd.conf
 
Yes, it is included.

Ok, here is what I am going to do....I am going to completely restart the entire machine...see if that resolves whatever issue I may be having.
 
Ok now we seem to be seeing some things coming through that look better.....but I am too tired to continue tonight. I will follow up on this tomorrow.

Thanks for the assistance....it was and is greatly appreciated.
 