On Aug 10, 2010, at 8:23 AM, Stephen Frost wrote:

> * Peter Eisentraut (pete...@gmx.net) wrote:
>> On mån, 2010-08-09 at 13:56 -0500, Kevin Grittner wrote:
>>> Some IP addresses have several host names, including in reverse
>>> lookup; how is that handled?
>>
>> This is not possible, or at least the C library APIs don't expose it.
>> Compare the getnameinfo() and getaddrinfo() man pages, for example.
>
> Don't know how it happens at a technical level, but I've definitely seen
> it happen before. Particularly with Windows domains where they don't
> have "clean-up reverse DNS" enabled. Manifests itself by having
> different host names show up on successive requests... Evil in any
> case.
Multiple hostnames for a given IP address are supported just fine by the DNS. Some C library APIs support this just fine; others (such as getnameinfo) have been simplified to make them more pleasant to use for the common case of displaying a text representation of an IP address in a friendly manner with simple code, at the expense of actually returning correct data. So getnameinfo() is not suitable for this particular usage. If an IP address has multiple hostnames, then what getnameinfo() will return isn't well-defined (and I believe there's been a trickle of bugs in implementations such that sometimes they won't return any hostname if there are multiple ones configured in the DNS).

Any approach to restrict based on hostnames will either need to just work with forward DNS resolution of hostnames configured in pg_hba.conf to create a list of IP addresses to compare against an incoming connection, or it'll need to use a more general interface to get the reverse DNS of an incoming connection (e.g. gethostbyaddr(), less elegant as that is) before checking forward DNS.

The former approach won't work if we want to support wildcard hostnames ("accept connections from *.example.com"), and that's the only useful functionality that adding hostname based ACLs provides, I think. If we want to do that, we need to use gethostbyaddr() to get all the claimed hostnames via reverse DNS, and for each of those that matches our ACL do a getaddrinfo() to check it resolves to the connecting IP.

This is something that's pretty common to do in the email world, so stealing some robust code from there might be an idea.

Cheers,
Steve

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
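The forward-confirmed reverse DNS check Steve describes (reverse lookup with gethostbyaddr() to collect every claimed name, then getaddrinfo() on each name that matches the ACL to confirm it resolves back to the connecting address), written out as an added example. This is not PostgreSQL code and not part of the thread; the function names, the "*.example.com" pattern syntax, and the resolver hooks are assumptions made for illustration. The resolver is passed in as a pair of function pointers so the same policy logic runs against the real C library calls or against a constructed offline table; the table deliberately includes a PTR name that does not resolve back, which is exactly the case the forward confirmation exists to reject.

```c
/* Added example: forward-confirmed reverse DNS for a hostname ACL entry.
 * Not PostgreSQL code; names and pattern syntax are assumptions. */
#include <arpa/inet.h>
#include <netdb.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <sys/types.h>

#define MAX_NAMES 16
#define NAME_LEN 256
typedef char hostname_t[NAME_LEN];

/* Resolver hooks: the policy logic never calls the C library directly. */
typedef int  (*reverse_lookup_fn)(const char *ip, hostname_t out[], int max);
typedef bool (*forward_confirms_fn)(const char *name, const char *ip);

/* Case-insensitive match of an ACL pattern against a hostname. Only a leading
 * "*." wildcard is supported, and it must cover at least one whole label, so
 * "*.example.com" matches "db1.example.com" but not "example.com". */
bool hostname_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *suffix = pattern + 1;            /* ".example.com" */
        size_t sl = strlen(suffix), hl = strlen(host);
        if (hl <= sl) return false;
        return strcasecmp(host + hl - sl, suffix) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Allow iff some name that reverse DNS claims for ip matches the pattern AND
 * that name resolves forward to ip. A matching name that does not resolve
 * back is ignored, so an untrusted reverse zone alone cannot grant access. */
bool hba_hostname_allows(const char *pattern, const char *ip,
                         reverse_lookup_fn reverse, forward_confirms_fn forward)
{
    hostname_t names[MAX_NAMES];
    int n = reverse(ip, names, MAX_NAMES);
    for (int i = 0; i < n; i++)
        if (hostname_matches(pattern, names[i]) && forward(names[i], ip))
            return true;
    return false;
}

/* Real IPv4 resolvers. gethostbyaddr() hands back the canonical name plus
 * every alias, i.e. all the names the reverse zone claims for the address. */
int reverse_lookup_real(const char *ip, hostname_t out[], int max)
{
    struct in_addr addr;
    if (inet_pton(AF_INET, ip, &addr) != 1) return 0;
    struct hostent *he = gethostbyaddr(&addr, sizeof addr, AF_INET);
    if (!he) return 0;
    int n = 0;
    for (char **a = &he->h_name; *a && n < max; a = (a == &he->h_name) ? he->h_aliases : a + 1) {
        strncpy(out[n], *a, NAME_LEN - 1); out[n][NAME_LEN - 1] = '\0'; n++;
    }
    return n;
}

bool forward_confirms_real(const char *name, const char *ip)
{
    struct addrinfo hints = {0}, *res;
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(name, NULL, &hints, &res) != 0) return false;
    bool ok = false;
    char buf[INET_ADDRSTRLEN];
    for (struct addrinfo *p = res; p && !ok; p = p->ai_next) {
        struct sockaddr_in *sin = (struct sockaddr_in *)p->ai_addr;
        if (inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof buf) && strcmp(buf, ip) == 0)
            ok = true;
    }
    freeaddrinfo(res);
    return ok;
}

/* Constructed offline DNS table (not real data): 192.0.2.10 has two PTR names,
 * one of which has no A record pointing back; 192.0.2.20 is outside the domain. */
struct fake_rr { const char *name; const char *ip; };
static const struct fake_rr FAKE_PTR[] = {
    {"db1.example.com", "192.0.2.10"}, {"admin.example.com", "192.0.2.10"},
    {"host.other.net", "192.0.2.20"} };
static const struct fake_rr FAKE_A[] = {
    {"db1.example.com", "192.0.2.10"}, {"admin.example.com", "198.51.100.7"},
    {"host.other.net", "192.0.2.20"} };

int reverse_lookup_fake(const char *ip, hostname_t out[], int max)
{
    int n = 0;
    for (size_t i = 0; i < sizeof FAKE_PTR / sizeof *FAKE_PTR && n < max; i++)
        if (strcmp(FAKE_PTR[i].ip, ip) == 0) { strncpy(out[n], FAKE_PTR[i].name, NAME_LEN - 1); out[n][NAME_LEN - 1] = '\0'; n++; }
    return n;
}

bool forward_confirms_fake(const char *name, const char *ip)
{
    for (size_t i = 0; i < sizeof FAKE_A / sizeof *FAKE_A; i++)
        if (strcasecmp(FAKE_A[i].name, name) == 0 && strcmp(FAKE_A[i].ip, ip) == 0) return true;
    return false;
}

int main(void)
{
    const char *ips[] = {"192.0.2.10", "192.0.2.20"};
    for (int i = 0; i < 2; i++)
        printf("%s allowed by *.example.com: %s\n", ips[i],
               hba_hostname_allows("*.example.com", ips[i], reverse_lookup_fake, forward_confirms_fake) ? "yes" : "no");
    return 0;
}
```

Swapping `reverse_lookup_fake`/`forward_confirms_fake` for the `_real` pair runs the same policy against the system resolver. Note that the check is only as strong as the forward zone the name's owner controls: it proves the operator of example.com agreed the address belongs to that name, which is the property a hostname ACL actually needs.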