Hello,

I agree, it doesn't make sense to do DNS resolution on proxy IPs.

What I mean is that I do not think it is possible to implement logic in
Tomcat that does the reverse DNS on the IP of the client (or proxy) only if
there is no information in the x-forwarded-for header; this is done in
different sections of the request flow inside Tomcat.

That is why I think that, if the reverse DNS of the IP provided in x-forwarded-for
is implemented, it should be configured using a different attribute than
"enableLookups".

Regards,

Yann Nicolas


2014-02-21 10:11 GMT-06:00 Christopher Schultz <ch...@christopherschultz.net>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Yann,
>
> On 2/21/14, 8:53 AM, Yann Nicolas wrote:
> > Thanks a lot André and Mark,
> >
> > I understand your advice on performance degradation due to reverse
> > DNS. It makes sense to me to disable the lookups at Tomcat level
> > and search for the hostname asynchronously when storing logs (we
> > store audit in DB, then it makes even more sense to do this async). I
> > will probably go for this solution.
> >
> > This is another topic, but as far as I understand (from Java7
> > javadoc), InetAddress is already implementing a cache. But it is
> > not clear to me if it is for hostname resolution (obtain the IP from
> > hostname) or reverse DNS (obtain hostname from IP). Perhaps it
> > makes sense to have our own cache of IP -> host mapping.
> >
> > Anyway, as suggested by Mark, I will create an issue in BugZilla
> > because I think it can make sense in some context to do the reverse
> > DNS lookup in Tomcat natively when using a load balancer. However I
> > am not sure if it should be better to have a new Tomcat attribute
> > for this (like enableRemoteIpLookups) instead of using the
> > attribute enableLookups, because perhaps you do not want to do lookups
> > of the proxies' IP but just the remoteIp (x-forwarded-for).
>
> Honestly, it seems kind of silly to do reverse-lookup on your own load
> balancers: you should know their IP addresses already and there should
> only be a few of them. What's the point in doing DNS resolution on them?
>
> - -chris
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
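
The approach the thread settles on, keeping enableLookups="false" in Tomcat and resolving the x-forwarded-for client IP asynchronously with an application-level IP -> hostname cache when the audit record is written, as an added example; this is not Tomcat code nor code from anyone in the thread. The class name, the executor size and the sample header value are assumptions; the hostname that comes back from a PTR record is data controlled by whoever owns the reverse zone, so it belongs in the audit log as an untrusted, informational field, not as an identity.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Hypothetical helper: reverse DNS of the x-forwarded-for client IP, off the request
 *  thread, with our own cache so we do not depend on the InetAddress cache policy. */
public class AsyncReverseDns {
    private final ExecutorService pool = Executors.newFixedThreadPool(4);
    // IP -> pending/completed hostname lookup. Only the client IP is resolved, never the
    // proxy addresses that follow it in the header (they are our own load balancers).
    private final Map<String, CompletableFuture<String>> cache = new ConcurrentHashMap<>();

    /** Leftmost x-forwarded-for entry is the client as reported by the proxies. Use it
     *  only for requests that actually arrived through your own load balancers
     *  (e.g. after RemoteIpValve has validated the proxy chain); otherwise fall back
     *  to the socket address, since the header is freely settable by the sender. */
    static String clientIp(String xForwardedFor, String remoteAddr) {
        if (xForwardedFor == null || xForwardedFor.trim().isEmpty()) return remoteAddr;
        return xForwardedFor.split(",")[0].trim();
    }

    /** Returns a future that completes with the hostname; the caller never blocks,
     *  and repeated lookups of the same IP share one DNS query. */
    CompletableFuture<String> hostnameFor(String ip) {
        return cache.computeIfAbsent(ip, key -> CompletableFuture.supplyAsync(() -> {
            try {
                // getCanonicalHostName does the PTR lookup and then forward-confirms
                // that the returned name resolves back to this address.
                return InetAddress.getByName(key).getCanonicalHostName();
            } catch (UnknownHostException e) {
                return key; // no PTR record: keep the IP, as Tomcat itself does
            }
        }, pool));
    }

    public static void main(String[] args) throws Exception {
        AsyncReverseDns resolver = new AsyncReverseDns();
        // Constructed sample: client 127.0.0.1 behind one proxy at 10.0.0.5.
        String ip = clientIp("127.0.0.1, 10.0.0.5", "10.0.0.5");
        // The audit writer would attach this future's result when it flushes to the DB.
        System.out.println(ip + " -> " + resolver.hostnameFor(ip).get());
        resolver.pool.shutdown();
    }
}
```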