
With Apache2, or iptables, is there a way to refuse visitors if their IP has no reverse DNS, or does not resolve at all?

I have a website targeted to a specific population that has valid reverse DNS. Some spammers and hackers who do not have a reverse DNS come and try to spam/hack my site.

They get refused/denied by my spam blocker, but I still want to prevent them from accessing my website.

Weboide

4 Answers

5

I wouldn't do this at the Apache level due to the slowness of the DNS queries.

Instead I would do this behind the curtains. For example, put some self-written shell/Perl script to tail the Apache access log, do the DNS queries and, if they fail, just add the IP address to a (temporary) ban list. You could probably do this with fail2ban if you're not willing to write some Perl yourself.

Anyway, be careful! Even some legit visitors might not have a resolvable DNS name.

Janne Pikkarainen
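The tail-the-log approach from this answer, as an added Python example that is not part of the answer or of any project: it pulls the client address from Apache access-log lines, applies a forward-confirmed reverse DNS check (a PTR must exist and its name must resolve back to the address, the same double lookup Apache does for hostname-based access rules) and returns the addresses to hand to a ban list, with an allow list for the local LAN. The resolver functions are injectable, and the sample log and the stub resolver tables are constructed so it runs offline.

```python
import re
import socket
# Apache common/combined log lines begin with the client address.
ACCESS_LINE = re.compile(r"^(\S+) \S+ \S+ \[")
def client_ip(line):
    """Client address from an Apache access-log line, or None if the line does not match."""
    m = ACCESS_LINE.match(line)
    return m.group(1) if m else None
def real_reverse(ip):
    """PTR lookup through the system resolver; None when the address has no reverse DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None
def real_forward(name):
    """A/AAAA lookup; empty list when the name does not resolve."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def has_confirmed_rdns(ip, reverse=real_reverse, forward=real_forward):
    """Forward-confirmed reverse DNS: a PTR must exist and its name must resolve back to ip."""
    name = reverse(ip)
    return bool(name) and ip in forward(name)

def ban_candidates(lines, reverse=real_reverse, forward=real_forward, allow=()):
    """Addresses seen in the log that fail the check; `allow` exempts the local LAN etc."""
    seen, bans, allow = set(), [], set(allow)
    for line in lines:
        ip = client_ip(line)
        if ip and ip not in seen and ip not in allow:
            seen.add(ip)
            if not has_confirmed_rdns(ip, reverse, forward):
                bans.append(ip)
    return bans

# Constructed sample log and stub resolver tables (hypothetical data) so the demo runs offline.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jul/2010:15:01:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.9 - - [31/Jul/2010:15:01:02 +0000] "POST /comment HTTP/1.1" 403 0',
    '192.0.2.77 - - [31/Jul/2010:15:01:03 +0000] "GET /login HTTP/1.1" 200 88',
    '127.0.0.1 - - [31/Jul/2010:15:01:04 +0000] "GET /status HTTP/1.1" 200 12',
]
STUB_PTR = {"203.0.113.5": "host5.example.edu", "192.0.2.77": "claims.example.org"}
STUB_A = {"host5.example.edu": ["203.0.113.5"], "claims.example.org": ["192.0.2.1"]}
stub_reverse = STUB_PTR.get                      # missing key -> None, like a failed PTR lookup
stub_forward = lambda name: STUB_A.get(name, [])  # missing name -> [], like NXDOMAIN

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG, stub_reverse, stub_forward, allow={"127.0.0.1"}))
```

With the real resolvers (the defaults) the same functions run against a live log, and the allow list is where the caveat above about legitimate visitors without reverse DNS gets handled.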
0

You could easily do it in PHP or your favorite language (for PHP: http://php.net/manual/en/function.gethostbyaddr.php). Perhaps if you approve of the visiting client by checking their reverse DNS status you then "log them in" in a similar fashion to a normal username/password login.

Normally .htaccess files or iptables may be a better solution, but since you have a very peculiar request, you may need the flexibility of a scripting language.

Jon Rhoades
0

Several people have pointed out that this is typically a bad idea due to slow DNS resolution. But if you want to do it you can do it with mod_access:

http://httpd.apache.org/docs/2.0/mod/mod_access.html

pehrs
  • Thanks for the link, but you didn't say how. :( – Weboide Jul 31 '10 at 15:01
  • Click the link? You add an allow with the top-level domains you want to allow and a deny all. Then all reverse lookups that fail will block access. – pehrs Aug 05 '10 at 09:03
0

In your statement(s) just add something like:

Order Deny,Allow
Deny from all
Allow from .com .gov .org .edu

You'll want to add your local private LAN, 127.0.0.1, etc...

  • This works, but could get messy fast (especially with the ability to purchase anything you want as a TLD these days). `mod_access` (or doing the lookup in your software rather than Apache) is probably a better choice. – voretaq7 Dec 04 '12 at 17:10