| 1 |
On Sun, 21 Mar 2010, Mark Loeser wrote: |
| 2 |
|
| 3 |
> Please make sure that you have mirrorstats.gentoo.org in your whitelists |
| 4 |
> for your mirrors. It is a CNAME that points to the machine we have |
| 5 |
> monitoring all of the mirrors, so please only check that |
| 6 |
> mirrorstats.gentoo.org resolves to who is connecting. If the IP is blocked |
| 7 |
> by your mirror, it makes our monitoring much more difficult. |
| 8 |
|
| 9 |
Mark, |
| 10 |
|
| 11 |
Does the IP change frequently / at all? What you're asking for is |
| 12 |
atypical... |
| 13 |
|
| 14 |
Access rules for incoming traffic (especially for firewalls) typically |
| 15 |
require an IP address/network and cannot specify a host by the DNS |
| 16 |
hostname. It is probably unhealthy to depend on an external (DNS) query |
| 17 |
before deciding whether to permit or deny a packet. |
| 18 |
|
| 19 |
Access rules running at a higher (application) layer may support DNS |
| 20 |
hostnames, but not in the way you envision. For example, rsyncd.conf(5) |
| 21 |
says hosts.allow can be "a hostname. The hostname as determined by a |
| 22 |
reverse lookup will be matched (case insensitive) against the pattern. |
| 23 |
Only an exact match is allowed in." So, the current IP of 209.177.148.226 |
| 24 |
would resolve to magpie.gentoo.org, and that is the name to be specified. |
| 25 |
|
| 26 |
Apache is even more stringent. Specifying a domain name in an Allow |
| 27 |
directive "will cause Apache to perform a double reverse DNS lookup on the |
| 28 |
client IP address[...]. It will do a reverse DNS lookup on the IP address |
| 29 |
to find the associated hostname, and then do a forward lookup on the |
| 30 |
hostname to assure that it matches the original IP address. Only if the |
| 31 |
forward and reverse DNS are consistent and the hostname matches will |
| 32 |
access be allowed." |
Archives