# Hostname Lookup



## dpalme (Dec 23, 2009)

I have noticed that although hostname lookup is enabled in the apache httpd-default.conf file my logs are still only showing the ip addresses.

I checked the resolv.conf file and I have the following entries:


```
search phx.dedicated.codero.com
nameserver 127.0.0.1
nameserver 64.150.176.124
nameserver 69.64.66.10
```

What else could I be missing?


----------



## DutchDaemon (Dec 23, 2009)

Did you actually restart Apache? And is your nameserver on localhost seeing those queries?


----------



## dpalme (Dec 23, 2009)

I have not changed the settings, they were that way from the start.  Yes, I have restarted apache several times.....


----------



## DutchDaemon (Dec 23, 2009)

Try putting the second nameserver first. The lookups may be timing out, and Apache is not very patient when that happens.


----------



## dpalme (Dec 23, 2009)

Did that, issued a KILLALL -HUP httpd to restart apache and still the same result.

I took the ip address and did an nslookup on it, and it came back immediately with the host name.....

Do I need to restart the name server as well?


----------



## DutchDaemon (Dec 23, 2009)

Please restart Apache the 'normal' way, i.e. `# /usr/local/etc/rc.d/apache22 restart` or `# apachectl graceful/restart`.

If your own nameserver (the localhost one) responds to a `$ dig -x ip.add.re.ss +short` command with a hostname (not every IP address has a hostname), there's no reason why Apache wouldn't get that result as well.


----------



## dpalme (Dec 23, 2009)

Yes it responds with the ip address, and I restarted apache using the restart command, still getting the same results.

Could it be something to do with my DNS server?


----------



## DutchDaemon (Dec 23, 2009)

Whether Apache looks up an IP address, or you do from the same server, both will look in /etc/resolv.conf where to find the DNS server. So if your command-line lookups work, then so should Apache's.

Try `# tcpdump -s 0 -pnli lo0 port 53` to see if and when your DNS gets queried. If you see a log line being added to the Apache log, you should see a packet exchange on localhost:53.


----------



## dpalme (Dec 23, 2009)

Well I ran that from the command line, queried one of the domains and nothing showed up on the screen.....although I am not really sure what I am looking for.

The access_log file shows the hit.


----------



## dpalme (Dec 23, 2009)

Ok something is happening because now I am getting all kinds of hits....

Here is sample:

```
21:29:39.902339 IP 64.150.176.124.56428 > 64.150.176.124.53: 62993+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:39.902541 IP 64.150.176.124.53 > 64.150.176.124.56428: 62993 NXDomain 0/1/0 (88)
21:29:39.903401 IP 64.150.176.124.50823 > 64.150.176.124.53: 62993+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:39.903612 IP 64.150.176.124.53 > 64.150.176.124.50823: 62993 NXDomain 0/1/0 (88)
21:29:40.802249 IP 64.150.176.124.64685 > 64.150.176.124.53: 19680+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:40.802457 IP 64.150.176.124.53 > 64.150.176.124.64685: 19680 NXDomain 0/1/0 (88)
21:29:40.803369 IP 64.150.176.124.57867 > 64.150.176.124.53: 19680+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:40.803577 IP 64.150.176.124.53 > 64.150.176.124.57867: 19680 NXDomain 0/1/0 (88)
21:29:41.569865 IP 64.150.176.124.49255 > 64.150.176.124.53: 55219+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:41.570078 IP 64.150.176.124.53 > 64.150.176.124.49255: 55219 NXDomain 0/1/0 (88)
21:29:41.570984 IP 64.150.176.124.51245 > 64.150.176.124.53: 55219+ PTR? 4.128.108.113.in-addr.arpa. (44)
21:29:41.571192 IP 64.150.176.124.53 > 64.150.176.124.51245: 55219 NXDomain 0/1/0 (88)
```

The Apache logs still only show the IP address though.


----------



## DutchDaemon (Dec 23, 2009)

That is quite possible. The NXdomain signifies that no PTR record was found, so the IP address does not resolve to a hostname. These are not queries on localhost, though. Try putting 127.0.0.1 back at the top of /etc/resolv.conf.


----------



## dpalme (Dec 23, 2009)

No I have not.

/etc/resolv.conf is as follows:


```
search phx.dedicated.codero.com
nameserver 64.150.176.124
nameserver 127.0.0.1
nameserver 69.64.66.10
```


----------



## dpalme (Dec 23, 2009)

This is weird because I restarted the tcpdump command you gave me and requeried one of the domains and now I am getting nothing again.


----------



## dpalme (Dec 23, 2009)

Ok, I logged off and logged back on and tried it again and I got the following:


```
21:35:59.271430 IP 64.150.176.124.59368 > 64.150.176.124.53: 49312+ A? twitter.com. (29)
21:35:59.671350 IP 64.150.176.124.53 > 64.150.176.124.59368: 49312 1/4/4 A 128.121.243.228 (195)
21:35:59.672200 IP 64.150.176.124.53474 > 64.150.176.124.53: 49313+ AAAA? twitter.com. (29)
21:35:59.683878 IP 64.150.176.124.53 > 64.150.176.124.53474: 49313 0/1/0 (101)
21:36:17.836086 IP 64.150.176.124.56524 > 64.150.176.124.53: 28023+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:17.853354 IP 64.150.176.124.55220 > 64.150.176.124.53: 49185+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:19.474482 IP 64.150.176.124.50299 > 64.150.176.124.53: 7708+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:20.132784 IP 64.150.176.124.61257 > 64.150.176.124.53: 12803+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.635179 IP 64.150.176.124.53 > 64.150.176.124.56524: 28023 NXDomain 0/1/0 (108)
21:36:22.635573 IP 64.150.176.124.53 > 64.150.176.124.55220: 49185 NXDomain 0/1/0 (108)
21:36:22.635920 IP 64.150.176.124.53 > 64.150.176.124.50299: 7708 NXDomain 0/1/0 (108)
21:36:22.636263 IP 64.150.176.124.53 > 64.150.176.124.61257: 12803 NXDomain 0/1/0 (108)
21:36:22.637252 IP 64.150.176.124.61768 > 64.150.176.124.53: 28023+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.637860 IP 64.150.176.124.63095 > 64.150.176.124.53: 49185+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.638530 IP 64.150.176.124.58129 > 64.150.176.124.53: 7708+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.639123 IP 64.150.176.124.63343 > 64.150.176.124.53: 12803+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.639416 IP 64.150.176.124.53 > 64.150.176.124.61768: 28023 NXDomain 0/1/0 (108)
21:36:22.640674 IP 64.150.176.124.53 > 64.150.176.124.63095: 49185 NXDomain 0/1/0 (108)
21:36:22.641883 IP 64.150.176.124.53 > 64.150.176.124.58129: 7708 NXDomain 0/1/0 (108)
21:36:22.643083 IP 64.150.176.124.53 > 64.150.176.124.63343: 12803 NXDomain 0/1/0 (108)
```

What is weird is I am getting a totally different ip logged to the access log.


----------



## DutchDaemon (Dec 23, 2009)

Does `dig @localhost -x 87.248.113.14 +short` give you a result? It should if your DNS server runs like it should.


----------



## DutchDaemon (Dec 23, 2009)

The IP addresses are reversed. That's how PTR records are queried.
21.69.246.84.in-addr.arpa. == 84.246.69.21


----------
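Added example, not part of the original thread: a small Python parser for tcpdump output in the format posted above. It pairs each PTR query with its reply by client socket and transaction ID, undoes the in-addr.arpa reversal, and reports whether each client IP resolved, returned NXDomain, or got no reply. The function names are hypothetical, and only the first two sample lines come from the thread; the last three are constructed.

```python
import ipaddress
import re

# Lines 1-2 are copied from the capture in the thread; lines 3-5 are constructed.
SAMPLE = """\
21:36:17.836086 IP 64.150.176.124.56524 > 64.150.176.124.53: 28023+ PTR? 21.69.246.84.in-addr.arpa. (43)
21:36:22.635179 IP 64.150.176.124.53 > 64.150.176.124.56524: 28023 NXDomain 0/1/0 (108)
21:36:30.000100 IP 127.0.0.1.40000 > 127.0.0.1.53: 4242+ PTR? 14.113.248.87.in-addr.arpa. (44)
21:36:30.000900 IP 127.0.0.1.53 > 127.0.0.1.40000: 4242 1/0/0 PTR f1.us.www.vip.ird.yahoo.com. (85)
21:36:31.000000 IP 127.0.0.1.40001 > 127.0.0.1.53: 4243+ PTR? 9.2.0.192.in-addr.arpa. (40)
"""

QUERY = re.compile(r"IP (\S+) > \S+\.53: (\d+)\S* (?:\[\S+\] )?PTR\? (\S+)")
REPLY = re.compile(r"IP \S+\.53 > (\S+): (\d+)\S* (.*)")

def ptr_name_to_ip(name):
    """Turn '21.69.246.84.in-addr.arpa.' back into '84.246.69.21' (IPv4 only)."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))

def summarize(capture):
    """Map each looked-up IP to a hostname, 'NXDomain' or 'no reply seen'."""
    pending = {}   # (client ip.port, transaction id) -> IP being looked up
    results = {}
    for line in capture.splitlines():
        q = QUERY.search(line)
        if q:
            try:
                ip = ptr_name_to_ip(q.group(3))
            except ValueError:
                continue  # e.g. ip6.arpa names, not handled in this example
            pending[(q.group(1), q.group(2))] = ip
            results.setdefault(ip, "no reply seen")
            continue
        r = REPLY.search(line)
        if r and (r.group(1), r.group(2)) in pending:
            ip = pending.pop((r.group(1), r.group(2)))
            host = re.search(r"PTR (\S+)", r.group(3))
            if r.group(3).startswith("NXDomain"):
                results[ip] = "NXDomain"  # no PTR record exists for this IP
            else:
                results[ip] = host.group(1) if host else "other reply"
    return results

if __name__ == "__main__":
    for ip, outcome in summarize(SAMPLE).items():
        print(f"{ip:15}  {outcome}")
```

An IP that shows up in the access log but never appears in this summary was not looked up on the captured interface at all, which is the case the thread is trying to distinguish from a failed lookup.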



## dpalme (Dec 23, 2009)

Yep:


```
64-150-176-124# dig @localhost -x 87.248.113.14 +short
f1.us.www.vip.ird.yahoo.com.
64-150-176-124#
```


----------



## dpalme (Dec 23, 2009)

I understand the reverse of the ip, when I said I am getting a totally different one, I mean completely different, not even in the same netblock.


----------



## dpalme (Dec 23, 2009)

This makes absolutely no sense at all.


----------



## DutchDaemon (Dec 23, 2009)

Do you have other services running, like a mailserver? There are a lot of processes querying PTR records, so you may be seeing those. If Apache sees IP addresses and they don't show up in tcpdump on port 53, Apache is not querying PTR records, for whatever reason.


----------



## dpalme (Dec 23, 2009)

Yes I have other processes running, so I assume it is possible that apache is not querying at all.

Any idea where to start to figure that out?

What I did find interesting was the reference to twitter.com that is coming from the webpage....there is a twitter link on the main page.....so when it is loading it apparently is querying that, but it never queries for the person querying the page or so it seems.


----------



## DutchDaemon (Dec 23, 2009)

If you're using e.g. a recent version of Firefox: it will prefetch the DNS record for any link it encounters on a web page.

Is your httpd-default.conf actually "Include"d from httpd.conf?

`$ grep ^Include /usr/local/etc/apache22/httpd.conf`


----------



## dpalme (Dec 23, 2009)

I will double check it but I do believe it is.


----------



## dpalme (Dec 23, 2009)

Yes, it is included.

Ok, here is what I am going to do....I am going to completely restart the entire machine...see if that resolves whatever issue I may be having.


----------



## dpalme (Dec 23, 2009)

Ok now we seem to be seeing some things coming through that look better.....but I am too tired to continue tonight.  I will follow up on this tomorrow.

Thanks for the assistance....it was and is greatly appreciated.


----------



## dpalme (Dec 24, 2009)

Well, after a hard reboot, everything seems to now be working.  NO other changes were made so I have no idea what was going on..... oh well, chalk it up to a gremlin apparently.

Thanks for the help......

Douglas


----------

