Apache started to resolve IP addresses to their canonical names in the raw access logs on November 25, 2017

2 replies [Last post]
amenex
Offline
Joined: 01/03/2015

My ISP uses Apache-controlled servers. My cPanel Raw Access logs contained IPV4 addresses exclusively until November 25, whereupon the server software began resolving those IPV4 addresses to their canonical names. That change rendered their server data irretrievable, but for the Internet history of the servers, which I can for the most part still retrieve with Dig (installed for Trisquel as "DNS Query Tool" (homepage: http://jodrell.net/projects/gresolver) or with another popular Internet search tool.

For some canonical names, especially the ones ending in ...example.com, many Dig resolutions are to 92.242.140.21, which is a UK error handling site, essentially useless for discovering the original IP address of the site requesting HEAD / HTTP data from my domain. A few .RU canonical names are similarly irretrievable or resolve to a number of servers, hiding the folks who have no other interest in the data on my site, and who are still attempting HEAD / HTTP requests in spite of being blocked with my domain's .htaccess file.

As the IPV4's and their servers have been requesting HEAD / HTTP data since September, 2016 through intermediate .RU, .LV and .NL domain URL's with no useful results, they are probably pestering other domains also. Apache's recent S/W change makes it more difficult to track their IP addresses and servers.

George Langford

amenex
Offline
Joined: 01/03/2015

Starting to answer my own question; it turns out that Apache's access log setting for HostnameLookup has been changed from |off| to |on| as of November 25, 2017.

To make that determination, I started here:
https://httpd.apache.org/docs/1.3/logs.html.

My access logs are following the syntax described here:
https://httpd.apache.org/docs/1.3/logs.html#combined.

The HostnameLookup settings are described here:
https://httpd.apache.org/docs/1.3/mod/core.html#hostnamelookups.

It would appear that the HostnameLookup settings are not under my control, so it is becoming a matter of getting the attention of my ISP's support staff and explaining the [unforeseen [?] consequences of the change, which actually slows down the performance of their server[s?] as well as obfuscating the malevolent servers that the change has started to obfuscate.

George Langford

amenex
Offline
Joined: 01/03/2015

[Solved]
On December 6th I wrote to Security at cPanel about the referenced situation,
and within a matter of hours my domain's Recent Visitor logs stopped showing
canonical names and reverted to the requestors' IP addresses.

George Langford