This article explains how to enable reverse Domain Name System (DNS) lookup for all versions of Internet Information Services (IIS).
When reverse DNS lookups are enabled on the web server, the IP address of each web client that connects to the IIS server is resolved to a DNS name, and the DNS name instead of the web client IP address is placed in the IIS log files. Enabling reverse DNS also affects what CGI and ISAPI extensions see as a value of the Remote_Host variable.
Microsoft KB article 297795 gives a step-by-step demonstration of how to enable RDNS for IIS4, IIS5 and IIS6, but all you need to do is run the following in a command prompt from the ADScripts folder:

For IIS4 run:

    adsutil set w3svc/EnableReverseDNS TRUE

For IIS5 and IIS6 run:

    cscript adsutil.vbs set /w3svc/EnableReverseDNS "TRUE"

In IIS7, you must install the IP and Domain Restrictions role service for the Web Server (IIS) role. You can do this in Server Manager or from the command line using the following command:

    ServerManagerCMD -install Web-IP-Security

In Windows Server 2008 R2, the ServerManagerCMD.exe program is deprecated and has been replaced with the ServerManager PowerShell cmdlets. The following two cmdlets are used to install the IP and Domain Restrictions role service:

    Import-Module ServerManager
    Add-WindowsFeature Web-IP-Security

Now that the role service is installed, you can configure reverse DNS lookups, as follows:
- Open Internet Information Services (IIS) Manager.
- Navigate to the Server Name in the Connections pane. If you only want to enable reverse lookups on a particular website, navigate to that website.
- Double-click IP Address and Domain Restrictions in the center pane and click Edit Feature Settings in the Actions pane.
- Put a checkmark in Enable domain name restrictions and click OK.
Restricting access by domain name requires a DNS reverse lookup on each connection. This is a very expensive operation and will dramatically affect server performance. Are you sure you want to enable restrictions based on domains?

Clicking Yes will enable reverse lookups for all clients connecting to the web server. I have not noticed any more than a 1-2% increase in CPU performance and the websites are just as performant as before.
Each of these changes goes into effect immediately. There is no need to restart IIS.
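The IIS Manager steps above can also be scripted. The following is an added example, not part of the original post: it sets the `enableReverseDns` attribute of the `system.webServer/security/ipSecurity` section with the WebAdministration module and reads the value back. It assumes an elevated PowerShell session on the web server; the function name `Enable-IisReverseDns` is hypothetical and the site name is a constructed sample.

```powershell
# Added example: scripted equivalent of the IIS Manager steps (IIS 7 and later).
# Assumes an elevated PowerShell session on the web server.
Import-Module ServerManager
Import-Module WebAdministration

function Enable-IisReverseDns {   # hypothetical helper name
    param(
        # Site name as shown in IIS Manager; omit to configure the whole server.
        [string]$SiteName
    )

    # The ipSecurity section only exists once the role service is installed.
    if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
        Add-WindowsFeature Web-IP-Security | Out-Null
    }

    # By default the ipSecurity section cannot be overridden in a site's
    # web.config, so write to applicationHost.config and scope a per-site
    # setting with -Location instead.
    $target = @{
        PSPath = 'MACHINE/WEBROOT/APPHOST'
        Filter = 'system.webServer/security/ipSecurity'
        Name   = 'enableReverseDns'
    }
    if ($SiteName) {
        if (-not (Get-Website | Where-Object { $_.Name -eq $SiteName })) {
            throw "Site '$SiteName' not found."
        }
        $target.Location = $SiteName
    }

    Set-WebConfigurationProperty @target -Value $true

    # Read the value back so the change is confirmed rather than assumed.
    (Get-WebConfigurationProperty @target).Value
}

Enable-IisReverseDns                                # server-wide
Enable-IisReverseDns -SiteName 'Default Web Site'   # constructed site name
```

Each call returns `True` when the setting has been applied at the chosen scope.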
Jeff, this is a really good blog post for enhancing the readability of the log files.
But what about Web Stat analysis software which tries to handle the reverse lookup by itself? Do you have any experience with whether enabling the reverse lookup on the IIS side breaks the import of IIS log files by the analysis software?
T.
Thanks, Thomas. It depends on whether the Web Stat software uses the IIS logs for analysis or generates its own logs. SurfControl, for example, doesn't read the IIS logs, so there would be no impact.