cs-host, host header and destination

Discussion:

(too old to reply)

Paul

2004-03-04 17:11:15 UTC

Hi,
I have always thought that the destination for a request was determined by
the contents of the host header and thus the cs-host field in the logs. I
expected to see either my websites IP address or a domain name that resolved
to my IP address. I have been seeing both domain names that do not resolve
to my IP address as well as NULL values in this field a small percentage of
the time. If this means that this field does not determine the destination,
how is a request routed to my website? What is this called so I can do a
search and find out more about how requests get routed to my website?
I do not own the web server, I use a web presents provider. They either do
not understand the question, don't know the answer or are deliberately not
telling me for some reason.
If I am using the wrong terminology or if there is a better terminology I
should be using, I would be grateful if you would provide that as well.
Thanks,
Paul Coleman

Paul

2004-03-05 16:12:55 UTC

Permalink

Hi,
I was about to give up posting this question at this group as no one
responded, so I though there was no one knowledgeable about this here. I
see that Kristofer Gafvert responded to a recent post about Host Headers so
I still have hope I can strike up a dialog.
My main concern with posting this question is that I am seeing IIS log
records for my web site that has a domain name in the cs-host field that
does not resolve to my IP address. I also see some records that have a NULL
value in this field. I am trying to understand how this could happen. Any
description or even URLs that point to a description that would help me
understand this would be appreciated.
Paul Coleman

Post by Paul
Hi,
I have always thought that the destination for a request was determined by
the contents of the host header and thus the cs-host field in the logs. I
expected to see either my websites IP address or a domain name that resolved
to my IP address. I have been seeing both domain names that do not resolve
to my IP address as well as NULL values in this field a small percentage of
the time. If this means that this field does not determine the destination,
how is a request routed to my website? What is this called so I can do a
search and find out more about how requests get routed to my website?
I do not own the web server, I use a web presents provider. They either do
not understand the question, don't know the answer or are deliberately not
telling me for some reason.
If I am using the wrong terminology or if there is a better terminology I
should be using, I would be grateful if you would provide that as well.
Thanks,
Paul Coleman

Kristofer Gafvert

2004-03-05 19:30:24 UTC

Permalink

Okay, let me explain this a bit, and this might be why you see this.

The CS-Host field is sent by the client. It is possible for the client to
fake this (for privacy for example, not that this is dangerous to give
out...). If the server is configured with host headers only, i dont think
that this is possible (but not completely sure).

So, let's try this with telnet. server.com is any way to make a connection
to the server (domain name, or IP)

telnet server.com 80 <enter>
GET /default.html HTTP/1.1 <enter>
Host: fakeHost.com <enter>
<enter><enter>

Now, if you look in the log file (wait until this is logged), you will see
someone "accessing the site" using fakeHost.com. This is not really true,
the client just sended the Host fakeHost.com

Everything in the logfile starting with CS is something sent from the
client, to the server. This information can be faked, and the referer is the
most common faked header. If you see these strange Host together with a
strange referer, then it is almost for sure that an add-in for the client
did this.

If the client did not send a Host, nothing is logged (except for the dash
(-)) in the logfile.

Does this explain what you are seeing? It sounds that this doesn't happen
too often, so i do not think that something is wrong with IIS.

So, to sum up:

CS-Host does not necessary have to have something to do with the actual
host. It is just the Host field sent by the client, to the server (and there
were already a connection to the server when this information was sent).
--
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
www.ilopia.com - FAQ and Tutorials for Windows Server 2003

Paul

2004-03-06 20:32:16 UTC

Permalink

Hi Kristofer,
This reflects what I am seeing in the logs, thanks for showing me how it
could be done. I can understand why someone would want to cloak their
sending information, I just can't imagine why anyone would want to cloak the
destination. The resources they where after where questionable, so it
raised my concerns as to what was happening. Just so I can try to
understand how it actually does get routed, could you provide me with some
keywords, like what the area and/or field is called so I can do a search and
find out how it does work. You can explain it here if you would like, I
seem to be able to understand the way you explain things.
Thanks,
Paul Coleman

Post by Kristofer Gafvert
Okay, let me explain this a bit, and this might be why you see this.
The CS-Host field is sent by the client. It is possible for the client to
fake this (for privacy for example, not that this is dangerous to give
out...). If the server is configured with host headers only, i dont think
that this is possible (but not completely sure).
So, let's try this with telnet. server.com is any way to make a connection
to the server (domain name, or IP)
telnet server.com 80 <enter>
GET /default.html HTTP/1.1 <enter>
Host: fakeHost.com <enter>
<enter><enter>
Now, if you look in the log file (wait until this is logged), you will see
someone "accessing the site" using fakeHost.com. This is not really true,
the client just sended the Host fakeHost.com
Everything in the logfile starting with CS is something sent from the
client, to the server. This information can be faked, and the referer is the
most common faked header. If you see these strange Host together with a
strange referer, then it is almost for sure that an add-in for the client
did this.
If the client did not send a Host, nothing is logged (except for the dash
(-)) in the logfile.
Does this explain what you are seeing? It sounds that this doesn't happen
too often, so i do not think that something is wrong with IIS.
CS-Host does not necessary have to have something to do with the actual
host. It is just the Host field sent by the client, to the server (and there
were already a connection to the server when this information was sent).
--
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
www.ilopia.com - FAQ and Tutorials for Windows Server 2003

Post by Paul
Hi,
I have always thought that the destination for a request was determined by
the contents of the host header and thus the cs-host field in the logs.

Post by Kristofer Gafvert

Post by Paul
expected to see either my websites IP address or a domain name that

resolved

Post by Paul
to my IP address. I have been seeing both domain names that do not

resolve

Post by Paul
to my IP address as well as NULL values in this field a small percentage

Post by Paul
the time. If this means that this field does not determine the

destination,

Post by Paul
how is a request routed to my website? What is this called so I can do a
search and find out more about how requests get routed to my website?
I do not own the web server, I use a web presents provider. They either

Post by Paul
not understand the question, don't know the answer or are deliberately not
telling me for some reason.
If I am using the wrong terminology or if there is a better terminology I
should be using, I would be grateful if you would provide that as well.
Thanks,
Paul Coleman

Kristofer Gafvert

2004-03-06 21:55:46 UTC

Permalink

Hello,

See if this can help you understand:

http://www.ilopia.com/temp/clientToServer.html

What i think that you are looking for is information about how the
communication between a webbrowser and client is done, and then how that
request is handled by the server, and the response back. So keywords would
be:

communication webserver client webbrowers

I have however not found much information about this in any IIS books (but i
haven't looked that hard for it either). I think that this is covered more
by programming books, since it is of more value to programmers to know how
this is done.
--
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
www.ilopia.com - FAQ and Tutorials for Windows Server 2003

Post by Paul
Hi Kristofer,
This reflects what I am seeing in the logs, thanks for showing me how it
could be done. I can understand why someone would want to cloak their
sending information, I just can't imagine why anyone would want to cloak the
destination. The resources they where after where questionable, so it
raised my concerns as to what was happening. Just so I can try to
understand how it actually does get routed, could you provide me with some
keywords, like what the area and/or field is called so I can do a search and
find out how it does work. You can explain it here if you would like, I
seem to be able to understand the way you explain things.
Thanks,
Paul Coleman

the

Post by Kristofer Gafvert
most common faked header. If you see these strange Host together with a
strange referer, then it is almost for sure that an add-in for the client
did this.
If the client did not send a Host, nothing is logged (except for the dash
(-)) in the logfile.
Does this explain what you are seeing? It sounds that this doesn't happen
too often, so i do not think that something is wrong with IIS.
CS-Host does not necessary have to have something to do with the actual
host. It is just the Host field sent by the client, to the server (and

there

Post by Kristofer Gafvert
were already a connection to the server when this information was sent).
--
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but

please

Post by Kristofer Gafvert
do not.
www.ilopia.com - FAQ and Tutorials for Windows Server 2003

Post by Paul
Hi,
I have always thought that the destination for a request was

determined

Post by Paul
by

Post by Kristofer Gafvert

Post by Paul
the contents of the host header and thus the cs-host field in the logs.

Post by Kristofer Gafvert

Post by Paul
expected to see either my websites IP address or a domain name that

resolved

Post by Paul
to my IP address. I have been seeing both domain names that do not

resolve

Post by Paul
to my IP address as well as NULL values in this field a small percentage

Post by Paul
the time. If this means that this field does not determine the

destination,

Post by Paul
how is a request routed to my website? What is this called so I can

Post by Paul
a

Post by Kristofer Gafvert

Post by Paul
search and find out more about how requests get routed to my website?
I do not own the web server, I use a web presents provider. They either

Post by Paul
not understand the question, don't know the answer or are deliberately

not

Post by Kristofer Gafvert

Post by Paul
telling me for some reason.
If I am using the wrong terminology or if there is a better

terminology

Post by Paul
I

Post by Kristofer Gafvert

Post by Paul
should be using, I would be grateful if you would provide that as well.
Thanks,
Paul Coleman

Paul

2004-03-07 01:27:53 UTC

Permalink

Hi Kristofer,
That is a great explanation and it raises a new question. First, I was more
looking for how, in the example you gave "telnet server.com 80 <enter>",
that "server.com" was passed as the destination and what the area of the
packet (if that is the correct term) was called and more specificly what the
name of the field is called. Also if this information or field is avalable
to be included in the IIS logs.

We connected to the server www.ilopia.com on port 80, which was looked up

to be 217.208.8.97. >We then sent a request for the page index.html and the
Host Header information was >www.microsoft.com. The webserver does not care
if the domain name www.microsoft.com is looked >up to be the same IP as the
webserver. What the webserver only care about is that there was a >request
for this Host, so it is either on the WebServer, or not. It does not try to
look it up in any way, >using external resources. And since I have a Host
Header for www.microsoft.com on this server, the >client got back a page!

It says "since I have a Host Header for www.microsoft.com on this server"
and I was wondering where and how that was set in IIS.

Thanks,
Paul Coleman

Hello,
http://www.ilopia.com/temp/clientToServer.html
What i think that you are looking for is information about how the
communication between a webbrowser and client is done, and then how that
request is handled by the server, and the response back. So keywords would
communication webserver client webbrowers
I have however not found much information about this in any IIS books (but i
haven't looked that hard for it either). I think that this is covered more
by programming books, since it is of more value to programmers to know how
this is done.
--
Regards,
Kristofer Gafvert - IIS MVP
Reply to newsgroup only. Remove NEWS if you must reply by email, but please
do not.
www.ilopia.com - FAQ and Tutorials for Windows Server 2003

the

Post by Paul
destination. The resources they where after where questionable, so it
raised my concerns as to what was happening. Just so I can try to
understand how it actually does get routed, could you provide me with some
keywords, like what the area and/or field is called so I can do a search

and

Post by Paul
find out how it does work. You can explain it here if you would like, I
seem to be able to understand the way you explain things.
Thanks,
Paul Coleman

Post by Kristofer Gafvert
Okay, let me explain this a bit, and this might be why you see this.
The CS-Host field is sent by the client. It is possible for the client