Posted to users@httpd.apache.org by Mike -- EMAIL IGNORED <m_...@yahoo.com> on 2009/08/23 02:31:25 UTC

[users@httpd] Proposal to Optionally Block DNS

I propose this upgrade to Apache:

  Options +NoDNS

Prevents Apache from initiating DNS activity for
any reason.

I am now running my server with all DNS blocked
by iptables.  Performance is thereby substantially
improved.  Fortunately, I usually don't need DNS
for anything else on that box.

Mike.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Proposal to Optionally Block DNS

Posted by Evan Platt <ev...@espphotography.com>.
At 11:37 AM 8/24/2009, you wrote:
>Since I have not looked at Apache source code, for me
>this would be at least several hours work, if not
>several days.  For someone into the source code, I
>expect it to take a few minutes, to an hour or two,
>depending on structure.  I would hope that such a
>person might submit a patch.

I can say with almost 100% certainty, from a few years of QA work and 
12+  years of end user support, 2nd level support, and above, that a 
small change never takes 'just a few minutes' or 'just an hour'. And 
said change almost NEVER can be made without breaking 4 or 5 other things.

Unfortunately, you never really realize the small change you made 
broke those 5 other things until months later. 




Re: [users@httpd] Re: Proposal to Optionally Block DNS

Posted by Nick Kew <ni...@webthing.com>.
André Warnier wrote:
> Mike -- EMAIL IGNORED wrote:
>>   I would hope that such a
>> person might submit a patch.
>>
> 
> Some elements maybe to enlighten you, from someone who is, like you, a 
> grateful (?) user of Apache httpd, and not a contributor of code.

It's fair enough that he makes a request for enhancement.  There are
lots of them in Bugzilla, and sometimes one gets implemented.
Very occasionally a mailinglist or IRC request leads to a new feature!

If you want it more urgently than that, you have the option to
pay a developer to do the work for you.  I used to be available
for that kind of task myself, and implemented Apache changes
ranging from tiny fixes up to substantial modules for a range
of clients.

-- 
Nick Kew



Re: [users@httpd] Re: Proposal to Optionally Block DNS

Posted by André Warnier <aw...@ice-sa.com>.
Mike -- EMAIL IGNORED wrote:
> On Mon, 24 Aug 2009 10:57:45 -0700, Aaron Turner wrote:
> 
> [...]
>> I believe Eric was agreeing with Tom's sentiment.   Ie: If you think
>> this is worthwhile, please feel free to submit a patch adding this
>> feature.
> 
> Since I have not looked at Apache source code, for me
> this would be at least several hours work, if not
> several days.  For someone into the source code, I
> expect it to take a few minutes, to an hour or two,
> depending on structure.  I would hope that such a
> person might submit a patch.
> 

Some elements maybe to enlighten you, from someone who is, like you, a 
grateful (?) user of Apache httpd, and not a contributor of code.

As you probably know, Apache httpd is an open source project, and also 
free software.  Basically it means that it is being written by people 
who are not being paid for the time they spend writing it.
Considering that Apache httpd is being used successfully on literally 
hundreds of thousands of websites worldwide, one would also have to 
admit that these people are competent and know what they are doing.
It also means that you get the result, a piece of software that manages 
hundreds of thousands of websites worldwide and has cost thousands of 
man-hours of work, entirely for free.

Apache httpd is being improved somewhat over time by people who submit 
suggestions, but mainly by people who follow-up these suggestions by 
contributing what is known as a "patch" (a code modification) 
implementing their suggestion.
Such a suggestion, when accompanied by a patch, tends to be taken more 
seriously by the Apache httpd code contributors, than a mere (relatively 
gratuitous) suggestion on a user's mailing list.  It is taken more 
seriously, because it shows that the person who made the suggestion, at 
least looked at the code, understood it to some extent, made some 
change, tested it, and found it to have some benefit and no obvious 
nefarious consequences.
If you are really a programmer, you will understand the world of 
difference between this, and merely making a suggestion on a mailing 
list, based on one particular situation, unverified and uncorroborated 
by anyone else.

The way I personally understand your last paragraph above however, it 
seems to imply that based on the inherent worth of your insight, you 
somehow expect everyone to be in awe, and someone else to do the rest of 
the work for you.
That is not how open source projects work, and certainly not Apache 
httpd, where any apparently harmless change could ruin the day of 10,000 
website administrators.

I am not saying that your suggestion is without merit.  But although I 
am a mere Apache user, knowing how central DNS is to the entire fabric 
and function of the WWW, I would myself expect quite a bit more "backup" 
to such a suggestion, before I even spent some time trying to figure out 
what benefits it could bring, and what other consequences it might have.
Wow, if this option was set in the Apache main configuration, should it 
automatically be inherited by all Virtual Hosts?  Does it mean that SSL 
would not work anymore?  What about "Allow from mycompany.com"?  What if 
some embedded mod_perl or mod_php application tries to do a DNS lookup 
via an Apache library call?

Does the above provide some insight as to the tongue-in-cheek answers 
you have been getting so far ?




[users@httpd] Re: Proposal to Optionally Block DNS

Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Mon, 24 Aug 2009 10:57:45 -0700, Aaron Turner wrote:

[...]
> I believe Eric was agreeing with Tom's sentiment.   Ie: If you think
> this is worthwhile, please feel free to submit a patch adding this
> feature.

Since I have not looked at Apache source code, for me
this would be at least several hours work, if not
several days.  For someone into the source code, I
expect it to take a few minutes, to an hour or two,
depending on structure.  I would hope that such a
person might submit a patch.

Mike.




Re: [users@httpd] Re: Proposal to Optionally Block DNS

Posted by Aaron Turner <sy...@gmail.com>.
On Mon, Aug 24, 2009 at 9:36 AM, Mike -- EMAIL
IGNORED<m_...@yahoo.com> wrote:
> On Mon, 24 Aug 2009 11:32:17 -0400, Eric Covener wrote:
>
>> On Mon, Aug 24, 2009 at 4:25 AM, Tom Evans<te...@googlemail.com>
>> wrote:
>>> On Sun, 2009-08-23 at 00:31 +0000, Mike -- EMAIL IGNORED wrote:
>>>> I propose this upgrade to Apache:
>>>>
>>>>   Options +NoDNS
>>>
>>> I think your mailer dropped your patch, can you resend?
>>
>> golf-clapping this one.
>
> So far, this is the only response I have received even though
> the indents indicate that there was another.  It could be one
> of my banned authors.

If you read the email, it should be clear Eric was replying to Tom who
replied to you.  I don't know your list of banned authors.

> In any case:
>
>  I do not know what "patch" is meant.

I found this via Google: http://en.wikipedia.org/wiki/Patch_(computing)

>  I am not familiar with the term "golf-clap", so I
>  looked it up.  I found two meanings: one would
>  indicate support, and the other would indicate
>  disdain.
>
> Nothing like lucid communication.

I believe Eric was agreeing with Tom's sentiment.   Ie: If you think
this is worthwhile, please feel free to submit a patch adding this
feature.

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin



[users@httpd] Re: Proposal to Optionally Block DNS

Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Mon, 24 Aug 2009 11:32:17 -0400, Eric Covener wrote:

> On Mon, Aug 24, 2009 at 4:25 AM, Tom Evans<te...@googlemail.com>
> wrote:
>> On Sun, 2009-08-23 at 00:31 +0000, Mike -- EMAIL IGNORED wrote:
>>> I propose this upgrade to Apache:
>>>
>>>   Options +NoDNS
>>
>> I think your mailer dropped your patch, can you resend?
> 
> golf-clapping this one.

So far, this is the only response I have received even though
the indents indicate that there was another.  It could be one
of my banned authors.

In any case:

  I do not know what "patch" is meant.

  I am not familiar with the term "golf-clap", so I
  looked it up.  I found two meanings: one would
  indicate support, and the other would indicate
  disdain.

Nothing like lucid communication.

Mike.




Re: [users@httpd] Proposal to Optionally Block DNS

Posted by Eric Covener <co...@gmail.com>.
On Mon, Aug 24, 2009 at 4:25 AM, Tom Evans<te...@googlemail.com> wrote:
> On Sun, 2009-08-23 at 00:31 +0000, Mike -- EMAIL IGNORED wrote:
>> I propose this upgrade to Apache:
>>
>>   Options +NoDNS
>
> I think your mailer dropped your patch, can you resend?

golf-clapping this one.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Proposal to Optionally Block DNS

Posted by Tom Evans <te...@googlemail.com>.
On Sun, 2009-08-23 at 00:31 +0000, Mike -- EMAIL IGNORED wrote:
> I propose this upgrade to Apache:
> 
>   Options +NoDNS
> 
> Prevents Apache from initiating DNS activity for
> any reason.
> 
> I am now running my server with all DNS blocked
> by iptables.  Performance is thereby substantially
> improved.  Fortunately, I usually don't need DNS
> for anything else on that box.
> 
> Mike.
> 
> 

I think your mailer dropped your patch, can you resend?

Cheers

Tom




[users@httpd] Re: Proposal to Optionally Block DNS

Posted by Mike -- EMAIL IGNORED <m_...@yahoo.com>.
On Mon, 24 Aug 2009 17:27:06 -0700, J. Greenlees wrote:

> I propose this upgrade to Apache:
> Mike -- EMAIL IGNORED wrote:

[...]

> and using:
> #
> # HostnameLookups: Log the names of clients or just their IP addresses
> # e.g., www.apache.org (on) or 204.62.129.132 (off).
> # The default is off because it'd be overall better for the net if people
> # had to knowingly turn this feature on, since enabling it means that
> # each client request will result in AT LEAST one lookup request to the
> # nameserver.
> #
> HostnameLookups Off
> 
> that is already supported fails to meet your needs how?
> 
> Jaqui
> 
> 
>
Thanks, I was not aware of this.  It almost explains what I have seen,
namely DNS activity greatly increased when I started using https.  But
not quite.  The Apache documentation for HostnameLookups indicates that
DNS lookups will occur in any case if mod_authz_host is in use.  In my case,
"Allow from" is used, but only with "none", "all" and partial IP
addresses referring to the LAN.  Most notably, this use of mod_authz_host
did not change (at least by me) when I began using https.  I presume,
therefore, that something else in https caused the change, although
I can't be sure of this because I did make substantial structural
changes to httpd.config.

I therefore revise my suggestion as follows:

   HostnameLookups Never

Simpliciter; use with caution.

Mike.
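The "Allow from mycompany.com" question André raises and the HostnameLookups / mod_authz_host behaviour Mike describes above come down to one practical check: which directives in a given httpd.conf will make the server resolve names at all. The following is an added example, not code from this thread or from the Apache httpd project. It is a small audit script that encodes only what the httpd documentation states: `HostnameLookups On` or `Double` triggers a reverse lookup per request, and `Allow from`/`Deny from` (httpd 2.2) with a hostname argument forces a double-reverse lookup per request in that context even when HostnameLookups is Off, whereas IP addresses, CIDR blocks, partial dotted quads, `all`, `none` and `env=` arguments never touch DNS. It goes beyond the 2009 thread by also recognising the httpd 2.4 form `Require [not] host`. The two configuration snippets at the bottom are constructed for this example.

```python
"""Audit httpd.conf text for directives that make httpd perform DNS lookups.

Added example, not code from the thread or from the Apache httpd project.
Behaviour encoded here is taken from the httpd documentation for
HostnameLookups and mod_authz_host:
  * "HostnameLookups On|Double" -> a reverse lookup for every request.
  * "Allow from"/"Deny from" (httpd 2.2) and "Require [not] host" (2.4)
    with a hostname argument -> a double-reverse lookup per request in
    that context, even when HostnameLookups is Off.
  * IP addresses, CIDR blocks, partial dotted quads, "all", "none",
    "env=..." and "Require ip|local" never touch DNS.
The sample configs at the bottom are constructed for this example.
"""
import re
from typing import List, Tuple

# (line number, directive as written, why it causes DNS traffic)
Finding = Tuple[int, str, str]

# Numeric forms Allow/Deny accept: 10.1, 10.1.2.0/24, 10.1.0.0/255.255.0.0
_NUMERIC = re.compile(r"^[0-9.]+(/[0-9.]+)?$")


def is_hostname(token: str) -> bool:
    """True if an Allow/Deny argument names a host (and so needs DNS)."""
    t = token.lower()
    if t in ("all", "none") or t.startswith("env="):
        return False
    if ":" in t:            # IPv6 literal, possibly with a /prefix
        return False
    if _NUMERIC.match(t):   # IPv4, partial IPv4, CIDR or netmask form
        return False
    return True             # anything else is a (partial) domain name


def audit(config: str) -> List[Finding]:
    """Return every directive in `config` that will trigger DNS lookups."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # comment lines never count
            continue
        tokens = line.split()
        name, args = tokens[0].lower(), tokens[1:]   # directives are case-insensitive

        if name == "hostnamelookups" and args and args[0].lower() in ("on", "double"):
            findings.append((lineno, line, "reverse lookup on every request"))
        elif name in ("allow", "deny") and len(args) >= 2 and args[0].lower() == "from":
            hosts = [a for a in args[1:] if is_hostname(a)]
            if hosts:
                findings.append((lineno, line,
                                 "double-reverse lookup per request for " + ", ".join(hosts)))
        elif name == "require":
            if args and args[0].lower() == "not":
                args = args[1:]
            if len(args) >= 2 and args[0].lower() == "host":
                findings.append((lineno, line,
                                 "double-reverse lookup per request for " + ", ".join(args[1:])))
    return findings


# Constructed sample: the commented HostnameLookups text from the stock
# httpd.conf, plus a mix of DNS-free and DNS-triggering access rules.
SAMPLE_BAD = """\
# HostnameLookups: Log the names of clients or just their IP addresses
HostnameLookups Double
<Directory "/var/www/intranet">
    Order deny,allow
    Deny from all
    Allow from 10.1 192.168.0.0/16 env=trusted
    Allow from mycompany.com
</Directory>
<Location /admin>
    Require not host evil.example
    Require ip 10.1.0.0/16
</Location>
"""

# Constructed sample: the same policy expressed without any name lookups.
SAMPLE_FIXED = """\
HostnameLookups Off
<Directory "/var/www/intranet">
    Order deny,allow
    Deny from all
    Allow from 10.1 192.168.0.0/16
</Directory>
<Location /admin>
    Require ip 10.1.0.0/16
</Location>
"""

if __name__ == "__main__":
    for lineno, text, why in audit(SAMPLE_BAD):
        print(f"line {lineno}: {text!r}: {why}")
    print("fixed config findings:", audit(SAMPLE_FIXED))
```

Running it reports lines 2, 7 and 10 of the first snippet and nothing for the second. The point for anyone copying Mike's iptables approach: a hostname-based `Allow from` or `Require host` fails closed when the resolver is unreachable, so blocking DNS on the box silently turns those rules into denials; converting them to IP-based rules first, as the second snippet does, removes both the lookups and the dependency.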




Re: [users@httpd] Proposal to Optionally Block DNS

Posted by "J. Greenlees" <li...@jaqui-greenlees.net>.
Mike -- EMAIL IGNORED wrote:
> I propose this upgrade to Apache:
> 
>   Options +NoDNS
> 
> Prevents Apache from initiating DNS activity for
> any reason.
> 
> I am now running my server with all DNS blocked
> by iptables.  Performance is thereby substantially
> improved.  Fortunately, I usually don't need DNS
> for anything else on that box.
> 
> Mike.
and using:
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

that is already supported fails to meet your needs how?

Jaqui



