Reverse DNS lookups on accept in network
gale at sefer.org
Tue Apr 9 16:24:08 CEST 2013
Answering my own question:

I retract the proposal for changes here.
Although the function Network.accept
does an implied reverse DNS lookup,
it does so lazily. So the actual lookup
should not happen unless the library client
actually tries to use the host name.

As for the Hackage problem, this problem
is inherent to CGI, which is what Hackage
currently uses. The CGI protocol supplies
the resolved client host name to the web
application in an environment variable. So
the web server (Apache in this case) will
always have to do a reverse DNS lookup by definition.
(Environment variables are strict. Too bad.)

So until we upgrade to a complete rewrite of
Hackage (any day now, right?), I guess the
only solution is to access Hackage via a
proxy on a host whose reverse DNS is

On Tue, Apr 9, 2013 at 3:54 PM, Yitzchak Gale <gale at sefer.org> wrote:
> I noticed that the accept function in the network library,
> unlike the underlying C function, does a reverse DNS
> lookup every time it accepts a connection.
>
> This seems to be the cause of an acute problem:
> Hackage is nearly unusable for people whose ISP
> has broken reverse DNS, since every request to
> the server delays for 30 seconds or more while
> waiting for the broken reverse DNS server to time
> out. I know, the ISP should fix it, or the user should
> switch to a different ISP, but that isn't always practical.
>
> In particular, Roman, our expert from Odessa, is
> experiencing this problem. And he is hosting a
> Haskell Hackathon, OdHack, in just a few weeks'
> time. I am concerned that all participants in the
> Hackathon might also be susceptible, which would
> be a Very Bad Thing.
>
> I'll note that nowadays it seems to be widely
> accepted "best practice" to avoid per-connection
> RDNS lookup, e.g., by configuring web servers
> to log IP addresses instead of domain names.
>
> So there are two questions here: one is whether
> we need a change to the network and/or
> cgi packages (and possibly others), and the other
> is how to solve the hackage problem promptly.
>
> My first thought on the first question is to add
> a new function acceptRaw or accept' to network
> that skips the lookup, and then change cgi to
> use it. But I would also support changing accept
> itself to skip the lookup always.
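
The practice discussed in this thread (hand the peer address to the application at accept time, and resolve the name only if something asks for it, with a bounded wait), as an added Python example that is not code from the network or cgi packages. `Peer`, `accept_peer`, `stalled_rdns` and the timeout values are assumptions made for illustration.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

_POOL = ThreadPoolExecutor(max_workers=4)  # lookups run off the accept path

def reverse_dns(ip):
    """PTR lookup through the system resolver (may block for a long time)."""
    return socket.gethostbyaddr(ip)[0]

def stalled_rdns(ip):
    """Constructed stand-in for a reverse DNS server that answers too late."""
    time.sleep(0.3)
    return "late.example"

class Peer:
    """Remote end of an accepted connection; host name resolved only on demand."""
    def __init__(self, ip, port, resolver=reverse_dns, timeout=2.0):
        self.ip, self.port = ip, port
        self._resolver, self._timeout = resolver, timeout
        self._name = None
        self.lookups = 0          # how many lookups this peer has triggered

    def hostname(self):
        if self._name is None:
            self.lookups += 1
            future = _POOL.submit(self._resolver, self.ip)
            try:
                self._name = future.result(timeout=self._timeout)
            except (LookupTimeout, OSError):
                # Slow or failing reverse DNS: fall back to the address.
                # The worker stays busy until the resolver itself returns.
                self._name = self.ip
        return self._name

def accept_peer(listener, **peer_opts):
    """accept() without any name lookup; the caller gets the address at once."""
    conn, addr = listener.accept()
    return conn, Peer(addr[0], addr[1], **peer_opts)

if __name__ == "__main__":
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        with socket.create_connection(srv.getsockname()):
            conn, peer = accept_peer(srv, resolver=stalled_rdns, timeout=0.05)
            conn.close()
    print(peer.ip, peer.lookups)   # address known, no lookup performed yet
    print(peer.hostname())         # bounded wait, then falls back to the address
```

Logging `peer.ip` keeps the request path free of DNS entirely; `hostname()` is for the cases where a name is actually wanted and a short, bounded delay is acceptable.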