httpd-dev mailing list archives

From Paul Richards <p.richa...@elsevier.co.uk>
Subject Re: security holes and other fun stuff
Date Tue, 16 Jul 1996 10:17:06 GMT
Dean Gaudet writes:
 > In article <hot.mailing-lists.new-httpd-199607160042.BAA00790@originat.demon.co.uk>,
 > >Not true. 
 > 
 > What's not true?  That the API is working?  Gee the IRIX, BSDI, Solaris,

That netscape are closer to being able to do the right thing.

 > Ahh so now you're saying that HTTP is the culprit and it's bad and
 > everything because it opens a new TCP connection for each request.
 > So your solution to this problem is that a browser should do DNS on
 > every hit... or they have to write their own resolver routines (which

I don't understand the concerns of that last paragraph. Bind does all
this for you and it's a library so it's linked into the app anyway.  My
gripe with Netscape is that their DNS code circumvents functionality I have
in my underlying OS and I can't control its behaviour. It has nothing to
do with passing back the timeout to the application. At some point you
have to call some function or another to get the current ip address for the
fqdn and that function has to check the ttl and decide whether to contact
the server or not. If you set up a caching server on your box then bind does
all this perfectly well, if you're not running a caching server then the
correct behaviour *IS* to contact a server. The Netscape solution isn't
anything more clever than this, they've just embedded all this DNS
functionality into the application itself.

 > No they won't drop.  Not unless you actually drop the old address.
 > Generally I do this (IRIX syntax):
 > 
 >     ifconfig ec0 NEW.A.B.C; ifconfig ec0 alias OLD.X.Y.Z

Yeah well, OK, you have to actually drop the old address; what you're doing
above is adding another, not changing the old one :-)

 > I don't deny that it can't happen with "working" code.  I'm telling you
 > that working code is an ideal.  We're living in the real world, where
 > broken code is the norm.
 > 
 > Frankly I don't care about 4 accesses per day 1 month after a renumbering.
 > But I do care about the one to two week range where I saw hundreds to
 > thousands of accesses despite the fact that the DNS had fully propagated.

Well this is odd but I'd bet it's more likely configuration errors rather
than broken code. If others have seen this I'd be interested in looking
into the problem some more since it might change my mind about the way
I do some things.

Incidentally, your DNS settings are a little odd. Having a ttl of 1/2
day when your zone transfers only happen daily seems redundant to me
since you can't update your tables more than once a day so why force
clients to expire the cache twice a day.

 > This argument is pointless.  I really think there are security flaws with
 > Apache's advocation of DNS in configuration files.  If the Apache Group
 > doesn't care about it (I've not received one response, even privately,
 > which supports my view) then I'll shut up.  It's not just an Apache
 > issue -- I'm certain that if we were to investigate Netscape or NCSA or
 > other servers that allow DNS in their configuration files then we'd find
 > the same problems.

Some of the points you made I understood and was concerned about but I
had trouble following your argument so I'm not entirely clear on what
exactly your worries are regarding the DNS issues. I'm still
rereading some of them.
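
The TTL check described above, as an added example that is not part of the original message or of bind/Netscape code: a resolver-style cache that re-queries once the record TTL expires, beside an application-level cache that keeps the first answer for the life of the process, which is the pattern that keeps a client hitting the old address after a renumbering. The nameserver, clock, addresses and hostname are all constructed for the simulation.

```python
# Added example: TTL-honouring cache vs. cache-forever, with a constructed
# nameserver and a simulated clock (not code from the thread or from bind).
OLD_ADDR = "192.0.2.10"      # constructed: address before renumbering
NEW_ADDR = "198.51.100.20"   # constructed: address after renumbering
TTL_SECONDS = 43200          # the half-day TTL discussed in the thread

class FakeAuthority:
    """Stands in for the nameserver: returns (address, ttl) for any name."""
    def __init__(self):
        self.renumbered = False
        self.queries = 0

    def query(self, fqdn):
        self.queries += 1
        return (NEW_ADDR if self.renumbered else OLD_ADDR), TTL_SECONDS

class TtlCache:
    """Behaves like a caching resolver: re-queries once the TTL expires."""
    def __init__(self, authority, clock):
        self.authority, self.clock, self.entries = authority, clock, {}

    def resolve(self, fqdn):
        entry = self.entries.get(fqdn)
        if entry is None or self.clock() >= entry[1]:   # missing or expired
            addr, ttl = self.authority.query(fqdn)
            entry = (addr, self.clock() + ttl)
            self.entries[fqdn] = entry
        return entry[0]

class ForeverCache:
    """Caches the first answer for the life of the process; never checks TTL."""
    def __init__(self, authority):
        self.authority, self.entries = authority, {}

    def resolve(self, fqdn):
        if fqdn not in self.entries:
            self.entries[fqdn] = self.authority.query(fqdn)[0]
        return self.entries[fqdn]

def simulate(seconds_after_renumber):
    """Resolve once, renumber, advance the clock, resolve again in both caches."""
    now = [0]
    authority = FakeAuthority()
    good, bad = TtlCache(authority, lambda: now[0]), ForeverCache(authority)
    host = "www.example.org"                      # constructed name
    good.resolve(host), bad.resolve(host)         # both learn OLD_ADDR
    authority.renumbered = True
    now[0] = seconds_after_renumber
    return good.resolve(host), bad.resolve(host), authority.queries
```

Past the TTL the resolver-style cache asks the server again and picks up the new address; the cache-forever client still hands back the old one, and the query count shows which side went back to the server.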
