7.3 + kqueue + apache/php + DNS lookup problem

Chuck Swiger cswiger at mac.com
Sat Oct 1 00:50:16 UTC 2011


On Sep 30, 2011, at 4:31 PM, Doug Barton wrote:
> So, this is a bit of an odd one .... I've got a web server running
> apache 2.2.17 and php 5.3.5. The host itself is running 7.3-RELEASE,
> i386, and is not busy. I can do DNS queries on the command line all day
> long and they are very snappy. Using nslookup, dig, whatever.

Are you using prefork or worker/threaded MPM with Apache?

While some PHP modules claim to be threadsafe, experience has left me convinced that neither threaded PHP nor threaded mod_perl is reliable under even minimal load.  If you haven't tried using prefork MPM, consider using it, and maybe add fastcgi if you need to.

> The weirdness comes in when the httpd process needs to do a DNS lookup.
[ ... ]
> I'm open to suggestions on where to look to improve this situation.

One of the major problems with doing any DNS lookups in Apache is that you can easily encounter a DoS as all of the child processes try to resolve addresses; a malware scan coming from an IP with broken reverse DNS can cause things to grind to a halt for a few seconds.

If at all possible, do not perform any DNS resolution in Apache, either for Allow/Deny rules in Location blocks, or for log processing.

Regards,
-- 
-Chuck
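
The advice above can be checked against a configuration file. The following is an added example, not part of the original message: a small audit for Apache 2.2 directives that make httpd resolve names at request time (`HostnameLookups` other than `Off`, and `Allow from` / `Deny from` given a hostname instead of an address). The sample configuration and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample httpd.conf fragment (Apache 2.2 syntax), not from the thread.
SAMPLE_CONF = """\
HostnameLookups On
<Location /admin>
    Order deny,allow
    Deny from all
    Allow from .example.org 192.0.2.0/24
    Allow from 10.1 env=trusted
</Location>
<Location /status>
    Deny from all
    Allow from 127.0.0.1 ::1
</Location>
# HostnameLookups Double
"""

def is_numeric_spec(token):
    """True for IPs, CIDR/netmask ranges and partial IPv4 prefixes such as 10.1."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}\.?", token):
        return True
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def find_dns_directives(conf_text):
    """Return (line number, directive) pairs that require a DNS lookup per request."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        name = words[0].lower()
        if name == "hostnamelookups" and len(words) > 1 and words[1].lower() != "off":
            findings.append((lineno, "HostnameLookups " + words[1]))
        elif name in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            for tok in words[2:]:
                low = tok.lower()
                if low == "all" or low.startswith("env=") or is_numeric_spec(tok):
                    continue  # these forms are matched without consulting DNS
                findings.append((lineno, f"{words[0]} from {tok}"))
    return findings

if __name__ == "__main__":
    for lineno, directive in find_dns_directives(SAMPLE_CONF):
        print(f"line {lineno}: {directive}")
```

Each reported line is a candidate for replacement with an address or CIDR range, with hostname resolution for logs moved to offline post-processing.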



More information about the freebsd-stable mailing list