[Unbound-users] [wishlist] unbound vs djbdns
Alexander Clouter
alex at digriz.org.uk
Tue Jun 14 12:50:36 UTC 2011
Kevin Chadwick <ma1l1ists at yahoo.co.uk> wrote:
>
>> For the log file with queries have you thought about this:
>> tcpdump -i xl0 dst port domain and "(" dst host [your-resolver-IP] or
>> dst host [your-resolver-IP6] ")"
>
> For security reasons, you shouldn't really parse traffic on a production
> system, though you could write the logfile and do so offline.
>
Could you elaborate? What does parsing offline buy you security wise
that a live system cannot? Privilege separation/dropping is straightforward
in the case of tcpdump/libpcap and input validation is
approximately /[a-z0-9_.]+/i and would be a problem in both the live and
offline case.
Another method is to physically decouple the collector from the parser.
Although traffic/cpu intensive, syslog'ing the output to another box
live and having it parsed (say via a syslog-ng pipe() destination) as it
appears would be perfectly feasible.
I personally would not use tcpdump and cook my own using libpcap and
probably learn how to use a DNS decoding library, but the problem space
is the same.
Cheers
--
Alexander Clouter
.sigmonster says: "Being disintegrated makes me ve-ry an-gry!" <huff, huff>
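An added example (my code, not from the thread, tcpdump or Unbound) of the offline parsing step discussed above: it decodes the question section of captured DNS queries, rejects malformed messages, and applies the character-class check from the post before anything reaches a log. Assumptions: the class is widened with '-' because hostnames contain it, and build_query only constructs sample input in place of real captures.

```python
import re
import struct

# The character class from the post, /[a-z0-9_.]+/i, widened with '-' because
# hostnames legitimately contain it (my addition, not from the thread).
QNAME_OK = re.compile(r"^[a-z0-9_.-]+$", re.IGNORECASE)

def decode_question(packet: bytes):
    """Return (qname, qtype) from a raw DNS query's first question; ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set = a response, not a query
        raise ValueError("not a query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length, pos = packet[pos], pos + 1
        if length == 0:
            break
        if length & 0xC0:                  # pointers/extended labels do not belong in a question name
            raise ValueError("compression pointer in question")
        labels.append(packet[pos:pos + length].decode("ascii"))  # UnicodeDecodeError is a ValueError
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype

def parse_queries(packets):
    """Decode captured payloads offline; keep only names passing QNAME_OK."""
    accepted, rejected = [], 0
    for pkt in packets:
        try:
            name, qtype = decode_question(pkt)
        except ValueError:
            rejected += 1
            continue
        if not QNAME_OK.match(name):
            rejected += 1
            continue
        accepted.append((name.lower(), qtype))
    return accepted, rejected

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample input (not captured traffic): a minimal query for NAME."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    body = b"".join(bytes([len(l)]) + l.encode("latin-1") for l in name.split("."))
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)
```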