[Unbound-users] [wishlist] unbound vs djbdns
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jun 14 22:36:59 UTC 2011
On 06/14/2011 07:51 PM, Jaap Akkerhuis wrote:
>
> >
> > For security reasons, you shouldn't really parse traffic on a production
> > system, though you could write the logfile and do so offline.
>
> ...which would be a good reason for unbound to do the logging itself.
> Unbound has already parsed the DNS packet, by necessity.
>
> I don't understand this logic. For "security reason" one should not parse
> traffic on the production box, but it is OK that unbound
Someone else said "you shouldn't parse on a production box". I don't
agree with that. What I'm saying is that...
> (that is in production on this box) does parse it?
...since Unbound MUST parse the packet (obviously) and MUST be hardened
against malformed DNS requests, there is no significant additional
security risk in having unbound (optionally) perform the logging.
There *may* be a security risk in having a separate application doing
the parsing and logging; it depends on how it's written, whether parsing
DNS packets is its primary goal, and so on. It seems pretty clear that
tcpdump isn't the ideal tool.