[Unbound-users] [wishlist] unbound vs djbdns
Alexander Clouter
alex at digriz.org.uk
Wed Jun 15 14:36:31 UTC 2011
Kevin Chadwick <ma1l1ists at yahoo.co.uk> wrote:
>
>> Bind 9 manages this just fine at our site, at excessively high loads.
>
> But we know unbound is far quicker and more secure than bind; of course,
> so was djb's code.
>
We know iptables is pretty fast at filtering packets, until on a border
router you do:
iptables -I FORWARD -j LOG
It does not matter how fast unbound, bind9, djbdns or a Net::DNS parser
runs, what matters is if there is a nasty penalty when enabling logging.
Of course, I guess the point could be moot as you could also disable
such a feature too and suffer a zero performance hit.
> > > Plus assuming part of the reason you might be logging is to catch
> > > unbound-kill packets, not great.
> >
> > I think it would be better to have packets not kill unbound
> > personally...
>
> What are these? Do you mean DNSSEC DoS? Googling hasn't turned
> much up.
>
There is none, until one is discovered. :)
I'm interested in catching the packet that kills unbound (or any other
daemon), which is why I am personally keener on a decoupled approach. It
is not necessarily better, or worse, but it deals with my problem space.
The OP wanted stats, I could not care about stats, but someone suggested
tcpdump and I felt compelled to throw my £0.02 in the bucket. An
alternative solution for me would be to just compile '-O0 -g' and leave
gdb always attached to it if I was that bothered about bad packets.
Cheers
--
Alexander Clouter
.sigmonster says: Mathematicians practice absolute freedom.
-- Henry Adams
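As an added example (not from this thread, and not Unbound's own code) of the decoupled approach described above: leave a capture such as `tcpdump -i eth0 -w dns-%s.pcap -G 300 -W 12 'udp port 53'` running beside the resolver, and when the daemon dies, read the last DNS queries out of the pcap file rather than relying on the daemon's own logging. The script below parses classic libpcap files as tcpdump writes them (Ethernet/IPv4/UDP framing) and selects the packets that arrived in a short window before the crash. The capture file, addresses, query names and crash timestamp are all constructed here so it runs offline.

```python
"""Post-mortem: recover the last DNS queries captured before a resolver died.

Assumed workflow (not part of the original post):
  1. tcpdump keeps a rotating capture of port 53 traffic next to the daemon.
  2. A process supervisor records the time the daemon exited.
  3. This script reads the newest pcap and lists the packets just before that time.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap, little-endian, microsecond timestamps


def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split('.'))


def build_dns_query(qname, txid):
    """Standard query: header, one question, QTYPE A, QCLASS IN."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    name = b''.join(bytes([len(l)]) + l.encode() for l in qname.split('.')) + b'\x00'
    return header + name + struct.pack('!HH', 1, 1)


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + UDP around a payload; checksums left zero (constructed data)."""
    udp = struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = bytes.fromhex('020000000001') + bytes.fromhex('020000000002') + struct.pack('!H', 0x0800)
    return eth + ip + udp


def build_pcap(records):
    """records: iterable of (timestamp_float, frame_bytes) -> pcap file bytes."""
    out = bytearray(struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack('<IIII', sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def iter_pcap_records(blob):
    magic = struct.unpack('<I', blob[:4])[0]
    if magic != PCAP_MAGIC:
        raise ValueError('not a little-endian classic pcap file')
    off = 24
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack('<IIII', blob[off:off + 16])
        off += 16
        yield sec + usec / 1e6, blob[off:off + incl]
        off += incl


def parse_qname(data, offset):
    labels = []
    while offset < len(data):
        length = data[offset]
        if length == 0:
            break
        if length & 0xC0 == 0xC0:       # compression pointer: stop, don't follow into a loop
            break
        labels.append(data[offset + 1:offset + 1 + length].decode('ascii', 'replace'))
        offset += 1 + length
    return '.'.join(labels)


def decode_dns_frame(frame):
    """Return a summary dict for an IPv4/UDP DNS frame, or None for anything else."""
    if len(frame) < 14 or struct.unpack('!H', frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:            # not UDP
        return None
    src = '.'.join(str(b) for b in frame[14 + 12:14 + 16])
    udp_off = 14 + ihl
    sport, dport, _ulen, _cksum = struct.unpack('!HHHH', frame[udp_off:udp_off + 8])
    dns = frame[udp_off + 8:]
    if len(dns) < 12:
        return None
    txid, flags, qdcount = struct.unpack('!HHH', dns[:6])
    qname = parse_qname(dns, 12) if qdcount else None
    return {'src': src, 'sport': sport, 'dport': dport, 'txid': txid,
            'qname': qname, 'len': len(dns)}


def last_packets_before(blob, crash_ts, window=2.0):
    """DNS packets with crash_ts - window <= timestamp <= crash_ts, oldest first."""
    out = []
    for ts, frame in iter_pcap_records(blob):
        if crash_ts - window <= ts <= crash_ts:
            info = decode_dns_frame(frame)
            if info:
                info['ts'] = ts
                out.append(info)
    return out


# Constructed capture: three queries, the first well before the (made-up) crash time.
SAMPLE_PCAP = build_pcap([
    (999.0,  build_frame('192.0.2.10', '192.0.2.1', 40001, 53, build_dns_query('example.com', 0x1111))),
    (1001.5, build_frame('192.0.2.11', '192.0.2.1', 40002, 53, build_dns_query('example.net', 0x2222))),
    (1001.9, build_frame('192.0.2.12', '192.0.2.1', 40003, 53, build_dns_query('example.org', 0x3333))),
])
CRASH_TS = 1002.0

if __name__ == '__main__':
    for p in last_packets_before(SAMPLE_PCAP, CRASH_TS):
        print(f"{p['ts']:.6f} {p['src']}:{p['sport']} -> :{p['dport']} id={p['txid']:#06x} "
              f"{p['qname']} ({p['len']} bytes)")
```

In practice the `blob` would be read from the newest rotated capture file and `CRASH_TS` taken from the supervisor's exit record; the capture process is independent of the daemon, so it survives the daemon's death and costs the resolver nothing beyond the kernel's packet copy.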