Maintained by: NLnet Labs

[Unbound-users] [wishlist] unbound vs djbdns

Alexander Clouter
Tue Jun 14 14:50:36 CEST 2011


Kevin Chadwick <ma1l1ists at yahoo.co.uk> wrote:
> 
>> For the log file with queries have you thought about this:
>> tcpdump -i xl0 dst port domain and "(" dst host [your-resolver-IP] or
>> dst host [your-resolver-IP6] ")"
> 
> For security reasons, you shouldn't really parse traffic on a production
> system, though you could write the logfile and do so offline.
>
Could you elaborate?  What does parsing offline buy you security-wise 
that a live system cannot?  Privilege separation/dropping is 
straightforward in the case of tcpdump/libpcap and input validation is 
approximately /[a-z0-9_.]+/i and would be a problem in both the live and 
offline case.

Another method is to physically decouple the collector from the parser.  
Although traffic/cpu intensive, syslog'ing the output to another box 
live and having it parsed (say via a syslog-ng pipe() destination) as it 
appears would be perfectly feasible.

I personally would not use tcpdump and cook my own using libpcap and 
probably learn how to use a DNS decoding library, but the problem space 
is the same.

Cheers

-- 
Alexander Clouter
.sigmonster says: "Being disintegrated makes me ve-ry an-gry!" <huff, huff>
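Added example (editor's code, not from this thread, from Unbound, or from djbdns): the "input validation is approximately /[a-z0-9_.]+/i" point above, applied to a parser that is equally exposed whether it runs live or offline. It assumes the collector hands over the raw DNS message (the UDP payload, header included) as bytes; the sample query is constructed here. Every label length is bounds-checked so a truncated or hostile packet produces a rejection rather than an exception, and only a name that passes the allow-list is ever written to the log line. The regex is kept exactly as the post states it, which means it rejects hyphens even though they are legal in hostnames; a practitioner would widen it to taste.

```python
import re
import struct

# Allow-list exactly as written in the post (hyphen deliberately not added here).
QNAME_RE = re.compile(r"[a-z0-9_.]+", re.IGNORECASE)

# Constructed sample: id 0x1234, standard query, one question "www.example.com" A IN.
SAMPLE_QUERY = bytes.fromhex(
    "1234"              # ID
    "0100"              # flags: QR=0 (query), RD=1
    "0001"              # QDCOUNT = 1
    "0000" "0000" "0000"  # ANCOUNT, NSCOUNT, ARCOUNT
    "03777777"          # label "www"
    "076578616d706c65"  # label "example"
    "03636f6d"          # label "com"
    "00"                # root label
    "0001"              # QTYPE A
    "0001"              # QCLASS IN
)


class MalformedQuery(ValueError):
    """Raised for anything the decoder refuses to interpret."""


def decode_qname(msg: bytes, offset: int = 12):
    """Decode an uncompressed QNAME at offset; return (name, offset after it).

    Each label length is checked against the message length before it is
    used, so a truncated or crafted packet cannot push the parser out of bounds.
    """
    labels = []
    total = 0
    while True:
        if offset >= len(msg):
            raise MalformedQuery("name runs past end of message")
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            # Compression pointers are legal in answers, not in a client's question.
            raise MalformedQuery("compression pointer in question name")
        if length > 63:
            raise MalformedQuery("label longer than 63 octets")
        if offset + length > len(msg):
            raise MalformedQuery("label runs past end of message")
        total += length + 1
        if total > 255:
            raise MalformedQuery("name longer than 255 octets")
        # Non-ASCII octets become U+FFFD, which the allow-list then rejects.
        labels.append(msg[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels), offset


def parse_query(msg: bytes) -> dict:
    """Parse header and the single question of a client query."""
    if len(msg) < 12:
        raise MalformedQuery("header truncated")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000:
        raise MalformedQuery("not a query (QR bit set)")
    if qdcount != 1:
        raise MalformedQuery(f"unexpected QDCOUNT {qdcount}")
    name, off = decode_qname(msg, 12)
    if off + 4 > len(msg):
        raise MalformedQuery("question truncated")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qname": name, "qtype": qtype, "qclass": qclass}


def log_line(msg: bytes) -> str:
    """Return the line to hand to syslog. Unvalidated names never reach it."""
    try:
        q = parse_query(msg)
    except MalformedQuery as e:
        return f"reject malformed: {e}"
    if not QNAME_RE.fullmatch(q["qname"]):
        # Log the fact, not the offending bytes, so downstream parsers stay safe.
        return "reject qname: failed allow-list"
    return f"query id={q['id']} qname={q['qname']} qtype={q['qtype']}"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a query; only used to construct test input, not on the capture path."""
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for pkt in (SAMPLE_QUERY, SAMPLE_QUERY[:20], build_query("a;b.example")):
        print(log_line(pkt))
```

Wiring this behind a capture that has already dropped privileges, or behind the syslog-ng pipe() destination the post describes, changes nothing in the parser: the same bounds checks and the same allow-list are what protect the host either way.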