Maintained by: NLnet Labs

[Unbound-users] [wishlist] unbound vs djbdns

Kevin Chadwick
Tue Jun 14 22:56:39 CEST 2011


On Tue, 14 Jun 2011 17:57:15 +0100
Phil Mayers wrote:

> Bind 9 manages this just fine at our site, at excessively high loads.
> 

But we know unbound is far quicker and more secure than bind; of course,
so was djb's code.


> >
> > Plus assuming part of the reason you might be logging is to catch
> > unbound-kill packets, not great.  
> 
> I think it would be better to have packets not kill unbound personally...
> 

What are these? Do you mean DNSSEC DoS? Googling hasn't turned
much up.


> >
> > Using a specific logging/recording tool means it becomes independent of
> > the DNS server you use.  
> 
> It's also another bit of software to install, update, configure and 
> manage. It's another independent DNS parser, which may or may not be as 
> robust as the DNS parser in a high-volume recursive resolver. And it 
> lacks access to internal resolver state, which the logging may or may 
> not want to record e.g.

I agree here, but I have a couple of thoughts, ignoring performance, which
as stated is why it won't happen.

It will likely be more secure than the tcpdump incarnation, but will it
reduce the security of unbound without tcpdump at all? Hardly, I guess;
there's no deep packet inspection, but many have some sort of NOC
anyway.