Maintained by: NLnet Labs

[Unbound-users] [wishlist] unbound vs djbdns

Phil Mayers
Wed Jun 15 00:36:59 CEST 2011


On 06/14/2011 07:51 PM, Jaap Akkerhuis wrote:
>
>      >
>      >  For security reasons, you shouldn't really parse traffic on a production
>      >  system, though you could write the logfile and do so offline.
>
>      ...which would be a good reason for unbound to do the logging itself.
>      Unbound has already parsed the DNS packet, by necessity.
>
> I don't understand this logic. For "security reason" one should not parse
> traffic on the production box, but it is OK that unbound

Someone else said "you shouldn't parse on a production box". I don't 
agree with that. What I'm saying is that...

> (that is in production on this box) does parse it?

...since Unbound MUST parse the packet (obviously) and MUST be hardened 
against malformed DNS requests, there is no significant additional 
security risk in having unbound (optionally) perform the logging.

There *may* be a security risk in having a separate application doing 
the parsing and logging; it depends on how it's written, whether parsing 
DNS packets is its primary goal, and so on. It seems pretty clear that 
tcpdump isn't the ideal tool.
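The thread's point is that whichever component parses DNS on the production box, the resolver itself or a separate logging tool, has to be hardened against malformed packets. As an added illustration (not code from this thread, from Unbound, or from tcpdump), the following Python extracts the question section from a query while rejecting the classic malformed inputs a logger would otherwise trip over: truncated messages, over-long labels and names, and compression-pointer loops. The sample packets, the `MAX_POINTER_HOPS` cap and all function names are constructed for this example.

```python
import struct

# Constructed sample: a query for example.com, type A, class IN (not from the thread).
GOOD_QUERY = (
    b"\x12\x34"                   # ID
    b"\x01\x00"                   # flags: standard query, recursion desired
    b"\x00\x01"                   # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"     # QNAME
    b"\x00\x01\x00\x01"           # QTYPE = A, QCLASS = IN
)

# Constructed malformed input: the QNAME is a compression pointer to itself (offset 12).
LOOPING_QUERY = GOOD_QUERY[:12] + b"\xc0\x0c" + b"\x00\x01\x00\x01"

# Constructed malformed input: the message ends in the middle of the first label.
TRUNCATED_QUERY = GOOD_QUERY[:20]


class MalformedDNS(ValueError):
    """Raised for any input the parser refuses to interpret."""


MAX_LABEL_LEN = 63        # RFC 1035 limit
MAX_NAME_LEN = 255        # RFC 1035 limit
MAX_POINTER_HOPS = 16     # hypothetical cap; any finite bound defeats pointer loops


def read_name(msg, offset):
    """Return (dotted name, offset after the name) with full bounds checking."""
    labels, total, hops, end = [], 0, 0, None
    while True:
        if offset >= len(msg):
            raise MalformedDNS("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            # Compression pointer: must point strictly backwards, so it can never loop.
            if offset + 1 >= len(msg):
                raise MalformedDNS("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if end is None:
                end = offset + 2
            hops += 1
            if hops > MAX_POINTER_HOPS or target >= offset:
                raise MalformedDNS("compression pointer loop or forward pointer")
            offset = target
            continue
        if length & 0xC0:
            raise MalformedDNS("reserved label type")
        if length == 0:
            return ".".join(labels) or ".", (end if end is not None else offset + 1)
        if length > MAX_LABEL_LEN:
            raise MalformedDNS("label longer than 63 octets")
        total += length + 1
        if total > MAX_NAME_LEN:
            raise MalformedDNS("name longer than 255 octets")
        if offset + 1 + length > len(msg):
            raise MalformedDNS("label runs past end of message")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def parse_query(msg):
    """Return the header ID and first question of a DNS message, or raise MalformedDNS."""
    if len(msg) < 12:
        raise MalformedDNS("message shorter than the 12-octet header")
    ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise MalformedDNS("no question section to log")
    qname, offset = read_name(msg, 12)
    if offset + 4 > len(msg):
        raise MalformedDNS("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"id": ident, "qname": qname, "qtype": qtype, "qclass": qclass}


def rejects(msg):
    """True if the parser refuses the message instead of crashing or looping on it."""
    try:
        parse_query(msg)
    except MalformedDNS:
        return True
    return False


if __name__ == "__main__":
    print(parse_query(GOOD_QUERY))
    for sample in (LOOPING_QUERY, TRUNCATED_QUERY):
        print("rejected" if rejects(sample) else "accepted")
```

The decisive check is `target >= offset`: because every pointer must move strictly backwards, the parser makes progress on every iteration and a self-referencing or mutually referencing pointer chain is rejected rather than spun on forever. Any logger that reads DNS on the production box needs that class of check in every place it walks a name.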