Maintained by: NLnet Labs

[Unbound-users] [wishlist] unbound vs djbdns

Alexander Clouter
Wed Jun 15 16:36:31 CEST 2011


Kevin Chadwick <ma1l1ists at yahoo.co.uk> wrote:
> 
>> Bind 9 manages this just fine at our site, at excessively high loads.
> 
> But we know unbound is far quicker and more secure than bind, of course
> so was djb's code.
>
We know iptables is pretty fast at filtering packets, until on a border 
router you do:

iptables -I FORWARD -j LOG

It does not matter how fast unbound, bind9, djbdns or a Net::DNS parser 
runs, what matters is if there is a nasty penalty when enabling logging.  
Of course, I guess the point could be moot as you could also disable 
such a feature too and suffer a zero performance hit.

> > > Plus assuming part of the reason you might be logging is to catch
> > > unbound-kill packets, not great.
> >
> > I think it would be better to have packets not kill unbound
> > personally...
>
> What are these, do you mean dnssec dos? Googling hasn't turned
> much up.
>
There is none, until one is discovered. :)

I'm interested in catching the packet that kills unbound (or any other
daemon), which is why I am personally keener on a decoupled approach. It
is not necessarily better, or worse, but it deals with my problem space.
The OP wanted stats; I could not care about stats, but someone suggested
tcpdump and I felt compelled to throw my £0.02 in the bucket.  An
alternative solution for me would be to just compile '-O0 -g' and leave
gdb always attached to it if I was that bothered about bad packets.

Cheers

-- 
Alexander Clouter
.sigmonster says: Mathematicians practice absolute freedom.
                  -- Henry Adams
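The decoupled tcpdump approach from the reply above, as an added example that is not part of the original thread: a POSIX shell supervisor that keeps a tcpdump ring buffer running beside the resolver (so the daemon itself logs nothing) and preserves the newest capture files only when the daemon exits on a signal. The interface name, directory paths, ring sizes and the `supervise` wrapper are assumptions, not anything from the list.

```shell
#!/bin/sh
# Added example: decoupled packet capture beside a DNS daemon. The daemon
# runs with logging off; tcpdump pays the capture cost, and only a signal
# death (the "packet that kills unbound" case) keeps the newest ring files.
# Interface, paths and ring sizes are placeholders, not site values.
IFACE="${IFACE:-eth0}"
RING_DIR="${RING_DIR:-/var/tmp/dnsring}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/dnsevidence}"

# Start tcpdump in the background: -C rotates the file every 10 MB, -W keeps
# five files, -U flushes each packet so the last one before a crash is on disk.
start_capture() {
    mkdir -p "$RING_DIR"
    tcpdump -i "$IFACE" -s 0 -U -C 10 -W 5 -w "$RING_DIR/dns.pcap" 'port 53' \
        >/dev/null 2>"$RING_DIR/tcpdump.log" &
    echo $!
}

# Exit status above 128 means death by signal (139 = 128 + SIGSEGV, etc.).
is_crash() {
    [ "$1" -gt 128 ]
}

# Copy the two newest ring files to the evidence directory when the status
# looks like a crash; prints the number of files preserved (0 otherwise).
preserve_capture() {
    status="$1"; ring="$2"; dest="$3"
    if ! is_crash "$status"; then
        echo 0
        return 0
    fi
    mkdir -p "$dest"
    n=0
    for f in $(ls -t "$ring"/dns.pcap* 2>/dev/null | head -n 2); do
        cp "$f" "$dest/$(date +%s)-$(basename "$f")"
        n=$((n + 1))
    done
    echo "$n"
}

# Supervisor: run the daemon in the foreground (e.g. `supervise unbound -d`),
# then stop the capture and preserve evidence only if the daemon crashed.
supervise() {
    capture_pid=$(start_capture)
    "$@"
    status=$?
    kill "$capture_pid" 2>/dev/null
    preserve_capture "$status" "$RING_DIR" "$EVIDENCE_DIR" >/dev/null
    return "$status"
}
```

Ring file names from `tcpdump -C`/`-W` carry a numeric suffix, which is why the glob is `dns.pcap*`; the paths here contain no spaces, so the unquoted `ls` loop is safe for this layout.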