Date: Tue, 22 Jul 2008 20:07:09 +0200 (CEST) From: sthaug@nethelp.no To: dougb@FreeBSD.org Cc: freebsd-stable@freebsd.org Subject: Re: FreeBSD 7.1 and BIND exploit Message-ID: <20080722.200709.74704291.sthaug@nethelp.no> In-Reply-To: <48860CBA.6010903@FreeBSD.org> References: <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> If you're interested in a resolver-only solution (and that is not a > bad way to go) then you should evaluate dns/unbound. It is a > lightweight resolver-only server that has a good security model and > already implements query port randomization. It also has the advantage > of being maintained, and compliant to 21st Century DNS standards > including DNSSEC (which, btw, is the real solution to the response > forgery problem, it just can't be deployed universally before 8/5). I've been trying out unbound-1.0.1 on a 7.0-STABLE box (2.67 GHz i86, uniprocessor, 32 bit mode, 2 GB memory). Don't know what I'm doing wrong so far - but I've been unable to scale Unbound to more than a couple of hundred q/s. Any more than that and I get serious (several hundred ms) delays on lots of queries, including stuff which is known to be in the cache. I'll be doing some more Unbound tests the next few days. For now, both CNS and PowerDNS handle our load (around 2.5K q/s) fine. Steinar Haug, Nethelp consulting, sthaug@nethelp.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080722.200709.74704291.sthaug>