From owner-freebsd-stable@FreeBSD.ORG Tue Jul 22 18:34:15 2008
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A22701065680 for ; Tue, 22 Jul 2008 18:34:15 +0000 (UTC) (envelope-from sthaug@nethelp.no)
Received: from bizet.nethelp.no (bizet.nethelp.no [195.1.209.33]) by mx1.freebsd.org (Postfix) with SMTP id E25B98FC20 for ; Tue, 22 Jul 2008 18:34:14 +0000 (UTC) (envelope-from sthaug@nethelp.no)
Received: (qmail 47736 invoked from network); 22 Jul 2008 18:07:33 -0000
Received: from bizet.nethelp.no (HELO localhost) (195.1.209.33) by bizet.nethelp.no with SMTP; 22 Jul 2008 18:07:33 -0000
Date: Tue, 22 Jul 2008 20:07:09 +0200 (CEST)
Message-Id: <20080722.200709.74704291.sthaug@nethelp.no>
To: dougb@FreeBSD.org
From: sthaug@nethelp.no
In-Reply-To: <48860CBA.6010903@FreeBSD.org>
References: <200807221552.m6MFqgpm009488@lurza.secnetix.de> <20080722162024.GA1279@lava.net> <48860CBA.6010903@FreeBSD.org>
X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Tue, 22 Jul 2008 18:34:15 -0000

> If you're interested in a resolver-only solution (and that is not a
> bad way to go) then you should evaluate dns/unbound. It is a
> lightweight resolver-only server that has a good security model and
> already implements query port randomization. It also has the advantage
> of being maintained, and compliant to 21st Century DNS standards
> including DNSSEC (which, btw, is the real solution to the response
> forgery problem, it just can't be deployed universally before 8/5).

I've been trying out unbound-1.0.1 on a 7.0-STABLE box (2.67 GHz i86,
uniprocessor, 32 bit mode, 2 GB memory). Don't know what I'm doing wrong
so far - but I've been unable to scale Unbound to more than a couple of
hundred q/s. Any more than that and I get serious (several hundred ms)
delays on lots of queries, including stuff which is known to be in the
cache.

I'll be doing some more Unbound tests the next few days. For now, both
CNS and PowerDNS handle our load (around 2.5K q/s) fine.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
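The quoted recommendation rests on the resolver actually randomizing its outbound query source ports. The following is an added example, not code from this thread or from the Unbound project: it takes the source ports a resolver used for its outbound queries (for instance, extracted from tcpdump text output on the resolver host, a few constructed sample lines are embedded) and reports whether they look randomized, fixed, or sequentially allocated. The tcpdump line layout it parses, the thresholds, and all sample port lists are assumptions chosen for illustration.

```python
"""Assess whether a resolver's outbound DNS source ports look randomized.

Added example, not part of the mailing-list post. Input is a list of UDP
source ports observed on outbound queries (destination port 53); the
tcpdump lines and port lists below are constructed for the demo.
"""
import math
import random
import re
from collections import Counter

# Assumed tcpdump text layout, e.g.
# "18:07:33.100001 IP 192.0.2.10.41234 > 198.51.100.1.53: 1001+ A? example.com. (29)"
# Only lines whose destination port is 53 (outbound queries) are matched;
# the replies (source port 53) fall through.
_TCPDUMP_RE = re.compile(r"\bIP (\S+)\.(\d+) > (\S+)\.53:")

# Constructed sample capture: three queries and one reply.
SAMPLE_TCPDUMP = [
    "18:07:33.100001 IP 192.0.2.10.41234 > 198.51.100.1.53: 1001+ A? example.com. (29)",
    "18:07:33.100002 IP 198.51.100.1.53 > 192.0.2.10.41234: 1001 1/0/0 A 203.0.113.5 (45)",
    "18:07:33.100003 IP 192.0.2.10.58201 > 198.51.100.1.53: 1002+ A? example.net. (29)",
    "18:07:33.100004 IP 192.0.2.10.7012 > 198.51.100.1.53: 1003+ A? example.org. (29)",
]


def source_ports_from_tcpdump(lines):
    """Extract the source port of every outbound query in tcpdump text output."""
    ports = []
    for line in lines:
        m = _TCPDUMP_RE.search(line)
        if m:
            ports.append(int(m.group(2)))
    return ports


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution.

    Capped at log2(len(ports)): a sample of N all-distinct ports scores
    exactly log2(N), so collect a few hundred queries before judging.
    """
    n = len(ports)
    if n == 0:
        return 0.0
    counts = Counter(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_sequential(ports):
    """True if at least 90% of consecutive steps are +1 (incrementing allocator)."""
    if len(ports) < 2:
        return False
    steps = [b - a for a, b in zip(ports, ports[1:])]
    return steps.count(1) >= 0.9 * len(steps)


def assess_port_randomization(ports, min_distinct_fraction=0.9, min_entropy_bits=8.0):
    """Return a verdict dict; 'randomized' requires many distinct ports,
    high entropy and no sequential pattern. Thresholds are assumptions."""
    n = len(ports)
    distinct = len(set(ports))
    entropy = port_entropy_bits(ports)
    sequential = looks_sequential(ports)
    randomized = (n > 0 and distinct / n >= min_distinct_fraction
                  and entropy >= min_entropy_bits and not sequential)
    return {"queries": n, "distinct": distinct, "entropy_bits": round(entropy, 2),
            "sequential": sequential, "randomized": randomized}


def demo_randomized_ports(n=500, seed=1234):
    """Constructed stand-in for a randomizing resolver: n distinct ephemeral ports."""
    return random.Random(seed).sample(range(1024, 65536), n)


def main():
    samples = {
        "single fixed port": [53] * 500,
        "incrementing allocator": list(range(1024, 1524)),
        "randomized allocator": demo_randomized_ports(),
        "parsed from sample tcpdump (too few queries)": source_ports_from_tcpdump(SAMPLE_TCPDUMP),
    }
    for name, ports in samples.items():
        print(f"{name}: {assess_port_randomization(ports)}")


if __name__ == "__main__":
    main()
```

Run it against a real capture by feeding the lines of `tcpdump -n udp dst port 53` taken on the resolver host into `source_ports_from_tcpdump`; the entropy threshold is only meaningful once several hundred queries have been observed, which is why the four-line sample reports `randomized: False`.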