FreeBSD 7.1 and BIND exploit
sthaug at nethelp.no
sthaug at nethelp.no
Tue Jul 22 18:34:15 UTC 2008
> If you're interested in a resolver-only solution (and that is not a
> bad way to go) then you should evaluate dns/unbound. It is a
> lightweight resolver-only server that has a good security model and
> already implements query port randomization. It also has the advantage
> of being maintained, and compliant to 21st Century DNS standards
> including DNSSEC (which, btw, is the real solution to the response
> forgery problem, it just can't be deployed universally before 8/5).
I've been trying out unbound-1.0.1 on a 7.0-STABLE box (2.67 GHz i86,
uniprocessor, 32 bit mode, 2 GB memory).
Don't know what I'm doing wrong so far - but I've been unable to scale
Unbound to more than a couple of hundred q/s. Any more than that and
I get serious (several hundred ms) delays on lots of queries, including
stuff which is known to be in the cache.
I'll be doing some more Unbound tests the next few days. For now, both
CNS and PowerDNS handle our load (around 2.5K q/s) fine.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
More information about the freebsd-stable
mailing list