On 06/14/2011 07:51 PM, Jaap Akkerhuis wrote: > > > > > For security reasons, you shouldn't really parse traffic on a production > > system, though you could write the logfile and do so offline. > > ...which would be a good reason for unbound to do the logging itself. > Unbound has already parsed the DNS packet, by necessity. > > I don't understand this logic. For "security reason" one should not parse > traffic on the production box, but it is OK that unbound Someone else said "you shouldn't parse on a production box". I don't agree with that. What I'm saying is that... > (that is in prduction on this box) does parse it? ...since Unbound MUST parse the packet (obviously) and MUST be hardened against malformed DNS requests, there is no significant additional security risk in having unbound (optionally) perform the logging. There *may* be a security risk in having a separate application doing the parsing and logging; it depends on how it's written, whether parsing DNS packets is it's primary goal, and so on. It seems pretty clear that tcpdump isn't the ideal tool.