Re: Performance impact of linking libwrap

[Howard Chu <hyc@symas.com>]

Michael Ströder wrote:
> Florian Weimer wrote:
> > * Michael Ströder:
> >
> > > Hmm, I will drop it since the same functionality can be easily achieved on
> > > this platform by using local kernel firewall.
> >
> > The DNS-based access rules are not available as part of the kernel
> > firewall.
>
> Good point.
>
> > For some odd reasons, a lot of people think this
> > tcpwrappers feature is insecure,
>
> Me too. ;-)
>
> > but it seems a rather convenient way
> > to get *additional* security in cases where you have proper reverse
> > lookup (with matching forward lookup) and fragmented address space
> > that does not lend itself easily to writing access rules.
>
> But it adds two additional DNS lookups to the game.

I also use dnsmasq everywhere these days. Wouldn't dream of using a 
non-cached DNS resolver.

(And btw, dnsmasq supports DNSSEC.)

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/