DNS accept filter

David Malone dwmalone at maths.tcd.ie
Wed Oct 17 13:25:02 UTC 2012

I'm not sure if this is of interest to anyone, but I wrote a FreeBSD
accept filter for DNS a few years ago. An accept filter is a socket
option that you can use to tell the kernel to wait before the
accept() syscall returns. In this case, the accept filter delays
the return of accept until there is a full DNS request in the buffer.

Named already tries to use FreeBSD's data-ready accept filter, but
I've been using the patch below to make it use the DNS filter, if
it is available. Would there be interest in taking this into the BIND


(Note, to use the filter, you have to patch named and load the kernel
module, "kldload accf_dns", and then restart named.)

Index: bin/named/interfacemgr.c
RCS file: /home/ncvs/src/contrib/bind9/bin/named/interfacemgr.c,v
retrieving revision 1.8
diff -u -r1.8 interfacemgr.c
--- bin/named/interfacemgr.c    5 Apr 2012 04:29:35 -0000       1.8
+++ bin/named/interfacemgr.c    17 Oct 2012 13:00:13 -0000
@@ -328,7 +328,9 @@
         * If/when there a multiple filters listen to the
         * result.
-       (void)isc_socket_filter(ifp->tcpsocket, "dataready");
+       if (isc_socket_filter(ifp->tcpsocket, "dnsready") != ISC_R_SUCCESS)
+               isc_socket_filter(ifp->tcpsocket, "dataready");
        result = ns_clientmgr_createclients(ifp->clientmgr,
                                            ifp->ntcptarget, ifp,
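
Review bot: The fallback call on the second added line drops the (void) cast that the removed line carried, so the ignored return value of isc_socket_filter(ifp->tcpsocket, "dataready") is no longer explicit; keep the cast on that call. Both failures are also silent, so an operator who has not run "kldload accf_dns" ends up on "dataready" with no indication; a debug-level log line naming the filter that attached would make that visible. The comment above the call ("If/when there a multiple filters listen to the result") should be updated to describe the dnsready-then-dataready order.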

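What "a full DNS request in the buffer" means for a TCP listener, as an added example that is not part of the original post and is not the accf_dns module's code. The function names, the constructed sample query and the QR-bit check are assumptions of this sketch; the filter names "dnsready" and "dataready" are the ones in the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>

#define DNS_HDR_LEN 12 /* fixed DNS header size, RFC 1035 section 4.1.1 */

enum dns_frame { DNS_REJECT = -1, DNS_NEED_MORE = 0, DNS_COMPLETE = 1 };

/* Constructed sample: TCP-framed query for example.com A/IN (29-byte message). */
const uint8_t sample_query[31] = {
    0x00, 0x1d,                                     /* length prefix = 29 */
    0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0, /* header, QR=0, QDCOUNT=1 */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0, 1, 0, 1                                      /* QTYPE=A, QCLASS=IN */
};

/* Classify a receive buffer using the two-byte big-endian length prefix
 * that DNS over TCP puts before each message (RFC 1035 section 4.2.2). */
enum dns_frame dns_request_ready(const uint8_t *buf, size_t have)
{
    if (have < 2)
        return DNS_NEED_MORE;
    size_t msg_len = ((size_t)buf[0] << 8) | buf[1];
    if (msg_len < DNS_HDR_LEN)
        return DNS_REJECT;     /* too short to hold a DNS header */
    if (have - 2 < msg_len)
        return DNS_NEED_MORE;  /* keep waiting instead of waking the server */
    if (buf[4] & 0x80)
        return DNS_REJECT;     /* QR bit set: a response (this sketch's own check) */
    return DNS_COMPLETE;
}

/* Attach "dnsready", falling back to "dataready", on a socket that is already
 * listening. Returns the attached filter name, or NULL when neither attaches
 * or the platform has no SO_ACCEPTFILTER. */
const char *attach_accept_filter(int listen_fd)
{
#ifdef SO_ACCEPTFILTER
    static const char *const names[] = { "dnsready", "dataready" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        struct accept_filter_arg afa;
        memset(&afa, 0, sizeof(afa));
        strncpy(afa.af_name, names[i], sizeof(afa.af_name) - 1);
        if (setsockopt(listen_fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)) == 0)
            return names[i];
    }
#endif
    (void)listen_fd;
    return NULL;
}
```

A client that sends only part of the framed message stays in DNS_NEED_MORE, which is the state in which an accept filter keeps the connection in the kernel rather than handing it to the server.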