DNS Blackholing
Noel Butler
noel.butler at ausics.net
Wed Dec 5 11:45:06 UTC 2012
On Wed, 2012-12-05 at 09:13 +0000, Phil Mayers wrote:
> On 12/04/2012 06:35 PM, Barry S. Finkel wrote:
>
> > A question from the OP that has not yet been answered -
> > Make the zones masters on all servers.
>
> Surely not for RPZ? The whole point with RPZ is that you have one zone
> containing all the blacklists, master in one place, and slave it in all
> the others.
>
> For traditional DNS blacklisting (one zone per blacklisted name/suffix)
> sure, but I'm honestly not sure why anyone would start out down that
> road today with RPZ available.
response times would be a good reason
an RPZ zone still goes through the motions
forged (local empty) zone:
dig mmmm.xxxtoolbar.com
<snip>
;; Query time: 0 msec
(all local zones the same, 0 msec)
RPZ:
dig bobi.at
;; Query time: 996 msec
(avg response time it seems for RPZ'd zones)
So it sure as hell doesn't work the same as a forged "empty" zone.
RPZ is awesome if you want to walled-garden a hostname, but for just speedy
dropping, an empty zone beats it hands down, even if it is messier, requiring
its own zone.
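As an added illustration (not part of the original post), the two approaches being compared side by side in a minimal BIND configuration: one forged empty zone per blocked name, and a single RPZ policy zone holding all blocked names. File paths, the zone name "rpz.example", the sinkhole address and the zone-file contents are constructed for the example; the `qname-wait-recurse` option is assumed to be available (BIND 9.10 and later), and lets the QNAME policy answer without first recursing, which is the wait that shows up as the ~1 s RPZ query time measured above on older builds.

```conf
// named.conf fragment (constructed example)
options {
    recursion yes;
    // One policy zone for every blocked name; master here, slave it elsewhere.
    // qname-wait-recurse no: apply QNAME rules without recursing first
    // (assumption: BIND 9.10+; older versions recurse, then apply policy).
    response-policy { zone "rpz.example"; } qname-wait-recurse no;
};

// RPZ policy zone
zone "rpz.example" {
    type master;
    file "/etc/bind/db.rpz.example";
    allow-transfer { 192.0.2.0/24; };   // constructed: the slave resolvers
};

// Forged (local empty) zone: answered locally, one zone per blocked name
zone "xxxtoolbar.com" {
    type master;
    file "/etc/bind/db.empty";
};

// ---- /etc/bind/db.rpz.example (constructed) ----
// $TTL 3600
// @               IN SOA   localhost. root.localhost. ( 1 3600 900 604800 3600 )
// @               IN NS    localhost.
// ; "CNAME ." = answer NXDOMAIN for the name and its subdomains
// bobi.at         IN CNAME .
// *.bobi.at       IN CNAME .
// ; walled garden: point the name at a local sinkhole instead of dropping it
// tracker.example IN A     192.0.2.1

// ---- /etc/bind/db.empty (constructed): SOA and NS only, so every
// ---- name under the zone answers NXDOMAIN straight from local data ----
// $TTL 3600
// @               IN SOA   localhost. root.localhost. ( 1 3600 900 604800 3600 )
// @               IN NS    localhost.
```

After reloading, `dig` against each name shows whether the answer came from local data (Query time near 0 msec) or went through recursion first; the `;; Query time:` line is the figure the post compares.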