Blackholing / Load help

McLaughlin, Scott scottm at newedgenetworks.com
Tue Nov 29 23:20:16 UTC 2005


So it's strictly a memory thing?  We see the processor load go up greatly
from a list of 7k to a list of 15k, so it seemed that the server got bogged
down with a larger file.  Which made us think a faster box would deal with it
much better.

>> Individual addresses are treated as /32 or /128.
>>The acl code is pretty simple.  See lib/dns/acl.c.

Based on that and the above response the only impact of listing everything
with a CIDR is the file becomes smaller using less memory?  But as far as
BIND is concerned it takes the same amount of effort to process the IP
regardless of its CIDR?  That's good to know.

>>The acl code is pretty simple.  See lib/dns/acl.c. 

Thanks for the code reference we'll check it out.

>>I can't parse the above.  An example would help.

Sorry, I was being vague.  I also meant /8 not /9.  It's not super important,
just thought it might be a bug.

For example if I put this into the blackhole list:

192.0.0.0/8

the DNS server starts throwing SERVFAILs against any IP making a query
against it.  But if I change that to

192.0.0.0/9

or any smaller mask it behaves as expected.

Thanks for your help Mark.


-----Original Message-----
From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org] 
Sent: Tuesday, November 29, 2005 3:11 PM
To: McLaughlin, Scott
Cc: bind-users at isc.org
Subject: Re: Blackholing / Load help 


> Hello,
>  
> For a multitude of reasons we are managing a very large blackhole list 
> on our DNS servers.  One of the reasons I mentioned a month or so ago 
> in this list is that we get a huge number of bogus ANY ANY queries to 
> our servers from DNS attacks.  Anyway not what I'm here to discuss.
>  
> What I'm wondering is if there is a limitation to the size of the 
> blackhole list and is its size directly proportional to processing power.

	There is no limit other than the memory required to support it.
  
> For example, if we have 15,000 IPs in that list and the servers are 
> having trouble answering queries (often failing to respond), will 
> increasing the power of the machine processor and memory wise help that 
> problem, or is the problem inherent within the BIND application and it 
> just can't process a file that big?
>  
> Also I know you can subnet the entries in that file.  Does that help or
> hinder BIND when processing the file?   If I have 15,000 individual IPs
> versus say 10,000 CIDR listings, which is easier for BIND to process?

	Individual addresses are treated as /32 or /128.
  
> Any help would be much appreciated.  We are on the verge of throwing 
> new machines out onto network nationwide and I want to size them
> accordingly.

	The acl code is pretty simple.  See lib/dns/acl.c.
  
> Also, separately, did anyone know that you can not put a CIDR less than 
> /9 in the blackhole list?  If you do, BIND immediately throws SERVFAIL 
> on any query you try to make from any IP.

	I can't parse the above.  An example would help.
 
> scott mclaughlin
> sr. systems engineer
> v:360/759/9605 | f:360/906/9824
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
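A small lint pass for a blackhole list, an added example that is not from the thread or from BIND itself: it parses entries the way the thread describes (a bare address becomes a /32 or /128), rejects malformed entries, flags prefixes shorter than /9 for review given Scott's report, shows which entry a client address would hit on a list-order scan, and collapses runs of individual addresses into CIDR blocks so the list shrinks without changing what it matches. The sample entries, the comment syntax and the review thresholds are constructed assumptions.

```python
"""Lint a BIND-style blackhole list before deploying it (added example, not from the thread)."""
import ipaddress

# Constructed sample in the style of a named.conf blackhole { ... }; block.
SAMPLE_LIST = """
198.51.100.0;  198.51.100.1;  198.51.100.2;  198.51.100.3;
203.0.113.0/24;
2001:db8::5;
192.0.0.0/8;          # prefix shorter than /9: flagged for review
203.0.113.7/22;       # host bits set beyond the mask: rejected
10.0.0.256;           # not an address at all: rejected
"""

def parse_entries(text):
    """Parse entries; a bare address becomes a /32 or /128, as the ACL code treats it."""
    nets, problems = [], []
    for line in text.splitlines():
        for entry in line.split("#", 1)[0].split(";"):
            entry = entry.strip()
            if not entry:
                continue
            try:
                nets.append(ipaddress.ip_network(entry, strict=True))
            except ValueError:
                try:  # re-parse loosely only to suggest what was probably meant
                    fixed = ipaddress.ip_network(entry, strict=False)
                    problems.append((entry, f"host bits set; did you mean {fixed}?"))
                except ValueError:
                    problems.append((entry, "not a valid address or prefix"))
    return nets, problems

def broad_prefixes(nets, v4_min=9, v6_min=32):
    """Entries wider than the thresholds (v4 default from the thread; v6 value is an assumption)."""
    return [n for n in nets if n.prefixlen < (v4_min if n.version == 4 else v6_min)]

def first_match(nets, client):
    """Return the first entry the client address falls in, or None (list-order scan)."""
    addr = ipaddress.ip_address(client)
    return next((n for n in nets if addr in n), None)

def collapsed(nets):
    """Merge adjacent addresses and drop subsumed entries; same matches, fewer entries."""
    out = []
    for version in (4, 6):  # collapse_addresses refuses mixed address families
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out

if __name__ == "__main__":
    nets, problems = parse_entries(SAMPLE_LIST)
    for entry, why in problems:
        print(f"REJECT {entry}: {why}")
    for n in broad_prefixes(nets):
        print(f"REVIEW {n}: prefix shorter than /9")
    print(f"{len(nets)} entries -> {len(collapsed(nets))} after collapsing")
    print("client 198.51.100.2 matches:", first_match(nets, "198.51.100.2"))
```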