DNS Blackholing

Dan Mahoney dmahoney at isc.org
Tue Dec 4 02:00:38 UTC 2012


On Dec 3, 2012, at 5:52 PM, rvandolson at esri.com wrote:

> All;
> 
> Am looking to do some DNS blackholing based on a pre-defined, dynamic list (such as DNS-BH).  Am looking for feedback on approaches for this.
> 
> Sounds like automatically generating an includeable config file with zone entries which point to a fairly bare zone definition file returning a honeypot IP or some such thing is fairly commonly done.

Others may offer different advice, but while that was a common way to do it in the past, a feature in most modern versions of BIND nowadays is Response Policy Zones.  Explaining them in full is beyond the scope of a simple mailing list post, but a good starting point is Vixie's blog entry on the ISC website here: ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt

> We have several resolver (caching) servers, and am curious how others out there handle those.  Do you set up each as a master or do the master/slave thing?  Presumably the former do avoid needless duplication of the bare zone file.

See above.

> In addition, how much memory is used by BIND for each zone definition?  We currently have a fairly small deployment with maybe a hundred zones tops.  If we suddenly jump to 10000+ -- even if they are all very small, how much memory can we expect to be chewed up so we can plan ahead?

With RPZ, you have a single zone instead of 10,000.  It shows promise and much better scaling, as well as the ability to replicate your single policy zone via standard AXFR/IXFR metrics.  SpamHaus is currently making some of their data available in this format:

http://www.spamhaus.org/news/article/669/

-Dan Mahoney
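Tying the thread's two ideas together (a config generated from a dynamic blocklist, and RPZ as the single zone that carries the policy), here is an added example that is not from the original post or from ISC: a small generator that turns a one-domain-per-line feed into an RPZ zone file. The feed contents, the zone origin `rpz.local` and the honeypot address are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample feed in the one-domain-per-line style many lists use:
# comment lines, blank lines, mixed case, trailing dots and some junk.
SAMPLE_BLOCKLIST = """\
# constructed sample feed, not real data
Malware.Example.test
phish.example.test.

bad host.invalid
malware.example.test
"""

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_blocklist(text):
    """Return a sorted, de-duplicated list of syntactically valid domains."""
    seen = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not name:
            continue
        labels = name.split(".")
        if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
            continue  # skip junk rather than emit a zone named will refuse to load
        seen.add(name)
    return sorted(seen)


def build_rpz_zone(domains, serial, honeypot_ip=None, origin="rpz.local"):
    """Emit an RPZ zone body. With honeypot_ip set, each listed domain and its
    subdomains get local data pointing at the honeypot; with honeypot_ip=None
    the RPZ 'CNAME .' action is used, so clients receive NXDOMAIN instead."""
    if honeypot_ip is None:
        action = "CNAME ."
    else:
        ipaddress.ip_address(honeypot_ip)  # fail early on a typo in the config
        action = ("AAAA " if ":" in honeypot_ip else "A ") + honeypot_ip
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in domains:
        lines.append(f"{name} IN {action}")
        lines.append(f"*.{name} IN {action}")  # wildcard covers subdomains too
    return "\n".join(lines) + "\n"
```

The resulting file is loaded as an ordinary master zone and enabled with `response-policy { zone "rpz.local"; };` in the `options` block; the same zone can then be transferred to the other resolvers with AXFR/IXFR rather than regenerated on each.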
