DNS Blackholing
Dan Mahoney
dmahoney at isc.org
Tue Dec 4 02:00:38 UTC 2012
On Dec 3, 2012, at 5:52 PM, rvandolson at esri.com wrote:
> All;
>
> Am looking to do some DNS blackholing based on a pre-defined, dynamic list (such as DNS-BH). Am looking for feedback on approaches for this.
>
> Sounds like automatically generating an includeable config file with zone entries which point to a fairly bare zone definition file returning a honeypot IP or some such thing is fairly commonly done.
Others may offer different advice, but while that was a common way to do it in the past, a feature in most modern versions of BIND nowadays is Response Policy Zones. Explaining them in full is beyond the scope of a simple mailing list post, but a good starting point is Vixie's blog entry on the ISC website here: ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
> We have several resolvers (caching) servers, and am curious how others out there handle those. Do you set up each as a master or do the master/slave thing? Presumably the former does avoid needless duplication of the bare zone file.
See above.
> In addition, how much memory is used by BIND for each zone definition? We currently have a fairly small deployment with maybe a hundred zones tops. If we suddenly jump to 10000+ -- even if they are all very small, how much memory can we expect to be chewed up so we can plan ahead?
With RPZ, you have a single zone instead of 10,000. It shows promise and much better scaling, as well as the ability to replicate your single policy zone via standard AXFR/IXFR metrics. Spamhaus is currently making some of their data available in this format:
http://www.spamhaus.org/news/article/669/
-Dan Mahoney
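The approach Dan recommends, as an added worked example that is not part of the original thread and not ISC's or DNS-BH's own tooling: a small POSIX shell script that turns a flat one-domain-per-line blocklist into a single RPZ zone (so the resolvers load one zone, not thousands of tiny ones) and prints the named.conf pieces for a master that holds the zone and slaves that pull it by AXFR/IXFR. The zone name rpz.local, the file paths, the honeypot address 192.0.2.100, the transfer ACL and the sample list are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build a BIND Response Policy Zone
# from a flat domain blocklist and emit the matching named.conf fragment.
# Zone name, file names, ACLs and the honeypot IP below are assumptions.

# Constructed sample list in the usual DNS-BH shape: one name per line,
# '#' comments and blank lines tolerated, trailing dots and mixed case allowed.
SAMPLE_LIST='# sample blocklist (constructed for this example)
malware.example.com
Phish.Example.NET.

c2.example.org'

# rpz_zone SERIAL ACTION
#   Reads domains on stdin and prints an RPZ zone.  Each listed name and every
#   name under it (the *.name wildcard) is rewritten.  ACTION is either an IPv4
#   honeypot address (answer with an A record) or the word "nxdomain", which
#   uses the RPZ "CNAME ." convention so BIND answers NXDOMAIN instead.
rpz_zone() {
    serial=$1; action=$2
    printf '$TTL 300\n'
    printf '@ IN SOA localhost. hostmaster.localhost. ( %s 3600 600 86400 300 )\n' "$serial"
    printf '  IN NS localhost.\n'
    # normalise: drop comments, whitespace and blank lines, trailing dot, case
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' -e 's/\.$//' |
    tr 'A-Z' 'a-z' | sort -u |
    while IFS= read -r name; do
        if [ "$action" = nxdomain ]; then
            printf '%s CNAME .\n*.%s CNAME .\n' "$name" "$name"
        else
            printf '%s A %s\n*.%s A %s\n' "$name" "$action" "$name" "$action"
        fi
    done
}

# named_conf_snippet ZONE FILE ROLE PEERS
#   ROLE is "master" (PEERS = ACL of slaves allowed to transfer) or "slave"
#   (PEERS = address of the master).  The policy zone is kept one place and
#   replicated with ordinary zone transfers; allow-query { none; } keeps
#   clients from reading the blocklist back out of the resolver.
named_conf_snippet() {
    zone=$1; file=$2; role=$3; peers=$4
    cat <<EOF
options {
    // consult the policy zone when building every recursive answer
    response-policy { zone "$zone"; };
};
EOF
    if [ "$role" = master ]; then
        cat <<EOF
zone "$zone" {
    type master;
    file "$file";
    allow-query { none; };
    allow-transfer { $peers; };
    notify yes;
};
EOF
    else
        cat <<EOF
zone "$zone" {
    type slave;
    masters { $peers; };
    file "$file";
    allow-query { none; };
};
EOF
    fi
}

# Typical use on the master, re-run whenever the upstream list changes.  The
# epoch-seconds serial only ever grows, so slaves always see a newer zone.
if [ "${1:-}" = install ]; then
    ZONE=rpz.local; ZFILE=/var/named/rpz.local.db          # assumed paths
    printf '%s\n' "$SAMPLE_LIST" | rpz_zone "$(date +%s)" 192.0.2.100 > "$ZFILE"
    named_conf_snippet "$ZONE" "$ZFILE" master '192.0.2.0/24' > /etc/named.rpz.conf
    rndc reload "$ZONE"   # use 'rndc reconfig' the first time the include is added
fi
```

Run it with `install` on the master once the include is referenced from named.conf; each slave resolver gets the `slave` form of the snippet pointing at the master's address. Because the whole list lives in one zone, adding ten thousand names costs zone data, not ten thousand zone structures, and the slaves pick up list changes through IXFR as the serial advances. Handing out a honeypot A record is useful for spotting infected clients in the honeypot's logs; use the `nxdomain` action instead when you simply want lookups to fail.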