DNS Blackholing
John Hascall
john at iastate.edu
Tue Dec 4 02:44:41 UTC 2012
We have found that RPZ works quite well for us.
We have 366825 names in our RPZ zone at present
and scaling thus far has been a non-issue.
John
-------------------------------------------------------------------------------
John Hascall, john at iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology
>
> On Dec 3, 2012, at 5:52 PM, rvandolson at esri.com wrote:
>
> > All;
> >
> > Am looking to do some DNS blackholing based on a pre-defined, dynamic list (such as DNS-BH). Am looking for feedback on approaches for this.
> >
> > Sounds like automatically generating an includeable config file with zone entries which point to a fairly bare zone definition file returning a honeypot IP or some such thing is fairly commonly done.
>
> Others may offer different advice, but while that was a common way to do it in the past, a feature in most modern versions of BIND nowadays is Response Policy Zones. Explaining them in full is beyond the scope of a simple mailing list post, but a good starting point is vixie's blog entry on the ISC website here: ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
>
> > We have several resolvers (caching) servers, and am curious how others out there handle those. Do you set up each as a master or do the master/slave thing? Presumably the former do avoid needless duplication of the bare zone file.
>
> See above.
>
> > In addition, how much memory is used by BIND for each zone definition? We currently have a fairly small deployment with maybe a hundred zones tops. If we suddenly jump to 10000+ -- even if they are all very small, how much memory can we expect to be chewed up so we can plan ahead?
>
> With RPZ, you have a single zone instead of 10,000. It shows promise and much better scaling, as well as the ability to replicate your single policy zone via standard AXFR/IXFR metrics. SpamHaus is currently making some of their data available in this format:
>
> http://www.spamhaus.org/news/article/669/
>
> -Dan Mahoney
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
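The single-policy-zone approach Dan describes, as an added example that is not from the thread: a small Python generator that turns a DNS-BH style domain list into one RPZ zone file that BIND can load and that secondaries can pull with AXFR/IXFR. The zone name `rpz.local`, the sample domains and the 192.0.2.1 walled-garden address are constructed placeholders.

```python
"""Generate a BIND Response Policy Zone (RPZ) file from a blackhole list.
Added example for the thread above; zone name, serial and domains are
constructed, not taken from any real feed."""
import ipaddress
import time

# Constructed sample of a DNS-BH style list: one domain per line,
# '#' comments and blank lines are ignored.
SAMPLE_LIST = """\
# constructed malware-domain list (placeholder names only)
malware-one.invalid
phish-two.invalid
  # indented comment
tracker-three.invalid
"""


def parse_domain_list(text):
    """Return a de-duplicated, lower-cased list of domains from list text."""
    seen, out = set(), []
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().rstrip(".").lower()
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def rpz_rules(domains, honeypot=None):
    """One RPZ rule per domain plus a wildcard for its subdomains.
    'CNAME .' makes the resolver answer NXDOMAIN; with a honeypot address
    the rule is an A record, i.e. the walled-garden answer the OP mentions."""
    rules = []
    for d in domains:
        for owner in (d, "*." + d):
            if honeypot is None:
                rules.append(f"{owner} CNAME .")
            else:
                rules.append(f"{owner} A {ipaddress.IPv4Address(honeypot)}")
    return rules


def build_rpz_zone(domains, zone="rpz.local", serial=None, honeypot=None):
    """Assemble the zone file: SOA/NS apex records followed by the rules.
    A new serial on every regeneration is what lets IXFR/AXFR push the
    updated policy to the other caching resolvers."""
    serial = int(time.time()) if serial is None else serial
    header = [
        "$TTL 300",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_rules(domains, honeypot)) + "\n"
```

Load the generated file as an ordinary master zone and reference it with `response-policy { zone "rpz.local"; };` in the `options` block; the other resolvers then slave that one zone instead of thousands of stub zones.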