DNS Blackholing

John Hascall john at iastate.edu
Tue Dec 4 02:44:41 UTC 2012


We have found that RPZ works quite well for us.
We have 366825 names in our RPZ zone at present
and scaling thus far has been a non-issue.

John
-------------------------------------------------------------------------------
John Hascall, john at iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology

> 
> On Dec 3, 2012, at 5:52 PM, rvandolson at esri.com wrote:
> 
> > All;
> > 
> > Am looking to do some DNS blackholing based on a pre-defined, dynamic list
> > (such as DNS-BH).  Am looking for feedback on approaches for this.
> > 
> > Sounds like automatically generating an includeable config file with zone
> > entries which point to a fairly bare zone definition file returning a honeypot
> > IP or some such thing is fairly commonly done.
> 
> Others may offer different advice, but while that was a common way to do it
> in the past, a feature in most modern versions of BIND nowadays is Response
> Policy Zones.  Explaining them in full is beyond the scope of a simple mailing
> list post, but a good starting point is vixie's blog entry on the ISC website
> here: ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
> 
> > We have several resolvers (caching) servers, and am curious how others out
> > there handle those.  Do you set up each as a master or do the master/slave
> > thing?  Presumably the former do avoid needless duplication of the bare zone
> > file.
> 
> See above.
> 
> > In addition, how much memory is used by BIND for each zone definition?  We
> > currently have a fairly small deployment with maybe a hundred zones tops.  If
> > we suddenly jump to 10000+ -- even if they are all very small, how much memory
> > can we expect to be chewed up so we can plan ahead?
> 
> With RPZ, you have a single zone instead of 10,000.  It shows promise and much
> better scaling, as well as the ability to replicate your single policy zone
> via standard AXFR/IXFR metrics.  SpamHaus is currently making some of their
> data available in this format:
> 
> http://www.spamhaus.org/news/article/669/
> 
> -Dan Mahoney
> 
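The single-policy-zone approach Dan describes above (one RPZ zone loaded via response-policy and replicated with ordinary AXFR/IXFR, rather than one stub zone per blocked name), as an added example that is not code from this thread or from ISC: a Python script that turns a DNS-BH-style flat list into one RPZ zone file and the matching named.conf fragments. The blocklist contents, the zone name rpz.local, the file path, the secondary address and the sinkhole address are all constructed assumptions; the record shapes (CNAME . for NXDOMAIN, CNAME *. for NODATA, an A record for a sinkhole, and a *.name wildcard for subdomains) follow the ISC technical note linked in the thread.

```python
"""Build a BIND Response Policy Zone (RPZ) from a flat domain blocklist.

Added example, not code from the mailing-list thread. The resolver loads ONE
policy zone through `response-policy` in named.conf instead of one stub zone
per blocked name, and that zone can be shipped to other resolvers with normal
AXFR/IXFR. Record shapes (per the ISC RPZ technical note):
    name    CNAME .          -> client receives NXDOMAIN
    name    CNAME *.         -> client receives NODATA
    name    A <sinkhole ip>  -> answer rewritten to a local sinkhole/honeypot
    *.name  (same rdata)     -> also covers every subdomain of name
"""
import ipaddress
import re
import time

# Constructed sample input in a DNS-BH-like flat layout (hypothetical names).
SAMPLE_BLOCKLIST = """\
# domain                 date        note (everything after the name is ignored)
malware-c2.example.net   2012-12-03  botnet controller
Phish-Login.EXAMPLE.org.             mixed case and trailing dot, must normalise
bad..name.example.com                empty label, must be rejected
drop-me.example.net                  listed twice, must appear once
drop-me.example.net
"""

# One DNS label: 1-63 letters/digits/hyphens, not starting or ending with '-'.
# Underscore labels are rejected by this check; relax it if your list has them.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Syntax check: a malformed owner name makes named refuse the whole zone."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def parse_blocklist(text):
    """Return unique, lowercased names (no trailing dot) in first-seen order."""
    seen = set()
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split()[0].lower().rstrip(".")
        if name in seen or not valid_hostname(name):
            continue
        seen.add(name)
        names.append(name)
    return names


def rpz_rdata(action, sinkhole=None):
    """Map a policy action to the RPZ right-hand side."""
    if action == "nxdomain":
        return "CNAME ."
    if action == "nodata":
        return "CNAME *."
    if action == "sinkhole":
        # Validate so a typo cannot end up as garbage rdata in the zone.
        return "A " + str(ipaddress.IPv4Address(sinkhole))
    raise ValueError("unknown RPZ action: %r" % action)


def rpz_records(names, action="nxdomain", sinkhole=None):
    """Two RRs per name: the name itself and a wildcard for its subdomains.
    Owner names stay RELATIVE (no trailing dot) so that under $ORIGIN they
    become <name>.<zone>., which is how RPZ keys its policy triggers."""
    rdata = rpz_rdata(action, sinkhole)
    recs = []
    for name in names:
        recs.append("%s %s" % (name, rdata))
        recs.append("*.%s %s" % (name, rdata))
    return recs


def build_rpz_zone(names, zone="rpz.local", serial=None, action="nxdomain",
                   sinkhole=None):
    """Render a complete zone file. Bump the serial on every regeneration so
    secondaries notice the change and pull it via IXFR/AXFR."""
    if serial is None:
        serial = int(time.time())
    lines = [
        "$ORIGIN %s." % zone,
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.%s. %d 3600 900 2592000 300"
        % (zone, serial),
        "@ IN NS localhost.",
    ]
    lines.extend(rpz_records(names, action, sinkhole))
    return "\n".join(lines) + "\n"


def named_conf_stanzas(zone="rpz.local", path="/var/named/rpz.local.zone",
                       secondaries=()):
    """named.conf fragments (assumed layout): an ordinary master zone that
    secondaries may transfer, plus the response-policy statement, which
    belongs inside the options {} block."""
    xfer = " ".join("%s;" % s for s in secondaries) or "none;"
    zone_stmt = "\n".join([
        'zone "%s" {' % zone,
        "    type master;",
        '    file "%s";' % path,
        "    allow-transfer { %s };" % xfer,
        "};",
    ]) + "\n"
    policy_stmt = 'response-policy { zone "%s"; };\n' % zone
    return zone_stmt, policy_stmt


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    print(build_rpz_zone(blocked, serial=2012120401))
    zone_stmt, policy_stmt = named_conf_stanzas(secondaries=["192.0.2.53"])
    print(zone_stmt)
    print("options { ... " + policy_stmt.strip() + " };")
```

Regenerate the zone from the upstream list on a schedule, write it to the configured file, and run `rndc reload` on the primary; the secondaries then fetch it with IXFR/AXFR like any other zone, which is what keeps the resolver count from multiplying the maintenance work. Validating each name before emitting it matters because a single bad owner name stops named from loading the entire policy zone, which silently disables blackholing rather than failing one entry.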