DNS Blackholing

John Hascall john at iastate.edu
Tue Dec 4 18:46:37 UTC 2012



-------------------------------------------------------------------------------
John Hascall, john at iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology

> On 12/4/2012 6:00 AM, John Hascall <john at iastate.edu> wrote:
> > We have found that RPZ works quite well for us.
> > We have 366825 names in our RPZ zone at present
> > and scaling thus far has been a non-issue.

> A question from the OP that has not yet been answered -
> Make the zones masters on all servers.  What I did was to
> have a file in common storage accessible to each DNS server,
> and every 10 minutes a cron job would run to see if the
> file in common storage had been updated.  If so, then
> the file was copied to the local disk, and an "rndc reconfig"
> command was issued to re-read the config file.  Note that the
> 10-minute cron ran at a different minute on each server to insure that
> only one server was reloading at any given time.
  (Assuming you have good time sync!)


We just used standard DNS tools.  Our RPZ zone is hosted
on its own (virtual) server.  The public recursive servers
secondary the zone.  Updates to the zone are done with
'nsupdate' and then propagate outward via IXFR.

We believe this approach is simple, yet it gives us low
latency and does not introduce any single points of failure
into the DNS resolving service.


John
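The "nsupdate on a dedicated RPZ primary, IXFR out to the recursive secondaries" workflow above, as an added example that is not part of the original post or of any ISU tooling. It builds the dynamic-update batch in plain POSIX shell so the statements can be inspected (or counted) before they are sent, and validates each feed entry so a malformed line cannot become a bad record in the policy zone. The zone name `rpz.example.net`, the primary address `192.0.2.53`, the sinkhole host `sinkhole.example.net` and the TSIG key file `./rpz.key` are all assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): generate and send nsupdate batches
# that add or remove RPZ policy records on the dedicated RPZ primary. Recursive
# servers that secondary the zone then receive the change via IXFR.
# Assumed values (placeholders, override via environment):
RPZ_ZONE="${RPZ_ZONE:-rpz.example.net}"      # the RPZ zone served by the primary
RPZ_PRIMARY="${RPZ_PRIMARY:-192.0.2.53}"     # address of the RPZ primary
RPZ_TTL="${RPZ_TTL:-300}"                    # TTL of the policy records
RPZ_KEYFILE="${RPZ_KEYFILE:-./rpz.key}"      # TSIG key so only the feed can update

# Accept only well-formed lowercase hostnames (labels of letters, digits and
# inner hyphens, separated by dots, at least two labels, no trailing dot).
valid_domain() {
  printf '%s' "$1" |
    grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# rpz_block_update DOMAIN [ACTION]
# Emit nsupdate statements blocking DOMAIN and all of its subdomains.
# The target encodes the standard RPZ actions:
#   nxdomain -> CNAME .                      (answer NXDOMAIN)
#   nodata   -> CNAME *.                     (answer empty NOERROR)
#   walled   -> CNAME sinkhole.example.net.  (redirect to a walled-garden host)
rpz_block_update() {
  domain=$1
  action=${2:-nxdomain}
  case $action in
    nxdomain) target='.' ;;
    nodata)   target='*.' ;;
    walled)   target='sinkhole.example.net.' ;;
    *) echo "rpz_block_update: unknown action '$action'" >&2; return 1 ;;
  esac
  printf 'server %s\nzone %s\n' "$RPZ_PRIMARY" "$RPZ_ZONE"
  # Exact name plus wildcard so the apex and every child label are both covered
  printf 'update add %s.%s %s IN CNAME %s\n' "$domain" "$RPZ_ZONE" "$RPZ_TTL" "$target"
  printf 'update add *.%s.%s %s IN CNAME %s\n' "$domain" "$RPZ_ZONE" "$RPZ_TTL" "$target"
  printf 'send\n'
}

# rpz_unblock_update DOMAIN
# Emit nsupdate statements removing the exact and wildcard policy records.
rpz_unblock_update() {
  domain=$1
  printf 'server %s\nzone %s\n' "$RPZ_PRIMARY" "$RPZ_ZONE"
  printf 'update delete %s.%s IN CNAME\n' "$domain" "$RPZ_ZONE"
  printf 'update delete *.%s.%s IN CNAME\n' "$domain" "$RPZ_ZONE"
  printf 'send\n'
}

# Count the "update" statements in a batch read from stdin (sanity check
# before sending a large feed).
count_updates() {
  grep -c '^update '
}

# Send a batch from stdin with a TSIG-signed nsupdate; if nsupdate is not
# installed, just show the batch so the operator can review it.
rpz_apply() {
  if command -v nsupdate >/dev/null 2>&1; then
    nsupdate -k "$RPZ_KEYFILE"
  else
    echo "nsupdate not found; batch was:" >&2
    cat
  fi
}

# Usage: ./rpz-update.sh demo   (constructed sample domain, not a real IoC)
if [ "${1:-}" = "demo" ]; then
  d=blocked-sample.test
  if valid_domain "$d"; then
    rpz_block_update "$d" nxdomain | rpz_apply
  fi
fi
```

On the recursive servers the only configuration needed is `response-policy { zone "rpz.example.net"; };` in `named.conf` plus the usual `type secondary` (older BIND: `type slave`) zone statement pointing at the primary; allowing updates from the feed host only, and only with the TSIG key, keeps anyone else from inserting policy records into a zone that every resolver on campus trusts.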


