RRL probably not useful for DNS IP blacklists, was Re: New Versions of BIND are available (9.9.4, 9.8.6, and 9.6-ESV-R10)

Noel Butler noel.butler at ausics.net
Sun Sep 22 03:11:46 UTC 2013


On Fri, 2013-09-20 at 14:12 +0000, Vernon Schryver wrote:

> > From: Shane Kerr <shane at isc.org>
> 
> > With a 50% packet loss and 3 retries you'll have about 1 in 16 lookups
> > fail, right? If you've got enough legitimate lookups going on to
> > trigger RRL then you're going to get lots of failures.
> 
> If 6% is "lots", then yes.
> 


It certainly is. I accept 1% error margins; anything more, then it's too
high.
If I was still managing public ISP DNS, then a 0.01% error margin would be
even a bit high, but then again, there I wouldn't be running views :)



> 
> > > limit NXDOMAIN responses to xxxxxxxx/24 for zen.spamhaus.org
> 
> > This doesn't indicate that anything is actually failing for the querying
> > hosts, just that they are issuing a lot of queries.
> 
> indeed.
> 
> 


But the end result was that RRL filtering was filtering, as per my
other message. However, ns0 is now using RRL in a view and has thus
far (just over 24 hours) not given us any problems. NS 1 and 2 have
always been pure authoritative, so never affected.


> 
> The potential RRL problem is when you provide high volume DNSBL service


That problem is removed now since the internal view for caching won't be
filtered when querying them, and our internal DNSBL has never needed to
be RL'd since, although public access is allowed, its volume is too low
to be measurable compared to the well-known ones :)

Thanks for clearing up the options, seems it should all be good now.
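
The split described in this message (RRL applied only in the view that serves outside clients, with the internal caching view left unlimited) could look like the following named.conf sketch. It is an added example, not configuration posted in the thread; the ACL name, addresses, zone name, file paths and limit values are all assumptions.

```conf
// Constructed example: ACL name, addresses, zone, paths and limits are assumptions.
acl internal-clients { 127.0.0.0/8; 192.0.2.0/24; };

options {
    directory "/var/named";          // assumed path
};

// Internal view: recursion and caching for our own hosts, e.g. mail
// servers doing DNSBL lookups. There is no rate-limit clause here, so
// responses to these clients are never dropped or truncated by RRL.
view "internal" {
    match-clients { internal-clients; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

// External view: authoritative-only service for everyone else, with RRL.
view "external" {
    match-clients { any; };
    recursion no;
    rate-limit {
        responses-per-second 5;      // identical answers per client block
        nxdomains-per-second 5;      // NXDOMAIN answers per client block
        slip 2;                      // every 2nd limited response is sent
                                     // truncated (TC=1), the rest dropped
        window 15;                   // seconds over which rates are tracked
    };
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

Views are matched in order, so the internal view has to come first; `named-checkconf` will validate the syntax before a reload.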

