On Dec 3, 2012, at 5:52 PM, rvandol...@esri.com wrote:

> All;
>
> Am looking to do some DNS blackholing based on a pre-defined, dynamic list
> (such as DNS-BH). Am looking for feedback on approaches for this.
>
> Sounds like automatically generating an includeable config file with zone
> entries which point to a fairly bare zone definition file returning a
> honeypot IP or some such thing is fairly commonly done.
Others may offer different advice, but while that was a common way to do it in the past, a feature in most modern versions of BIND nowadays is Response Policy Zones. Explaining them in full is beyond the scope of a simple mailing list post, but a good starting point is vixie's blog entry on the ISC website here:

ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt

> We have several resolvers (caching) servers, and am curious how others out
> there handle those. Do you set up each as a master or do the master/slave
> thing? Presumably the former do avoid needless duplication of the bare zone
> file.

See above.

> In addition, how much memory is used by BIND for each zone definition? We
> currently have a fairly small deployment with maybe a hundred zones tops. If
> we suddenly jump to 10000+ -- even if they are all very small, how much
> memory can we expect to be chewed up so we can plan ahead?

With RPZ, you have a single zone instead of 10,000. It shows promise and much better scaling, as well as the ability to replicate your single policy zone via standard AXFR/IXFR metrics.

SpamHaus is currently making some of their data available in this format:

http://www.spamhaus.org/news/article/669/

-Dan Mahoney
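As an added example (not code from this thread or from ISC), here is a small Python script that turns a DNS-BH-style list into the single RPZ zone described above, answering every listed name and its subdomains with a honeypot address rather than generating one zone statement per domain; the zone name rpz.local and the sinkhole address 192.0.2.1 are assumptions:

```python
"""Build one BIND Response Policy Zone (RPZ) from a DNS-BH-style blocklist,
instead of one zone statement per blocked domain.
Assumed (not from the thread): policy zone rpz.local, sinkhole 192.0.2.1.
Load the output as a normal master zone and reference it from named.conf
with  response-policy { zone "rpz.local"; };  inside options {}."""
from datetime import datetime, timezone

# Constructed sample list: comments, case, duplicates and junk are expected.
SAMPLE_BLOCKLIST = """\
# constructed DNS-BH style list
malware.example
phish.example.net   # comment after entry
Bad.Example.Org.
malware.example
not a valid name!
"""

def _valid_hostname(name):
    """Cheap syntactic check so junk lines never reach the zone file."""
    if not name or len(name) > 253:
        return False
    return all(0 < len(label) <= 63 and label.replace("-", "").isalnum()
               for label in name.split("."))

def parse_blocklist(text):
    """Lowercase, strip comments and trailing dots, drop junk and duplicates."""
    seen, domains = set(), []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if name and _valid_hostname(name) and name not in seen:
            seen.add(name)
            domains.append(name)
    return domains

def rpz_zone(domains, origin="rpz.local", sink="192.0.2.1", serial=None):
    """RPZ zone text: each name and its subdomains become Local Data
    triggers that answer with the sinkhole A record."""
    if serial is None:  # YYYYMMDDnn serial so slaves pick up changes via IXFR
        serial = int(datetime.now(timezone.utc).strftime("%Y%m%d01"))
    lines = ["$TTL 300", f"$ORIGIN {origin}.",
             f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
             "@ IN NS localhost."]
    for d in domains:
        lines.append(f"{d} IN A {sink}")    # exact QNAME trigger
        lines.append(f"*.{d} IN A {sink}")  # any subdomain of it
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(rpz_zone(parse_blocklist(SAMPLE_BLOCKLIST)), end="")
```

Bumping the SOA serial on every regeneration is what lets the slave resolvers pull the updated policy over AXFR/IXFR instead of each one rebuilding it locally.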