We have found that RPZ works quite well for us. We have 366825 names in our RPZ zone at present and scaling thus far has been a non-issue.
John
-------------------------------------------------------------------------------
John Hascall, j...@iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology

> On Dec 3, 2012, at 5:52 PM, rvandol...@esri.com wrote:
>
> > All;
> >
> > Am looking to do some DNS blackholing based on a pre-defined, dynamic list (such as DNS-BH). Am looking for feedback on approaches for this.
> >
> > Sounds like automatically generating an includeable config file with zone entries which point to a fairly bare zone definition file returning a honeypot IP or some such thing is fairly commonly done.
>
> Others may offer different advice, but while that was a common way to do it in the past, a feature in most modern versions of BIND nowadays is Response Policy Zones. Explaining them in full is beyond the scope of a simple mailing list post, but a good starting point is Vixie's blog entry on the ISC website here: ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
>
> > We have several resolvers (caching) servers, and am curious how others out there handle those. Do you set up each as a master or do the master/slave thing? Presumably the former does avoid needless duplication of the bare zone file.
>
> See above.
>
> > In addition, how much memory is used by BIND for each zone definition? We currently have a fairly small deployment with maybe a hundred zones tops. If we suddenly jump to 10000+ -- even if they are all very small, how much memory can we expect to be chewed up so we can plan ahead?
>
> With RPZ, you have a single zone instead of 10,000. It shows promise and much better scaling, as well as the ability to replicate your single policy zone via standard AXFR/IXFR metrics.
> SpamHaus is currently making some of their data available in this format:
>
> http://www.spamhaus.org/news/article/669/
>
> -Dan Mahoney
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
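The RPZ approach Dan describes and John reports running at scale, worked through as an added example (not code from the thread, from ISC, or from Iowa State): a small generator that turns a DNS-BH-style domain list into a single BIND policy zone, plus the named.conf fragments for the master/slave replication the original question asked about. The zone name "rpz.local", the file path, the honeypot address 192.0.2.1 and the 192.0.2.0/24 secondaries are all assumed placeholders; the record semantics (CNAME . for NXDOMAIN, CNAME *. for NODATA, an A record for a walled garden, CNAME rpz-passthru. to exempt a name) are from the ISC RPZ format. The sample blocklist is constructed to exercise the parser's edge cases and is not a real feed.

```python
#!/usr/bin/env python3
"""Generate a BIND Response Policy Zone (RPZ) from a DNS-BH-style blocklist.

Added example, not from the thread or ISC. Assumed (hypothetical) names:
policy zone "rpz.local", file /var/named/rpz.local.db, honeypot 192.0.2.1
(RFC 5737 documentation range), slave resolvers in 192.0.2.0/24.

RPZ policy rdata (ISC RPZ format, isc-tn-2010-1):
  CNAME .             -> resolver answers NXDOMAIN
  CNAME *.            -> resolver answers NODATA
  A 192.0.2.1         -> resolver answers with the honeypot address
  CNAME rpz-passthru. -> name is exempted from policy
An extra "*.name" owner applies the same policy to every subdomain.
"""
import re
from datetime import date

# One RFC 1035 label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

ACTIONS = {
    "nxdomain": "CNAME .",
    "nodata": "CNAME *.",
    "honeypot": "A {honeypot}",
    "passthru": "CNAME rpz-passthru.",
}

# named.conf for the assumed deployment: one resolver is master for the policy
# zone, the other caching resolvers slave it over AXFR/IXFR. Every resolver
# that should enforce the policy needs the response-policy option.
NAMED_CONF_MASTER = """\
options { response-policy { zone "rpz.local"; }; };
zone "rpz.local" {
    type master;
    file "/var/named/rpz.local.db";
    allow-transfer { 192.0.2.0/24; };   # assumed: the slave resolvers
    notify yes;
};
"""
NAMED_CONF_SLAVE = """\
options { response-policy { zone "rpz.local"; }; };
zone "rpz.local" {
    type slave;
    masters { 192.0.2.10; };            # assumed: the master resolver
    file "/var/named/rpz.local.db";
};
"""

def normalize(line):
    """Lowercase, drop '#' comments and a trailing dot; None if blank or not a valid name."""
    name = line.split("#", 1)[0].strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return None
    return name

def load_domains(text):
    """Parse a blocklist into a de-duplicated list, preserving feed order."""
    seen, out = set(), []
    for raw in text.splitlines():
        name = normalize(raw)
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out

def serial_for(day, revision=1):
    """YYYYMMDDnn serial: each regeneration must exceed the last or slaves will not transfer it."""
    return int(day.strftime("%Y%m%d")) * 100 + revision

def policy_records(domain, action="nxdomain", honeypot="192.0.2.1"):
    """Policy records for one domain and, through the wildcard owner, all of its subdomains."""
    rdata = ACTIONS[action].format(honeypot=honeypot)
    return [f"{domain} {rdata}", f"*.{domain} {rdata}"]

def build_zone(domains, zone="rpz.local", serial=None, action="nxdomain", honeypot="192.0.2.1"):
    """Render a complete zone file: SOA and NS at the apex, then two records per listed domain."""
    serial = serial if serial is not None else serial_for(date.today())
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.{zone}. {serial} 3600 600 86400 300",
        "@ NS localhost.",
    ]
    for domain in domains:
        lines.extend(policy_records(domain, action, honeypot))
    return "\n".join(lines) + "\n"

# Constructed sample feed (not a real DNS-BH export) covering the parser's edge cases.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
evil.example
Malware.Example.        # mixed case and trailing dot are normalized
evil.example            # duplicate is dropped
not a domain            # no dot, rejected
bad-.example            # label may not end with '-', rejected
"""

if __name__ == "__main__":
    names = load_domains(SAMPLE_BLOCKLIST)
    print(build_zone(names, serial=serial_for(date(2012, 12, 3))))
```

Write the output to the zone file on the master, validate it with `named-checkzone rpz.local /var/named/rpz.local.db`, then `rndc reload rpz.local`; the slaves pick the change up through NOTIFY and IXFR because the serial is strictly increasing. Two records per name is the price of the wildcard line; for a list the size of John's that is on the order of 700k records in one zone, which is the scaling RPZ was designed for, whereas the older per-domain `zone` stanza approach costs a zone object per name.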