On Fri, 26 Oct 2018 17:37:47 +0000 Joe Dahlquist <jdahlqu...@threatstop.com> wrote:
> N6Ghost, > > Re: DNS Firewall options on bind, a shameless plug for Threatstop.com > and the first you should investigate. > > Other sources of RPZ with quality data you can look at: Farsight, > SURBL, Spamhaus > > Regards, > Joe Dahlquist > > > > > > > On 10/26/18, 9:49 AM, "bind-users on behalf of N6Ghost" > <bind-users-boun...@lists.isc.org on behalf of n6gh...@gmail.com> > wrote: > > >On Fri, 26 Oct 2018 10:52:17 -0400 > >Kevin Darcy <kevin.da...@fcagroup.com> wrote: > > > >> My basic rule of thumb is: use forwarding when connectivity > >> constraints require it. Those constraints may be architectural, > >> e.g. a multi-tiered, multi-layer network for security purposes, or > >> may be the result of screwups or unintended consequences, e.g. a > >> routing blackhole. Use forwarding to get around those blockages. > >> > >> Now, if one thinks one can use forwarding for > >> efficiency/performance ("forward first") as opposed to using it > >> for connectivity ("forward only"), then do so based on > >> *documented* , *observed* evidence, not just on assumptions or > >> conjecture. A lot of folks just take for granted that forwarding > >> to a rich cache will speed up their lookups. Maybe it will, maybe > >> it won't -- MEASURE IT. > >> > >> Also, bear in mind that while forwarding to a rich cache may help > >> your *best* case, and maybe your *average* case, it may hurt your > >> *worst* case, since in the case of a cache miss, you have your > >> wasted forwarding attempt *plus* however long it takes to fetch > >> the data yourself. Your worst case is going to be the one that > >> causes apps to time out, support calls, tickets, everyone blaming > >> the DNS infrastructure, etc. You've been warned. > >> > >> > >> - Kevin > > > >kinda my points exactly. while forwarding works, and is a useful > >tool. it is not a delegation or an authoritative zone. so, building > >critical name spaces with it should be avoid unless you have to. it > >not something you plan upfront with. thats just silly. > > > > > >> > >> On Fri, Oct 26, 2018 at 10:41 AM Bob Harold <rharo...@umich.edu> > >> wrote: > >> > >> > > >> > On Thu, Oct 25, 2018 at 4:34 PM N6Ghost <n6gh...@gmail.com> > >> > wrote: > >> >> Hi All, > >> >> > >> >> have two questions first, I am not a huge fan of using > >> >> forwarding zones and our "load balancing" team, has there zone > >> >> delegated to them in a way that needs an internal forward zone > >> >> to work properly on the inside and not rely on on internet POP. > >> >> > >> >> I want to move a core namespace to the load balancer but i want > >> >> them to let me assign them a new zone thats internally > >> >> authoritative and use it as the LB domain. > >> >> > >> >> which would be: > >> >> cname name.domain.com -> newname.newzone.domain.com > >> >> > >> >> they want: > >> >> cname name.domain.com -> newname.oldzone.domain.com > >> >> > >> >> old zone is directly delagated from outside to them so we need > >> >> an internal forward zone for it. i dont want to rely on that. > >> >> > >> >> any thoughts on this? what can i use to present to management to > >> >> win this? > >> >> > >> > > >> > The users should never see the domain that the CNAME points at, > >> > it is just an internal name used by DNS. If they can change > >> > where " newname.oldzone.domain.com" points more easily than " > >> > newname.newzone.domain.com" then they might have a valid reason > >> > to want it. Otherwise, newname.newzone.domain.com will be a > >> > faster and more reliable choice. > >> > > >> > Definitely avoid forwarding when possible. It causes slower > >> > lookups and more points of failure. (There will occasional be > >> > times when it has some advantage, or requirement.) > >> > > >> > -- > >> > Bob Harold Thanks will check it out! > >> > > >> > > >> >> > >> >> next, we where a bind shop but switched to infoblox for some > >> >> stuff and now out grew it. and are going back to bind. > >> >> > >> >> but we started using the dns firewall part of it and they > >> >> actually really liked it. any ideas for domain blacklisting? > >> >> via some sort of feed etc? what is everyone doing for that sort > >> >> of thing? > >> >> > >> >> thanks > >> >> > >> >> -N6Ghost > >> >> _______________________________________________ > >> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users > >> >> to unsubscribe from this list > >> >> > >> >> bind-users mailing list > >> >> bind-users@lists.isc.org > >> >> https://lists.isc.org/mailman/listinfo/bind-users > >> >> > >> > _______________________________________________ > >> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > >> > unsubscribe from this list > >> > > >> > bind-users mailing list > >> > bind-users@lists.isc.org > >> > https://lists.isc.org/mailman/listinfo/bind-users > >> > > >> > > > >_______________________________________________ > >Please visit https://lists.isc.org/mailman/listinfo/bind-users to > >unsubscribe from this list > > > >bind-users mailing list > >bind-users@lists.isc.org > >https://lists.isc.org/mailman/listinfo/bind-users > _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users