Blackholing / Load help
Mark_Andrews at isc.org
Tue Nov 29 23:11:21 UTC 2005
> For a multitude of reasons we are managing a very large blackhole list on
> our DNS servers. One of the reasons I mentioned a month or so ago in this
> list is that we get a huge number of bogus ANY ANY queries to our servers
> from DNS attacks. Anyway, not what I'm here to discuss.
> What I'm wondering is if there is a limitation to the size of the blackhole
> list and if its size is directly proportional to processing power.
There is no limit other than the memory required to support it.
> For example, if we have 15,000 IPs in that list and the servers are having
> trouble answering queries (often failing to respond), will increasing the
> power of the machine, processor- and memory-wise, help that problem, or is the
> problem inherent within the BIND application and it just can't process a file
> that big?
> Also I know you can subnet the entries in that file. Does that help or
> hinder BIND when processing the file? If I have 15,000 individual IPs
> versus say 10,000 CIDR listings, which is easier for BIND to process?
Individual addresses are treated as /32 or /128.
> Any help would be much appreciated. We are on the verge of throwing new
> machines out onto network nationwide and I want to size them accordingly.
The acl code is pretty simple. See lib/dns/acl.c.
> Also, separately, did anyone know that you can not put a CIDR less than /9 in
> the blackhole list? If you do, BIND immediately throws SERVFAIL on any query
> you try to make from any IP.
I can't parse the above. An example would help.
> scott mclaughlin
> sr. systems engineer
> v:360/759/9605 | f:360/906/9824
> Find me on googleIM @ srv1054
> - "ACK and you shall receive."
> - "In The Beginning there was nothing, which exploded"
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
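As an added example, not code from this thread or from BIND itself: a Python script that treats bare addresses as /32 or /128 the way Mark describes, collapses a list of entries into the minimal set of CIDR prefixes (the "15,000 IPs versus 10,000 CIDR listings" question), and renders the result as a named.conf acl referenced from the blackhole option. The entry list and the acl name are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample blackhole entries (not taken from the thread): a mix of
# bare addresses, which BIND treats as /32 or /128, and explicit CIDR prefixes.
SAMPLE_ENTRIES = [
    "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.0/30",
    "198.51.100.0/25", "198.51.100.128/25",
    "203.0.113.7",
    "2001:db8::1", "2001:db8::/64",
]


def parse_entries(entries: Iterable[str]) -> List[Network]:
    """Turn each entry into a network; a bare address becomes /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def aggregate(entries: Iterable[str]) -> List[Network]:
    """Collapse overlapping and adjacent prefixes into the minimal CIDR list.

    collapse_addresses() only accepts one address family at a time, so the
    IPv4 and IPv6 entries are collapsed separately and then concatenated.
    """
    nets = parse_entries(entries)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_acl(name: str, nets: Iterable[Network]) -> str:
    """Emit a named.conf acl statement plus the blackhole option that uses it."""
    body = "\n".join(f"    {n.with_prefixlen};" for n in nets)
    return (f'acl "{name}" {{\n{body}\n}};\n\n'
            f'options {{\n    blackhole {{ {name}; }};\n}};\n')


def is_blackholed(addr: str, nets: Iterable[Network]) -> bool:
    """Linear scan over the prefix list; any matching prefix blackholes the source."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


if __name__ == "__main__":
    nets = aggregate(SAMPLE_ENTRIES)
    print(f"{len(SAMPLE_ENTRIES)} entries collapsed to {len(nets)} prefixes")
    print(render_acl("blackhole-list", nets))
```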