minimum cache times?

Eivind Olsen eivind at aminor.no
Tue Oct 5 18:00:38 UTC 2010


--On 5. oktober 2010 13.46.30 -0400 "Atkins, Brian (GD/VA-NSOC)" 
<Brian.Atkins2 at va.gov> wrote:
> Currently, we use DNS to blackhole bad domains. The list of bad domains
> are provided to us from another government entity or vetted by an
> enterprise security team.

How do you implement this list? By putting those domains into your 
named.conf (or some included configuration file) as authoritative domains, 
pointing to a common dummy zonefile, and then reloading/restarting BIND?
If you do it like this and restart BIND, you'll automatically lose the old 
cached information anyway.
If you instead add to named.conf and do "rndc reconfig", I don't think it 
will drop previously cached information.
Depending on how you do this - is it feasible to do "rndc flushname 
old.cached.domain" on these domains?

> The servers I manage are the DNS servers of last resort for our internal
> clients before hitting up root. However, they are not the only DNS
> servers available to the clients - there are several hundred internal
> servers, mostly windows servers, that handle client queries. I have no
> control over them.

Are all those DNS servers pointing to your server as their forwarder, or 
will any change you do on your server still have next to no impact since 
these other servers bypass you anyway?

In other words, is your setup something like this:

[clients] --> [X amount of DNS servers you don't control] --> [YOUR DNS 
server] --> Internet

?

> So, when I add new domains to my block list, I am at the mercy of the
> bad domain's TTL. I have had DNS cache thwarting my ability to block the
> bad domain, sometimes for several days.

If the information is cached at your internal servers which _you_ have no 
control over, you'll still be at the mercy of any long TTL.

> Basically, I want to make the block occur within a couple of hours after
> implementation - hence setting the max-cache-ttl.
> I realize that there are other ways to do this, but I am limited by
> my funding.

As long as you don't have control over all the different DNS servers used 
in your organization, you'll still have problems making a solution here.

Regards
Eivind Olsen
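As an added example (not part of the original thread, and not ISC's code), the approach sketched above written out as a POSIX shell script: it turns a one-domain-per-line blocklist into a file of authoritative "zone" stanzas that all share one dummy zone file, runs "rndc reconfig" so the new stanzas are loaded without restarting named, and then issues "rndc flushname" for every listed domain so the old cached answer is dropped right away instead of lingering until its TTL expires. The file paths, the blocklist format, the 127.0.0.1 sink address and the low 300-second TTL in the dummy zone are assumptions chosen for the example; "rndc flushname" only clears the exact name given (BIND 9.9 and later also have "rndc flushtree", which clears the whole subtree). Note that this, like a "max-cache-ttl 7200;" line in the options block, only changes what the server it is run on answers; the Windows resolvers in front of it keep their own caches.

```shell
#!/bin/sh
# Build a BIND "blackhole" include from a blocklist, reload it with
# rndc reconfig, and flush the listed names from the cache.
# All paths below are assumptions for this example; adjust to taste.

BLOCKLIST="${BLOCKLIST:-/etc/bind/blocklist.txt}"   # one domain per line, '#' comments allowed
INCLUDE="${INCLUDE:-/etc/bind/blackhole.conf}"      # referenced from named.conf via: include "/etc/bind/blackhole.conf";
DUMMY_ZONE="${DUMMY_ZONE:-/etc/bind/db.blackhole}"  # one zone file shared by every blocked domain
NAMED_CONF="${NAMED_CONF:-/etc/bind/named.conf}"
SINK_IP="${SINK_IP:-127.0.0.1}"                     # where blocked names resolve to (assumed)

# normalise: drop comments, whitespace and empty lines, lower-case,
# strip a trailing dot so "Evil.Example." and "evil.example" match.
normalise() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' -e 's/\.$//' | tr 'A-Z' 'a-z'
}

# gen_blackhole_conf: read domains on stdin, emit one authoritative zone
# stanza per domain, every one of them backed by the same dummy file.
gen_blackhole_conf() {
    normalise | while IFS= read -r d; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$DUMMY_ZONE"
    done
}

# gen_flush_cmds: read domains on stdin, emit the rndc command that drops
# each exact name from the cache (reconfig alone leaves cached RRsets alone).
gen_flush_cmds() {
    normalise | while IFS= read -r d; do
        printf 'rndc flushname %s\n' "$d"
    done
}

# gen_dummy_zone: the shared zone file. "@" expands to each zone's own
# origin, so one file serves all blocked domains. The short TTL means
# that if a domain is ever removed from the list, clients stop seeing
# the sink address within minutes rather than days.
gen_dummy_zone() {
    cat <<EOF
\$TTL 300
@   IN SOA localhost. root.localhost. ( 1 3600 900 604800 300 )
@   IN NS  localhost.
@   IN A   $SINK_IP
*   IN A   $SINK_IP
EOF
}

# apply_blocklist: regenerate the include, validate the whole config,
# reload without losing the rest of the cache, then flush the blocked names.
apply_blocklist() {
    [ -f "$DUMMY_ZONE" ] || gen_dummy_zone > "$DUMMY_ZONE"
    [ -f "$INCLUDE" ] && cp "$INCLUDE" "$INCLUDE.bak"
    gen_blackhole_conf < "$BLOCKLIST" > "$INCLUDE"
    if ! named-checkconf "$NAMED_CONF"; then
        echo "named-checkconf failed, restoring previous include" >&2
        [ -f "$INCLUDE.bak" ] && mv "$INCLUDE.bak" "$INCLUDE"
        return 1
    fi
    rndc reconfig
    gen_flush_cmds < "$BLOCKLIST" | sh
}

# Only act when invoked as "blackhole.sh apply"; sourcing the file just
# defines the functions.
case "${1:-}" in
    apply) apply_blocklist ;;
esac
```

Run it as "sh blackhole.sh apply" from whatever job adds domains to the list; the flush step is what closes the gap between "named.conf updated" and "clients get the sink address" on this server. If the script is run after a full restart instead of a reconfig, the flush commands are harmless but redundant, since a restart empties the cache anyway.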



