DNS Blackholing

Noel Butler noel.butler at ausics.net
Wed Dec 5 11:45:06 UTC 2012


On Wed, 2012-12-05 at 09:13 +0000, Phil Mayers wrote:

> On 12/04/2012 06:35 PM, Barry S. Finkel wrote:
> 
> > A question from the OP that has not yet been answered -
> > Make the zones masters on all servers.
> 
> Surely not for RPZ? The whole point with RPZ is that you have one zone 
> containing all the blacklists, master in one place, and slave it in all 
> the others.
> 
> For traditional DNS blacklisting (one zone per blacklisted name/suffix) 
> sure, but I'm honestly not sure why anyone would start out down that 
> road today with RPZ available.


Response times would be a good reason; an RPZ zone still goes through the motions.

forged (local empty) zone:
dig  mmmm.xxxtoolbar.com
<snip>
;; Query time: 0 msec

(all local zones the same, 0 msec)

RPZ:
dig bobi.at
;; Query time: 996 msec

(avg response time it seems for RPZ'd zones)

So it sure as hell doesn't work the same as a forged "empty" zone.

RPZ is awesome if you want to walled-garden a hostname, but for just speedy
dropping, an empty zone beats it hands down even if it is messier, requiring
its own zone.
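For readers comparing the two approaches discussed in this thread, here is what they look like in BIND configuration; this is an added illustration, not configuration from the poster or from ISC, and the file paths, the rpz.local zone name and the zone file contents are assumptions. Two files are shown in one block (named.conf uses // comments, the zone file uses ; comments).

```conf
// ---- named.conf (assumed path /etc/bind/named.conf) ----

// Approach 1: a forged local "empty" zone, one per blackholed name, master
// on every server. The resolver is authoritative for it, so it answers from
// its own data without recursing (the 0 msec query time shown above).
// The apex gets NODATA, anything below it gets NXDOMAIN.
zone "mmmm.xxxtoolbar.com" IN {
    type master;
    file "/etc/bind/db.empty";        // assumed: SOA + NS only
};

// Approach 2: one RPZ zone holding every entry, master here and slaved on
// the other resolvers. With default settings BIND resolves the query
// normally first and only then applies the policy, which is where the
// ~1 second query times in the post come from.
options {
    response-policy { zone "rpz.local"; };   // assumed zone name
    // On BIND 9.10 and later, adding  qname-wait-recurse no;  inside the
    // response-policy statement lets a QNAME trigger answer before
    // recursion finishes, removing most of that delay.
};

zone "rpz.local" IN {
    type master;
    file "/etc/bind/db.rpz.local";    // assumed path
    allow-transfer { 192.0.2.0/24; }; // constructed: the slave resolvers
};

// ---- /etc/bind/db.rpz.local (assumed contents) ----
// $TTL 60
// @          IN SOA  localhost. root.localhost. ( 1 3600 900 604800 60 )
// @          IN NS   localhost.
// bobi.at    IN CNAME .     ; RPZ trigger: answer NXDOMAIN for bobi.at
// *.bobi.at  IN CNAME .     ; and for every name under it
```

The RPZ trigger names are owner names inside rpz.local (bobi.at.rpz.local.), so each blackholed domain is two records in one zone instead of a zone statement on every server.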
