p.mayers at imperial.ac.uk
Wed Dec 5 12:33:56 UTC 2012
On 12/05/2012 11:45 AM, Noel Butler wrote:
> dig bobi.at
> ;; Query time: 996 msec
You're correct that blackhole zones and RPZ have different performance
characteristics. For others reading, this is because with RPZ, the real
name is queried first, then RPZ applies to the answers, so if the real
name is slow, you'll see slowness until it's in-cache.
However, once the real name is cached, 2nd and subsequent queries are
fast. So, querying an RPZ-blocked name is at worst as slow as the
unblocked name, and fast once it's in-cache.
Clearly a blackhole zone won't trigger a recursive query and will always
> (avg response time it seems for RPZ'd zones)
> So it sure as hell doesn't work the same as a forged "empty" zone
> RPZ is awesome if you want to wallgarden a hostname, but for just speedy
> dropping, empty zone beats it hands down even if it is messier requiring
> its own zone.
I guess this depends on your query pattern. I observe fast queries on 2nd
access to RPZ blocked names, and we see a lot of hits to a small
percentage of the names.
Obviously if people want to use blackholed zones, they can. In our case,
the value of RPZ is that we can slave a feed from a trusted provider,
which is far harder to manage if you're having to generate 675,000
blackhole zones and run "rndc reconfig" every few minutes to catch
fast-flux DNS for botnet control channels.
But I take your point - people need to understand the characteristics of
the feature before deciding what's appropriate.
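The two approaches discussed in this thread, as an added named.conf fragment that is not part of the original post. Zone names, the feed provider's master address and file paths are placeholders; the `qname-wait-recurse` option is assumed to be available (it was added in later BIND releases than the ones discussed here).

```conf
// Added example, not from the thread: RPZ fed by a slaved zone versus
// a locally generated "empty" (blackhole) zone.  All names, addresses
// and paths below are placeholders.

options {
    directory "/var/named";
    recursion yes;

    // RPZ: policy comes from a zone slaved from a trusted feed.
    // By default BIND resolves the real name first and only then
    // applies the policy, so the first lookup of a blocked name is as
    // slow as the real name; later lookups are served from cache.
    response-policy {
        zone "rpz.feed.example";
    }
    // Later BIND versions can skip the recursion for names matched by
    // a QNAME rule (assumed option; omit on versions that lack it).
    qname-wait-recurse no;
};

// The RPZ zone is slaved: changes reach this resolver via NOTIFY and
// zone transfer, so no "rndc reconfig" is needed when the feed changes.
zone "rpz.feed.example" {
    type slave;
    masters { 192.0.2.1; };        // placeholder feed-provider address
    file "slaves/rpz.feed.example";
    allow-transfer { none; };
};

// Blackhole/empty zone: the resolver is authoritative, so no recursive
// query is ever sent and the answer is always fast, but one stanza is
// needed per blocked name and each change requires a reconfig.
zone "blocked.example" {
    type master;
    file "blackhole/empty.db";     // SOA + NS pointing at localhost only
    allow-update { none; };
};
```

The same `empty.db` file can back every blackhole stanza; a blocked name then answers NXDOMAIN for everything below the apex without a recursive lookup.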