DNS Blackholing

Phil Mayers p.mayers at imperial.ac.uk
Wed Dec 5 12:33:56 UTC 2012


On 12/05/2012 11:45 AM, Noel Butler wrote:

> RPZ:
> dig bobi.at
> ;; Query time: 996 msec

You're correct that blackhole zones and RPZ have different performance 
characteristics. For others reading, this is because with RPZ, the real 
name is queried first, then RPZ applies to the answers, so if the real 
name is slow, you'll see slowness until it's in-cache.

However, once the real name is cached, 2nd and subsequent queries are 
fast. So, querying an RPZ-blocked name is at worst as slow as the 
unblocked name, and fast once it's in-cache.

Clearly a blackhole zone won't trigger a recursive query and will always 
answer immediately.

> (avg response time it seems for RPZ'd zones)
>
> So it sure as hell doesn't work the same as a forged "empty" zones

Sure.


> RPZ is awesome if you want to wallgarden a hostname, but for just speedy
> dropping, empty zone beats it hands down even if it is messier requiring
> its own zone.

I guess this depends on your query pattern. I observe fast queries on 2nd 
access to RPZ blocked names, and we see a lot of hits to a small 
percentage of the names.

Obviously if people want to use blackholed zones, they can. In our case, 
the value of RPZ is that we can slave a feed from a trusted provider, 
which is far harder to manage if you're having to generate 675,000 
blackhole zones and run "rndc reconfig" every few minutes to catch 
fast-flux DNS for botnet control channels.

But I take your point - people need to understand the characteristics of 
the feature before deciding what's appropriate.
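The two mechanisms compared in this message, shown as an added example that is not part of the thread or of BIND itself: a small POSIX sh script that takes one list of names and emits, on the one hand, the per-name `zone` stanzas a blackhole-zone setup needs in named.conf, and on the other, a single RPZ zone file whose records are the rewrite rules. The shared empty zone file path, the `localhost.` SOA/NS placeholders and the sample names under `.example` are assumptions for illustration, not values from the post.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Generates the two blocking
# artifacts discussed in the message from one list of names:
#
#   blackhole zones: one authoritative `zone` stanza per name, all sharing an
#   empty zone file (SOA and NS only). named answers from local data, so no
#   recursion happens and the reply is immediate, but every change means
#   rewriting the stanzas and running `rndc reconfig`.
#
#   RPZ: one zone whose records are policy rules. named resolves the real
#   name first and then applies the policy, which is why the first lookup of
#   a blocked name is as slow as the real one. A single zone can be slaved
#   from a feed instead of being regenerated locally.

# Assumed path of the shared empty zone file (SOA and NS at the apex only).
EMPTY_ZONE_FILE="${EMPTY_ZONE_FILE:-/etc/bind/db.empty}"

# Read names from stdin, one per line; skip blank lines and '#' comments.
read_names() {
    while IFS= read -r name; do
        case "$name" in
            ''|'#'*) continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# Emit one named.conf stanza per name, each pointing at the empty zone file.
gen_blackhole_conf() {
    read_names | while IFS= read -r name; do
        printf 'zone "%s" { type master; file "%s"; };\n' \
            "$name" "$EMPTY_ZONE_FILE"
    done
}

# Emit an RPZ zone file. Owner names are relative to the zone origin; the
# CNAME target selects the action: "." returns NXDOMAIN, "*." returns NODATA,
# and a real hostname redirects the client there (walled garden). The name
# and its wildcard are both listed so subdomains are covered.
gen_rpz_zone() {
    action="${1:-.}"
    printf '$TTL 60\n'
    printf '@ IN SOA localhost. hostmaster.localhost. ( 1 3600 600 86400 60 )\n'
    printf '  IN NS localhost.\n'
    read_names | while IFS= read -r name; do
        printf '%s CNAME %s\n' "$name" "$action"
        printf '*.%s CNAME %s\n' "$name" "$action"
    done
}

# Constructed sample list (placeholder names, not real indicators). Running
# the script prints both artifacts so their shapes can be compared.
SAMPLE='c2.example
# a comment line
bad.example'

printf '### named.conf stanzas (blackhole zones)\n'
printf '%s\n' "$SAMPLE" | gen_blackhole_conf
printf '\n### RPZ zone file (NXDOMAIN action)\n'
printf '%s\n' "$SAMPLE" | gen_rpz_zone
printf '\n### RPZ zone file (walled-garden action, assumed hostname)\n'
printf '%s\n' "$SAMPLE" | gen_rpz_zone garden.example.
```

To use the RPZ output, the generated file is loaded as an ordinary zone (slaved from a feed, in the setup the message describes) and listed in the `response-policy` option of named.conf; the blackhole output is included directly in named.conf and followed by `rndc reconfig` each time it changes.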



More information about the bind-users mailing list