scripts-to-block-domains

Grant Taylor gtaylor at tnetconsulting.net
Mon Jul 13 19:44:33 UTC 2020


On 7/13/20 12:44 AM, MEjaz wrote:
> Hell  all,

Hi,

> I have an requirement from our  national Cyber security to block several 
> thousand forged domains from our recursive servers, Is there any way we 
> can add clause in named.conf to scan such bogus domain list without 
> impacting the performance of the servers.

$RPZ++

If you can't use RPZ, then you /can/ create skeleton zones to make your 
server authoritative for the zones in question.  However, there are 
drawbacks to this regarding performance based on the number and size of 
all the additional zones.

I would strongly recommend RPZ, or the new Response Policy Service, 
which there are a few commercial implementations of.  RPS is for DNS 
what milters are for mail servers.

   RPZ is a ""static list.
   RPS is an active / dynamic service.

Note:  Response Policy Zones can be updated via normal dynamic DNS methods.



-- 
Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200713/e66bcd8f/attachment.bin>


More information about the bind-users mailing list