Re: scripts-to-block-domains

From: Grant Taylor <gtaylor@tnetconsulting.net>
Newsgroups: comp.protocols.dns.bind
Subject: Re: scripts-to-block-domains
Date: Mon, 13 Jul 2020 13:44:33 -0600

On 7/13/20 12:44 AM, MEjaz wrote:
> Hello all,

Hi,

> I have a requirement from our national Cyber security to block several
> thousand forged domains from our recursive servers. Is there any way we
> can add a clause in named.conf to scan such a bogus domain list without
> impacting the performance of the servers?

$RPZ++

If you can't use RPZ, then you /can/ create skeleton zones to make your 
server authoritative for the zones in question.  However, there are 
drawbacks to this regarding performance based on the number and size of 
all the additional zones.

I would strongly recommend RPZ, or the new Response Policy Service, 
which there are a few commercial implementations of.  RPS is for DNS 
what milters are for mail servers.

   RPZ is a "static" list.
   RPS is an active / dynamic service.

Note:  Response Policy Zones can be updated via normal dynamic DNS methods.



-- 
Grant. . . .
unix || die
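
Added example, not part of the message above and not ISC's code: one way to turn a supplied domain list into a Response Policy Zone that answers NXDOMAIN for each listed name and its subdomains. The zone name `rpz.example.local`, the zone file name, the SOA/NS values and the sample list are assumptions made for illustration, and input is assumed to be ASCII.

```python
import re
import time

# Constructed sample input, not a real blocklist.
SAMPLE_LIST = """\
# forged domains (constructed sample)
Bad-Login.example
bad-login.example.
http://phish.example.net/login
*.tracker.example.org
not a domain
"""

LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

def normalize(line):
    """Return a lower-case ASCII domain without trailing dot, or None."""
    s = line.split("#", 1)[0].strip().lower()
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s).split("/", 1)[0]
    if s.startswith("*."):
        s = s[2:]
    s = s.rstrip(".")
    labels = s.split(".")
    if len(s) > 253 or len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        return None
    return s

def build_rpz(text, origin="rpz.example.local", serial=None):
    """Return (sorted unique domains, RPZ zone file text)."""
    names = sorted({d for d in map(normalize, text.splitlines()) if d})
    serial = int(time.time()) if serial is None else serial
    out = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for d in names:
        out.append(f"{d} CNAME .")     # the name itself -> NXDOMAIN
        out.append(f"*.{d} CNAME .")   # all subdomains -> NXDOMAIN
    return names, "\n".join(out) + "\n"

# named.conf side (zone name and file name are assumptions):
#   options { response-policy { zone "rpz.example.local"; }; };
#   zone "rpz.example.local" { type master; file "rpz.example.local.zone"; };
if __name__ == "__main__":
    print(build_rpz(SAMPLE_LIST)[1], end="")
```

Lines that do not parse as a domain are dropped silently here; in production, log them so a malformed entry in the supplied list is noticed rather than left unblocked.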
