Date:      Fri, 28 Dec 2007 09:27:20 -0700
From:      "Darren Spruell" <phatbuckett@gmail.com>
To:        "User Questions" <freebsd-questions@freebsd.org>
Subject:   Re: Blocking undesirable domains using BIND
Message-ID:  <839aec700712280827n24adcd51m5a16cc4e178669f7@mail.gmail.com>
In-Reply-To: <47751B05.6080807@daleco.biz>
References:  <26ddd1750712271246j14795cf3wf8e9727f0f7cc148@mail.gmail.com> <47744048.6020202@daleco.biz> <26ddd1750712272037x594336efndcd136ee2101e3e7@mail.gmail.com> <200712280508.lBS58jLo022219@banyan.cs.ait.ac.th> <47751B05.6080807@daleco.biz>

On Dec 28, 2007 8:49 AM, Kevin Kinsey <kdk@daleco.biz> wrote:
> Olivier Nicole wrote:
> >> Again, I'm not trying to convince you otherwise or say that using
> >> BIND is a bad idea.  It's just that I'm curious because we use
> >> Squid for this sort of thing, and I was wondering why BIND instead?
> >
> > I think another issue is that Squid will only filter HTTP/FTP
> > connections, while DNS would allow to filter any type of traffic that
> > would try to go to places with a bad name.
> >
> > Olivier
>
> In the absence of egress filtering on the firewall, that
> would definitely be an advantage.  Does anyone use BIND
> for filtering in a small to medium business environment
> then?  How does it perform?

Performs fine.

# rndc status
number of zones: 17210
...

My 17000+ zones are loaded from the DNS-BH project and increase the
startup time of named to about 10 seconds and bump the resident memory
size up to about 55M. (AMD Duron 750MHz).

There's no real performance hit per se by DNS blackholing, other than
the resource utilization increase needed for handling additional
zones; your name server would normally be handling these DNS lookups
anyway. You're just overriding the response locally rather than
recursing for it. The zones themselves typically end up being very
small, like a single wildcard record pointing to 127.0.0.1 or a
honeypot or whatever.

DS
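The setup Darren describes (one tiny master zone per blocked domain, each loading a shared file whose wildcard record points at 127.0.0.1 or a honeypot) is easy to generate from a plain domain list. The script below is an added example written for this archive page, not code from the post, the DNS-BH project, or BIND itself; the file paths, the sinkhole address and the domain list are constructed assumptions. It validates each feed entry against a conservative pattern before emitting it, so a malformed line in a third-party list cannot smuggle extra directives into named.conf, and it counts the resulting stanzas so you can compare against the "number of zones" line of `rndc status`.

```shell
#!/bin/sh
# Added example (not from the post): build classic per-domain BIND blackhole
# zones from a domain list, as the post describes: one small zone per bad
# name, all sharing a single file with a wildcard A record.
# Assumed paths: /usr/local/etc/namedb/blackhole.zone and blackhole.conf.

# Write the shared zone file. Every blackholed domain loads this same file,
# so the apex and any subdomain both resolve to the sinkhole address.
write_blackhole_zone() {
    # $1 = output path; $2 = sinkhole address (127.0.0.1 or a honeypot IP)
    cat > "$1" <<EOF
\$TTL 3600
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 3600 )
    IN NS   localhost.
    IN A    $2
*   IN A    $2
EOF
}

# Read a domain list on stdin (one per line; '#' comments and blank lines
# ignored), lowercase and de-duplicate it, and print one zone stanza per
# domain referencing the shared zone file given as $1.
# Entries with characters outside [a-z0-9.-], or with a leading, trailing
# or doubled dot, are reported on stderr and skipped rather than emitted.
gen_blackhole_conf() {
    tr '[:upper:]' '[:lower:]' | sed 's/#.*//; s/[[:space:]]//g' \
        | grep -v '^$' | sort -u \
        | while IFS= read -r d; do
            case "$d" in
                *[!a-z0-9.-]*|.*|*.|*..*)
                    echo "skipping malformed entry: $d" >&2
                    continue ;;
            esac
            printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$1"
        done
}

# Count the zone stanzas in a generated config; this should match the
# increase in "number of zones" reported by `rndc status` after reload.
count_zones() {
    grep -c '^zone "' "$1"
}

# Usage (assumed paths):
#   write_blackhole_zone /usr/local/etc/namedb/blackhole.zone 127.0.0.1
#   gen_blackhole_conf /usr/local/etc/namedb/blackhole.zone \
#       < bad-domains.txt > /usr/local/etc/namedb/blackhole.conf
```

After generating the file, add `include "/usr/local/etc/namedb/blackhole.conf";` to named.conf, run `named-checkconf` to catch syntax problems, then `rndc reconfig` to load the new zones without a full restart. Using the same zone file for every domain is what keeps the memory cost low: named stores one copy of the tiny zone data per zone name, which is the "resource utilization increase" the post refers to.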
