On 12/05/2012 11:45 AM, Noel Butler wrote:
> RPZ: dig bobi.at ;; Query time: 996 msec
You're correct that blackhole zones and RPZ have different performance characteristics. For others reading, this is because with RPZ, the real name is queried first, then RPZ applies to the answers, so if the real name is slow, you'll see slowness until it's in-cache.
However, once the real name is cached, 2nd and subsequent queries are fast. So, querying an RPZ-blocked name is at worst as slow as the unblocked name, and fast once it's in-cache.
Clearly a blackhole zone won't trigger a recursive query and will always answer immediately.
> (avg response time it seems for RPZ'd zones) So it sure as hell doesn't work the same as forged "empty" zones
Sure.
> RPZ is awesome if you want to wallgarden a hostname, but for just speedy dropping, empty zone beats it hands down even if it is messier requiring its own zone.
I guess this depends on your query pattern. I observe fast queries on 2nd access to RPZ blocked names, and we see a lot of hits to a small percentage of the names.
Obviously if people want to use blackholed zones, they can. In our case, the value of RPZ is that we can slave a feed from a trusted provider, which is far harder to manage if you're having to generate 675,000 blackhole zones and run "rndc reconfig" every few minutes to catch fast-flux DNS for botnet control channels.
But I take your point - people need to understand the characteristics of the feature before deciding what's appropriate.
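The two approaches compared in the thread, as an added named.conf illustration that is not from either poster; the feed address 192.0.2.53, the zone name rpz.feed.example and the file paths are assumptions.

```conf
// Added example (not from the thread). Contrasts a slaved RPZ feed with a
// local blackhole ("empty") zone. Addresses, names and paths are assumed.

options {
    recursion yes;
    // RPZ: the resolver recurses for the real name first, then rewrites the
    // answer by policy. A cache miss therefore costs a full recursion (the
    // 996 msec seen above); repeat queries are answered from cache.
    response-policy {
        zone "rpz.feed.example";
    };
};

// The policy zone is slaved from the provider (assumed 192.0.2.53), so new
// fast-flux names arrive via NOTIFY and zone transfer with no rndc reconfig.
// Inside that zone a record like   bobi.at  CNAME .   makes the resolver
// return NXDOMAIN for bobi.at.
zone "rpz.feed.example" {
    type slave;
    masters { 192.0.2.53; };
    file "slave/rpz.feed.example.db";
};

// Blackhole zone: the name is authoritative locally, so the resolver never
// recurses and answers immediately, but each blocked name needs its own zone
// statement and a reconfig before it takes effect.
zone "bobi.at" {
    type master;
    file "empty.db";   // holds only an SOA and an NS record
};
```

Validate the fragment with `named-checkconf` before reloading; with the RPZ zone slaved, only the blackhole approach needs `rndc reconfig` when names are added.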