Re: DNS Blackholing

2012-12-05 Thread Phil Mayers
On 12/05/2012 11:45 AM, Noel Butler wrote: RPZ: dig bobi.at ;; Query time: 996 msec You're correct that blackhole zones and RPZ have different performance characteristics. For others reading, this is because with RPZ, the real name is queried first, then RPZ applies to the answers, so if the

Re: DNS Blackholing

2012-12-05 Thread Noel Butler
On Wed, 2012-12-05 at 09:13 +, Phil Mayers wrote: > On 12/04/2012 06:35 PM, Barry S. Finkel wrote: > > > A question from the OP that has not yet been answered - > > Make the zones masters on all servers. > > Surely not for RPZ? The whole point with RPZ is that you have one zone > containing

Re: DNS Blackholing

2012-12-05 Thread Phil Mayers
On 12/04/2012 06:35 PM, Barry S. Finkel wrote: A question from the OP that has not yet been answered - Make the zones masters on all servers. Surely not for RPZ? The whole point with RPZ is that you have one zone containing all the blacklists, master in one place, and slave it in all the oth

Re: DNS Blackholing

2012-12-05 Thread Phil Mayers
On 12/05/2012 06:10 AM, Nick Edwards wrote: Hi All, Is there a way for RPZ zone file to act on domain AND subdomains without using two separate entries? At present I can only get them to match on one or the other unless I do example.com blah *.example.com blah I'm sure I've missed

Re: DNS Blackholing

2012-12-04 Thread Nick Edwards
Hi All, Is there a way for RPZ zone file to act on domain AND subdomains without using two separate entries? At present I can only get them to match on one or the other unless I do example.com blah *.example.com blah I'm sure I've missed the obvious, but thought I'd ask

Re: DNS Blackholing

2012-12-04 Thread Ray Van Dolson
On Tue, Dec 04, 2012 at 09:45:07AM +, Phil Mayers wrote: > On 12/04/2012 02:44 AM, John Hascall wrote: > > > >We have found that RPZ works quite well for us. > >We have 366825 names in our RPZ zone at present > >and scaling thus far has been a non-issue. > > Likewise. We have 675k entries

Re: DNS Blackholing

2012-12-04 Thread John Hascall
--- John Hascall, j...@iastate.edu Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services) IT Services, The Iowa State University of Science and Technology > On 12/4/2012 6:00 AM, John Hascall wro

Re: DNS Blackholing

2012-12-04 Thread Barry S. Finkel
On 12/4/2012 6:00 AM, John Hascall wrote: We have found that RPZ works quite well for us. We have 366825 names in our RPZ zone at present and scaling thus far has been a non-issue. A question from the OP that has not yet been answered - Make the zones masters on all servers. What I did was to

Re: DNS Blackholing

2012-12-04 Thread Phil Mayers
On 12/04/2012 02:44 AM, John Hascall wrote: We have found that RPZ works quite well for us. We have 366825 names in our RPZ zone at present and scaling thus far has been a non-issue. Likewise. We have 675k entries in an RPZ zone, and performance is fine. It's genuinely surprising how many

Re: DNS Blackholing

2012-12-03 Thread John Hascall
We have found that RPZ works quite well for us. We have 366825 names in our RPZ zone at present and scaling thus far has been a non-issue. John --- John Hascall, j...@iastate.edu Team Lead, NIADS (Network Infrastructure,

Re: DNS Blackholing

2012-12-03 Thread Dan Mahoney
On Dec 3, 2012, at 5:52 PM, rvandol...@esri.com wrote: > All; > > Am looking to do some DNS blackholing based on a pre-defined, dynamic list > (such as DNS-BH). Am looking for feedback on approaches for this. > > Sounds like automatically generating an includeable config file with zone > ent