On Wed, 26 Nov 2014 07:53:20 +0100 Matthias Leisi <matth...@leisi.net> wrote:
> Yes, such an approach might initially double the amount of queries
> and has an increased risk of not getting DNS responses, but on the
> other hand such "tree information" can be nicely cached with
> reasonably long TTLs, even for the fast-paced DNSBLs out there.

It's not worth the complexity.

I ran an analysis quite a few years ago on the cache efficiency of DNSBLs and they're shockingly low. I collected all the IPs seen on a very busy mail server and calculated how many cache hits we'd get with Spamhaus lookups --- I believe Spamhaus has a TTL of 15 minutes. I'll have to dig up the exact numbers, but I recall something like a 90% cache *miss* rate.

Commercial DNSBLs count on a low cache hit rate; otherwise they wouldn't be able to detect heavy users as easily.

DNS turns out not to be a very efficient way to distribute reputation data because it changes too often. Having a local authoritative DNS server serving up the reputation zone is fine, but using public caching DNS servers to query it is a waste of resources.

I'll try to dig up my results and also the Perl script I used for log analysis.

Regards,
David.
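The cache-efficiency analysis described above, reproduced as an added example (this is not David's Perl script and not part of the message): it replays a constructed sequence of sender IPs through a simulated resolver cache with the 15-minute TTL quoted in the thread and reports the miss rate, also for a longer TTL for comparison. The zone name `dnsbl.example`, the timestamps and the addresses are placeholders.

```python
DNSBL_TTL_SECONDS = 15 * 60  # the 15-minute TTL quoted in the thread
ZONE = "dnsbl.example"       # placeholder zone name, not a real DNSBL

def dnsbl_query_name(ip, zone=ZONE):
    """Reversed octets under the zone: the name a resolver actually caches."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected dotted-quad IPv4 address, got {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def cache_miss_rate(lookups, ttl=DNSBL_TTL_SECONDS):
    """Return (misses, hits) for (unix_time, ip) pairs in arrival order.
    A hit needs an unexpired entry and does not extend its expiry, which is
    how a caching resolver honours the authoritative TTL."""
    expires_at = {}
    misses = hits = 0
    for ts, ip in lookups:
        qname = dnsbl_query_name(ip)
        exp = expires_at.get(qname)
        if exp is not None and ts < exp:
            hits += 1
        else:
            misses += 1
            expires_at[qname] = ts + ttl
    return misses, hits

def miss_rate_by_ttl(lookups, ttls):
    """Miss fraction per candidate TTL, to show how much a longer TTL helps."""
    result = {}
    for ttl in ttls:
        misses, hits = cache_miss_rate(lookups, ttl)
        result[ttl] = misses / (misses + hits)
    return result

# Constructed sample of (timestamp, sender IP) pairs as a log parser would
# emit them; documentation-range addresses, not real senders.
T0 = 1_416_988_400
SAMPLE_LOOKUPS = [
    (T0 + 0, "192.0.2.10"), (T0 + 30, "198.51.100.7"),
    (T0 + 60, "192.0.2.10"),       # repeat within 15 min: hit
    (T0 + 120, "203.0.113.5"), (T0 + 700, "198.51.100.7"),
    (T0 + 800, "203.0.113.99"),
    (T0 + 1000, "192.0.2.10"),     # entry from T0 expired at T0+900: miss
    (T0 + 1100, "198.51.100.200"), (T0 + 1500, "203.0.113.5"),
    (T0 + 1600, "192.0.2.10"),     # refreshed at T0+1000: hit
]

if __name__ == "__main__":
    print(cache_miss_rate(SAMPLE_LOOKUPS))                # (7, 3)
    print(miss_rate_by_ttl(SAMPLE_LOOKUPS, [900, 3600]))  # {900: 0.7, 3600: 0.5}
```

On real traffic, feed the function the (timestamp, client IP) pairs parsed from the MTA's connection log instead of the constructed list.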