From: Darren Spruell
To: User Questions <freebsd-questions@freebsd.org>
Date: Fri, 28 Dec 2007 09:27:20 -0700
Subject: Re: Blocking undesirable domains using BIND
In-Reply-To: <47751B05.6080807@daleco.biz>

On Dec 28, 2007 8:49 AM, Kevin Kinsey wrote:
> Olivier Nicole wrote:
> >> Again, I'm not trying to convince you otherwise or say that using
> >> BIND is a bad idea. It's just that I'm curious because we use
> >> Squid for this sort of thing, and I was wondering why BIND instead?
> >
> > I think another issue is that Squid will only filter HTTP/FTP
> > connections, while DNS would allow filtering of any type of traffic that
> > would try to go to places with a bad name.
> >
> > Olivier
>
> In the absence of egress filtering on the firewall, that
> would definitely be an advantage. Does anyone use BIND
> for filtering in a small to medium business environment
> then? How does it perform?

Performs fine.

# rndc status
number of zones: 17210
...

My 17000+ zones are loaded from the DNS-BH project and increase the startup
time of named to about 10 seconds and bump the resident memory size up to
about 55M (AMD Duron 750MHz).

There's no real performance hit per se by DNS blackholing, other than the
resource utilization increase needed for handling additional zones; your name
server would normally be handling these DNS lookups anyway. You're just
overriding the response locally rather than recursing for it. The zones
themselves typically end up being very small, like a single wildcard record
pointing to 127.0.0.1 or a honeypot or whatever.

DS
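What one of those tiny blackhole zones looks like in practice, as an added example that is not from the thread or from the DNS-BH project: two named.conf zone stanzas that share a single origin-independent zone file containing the wildcard record described above. The domain names and the path /etc/namedb/blackhole.db are placeholders.

```conf
// --- named.conf (or a file pulled in with an include statement) ---
// One "type master" stanza per blocked domain. A block list is just a long
// run of these; every stanza can name the same zone file, so the cost per
// zone is the in-memory zone object, not a separate file on disk.
// The domain names here are placeholders, not real block-list entries.
zone "blocked-domain-1.example" { type master; file "/etc/namedb/blackhole.db"; };
zone "blocked-domain-2.example" { type master; file "/etc/namedb/blackhole.db"; };

// --- /etc/namedb/blackhole.db (shared by every blackholed zone) ---
// "@" is the zone origin, so the file never mentions a domain name and
// can be loaded under any of the stanzas above.
$TTL 3600
@   IN SOA  localhost. hostmaster.localhost. (
            2007122801 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            3600 )     ; negative-answer TTL
@   IN NS   localhost.
@   IN A    127.0.0.1   ; the blocked apex name itself
*   IN A    127.0.0.1   ; every name beneath it: the single wildcard record
```

Check the pieces with named-checkconf and named-checkzone (any placeholder origin works for the latter, since the file is origin-independent) before reloading named. Pointing the records at a local sinkhole host that logs connection attempts, rather than at 127.0.0.1, turns the same zones into a detection source for infected clients.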