--On 5. October 2010 13.46.30 -0400 "Atkins, Brian (GD/VA-NSOC)" <brian.atki...@va.gov> wrote:
> Currently, we use DNS to blackhole bad domains. The list of bad domains
> is provided to us from another government entity or vetted by an
> enterprise security team.

How do you implement this list? By putting those domains into your named.conf (or some included configuration file) as authoritative domains, pointing to a common dummy zonefile, and then reloading/restarting BIND? If you do it like this and restart BIND, you'll automatically lose the old cached information anyway. If you instead add to named.conf and do "rndc reconfig", I don't think it will drop previously cached information. Depending on how you do this - is it feasible to do "rndc flushname old.cached.domain" on these domains?

> The servers I manage are the DNS servers of last resort for our internal
> clients before hitting up root. However, they are not the only DNS
> servers available to the clients - there are several hundred internal
> servers, mostly windows servers, that handle client queries. I have no
> control over them.

Are all those DNS servers pointing to your server as their forwarder, or will any change you do on your server still have next to no impact since these other servers bypass you anyway?

In other words, is your setup something like this:

[clients] --> [X amount of DNS servers you don't control] --> [YOUR DNS server] --> Internet

?

> So, when I add new domains to my block list, I am at the mercy of the
> bad domain's TTL. I have had DNS cache thwarting my ability to block the
> bad domain, sometimes for several days.

If the information is cached at your internal servers which _you_ have no control over, you'll still be at the mercy of any long TTL.

> Basically, I want to make the block occur within a couple of hours after
> implementation - hence setting the max-cache-ttl.
> I realize that there are other ways to do this, but I am limited by
> my funding.

As long as you don't have control over all the different DNS servers used in your organization, you'll still have problems making a solution here.

Regards
Eivind Olsen

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
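As an added example (not from either poster), here is the workflow Eivind describes above scripted in POSIX sh: a blocklist file becomes a set of authoritative "sinkhole" zones sharing one dummy zone file, and after "rndc reconfig" each blocked name is flushed with "rndc flushname" because reconfig keeps the old cache. The file paths under /etc/bind and the sinkhole address 127.0.0.1 are assumptions; the wildcard record in the dummy zone makes subdomains of a blocked domain resolve to the sinkhole as well.

```shell
#!/bin/sh
# Added example: generate BIND blackhole config from a blocklist and purge
# stale cache entries afterwards. Paths and the sinkhole IP are assumptions.
set -eu

# Shared dummy zone file: every blocked name (and any subdomain, via the
# wildcard) resolves to the sinkhole address; the short TTL keeps clients
# from caching the sinkhole answer for long once a domain is unblocked.
gen_dummy_zone() {
    # $1: sinkhole IPv4 address
    cat <<EOF
\$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
    IN NS   localhost.
    IN A    $1
*   IN A    $1
EOF
}

# Normalise the blocklist: drop '#' comments and blank lines, lowercase, dedupe.
read_blocklist() {
    # $1: blocklist file, one domain per line
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep -v '^$' | tr '[:upper:]' '[:lower:]' | sort -u
}

# One authoritative zone stanza per domain, all pointing at the dummy zone file.
gen_blackhole_conf() {
    # $1: blocklist file   $2: path of the dummy zone file
    read_blocklist "$1" | while IFS= read -r domain; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$domain" "$2"
    done
}

# "rndc reconfig" does not drop previously cached data, so emit one
# "rndc flushname" per blocked domain to be run after the reconfig.
gen_flush_cmds() {
    # $1: blocklist file
    read_blocklist "$1" | while IFS= read -r domain; do
        printf 'rndc flushname %s\n' "$domain"
    done
}

# Typical use (assumed paths; include blackhole.conf from named.conf):
#   gen_dummy_zone 127.0.0.1 > /etc/bind/db.blackhole
#   gen_blackhole_conf blocklist.txt /etc/bind/db.blackhole > /etc/bind/blackhole.conf
#   rndc reconfig && gen_flush_cmds blocklist.txt | sh
```

This only helps on the server you run it on; as the reply notes, entries already cached on forwarders or internal servers you do not control still expire on their own TTL.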
