Rather a late response I think. When I set up the rules I spoke about, RPZ was just a gleam in someone's eyes.
My post discussed the relative merit of iptables vs. blackholes and didn't mention RPZ. RPZ may be a better solution but it requires one to stop and upgrade BIND to get it.

-----Original Message-----
From: bind-users-bounces+jlightner=water....@lists.isc.org [mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf Of Michelle Konzack
Sent: Wednesday, October 26, 2011 9:01 PM
To: bind-users@lists.isc.org
Subject: Re: DNS Sinkhole in BIND

Hello Lightner, Jeff,

On 2011-10-17 13:28:43, you wrote the following:
> While setting up blackholes in BIND works fine when I did this on
> Linux I found that setting up iptables to do drops for known bad
> IPs/ranges was slightly better as the traffic never gets to BIND in
> the first place as it is stopped at kernel level. It simply DROPs the
> packet without telling the bad guys why packets didn't go through.
>
> Example rules for various IPs that have annoyed me in the past:
> -A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
> -A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
> -A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
> -A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
> -A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP

...and you get hell on your ass if you have several 1000 of them!

In this case, bind9 with RPZ is cheaper.
Thanks, Greetings and nice Day/Evening
Michelle Konzack
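An added example, not code from either poster: a small Python generator that turns a list of domains and IPv4 addresses or prefixes into a BIND RPZ zone file, including the reversed-octet rpz-ip owner-name encoding that is easy to get wrong by hand when there are thousands of entries. One caveat worth keeping in mind: RPZ applies policy inside BIND to query names and to addresses in answers, so the packets still reach the daemon; it complements kernel-level dropping of abusive source addresses rather than replacing it. The zone origin rpz.local and the domain bad.example are constructed values for the example.

```python
"""Generate a BIND Response Policy Zone (RPZ) file.

Assumed named.conf wiring (standard RPZ syntax, not from the thread):
    options { response-policy { zone "rpz.local"; }; };
    zone "rpz.local" { type master; file "rpz.local.db"; };
"""
import ipaddress


def rpz_ip_label(cidr: str) -> str:
    """Encode an IPv4 address or prefix as an RPZ response-IP trigger.

    RPZ writes a.b.c.d/len as 'len.d.c.b.a.rpz-ip' (octets reversed).
    A bare address is treated as a /32.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        # IPv6 uses a different (zz-compressed) encoding; out of scope here.
        raise ValueError("IPv4 only in this example")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def rpz_zone(origin: str, domains, networks, serial: int = 1) -> str:
    """Build zone text: each domain (and its subdomains) and each network
    answered with NXDOMAIN via 'CNAME .'."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ NS localhost.",
    ]
    for d in domains:
        d = d.rstrip(".")
        lines.append(f"{d} CNAME .")     # the name itself
        lines.append(f"*.{d} CNAME .")   # and everything below it
    for n in networks:
        lines.append(f"{rpz_ip_label(n)} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The five addresses from the thread plus one constructed domain.
    bad_ips = ["68.222.240.22", "203.142.82.222", "217.54.97.137",
               "217.219.20.226", "218.212.248.7"]
    print(rpz_zone("rpz.local", ["bad.example"], bad_ips), end="")
```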