On 23 Sep 2013, at 15:59, Vernon Schryver <v...@rhyolite.com> wrote:
>> From: Eliezer Croitoru <elie...@ngtech.co.il>
>
>>> Major DNSBL providers have for years limited anonymous clients for
>>> business or other reasons. For example, I think Spamhaus limits
>>> anonymous clients to fewer than 3 queries/second.
>
>> and I doubt they use RRL in the application level..
>
>> I assume they limit that on either IPTABLES\FW level.
>
> The only technical reason I know that might stop Spamhaus and the
> Spamhaus mirrors from using RRL to throttle anonymous DNSBL clients
> is the lingering enthusiasm for RBLDNSD and rsync in the DNSBL community.
> RBLDNSD+rsync made sense before the (de facto standard) DNS protocol
> had incremental zone transfers and updates. It is a bug today.
> That use of RBLDNSD+rsync has become a serious problem. Among the
> problems it causes are:
>
> - IPv6 DNS server caches
> If IXFR were used to distribute DNSBL data, then wildcards
> to cover entire CIDR blocks (both IPv4 and IPv6) could be
> published and there would be no IPv6 cache explosion issue.
>
> - Authentication
> RBLDNSD doesn't support DNSSEC, so that any of the many men
> in the middle between small DNSBL clients and the servers
> they use can "improve" passing DNSBL data.
>
> I know nothing about how Spamhaus and the Spamhaus DNSBL mirrors control
> access, but I doubt they use firewalls except to completely block
> persistently abusive clients. Firewalls trying to rate limit need to
> keep state, and stateful firewalls are infamous for collapsing under
> the weight of irrelevant state when someone tries to apply them to
> this kind of problem.
>
>
>> What is the way to provide DNSBL using bind??
>
> BIND and other full featured DNS implementations are used to answer
> DNSBL requests as well as requests for records in larger and more
> frequently changing DNS zones than any of the DNSBLs. Consider what
> happens in the major gTLDs today. Things have changed since RBLDNSD
> appeared and when a change to example.com took weeks.
>
> Consider the fact that some Spamhaus DNSBL zones are available as RPZ
> zones. See https://www.google.com/search?q=dns+rpz

Some, not all.

As a matter of interest, if one had a DNSBL with 5.5 million entries (i.e. 5.5 million IPs):

1) What needs to be done to rewrite that to a BIND zone?
2) What sort of machine would be required to load that zone?
3) How long would it take to load into BIND?

TIA

Simon

>> I was looking for something like that but I am sure a dynamic DB is
>> needed for the task right?
>
> Large DNSBLs are not very dynamic, because they have relatively few
> changes per day. From another perspective, with the popularity of
> dynamically updating forward and reverse DNS zones as end-user IP
> addresses change, why isn't the machinery in any full featured
> DNS implementation a "dynamic DB"? The term "database" should not
> imply "sql" or even "relational."
>
>
> Vernon Schryver v...@rhyolite.com
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
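Simon's first question (how a plain IP listing is rewritten as a BIND zone) and Vernon's point that wildcards can cover whole CIDR blocks are illustrated by the following added example. It is not code from this thread, from Spamhaus, or from ISC; it assumes a hypothetical zone apex `dnsbl.example.`, the conventional `127.0.0.2` "listed" answer and reversed-octet / reversed-nibble owner names (RFC 5782), and the input entries are constructed. It goes a little beyond the thread in that it also handles IPv6 and splits blocks that are not octet- or nibble-aligned into the smallest set of aligned wildcards or host records.

```python
"""Convert a DNSBL listing (IPv4/IPv6 addresses and CIDR blocks) into a
BIND-style zone file using reversed-octet / reversed-nibble owner names.
Octet-aligned IPv4 and nibble-aligned IPv6 blocks become one wildcard
record; other prefixes are split into aligned sub-blocks.

Added example, not code from the bind-users thread.  The zone name is a
placeholder and the sample listing is constructed.
"""
import ipaddress

ZONE = "dnsbl.example."   # hypothetical DNSBL zone apex (placeholder)
LISTED = "127.0.0.2"      # conventional "listed" answer (RFC 5782)

# Constructed sample listing: "ip-or-cidr reason" per line.
SAMPLE_LISTING = """\
192.0.2.10 spam source (constructed)
198.51.100.0/24 whole block (constructed)
203.0.113.128/26 misaligned block (constructed)
2001:db8::1 single v6 host (constructed)
2001:db8:1::/48 v6 block (constructed)
"""


def _v4_owner(net):
    """Owner name for an IPv4 network whose prefix is a multiple of 8."""
    octets = str(net.network_address).split(".")
    if net.prefixlen == 32:
        return ".".join(reversed(octets))
    keep = net.prefixlen // 8
    return "*." + ".".join(reversed(octets[:keep]))


def _v6_owner(net):
    """Owner name for an IPv6 network whose prefix is a multiple of 4."""
    nibbles = net.network_address.exploded.replace(":", "")
    if net.prefixlen == 128:
        return ".".join(reversed(nibbles))
    keep = net.prefixlen // 4
    return "*." + ".".join(reversed(nibbles[:keep]))


def owner_names(entry):
    """Relative owner names needed to cover one listing entry.

    An aligned prefix yields a single name.  Anything else is split into
    the next aligned prefix length, so a /22 becomes four /24 wildcards
    and a /26 becomes 64 host records.
    """
    net = ipaddress.ip_network(entry, strict=False)
    step = 8 if net.version == 4 else 4
    fmt = _v4_owner if net.version == 4 else _v6_owner
    if net.prefixlen % step == 0:
        return [fmt(net)]
    aligned = ((net.prefixlen + step - 1) // step) * step
    return [fmt(sub) for sub in net.subnets(new_prefix=aligned)]


def zone_records(listing):
    """Yield (owner, reason) pairs for every non-comment line of a listing."""
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry, _, reason = line.partition(" ")
        for owner in owner_names(entry):
            yield owner, reason.strip()


def build_zone(listing, zone=ZONE, listed=LISTED):
    """Render a complete zone file (SOA, NS, then A/TXT per entry)."""
    out = [
        f"$ORIGIN {zone}",
        "$TTL 300",
        f"@ IN SOA ns1.{zone} hostmaster.{zone} 1 3600 900 604800 300",
        f"@ IN NS ns1.{zone}",
    ]
    for owner, reason in zone_records(listing):
        out.append(f"{owner} IN A {listed}")
        if reason:
            out.append(f'{owner} IN TXT "{reason}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_zone(SAMPLE_LISTING))
```

The output can be checked with BIND's own `named-checkzone dnsbl.example. <file>` before loading. A wildcard such as `*.100.51.198` answers for every name beneath it, so an explicitly listed host inside that block (a more specific name) takes precedence over the wildcard, which is the behaviour a DNSBL operator normally wants. The example deliberately answers only the rewrite question; what hardware a 5.5-million-entry zone needs and how long BIND takes to load it are not something this thread settles.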