Theoretically, Windows is ready to handle domain loads of "any size". I know there are quite a number of companies hosting many thousands of domains using Windows DNS.
The last time the question came up in a call I was on where DNS developers were on the call (which was around Windows 2003 SP1), they said that they believed Windows DNS was ready to go up against any other DNS server.

The only major issue I've seen when hosting large numbers of domains (around a couple thousand) is the impact of defrosting the domains after a DNS server restart. That can be I/O intensive. Bind has a similar issue. I think djbdns works around it by pre-salting database indices.

The only other major issue that I've run into is that Windows DNS doesn't really allow you to separate being a caching server from being an authoritative server (in the same operating system instance).

Regards,

Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Monday, March 17, 2008 9:06 PM
To: NT System Admin Issues
Subject: Re: DNS Wildcard zones for malware protection

On Mon, Mar 17, 2008 at 7:39 PM, Tim Evans <[EMAIL PROTECTED]> wrote:
> I've been looking at www.malwaredomains.com and thinking about setting up a
> block list using their list of malicious domains. I'm thinking about doing
> this by setting up a wildcard zone for each domain on our DNS server.

You don't need to use a DNS wildcard record. Simply claim authority for the domain in question, and any subdomain which might be referenced under the domain will get an NXDOMAIN record in return.

> Right now, the list has almost 20,000 domains.

With that many, you might want to configure your Windows nameservers to forward queries to a different server, and do the filtering on that server. Possibly using ISC BIND or another nameserver program. I haven't seen any reports on Windows 2003, but MS-DNS in Windows 2000 tended to... "have issues"... under large loads like that. It wasn't really designed with that in mind.

> -Is there a more efficient way to block these domains (we also have ISA
> 2006)?

I would be fairly surprised if ISA didn't have a web filter with domain blacklisting facility. I know you can do it with Squid.

-- Ben

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
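The approach Ben describes (claim authority for each listed domain on a filtering BIND server that the Windows resolvers forward to, so every name under it answers NXDOMAIN without any wildcard record) can be scripted. The following is an added example, not code from the thread or from malwaredomains.com: a Python generator that reads a domain list, emits one BIND `zone` clause per blocked domain, and produces the single authority-only zone file they all share. It goes one step beyond the thread by collapsing names that already have a blocked ancestor in the list, since the parent zone already covers them and each extra zone adds to the restart load Michael mentions. The sample list, the `/etc/bind/db.blocked` path and the `localhost.` nameserver name are constructed placeholders.

```python
"""Generate an authoritative "block zone" configuration for ISC BIND from a
list of malicious domains.

Assumptions (not from the thread): the list is one domain per line, '#' starts a
comment, and the filtering BIND server loads one small authority-only zone per
blocked domain. Every zone shares a single zone file (SINKHOLE_FILE) holding
only an SOA and an NS record, so a query for the apex returns NOERROR with no
data and any name beneath it returns NXDOMAIN, the effect described in the
thread, with no wildcard record needed.
"""

from __future__ import annotations

# Constructed sample input; a real feed such as the malwaredomains.com list is
# far longer and should be fetched over a trusted channel and kept current.
SAMPLE_LIST = """
# comment line
bad.example        # inline comment
www.bad.example
Evil.Example.
evil.example
payload.cdn.evil.example
  other.example
"""

SINKHOLE_FILE = "/etc/bind/db.blocked"   # hypothetical path on the BIND host


def parse_domains(text: str) -> list[str]:
    """Return distinct, lower-cased domain names with comments and trailing dots removed."""
    seen: set[str] = set()
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if name:
            seen.add(name)
    return sorted(seen)


def minimal_zone_set(domains: list[str]) -> list[str]:
    """Drop any name that already has an ancestor in the list.

    Claiming authority for bad.example already makes www.bad.example answer
    NXDOMAIN, so loading a separate zone for the child only adds restart I/O
    and would shadow the parent's answers for that subtree.
    """
    kept: set[str] = set()
    # Fewer labels first, so every possible parent is decided before its children.
    for name in sorted(domains, key=lambda d: d.count(".")):
        labels = name.split(".")
        ancestors = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(a in kept for a in ancestors):
            kept.add(name)
    return sorted(kept)


def bind_zone_stanzas(domains: list[str], zone_file: str = SINKHOLE_FILE) -> str:
    """Emit one `zone` clause per blocked domain, all sharing the sinkhole file."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains
    )


def sinkhole_zone_file(ns_name: str = "localhost.", serial: int = 2008031701) -> str:
    """Zone data shared by every block zone: SOA and NS only, no address records.

    '@' stands for the zone apex, so one file serves any zone name. With no
    wildcard and no A record, everything under the apex is NXDOMAIN.
    """
    return (
        "$TTL 86400\n"
        f"@ IN SOA {ns_name} hostmaster.{ns_name} ( {serial} 3600 900 604800 86400 )\n"
        f"@ IN NS  {ns_name}\n"
    )


def build_config(list_text: str) -> tuple[list[str], str]:
    """Parse a list and return (zone names, named.conf fragment)."""
    zones = minimal_zone_set(parse_domains(list_text))
    return zones, bind_zone_stanzas(zones)


if __name__ == "__main__":
    zones, conf = build_config(SAMPLE_LIST)
    print(f"# {len(zones)} block zones")
    print(conf)
    print(sinkhole_zone_file())
```

Include the generated fragment from `named.conf` on the filtering host and point the Windows DNS forwarders at it, as the thread suggests; the Windows servers themselves then carry no per-domain zones. Regenerate and reload whenever the feed changes, and check the result with a query for the apex (expect NOERROR, empty answer) and for a name beneath it (expect NXDOMAIN).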
