Well, that's encouraging, but a few thousand domains isn't quite 20K. If I do it, I'll report back and let you know how it goes.
...Tim

> -----Original Message-----
> From: Michael B. Smith [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 17, 2008 6:21 PM
> To: NT System Admin Issues
> Subject: RE: DNS Wildcard zones for malware protection
>
> Theoretically, Windows is ready to handle domain loads of "any size". I know
> there are quite a number of companies hosting many thousands of domains
> using Windows DNS.
>
> The last time the question came up in a call I was on where DNS developers
> were on the call (which was around Windows 2003 SP1), they said that they
> believed Windows DNS was ready to go up against any other DNS server.
>
> The only major issue I've seen when hosting large numbers of domains (around
> a couple thousand) is the impact of defrosting the domains after a DNS
> server restart. That can be I/O intensive. Bind has a similar issue. I think
> djbdns works around it by pre-salting database indices.
>
> The only other major issue that I've run into is that Windows DNS doesn't
> really allow you to separate being a caching server from being an
> authoritative server (in the same operating system instance).
>
> Regards,
>
> Michael B. Smith
> MCSE/Exchange MVP
> http://TheEssentialExchange.com
>
>
> -----Original Message-----
> From: Ben Scott [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 17, 2008 9:06 PM
> To: NT System Admin Issues
> Subject: Re: DNS Wildcard zones for malware protection
>
> On Mon, Mar 17, 2008 at 7:39 PM, Tim Evans <[EMAIL PROTECTED]> wrote:
> > I've been looking at www.malwaredomains.com and thinking about setting up a
> > block list using their list of malicious domains. I'm thinking about doing
> > this by setting up a wildcard zone for each domain on our DNS server.
>
> You don't need to use a DNS wildcard record. Simply claim authority
> for the domain in question, and any subdomain which might be
> referenced under the domain will get an NXDOMAIN record in return.
>
> > Right now, the list has almost 20,000 domains.
>
> With that many, you might want to configure your Windows nameservers
> to forward queries to a different server, and do the filtering on that
> server. Possibly using ISC BIND or another nameserver program. I
> haven't seen any reports on Windows 2003, but MS-DNS in Windows 2000
> tended to... "have issues"... under large loads like that. It wasn't
> really designed with that in mind.
>
> > -Is there a more efficient way to block these domains (we also have ISA
> > 2006)?
>
> I would be fairly surprised if ISA didn't have a web filter with a
> domain blacklisting facility.
>
> I know you can do it with Squid.
>
> -- Ben
>
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
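Ben's approach of claiming authority for each listed domain instead of adding wildcard records is easy to script. The Python below is an added example, not code from this thread or from malwaredomains.com: it reads a one-name-per-line list (a constructed sample is embedded), drops any entry whose parent domain is already listed (the parent zone already answers NXDOMAIN for everything beneath it, so the child zone is redundant), and emits BIND named.conf zone stanzas that all share one sinkhole zone file. The zone file path and the use of localhost as the sinkhole nameserver are assumptions.

```python
"""Generate BIND sinkhole zones from a malicious-domain list (added example)."""
from typing import Iterable, List, Tuple

# Constructed sample in the one-name-per-line shape of a malwaredomains-style
# list; the names are made up for this example and are not real indicators.
SAMPLE_LIST = """\
# domains to sinkhole
bad-example.test
cdn.bad-example.test
EVIL-EXAMPLE.test.
another-bad.example
"""

SINKHOLE_ZONE_FILE = "/etc/bind/db.sinkhole"  # assumed path on the filtering server

# One zone file serves every sinkholed domain because "@" expands to each zone's
# own origin. With no address records, the apex answers NODATA and every name
# below it answers NXDOMAIN, which is the effect Ben describes in the thread.
SINKHOLE_ZONE_BODY = """\
$TTL 3600
@ IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 3600 )
@ IN NS localhost.
"""

def parse_list(text: str) -> List[str]:
    """Drop comments and blank lines; strip trailing dots and fold case."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(".").lower()
        if line:
            names.append(line)
    return names

def collapse_to_parents(domains: Iterable[str]) -> List[str]:
    """Drop any domain whose parent is also listed: being authoritative for
    the parent zone already makes every name under it NXDOMAIN."""
    ordered = sorted(set(domains), key=lambda d: (d.count("."), d))  # parents first
    kept: List[str] = []
    for name in ordered:
        labels = name.split(".")
        ancestors = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not ancestors.intersection(kept):
            kept.append(name)
    return kept

def zone_stanzas(domains: Iterable[str], zone_file: str = SINKHOLE_ZONE_FILE) -> str:
    """named.conf fragment: one master zone per domain, all sharing one file."""
    return "".join(f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains)

def build_config(list_text: str) -> Tuple[str, str]:
    """Return (named.conf fragment, contents for the shared sinkhole zone file)."""
    return zone_stanzas(collapse_to_parents(parse_list(list_text))), SINKHOLE_ZONE_BODY
```

The same per-domain zones can be created on Windows DNS with `dnscmd /ZoneAdd <domain> /Primary`; as Michael and Ben note, the cost to watch with many thousands of zones is the load time after a server restart.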
