-----BEGIN PGP SIGNED MESSAGE-----
On Wed, Mar 05, 2014 at 02:01:11PM -0500, John Miller wrote:
> What have people on the list done to solve this? Is anyone using
> OpenDNS? Infoblox's DNS Firewall? BIND RPZ? Your own custom
> solutions? Which feeds do you subscribe to?

RPZ wasn't really an option when we started looking a few years ago. We
went with DLZs -- still an option in base BIND but database-backed. It's
really intended more for authoritative servers in a hosting environment
(changes are immediate, no 'rndc reload' required, etc) but it works
great for specific domains.

RPZ has a huge benefit in that you can say, 'for anything coming from
<foo nameserver>, return <this>'.

If you're looking for a sample deployment of DLZs:

Now that FreeBSD has moved BIND out of the base system it's a little
dated but you can use it as a model for deploying on any platform that
runs BIND. I'll update it for FreeBSD 10, and then dig into RPZs, when
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
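
The name-server trigger mentioned in the reply above, sketched as an RPZ zone file. This is an added example, not part of the original message or the poster's deployment; the zone name, host names and addresses are constructed placeholders (example/documentation ranges), and the named.conf stanza that enables the zone is shown in comments.

```dns
; db.rpz.example.edu -- constructed sample policy zone
;
; Enabled on the recursive resolver in named.conf with:
;   options { response-policy { zone "rpz.example.edu"; }; };
;   zone "rpz.example.edu" {
;       type master;
;       file "db.rpz.example.edu";
;       allow-query { none; };      ; policy data is not served to clients
;   };

$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 2014030501 1h 15m 30d 2h )
    IN NS   localhost.

; --- QNAME trigger: match the name the client asked for ---------------
; Comparable to per-domain blocking with a DLZ-backed zone.
blocked.example.com         CNAME   .                   ; NXDOMAIN
*.blocked.example.com       CNAME   .

; --- NSDNAME trigger: match by authoritative name server NAME ---------
; "For anything coming from <foo nameserver>, return <this>":
; any answer whose delegation includes ns1.badhost.example is rewritten
; to point at an internal walled-garden host.
ns1.badhost.example.rpz-nsdname     A       192.0.2.10
*.badhost.example.rpz-nsdname       A       192.0.2.10

; --- NSIP trigger: match by authoritative name server ADDRESS ---------
; Format is <prefix-length>.<reversed-octets>.rpz-nsip
; Here: name servers at 198.51.100.53/32 -> NODATA for every name they serve.
32.53.100.51.198.rpz-nsip           CNAME   *.

; --- Exception: let a known-good name through despite the rules above -
; Depending on the qname-wait-recurse setting, a QNAME rule may be
; applied without recursing, so the NS triggers never get evaluated.
www.partner.example.com     CNAME   rpz-passthru.
```

The NSDNAME and NSIP triggers require the resolver to learn the delegation first, so they add lookups compared with plain QNAME rules; keep them for name servers that host many unwanted domains.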