
NETMAN@LISTSERV.EDUCAUSE.EDU


Subject: Re: DNS Firewalling/Blacklisting
From: Kevin Wilcox <[log in to unmask]>
Reply-To: The EDUCAUSE Network Management Constituent Group Listserv <[log in to unmask]>
Date: Mon, 17 Mar 2014 09:09:26 -0400
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Mar 05, 2014 at 02:01:11PM -0500, John Miller wrote:

> What have people on the list done to solve this?  Is anyone using
> OpenDNS?  Infoblox's DNS Firewall?  BIND RPZ?  Your own custom
> solutions?  Which feeds do you subscribe to?

RPZ wasn't really an option when we started looking a few years ago. We
went with DLZs -- still an option in base BIND but database-backed. It's
really intended more for authoritative servers in a hosting environment
(changes are immediate, no 'rndc reload' required, etc) but it works
great for specific domains.

RPZ has a huge benefit in that you can say, 'for anything coming from
<foo nameserver>, return <this>'.

If you're looking for a sample deployment of DLZs:

http://opensecgeek.blogspot.com/2012/12/bind-part-2-dns-blackhole-via-dlzs.html
http://opensecgeek.blogspot.com/2013/01/bind-part-3-full-dlz-backed-domain.html

Now that FreeBSD has moved BIND out of the base system it's a little
dated but you can use it as a model for deploying on any platform that
runs BIND. I'll update it for FreeBSD 10, and then dig into RPZs, when
time allows.

kmw

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlMm9AUACgkQsKMTOtQ3fKHUsgCfTVqwo5d8ZQBsntY+FCg1fEel
MUAAoLRXPXys+VCS+6dfKl+JZ2yDdBGP
=g3i9
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
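
The rule shape quoted in the message ('for anything coming from <foo nameserver>, return <this>') is what RPZ's rpz-nsdname trigger expresses. The following is an added example, not part of the original message or the linked posts: a Python script that renders an RPZ zone file from a blocklist using both query-name and nameserver-name triggers. The zone name, domains and redirect target are constructed placeholders.

```python
import re

# RPZ encodes the policy action in the CNAME target.
ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN
    "nodata": "CNAME *.",               # answer NODATA
    "passthru": "CNAME rpz-passthru.",  # answer normally (allowlist)
}
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

def normalize(name):
    """Lowercase, drop the trailing dot, and validate every label."""
    name = name.strip().lower().rstrip(".")
    if len(name) > 253 or not all(LABEL.match(l) for l in name.split(".")):
        raise ValueError(f"not a valid DNS name: {name!r}")
    return name

def rpz_records(trigger, name, action):
    """Return the zone-file lines for one blocklist entry."""
    name = normalize(name)
    if action in ACTIONS:
        rdata = ACTIONS[action]
    elif action.startswith("redirect:"):
        rdata = f"CNAME {normalize(action[len('redirect:'):])}."
    else:
        raise ValueError(f"unknown action: {action!r}")
    if trigger == "qname":      # match the queried name and its subdomains
        owners = [name, f"*.{name}"]
    elif trigger == "nsdname":  # match anything served by this nameserver
        owners = [f"{name}.rpz-nsdname"]
    else:
        raise ValueError(f"unknown trigger: {trigger!r}")
    return [f"{owner} {rdata}" for owner in owners]

def render_zone(zone, serial, entries):
    """Render a complete RPZ zone; owners are relative to the zone origin."""
    lines = ["$TTL 300",
             f"@ SOA localhost. hostmaster.{zone}. {serial} 3600 600 86400 300",
             "@ NS localhost."]
    for entry in entries:
        lines += rpz_records(*entry)
    return "\n".join(lines) + "\n"

# Constructed sample entries (not from any real feed).
SAMPLE = [("qname", "Malware.Example.", "nxdomain"),
          ("nsdname", "ns1.bad-hoster.example", "redirect:blocked.campus.example"),
          ("qname", "partner.example", "passthru")]

if __name__ == "__main__":
    print(render_zone("rpz.campus.example", 2014031701, SAMPLE), end="")
```

The rendered file is loaded as an ordinary master zone and then named in the resolver's `response-policy` statement.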
