[Pdns-users] Recursor: Black list

[Curtis Maurand]

On 10/20/2014 9:40 AM, Ciro Iriarte wrote:
> 2014-10-17 13:35 GMT-03:00 ktm at rice.edu <ktm at rice.edu>:
>>>> Hi Ciro,
>>>>
>>>> We used a CDB key value store. It was easy to use/update and had
>>>> very good performance. "grepping" is O(n*n) so it will tank as
>>>> your list grows and you really don't want to slow down your DNS
>>>> lookups.
>>>>
>>>> Regards,
>>>> Ken
>>> Hi Ken, I'll look at the LUA+CDB mix given it seems more elegant, any
>>> document specific for PDNS you can point me to?
>>>
>>> Regards,!
>>>
>> Hi,
>>
>> No PDNS specific documentation, we used the CDB map to allow the
>> blacklist to be update without needing to restart the recursor
>> and lose all the cached DNS lookups. We wrote a function similar
>> to the example Lua script using a CDB map instead.
>>
>> Regards,
>> Ken
> Hi Ken!, would you be willing to publish/share your implementation?.
> Having two different rules (two groups, each group with different
> answers), do you think it's best to use two scripts?, or just push
> more data to the CDB (A record expected + answer) and use one script?
>
> Regards,

I've been looking for a way to do this as well.  I would think that a 
separate pdns instance on a different server than your main dns would do 
the trick or have one bound to one address and a second instance bound 
to another using separate databases.  I tried setting up a zone and 
delegating it to the current DNS and that doesn't work.  It's an 
interesting problem.  Currently I'm using iptables on my mail servers, 
but that get's unwieldy and unmanageable in a hurry.  I've also done it 
with spamassassin rules, but that also get's to be unmanageable, too.

--Curtis


>

-- 
Curtis Maurand
curtis at maurand.com <mailto:curtis at maurand.com>
207-252-7748
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20141020/7a3a9977/attachment-0001.html>