Avoid Phishing using DNS
alex at digriz.org.uk
Sat Jan 17 04:30:53 EST 2009
* Daniel Zilli <zilli.daniel at gmail.com> [Sat, 17 Jan 2009 09:16:57 +0700]:
> Did anyone find performance issues with this implementation? Because in
> theory, for a medium network environment this
> can become a problem. Imagine that malware list growing and
> dozens/hundreds of users requesting the server at the same time....
> I didn't do any test, so I would like to know if someone already did.
> Anyhow, for tiny and small organisations... this is a great
> tool for security issues.
This is the format of our blacklisting system:
ac56 at ipserv0:~$ head /etc/maradns/db.blacklist
ghust.gabis.co.kr. A 22.214.171.124 ~
*.ghust.gabis.co.kr. A 126.96.36.199 ~
ghust.gabis.co.kr. MX 0 ids.it.soas.ac.uk. ~
*.ghust.gabis.co.kr. MX 0 ids.it.soas.ac.uk. ~
ghust.gabis.co.kr. TXT 'dnshijack : malware : sandbox.bleedingthreats.net : 2008-03' ~
easweuijintungenfunsa.com. A 188.8.131.52 ~
*.easweuijintungenfunsa.com. A 184.108.40.206 ~
easweuijintungenfunsa.com. MX 0 ids.it.soas.ac.uk. ~
*.easweuijintungenfunsa.com. MX 0 ids.it.soas.ac.uk. ~
ac56 at ipserv0:~$ wc /etc/maradns/db.blacklist
105384 491811 4716037 /etc/maradns/db.blacklist
With 20k unique domains blacklisted we have not seen any performance
issues. The servers are 2x Intel Xeons at 2.80GHz and there are two
servers... I have never seen MaraDNS use more than 0.1% of the CPU and
the response is always instantaneous.
You should bear in mind that it's never the users' workstations knocking out
the majority of the DNS requests; where I work, 95%+ of the requests we
make come from our SMTP servers.
I'm thinking about removing the MX entries, but so far it's not
given me any complaints
a university with 600 staff and 3000 students
.sigmonster says: If God is One, what is bad?
-- Charles Manson
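Added example (not from the list post or from MaraDNS itself): a small Python script that builds a sinkhole blacklist in the same csv2-style record layout shown above (apex and wildcard A records, apex and wildcard MX records pointing at a sinkhole mail host, a TXT note, each record terminated by " ~"), dedups and validates the input domains, optionally drops the MX records as the post considers doing, and counts the distinct domains in an existing file the way one would check the "20k unique domains" figure. The sinkhole address 192.0.2.10, the host sink.example.org, the sample domains and the TXT tags are constructed placeholders, not real data.

```python
# Added example: build and check a MaraDNS csv2-style sinkhole blacklist.
# Record layout follows the list post; the sinkhole IP, MX host, domain
# names and TXT tags below are constructed sample values, not real data.
import ipaddress
import re

# One hostname label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# One csv2 record as it appears in the file: "<name> <type> <value> ~".
_REC = re.compile(r"^(\S+)\s+(A|MX|TXT)\s+(.*?)\s*~$")


def normalize_domain(name):
    """Lowercase, trim, drop the trailing dot; return None for anything not a plausible hostname."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return name


def csv2_records(domain, sink_ip, sink_mx, note):
    """csv2 lines that sinkhole one domain and every name under it."""
    ipaddress.ip_address(sink_ip)  # raises ValueError on a malformed address
    if "'" in note:
        raise ValueError("TXT note must not contain a single quote")
    fqdn = domain + "."
    mx = sink_mx.rstrip(".") + "."
    return [
        f"{fqdn} A {sink_ip} ~",
        f"*.{fqdn} A {sink_ip} ~",
        f"{fqdn} MX 0 {mx} ~",
        f"*.{fqdn} MX 0 {mx} ~",
        f"{fqdn} TXT '{note}' ~",
    ]


def build_blacklist(raw_domains, sink_ip, sink_mx, note, skip_mx=False):
    """Return (lines, rejected): csv2 lines for each unique valid domain, plus the inputs that failed."""
    lines, rejected, seen = [], [], set()
    for raw in raw_domains:
        dom = normalize_domain(raw)
        if dom is None:
            rejected.append(raw)
            continue
        if dom in seen:  # same domain listed twice (case or trailing dot differ)
            continue
        seen.add(dom)
        recs = csv2_records(dom, sink_ip, sink_mx, note)
        if skip_mx:  # the post considers dropping the MX entries
            recs = [r for r in recs if " MX " not in r]
        lines.extend(recs)
    return lines, rejected


def count_unique_domains(lines):
    """Distinct blacklisted domains in an existing csv2 file; apex and wildcard collapse to one."""
    doms = set()
    for line in lines:
        m = _REC.match(line.strip())
        if not m:
            continue  # blank line or something that is not a record
        name = m.group(1).rstrip(".").lower()
        if name.startswith("*."):
            name = name[2:]
        doms.add(name)
    return len(doms)


# Constructed sample input: two valid domains (one listed twice) and one malformed entry.
SAMPLE_DOMAINS = ["bad.example.com", "BAD.example.com.", "evil..example", "mal.example.net"]
SAMPLE_NOTE = "dnshijack : malware : constructed-source : 2009-01"

if __name__ == "__main__":
    out, bad = build_blacklist(SAMPLE_DOMAINS, "192.0.2.10", "sink.example.org", SAMPLE_NOTE)
    print("\n".join(out))
    print(f"# rejected: {bad}; unique domains: {count_unique_domains(out)}")
```

Run it as a script to see the generated zone fragment; the normalization step matters because a blacklist assembled from several feeds will otherwise carry the same domain in different spellings, inflating the file without adding coverage.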