Avoid Phishing using DNS

Alexander Clouter alex at digriz.org.uk
Sat Jan 17 04:30:53 EST 2009

* Daniel Zilli <zilli.daniel at gmail.com> [Sat, 17 Jan 2009 09:16:57 +0700]:
> Did anyone find performance issues with this implementation? Because in
> theory, for a medium network environment this
> can become a problem. Imagine that malware list growing and
> dozens/hundreds of users requesting the server at the same time...
> I didn't do any test, so I would like to know if someone already did.
> Anyhow, for tiny and small organisations... this is a great
> tool for security issues.
This is the format[1] of our blacklisting system:
ac56 at ipserv0:~$ head /etc/maradns/db.blacklist 
ghust.gabis.co.kr.      A ~
*.ghust.gabis.co.kr.    A ~
ghust.gabis.co.kr.      MX 0 ids.it.soas.ac.uk. ~
*.ghust.gabis.co.kr.    MX 0 ids.it.soas.ac.uk. ~
ghust.gabis.co.kr.      TXT 'dnshijack : malware : sandbox.bleedingthreats.net : 2008-03' ~

easweuijintungenfunsa.com.      A ~
*.easweuijintungenfunsa.com.    A ~
easweuijintungenfunsa.com.      MX 0 ids.it.soas.ac.uk. ~
*.easweuijintungenfunsa.com.    MX 0 ids.it.soas.ac.uk. ~

ac56 at ipserv0:~$ wc /etc/maradns/db.blacklist 
 105384  491811 4716037 /etc/maradns/db.blacklist

With 20k unique domains blacklisted we[2] have not seen any performance 
issues.  The servers are 2x Intel Xeons at 2.80GHz and there are two 
servers...I have never seen MaraDNS use more than 0.1% of the CPU and 
the response is always instantaneous.

You should bear in mind that it's never the users' workstations knocking out 
the majority of the DNS requests; where I work 95%+ of the requests we 
make come from our SMTP servers.


[1] I'm thinking about removing the MX entries, but so far it's not 
	given me any complaints
[2] a university with 600 staff and 3000 students

Alexander Clouter
.sigmonster says: If God is One, what is bad?
                  		-- Charles Manson
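
An added example, not from the post or from MaraDNS itself: a small Python helper that emits record groups in the same layout as db.blacklist above, loads such a file into a set, and answers whether a queried name falls under a listed domain (the `*.` entries make every subdomain match). The sinkhole address is a placeholder I chose; the post's A records show no address, and the TXT note text is constructed.

```python
import ipaddress
import re

# Constructed sample values: the sinkhole IP is a TEST-NET-1 placeholder, not from the post.
SINKHOLE_IP = "192.0.2.1"
MX_HOST = "ids.it.soas.ac.uk."      # the MX target shown in the post
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(domain: str) -> str:
    """Lower-case, strip the trailing dot, and validate each DNS label."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        raise ValueError(f"invalid domain: {domain!r}")
    return d


def blacklist_entries(domain: str, note: str) -> list[str]:
    """One csv2 record group as in db.blacklist: A and MX for the apex and
    for a wildcard beneath it, plus a TXT record carrying the listing reason."""
    d = normalise(domain) + "."
    ipaddress.ip_address(SINKHOLE_IP)   # fail early on a malformed sinkhole address
    return [
        f"{d}\tA {SINKHOLE_IP} ~",
        f"*.{d}\tA {SINKHOLE_IP} ~",
        f"{d}\tMX 0 {MX_HOST} ~",
        f"*.{d}\tMX 0 {MX_HOST} ~",
        f"{d}\tTXT '{note}' ~",
    ]


def load_blocked(zone_text: str) -> set[str]:
    """Collect listed apex names from csv2 lines of the form 'owner TYPE rdata ~'."""
    blocked = set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[-1] != "~":
            continue                        # blank line or not a complete record
        owner = parts[0].lower().rstrip(".")
        blocked.add(owner[2:] if owner.startswith("*.") else owner)
    return blocked


def is_blocked(name: str, blocked: set[str]) -> bool:
    """True if the name or any parent of it (the '*.' entries) is listed.
    Each step is one set lookup, so cost grows with label count, not list size."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))
```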
