Avoid Phishing using DNS

Alexander Clouter alex at digriz.org.uk
Sat Jan 17 04:30:53 EST 2009


* Daniel Zilli <zilli.daniel at gmail.com> [Sat, 17 Jan 2009 09:16:57 +0700]:
>
> Did anyone find performance issues with this implementation?  Because in
> theory, for a medium network environment this
> can become a problem. Imagine that malware list growing and
> dozens/hundreds of users requesting the server at the same time....
>
> I didn't do any tests, so I would like to know if someone already did.
> Anyhow, for tiny and small organisations.. this is a great
> tool for security issues.
>
This is the format[1] of our blacklisting system:
----
ac56 at ipserv0:~$ head /etc/maradns/db.blacklist 
ghust.gabis.co.kr.      A 212.219.138.188 ~
*.ghust.gabis.co.kr.    A 212.219.138.188 ~
ghust.gabis.co.kr.      MX 0 ids.it.soas.ac.uk. ~
*.ghust.gabis.co.kr.    MX 0 ids.it.soas.ac.uk. ~
ghust.gabis.co.kr.      TXT 'dnshijack : malware : sandbox.bleedingthreats.net : 2008-03' ~

easweuijintungenfunsa.com.      A 212.219.138.188 ~
*.easweuijintungenfunsa.com.    A 212.219.138.188 ~
easweuijintungenfunsa.com.      MX 0 ids.it.soas.ac.uk. ~
*.easweuijintungenfunsa.com.    MX 0 ids.it.soas.ac.uk. ~

ac56 at ipserv0:~$ wc /etc/maradns/db.blacklist 
 105384  491811 4716037 /etc/maradns/db.blacklist
----

With 20k unique domains blacklisted we[2] have not seen any performance 
issues.  The servers are 2x Intel Xeon 2.80GHz and there are two 
servers...I have never seen MaraDNS use more than 0.1% of the CPU and 
the response is always instantaneous.

You should bear in mind that it's never the users' workstations knocking out 
the majority of the DNS requests; where I work, 95%+ of the requests we 
make come from our SMTP servers.

Cheers

[1] I'm thinking about removing the MX entries, but so far it's not 
    given me any complaints
[2] a university with 600 staff and 3000 students

-- 
Alexander Clouter
.sigmonster says: If God is One, what is bad?
                  		-- Charles Manson
