[Unbound-users] blacklisting
Rodrigo Contreras
2015-01-19 02:22:05 UTC
Hi,

I am new to Unbound, and am exploring the idea of using it as a blacklist
cache. I wonder if someone has successfully configured it to run with a
blacklist stored in memory. I have read Jan-Piet Mens' blog and it
recommends redis. I have read about memcached a bit, and it seems like an
equivalent for the DNS resolution process. Apart from that, does anyone else have
experiences to share about performance using unbound with the python module
and a backend database for blacklisting?

I thank you all.

Regards,

Rodrigo Contreras
Stephane Lapie
2015-01-19 03:02:59 UTC
Hi,

First of all, I wonder what you are trying to blacklist, because it
would probably be simpler to just implement something using Unbound's
local zones.

Now, about dynamic blacklisting in real time (especially when you
need to do it for everything under the Sun), you will have to be aware
of the following:
- Unbound will cache results that resolve positively
- If you decide to reject something with a SERVFAIL, cache won't apply.
- Cache hits will not trigger the python module
- But any cache miss will trigger the python module, which can become a
big problem.

So, it will greatly depend on how many clients are accessing your DNS
server, but a complex blacklist for which you have to access the
database backend each and every time will be a pain to use. Keep in
mind, with the python module on top of things, you will have to react
extremely fast, which means you will probably need to store a lot of
data in-memory, or at the very least, access your backend with a local
UNIX socket.

As an experiment against water torture attacks, I tried the
following structure:
Unbound -> Python module (client) -> UNIX daemon (doing the purging of
data) -> Postgres

It works fine for less than a thousand clients, but once you go above
that threshold, it just takes too much time to process anything and
every query ends with a timeout.

You also have the following article where someone linked Unbound to an
LDAP server:
http://jpmens.net/2011/08/09/extending-unbound-with-python-module/
Though, this probably has the same performance issues I mentioned.

Cheers,
--
Stephane LAPIE, EPITA SRS, Promo 2005
"Even when they have digital readouts, I can't understand them."
--MegaTokyo
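Added example, not from either poster: the two points above (keep the blacklist in memory so a cache miss is cheap, and prefer Unbound's own local zones where the list is static) as a small Python helper. The blacklist entries are constructed sample data; `static` is a real `local-zone` type in unbound.conf (names under the zone with no `local-data` get an NXDOMAIN answer, which Unbound serves itself without involving the python module at all). Nothing here talks to Unbound's pythonmod API; it is the lookup logic and the config generator only.

```python
"""
In-memory domain blacklist with parent-label matching, plus a generator
for unbound.conf local-zone lines.  Added illustration for the thread
above; the entries below are constructed, not a real block list.
"""

# Constructed sample blacklist, held in a set so each lookup is O(labels).
BLACKLIST = {"bad.example", "tracker.example.net"}


def normalize(qname):
    """Lower-case and strip the trailing dot of an absolute DNS name."""
    return qname.rstrip(".").lower()


def is_blocked(qname, blacklist=BLACKLIST):
    """
    Return the blacklist entry that covers qname, or None.
    'www.bad.example.' matches the entry 'bad.example' because every
    suffix of the name (by label) is tried, most specific first.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blacklist:
            return candidate
    return None


def local_zone_lines(blacklist=BLACKLIST, zone_type="static"):
    """
    Emit one local-zone line per entry for unbound.conf.  With the
    'static' type, any name under the zone that has no local-data gets
    NXDOMAIN from Unbound's local zone code, so the python module and
    any backend database are never consulted for those names.
    """
    return [f'local-zone: "{name}." {zone_type}' for name in sorted(blacklist)]


if __name__ == "__main__":
    for q in ("www.bad.example.", "notbad.example", "tracker.example.net"):
        print(q, "->", is_blocked(q))
    print("\n".join(local_zone_lines()))
```

Loading a file into `BLACKLIST` at module import time is the in-memory approach Stephane describes; for a list that only changes occasionally, writing the `local_zone_lines()` output to a file included from unbound.conf and reloading Unbound avoids the per-miss lookup entirely.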