Blocking undesirable domains using BIND

Darren Spruell phatbuckett at
Fri Dec 28 08:27:21 PST 2007

On Dec 28, 2007 8:49 AM, Kevin Kinsey <kdk at> wrote:
> Olivier Nicole wrote:
> >> Again, I'm not trying to convince you otherwise or say that using
> >> BIND is a bad idea.  It's just that I'm curious because we use
> >> Squid for this sort of thing, and I was wondering why BIND instead?
> >
> > I think another issue is that Squid will only filter HTTP/FTP
> > connections, while DNS would allow to filter any type of traffic that
> > would try to go to places with a bad name.
> >
> > Olivier
> In the absence of egress filtering on the firewall, that
> would definitely be an advantage.  Does anyone use BIND
> for filtering in a small to medium business environment
> then?  How does it perform?

Performs fine.

# rndc status
number of zones: 17210

My 17000+ zones are loaded from the DNS-BH project and increase the
startup time of named to about 10 seconds and bump the resident memory
size up to about 55M. (AMD Duron 750MHz).

There's no real performance hit per se by DNS blackholing, other than
the resource utilization increase needed for handling additional
zones; your name server would normally be handling these DNS lookups
anyway. You're just overriding the response locally rather than
recursing for it. The zones themselves typically end up being very
small, like a single wildcard record pointing to or a
honeypot or whatever.
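
The setup Darren describes, one tiny shared zone file with a wildcard record plus one "zone" stanza per blocked name, as an added example that is not part of the original post or the DNS-BH project. It is a POSIX sh script that generates both pieces from a plain domain list; the sinkhole address (127.0.0.1), the zone file path (/etc/namedb/blackhole.zone) and the sample domains are assumptions for illustration, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post or from DNS-BH.
# Produces the two BIND artifacts behind DNS blackholing:
#   1. a single zone file with an apex and a wildcard A record, shared by
#      every blocked domain (the "@" origin is supplied per zone by named,
#      so one file serves thousands of zones);
#   2. a named.conf include with one master "zone" stanza per domain.
# SINKHOLE and ZONEFILE defaults are assumptions; override via environment.

SINKHOLE="${SINKHOLE:-127.0.0.1}"
ZONEFILE="${ZONEFILE:-/etc/namedb/blackhole.zone}"

# Shared zone file. The apex A record answers the bare domain, the wildcard
# answers every subdomain. SOA and NS are mandatory for a loadable master
# zone even though nobody will ever be delegated to them.
gen_blackhole_zone() {
    cat <<EOF
\$TTL 86400
@   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 86400 )
    IN NS   localhost.
    IN A    $SINKHOLE
*   IN A    $SINKHOLE
EOF
}

# Read domains from stdin (one per line, '#' comments and blank lines
# ignored) and print one master zone stanza per domain, all pointing at
# the same file. Anything that is not a plain hostname is rejected so a
# stray quote or semicolon in a downloaded list cannot reach named.conf.
gen_blackhole_conf() {
    while read -r domain _rest; do
        domain=${domain%%#*}
        [ -n "$domain" ] || continue
        case "$domain" in
            *[!A-Za-z0-9.-]*|.*|*.|*..*)
                printf 'skipping invalid domain: %s\n' "$domain" >&2
                continue ;;
        esac
        printf 'zone "%s" { type master; file "%s"; allow-update { none; }; };\n' \
            "$domain" "$ZONEFILE"
    done
}

# Constructed sample blocklist; these names are made up for the example.
SAMPLE_LIST='# sample blocklist
malware.example
tracker.example.net   # trailing comment is stripped
bad;name.example
'

# Run as "sh blackhole.sh demo" to print the zone file followed by the
# named.conf stanzas for the sample list.
if [ "${1:-}" = "demo" ]; then
    gen_blackhole_zone
    printf '%s' "$SAMPLE_LIST" | gen_blackhole_conf
fi
```

Redirect the two outputs to the zone file and to a file you `include` from named.conf, then run `named-checkzone malware.example /etc/namedb/blackhole.zone` and `named-checkconf` before reloading with `rndc reconfig`; the checkzone call is also the quickest way to confirm the wildcard resolves as intended. Two caveats for a practitioner: `$TTL` and the SOA values above are arbitrary, and because the shared file is identical for every zone, the serial never needs to change unless the sinkhole address does. BIND 9.8 and later also offer response policy zones (RPZ), which express the same overrides in one zone instead of one stanza per domain and avoid the startup and memory cost the post mentions.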


More information about the freebsd-questions mailing list