[DNSfirewalls] Recommended bind versions etc. for RPZ consuming servers

Francis Turner francis at threatstop.com
Fri Jan 24 23:09:34 UTC 2014

I've noticed that the bind9 packages in most Linux distros (Debian, Ubuntu, Red Hat etc.) seem to be of the 9.8.4 vintage (plus or minus a subversion or 2). In many cases these can support RPZ but they obviously don't have all the latest fixes to handle multiple RPZ performance hits and so on.

They do however seem to generally work if you give them one feed and don't try the more recent RPZ things (e.g. rpz-client-IP, rpz-drop and rpz-TCP-only).

Is this considered acceptable or should RPZ clients use a more recent bind version (e.g. 9.9.4)?

If the latter, is there a document anyone can point me to that explains how a minimally clueful Linux sysadmin goes about getting 9.9.4 running on his machine? My experience is that the packagers tend to help a lot with all the install busywork (creating the start/stop scripts, simple named.conf, rndc etc.) that is exceptionally easy to get wrong and which varies slightly by distro. I'd greatly prefer NOT to have to write this myself but I may do so if there really aren't any good references.



Francis J.M. Turner
VP Product Management & OEM - http://www.threatstop.com/

ThreatSTOP(tm) Inc, "Stop Botnets Stealing from You!"
email: francis at threatstop.com skype: francis.turner.threatstop
fixed: +1-760-542-1550    cell:  +1-760-402-7676

That knowledge which stops at what it does not know, is the
highest knowledge.           -- Chuang Tzu, 4th c. B.C.
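For readers following this thread, here is a worked illustration of the "one feed, no newer triggers" configuration the post describes as working on distro-packaged BIND. It is an added example, not configuration from the post, from ThreatSTOP, or from the bind9 packages; the zone name rpz.example.invalid, the 192.0.2.0/24 addresses and the feed master address are placeholders. It uses only a single `response-policy` zone with QNAME and rpz-ip triggers and the NXDOMAIN, NODATA, local-data and passthru actions; the rpz-client-ip, rpz-drop and rpz-tcp-only features the post mentions are deliberately left out.

```conf
// ---- named.conf fragment (added example; placeholder names and addresses) ----
options {
    directory "/var/cache/bind";
    recursion yes;
    // constructed client range; restrict recursion to your own clients
    allow-recursion { 127.0.0.0/8; 192.0.2.0/24; };
    // exactly one RPZ feed, evaluated for every recursive answer
    response-policy { zone "rpz.example.invalid"; };
};

// The feed is pulled as a secondary (slave) zone from the provider.
// 192.0.2.53 stands in for the feed provider's transfer address.
zone "rpz.example.invalid" {
    type slave;
    file "slave/rpz.example.invalid";
    masters { 192.0.2.53; };
    allow-query { localhost; };   // RPZ data is policy, not public DNS
};

; ---- slave/rpz.example.invalid: what a minimal feed looks like ----
; Trigger owner names are relative to the RPZ zone origin.
$TTL 300
@   IN SOA ns.rpz.example.invalid. hostmaster.rpz.example.invalid. (
        2014012401 3600 600 86400 300 )
    IN NS  ns.rpz.example.invalid.
ns  IN A   192.0.2.53

; QNAME triggers (placeholder domains)
bad.example.invalid        IN CNAME .              ; answer NXDOMAIN
*.bad.example.invalid      IN CNAME .              ; ...and for every subdomain
tracker.example.invalid    IN CNAME *.             ; answer NODATA
sinkhole.example.invalid   IN A     192.0.2.1      ; answer with local data
allowed.example.invalid    IN CNAME rpz-passthru.  ; explicit exception, no rewrite

; IP trigger on the answer: 32 = prefix length, then reversed octets,
; so this matches any A record equal to 192.0.2.99
32.99.2.0.192.rpz-ip       IN CNAME .              ; NXDOMAIN
```

Before reloading, `named-checkconf` and `named-checkzone rpz.example.invalid slave/rpz.example.invalid` catch syntax errors in the two files; after reload, a query for bad.example.invalid through the resolver should return NXDOMAIN while the same query against an unfiltered resolver still resolves, which confirms the policy zone is actually being consulted. Keep `allow-query` on the policy zone closed so the feed contents cannot be enumerated by arbitrary clients.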

