WinBIND User Guide – Advanced Features

Active Blacklist

Active Blacklist is an advanced feature of WinBIND. It uses a simple heuristic to identify "bad clients": clients that have repeatedly queried this name server for only a small handful of records, over and over again in a short time frame, ignoring the records' TTLs (a well-behaved resolver caches the answer and does not ask again until the TTL has expired).

The source IP address seen on these bad clients' queries is not the address they are actually sending from. They spoof the source address to be that of the target they are trying to attack with a DNS Distributed Denial of Service (a reflection attack). The aim is to get your name server to join thousands of others in sending large and frequent DNS responses to the intended victim.

Active Blacklist detects this and maintains two Windows Firewall rules that block traffic to and from the spoofed address, thereby preventing your name server from participating in the DNS DDoS attack.

Blocking both directions matters: the Inbound rule stops further spoofed queries from reaching the server, and the Outbound rule stops responses from being sent to the intended victim.

Bad clients are removed from the Active Blacklist (and thus from the Windows Firewall rules) after a set period of time. This ensures that a blacklisted address is not blocked forever: it may have been a DHCP address since reassigned to another host, the machine may have been cleaned up by its admin, or, since the blocked address is the spoofed victim's rather than the attacker's, it may belong to an entirely innocent party whose own queries are being refused while the block lasts.

Active Blacklist is enabled on the Settings tab of WinBIND Control by ticking Enable Active Blacklist underneath DNS DDoS Firewall Protection.

Active Blacklist is a per-server setting, meaning that you need to run WinBIND Control and tick this box on every name server on which you want the Windows Firewall rules created and maintained.
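The following is an added example written for this guide, not WinBIND's own code, showing the shape of such a heuristic and its expiry: per-source counting over a short window, a "small handful of names" test, a count of repeats made before the previous answer's TTL had lapsed, and a blacklist mirrored into a pair of netsh firewall commands. The thresholds, window, ban duration, log tuple layout, rule names and the sample log are all assumptions made here; WinBIND's real values and internals are not documented on this page.

```python
"""Added illustration of an Active Blacklist style heuristic.

Example code written for this guide, not WinBIND's implementation. The
thresholds, window, ban duration, log tuple layout and firewall rule names
are assumptions; WinBIND's actual values are not documented here.
"""
from collections import defaultdict

WINDOW_SECONDS = 60            # assumed: judge clients on the last minute of queries
MIN_QUERIES = 20               # assumed: fewer queries than this is never "bad"
MAX_DISTINCT_NAMES = 3         # assumed: a "small handful" of records
MIN_EARLY_REPEAT_RATIO = 0.8   # assumed: share of queries that ignored the TTL
BAN_SECONDS = 3600             # assumed: how long an address stays blacklisted
RULE_IN = "WinBIND Active Blacklist (in)"     # assumed rule names
RULE_OUT = "WinBIND Active Blacklist (out)"


def build_sample_log():
    """Constructed sample log: (unix_time, source_ip, qname, ttl_seconds)."""
    log = []
    # Spoofed-source flood: 30 queries in 30 s for one name with a 3600 s TTL.
    for t in range(30):
        log.append((1000 + t, "203.0.113.10", "example.com", 3600))
    # A busy recursive resolver: many queries, but for many distinct names.
    for i in range(25):
        log.append((1000 + i, "192.0.2.20", f"host{i}.example.net", 300))
    # An ordinary client: few queries, and it re-asks only after the TTL expired.
    log.append((980, "198.51.100.7", "www.example.org", 10))
    log.append((1000, "198.51.100.7", "www.example.org", 10))
    log.append((1012, "198.51.100.7", "mail.example.org", 10))
    return log


def find_bad_clients(log, now):
    """Return source addresses that look like spoofed reflection victims.

    A source is "bad" when, inside the window, it sent many queries for only
    a handful of names and most of them were repeats made before the previous
    answer's TTL had run out.
    """
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "early": 0})
    last_seen = {}  # (source_ip, qname) -> time of the previous query
    for t, ip, qname, ttl in sorted(log):
        if t < now - WINDOW_SECONDS or t > now:
            continue
        s = stats[ip]
        s["queries"] += 1
        s["names"].add(qname)
        prev = last_seen.get((ip, qname))
        if prev is not None and t - prev < ttl:
            s["early"] += 1   # asked again while the cached answer was still valid
        last_seen[(ip, qname)] = t
    bad = []
    for ip, s in stats.items():
        if s["queries"] < MIN_QUERIES or len(s["names"]) > MAX_DISTINCT_NAMES:
            continue
        if s["early"] / s["queries"] >= MIN_EARLY_REPEAT_RATIO:
            bad.append(ip)
    return sorted(bad)


class ActiveBlacklist:
    """Blacklist with automatic expiry, mirrored into two firewall rules."""

    def __init__(self):
        self._expires = {}  # source_ip -> unix time when the block lapses

    def add(self, ip, now):
        self._expires[ip] = now + BAN_SECONDS   # re-adding extends the ban

    def expire(self, now):
        """Drop lapsed entries; returns the addresses that were released."""
        lapsed = sorted(ip for ip, exp in self._expires.items() if exp <= now)
        for ip in lapsed:
            del self._expires[ip]
        return lapsed

    def blocked(self):
        return sorted(self._expires)

    def sync_commands(self):
        """netsh commands that make Windows Firewall match the current list.

        Both rules are deleted and recreated with the full address list. An
        empty list only deletes: never emit 'remoteip=any', which would block
        all traffic to and from the server.
        """
        cmds = [
            f'netsh advfirewall firewall delete rule name="{RULE_IN}"',
            f'netsh advfirewall firewall delete rule name="{RULE_OUT}"',
        ]
        ips = ",".join(self.blocked())
        if ips:
            cmds += [
                f'netsh advfirewall firewall add rule name="{RULE_IN}" dir=in action=block remoteip={ips}',
                f'netsh advfirewall firewall add rule name="{RULE_OUT}" dir=out action=block remoteip={ips}',
            ]
        return cmds
```

The commands are returned as strings rather than executed so the logic can be exercised offline; on a real server they would be run with administrative rights, and an operator would want to log every address added and released, since the blocked address is a spoofed victim and a false positive cuts off a legitimate client.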

Active Refresh

Active Refresh is another advanced feature of WinBIND. If enabled, every time the WinBIND service runs on the Designated Master it queries the database for the 1000 most frequent queries made by clients against all of your name servers within the last 24 hours. It then runs the equivalent of a dig or nslookup for each of those queries against each name server. This keeps your most frequently requested lookups in every name server's cache, and proactively performs a fresh lookup whenever the TTL on a cached result has expired, so your clients do not pay the resolution delay when they next query that record.

Given the sheer number of DNS lookups triggered by a single web page these days (upwards of 100 FQDNs on busy sites), this can significantly improve name server performance as perceived by clients.

Naturally, Active Refresh excludes its own lookups from the top 1000 results; otherwise it would artificially inflate those counts and skew the statistics.

Active Refresh is enabled on the Settings tab of WinBIND Control by ticking Enable Active Refresh underneath Active Refresh.

Active Refresh is a global setting, meaning that you only need to tick this box once. You’ll then find it ticked on all other name servers whenever you run WinBIND Control.
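The following is an added example written for this guide, not WinBIND's own code, modelling the Active Refresh cycle end to end: ranking the most requested queries over a 24 hour window while excluding the refresher's own lookups, and re-asking every server so that entries whose TTL has lapsed are fetched fresh while still-valid ones are answered from cache. The log tuple layout, the refresher's source address, the CachingServer model, the fake upstream zone data and the sample log are all assumptions made here.

```python
"""Added illustration of an Active Refresh style cache warmer.

Example code written for this guide, not WinBIND's implementation. The log
tuple layout, the refresher's source address, the fake upstream zone and the
CachingServer model are assumptions made for the demonstration.
"""
from collections import Counter

TOP_N = 1000                  # from the guide: the top 1000 queries
WINDOW_SECONDS = 24 * 3600    # from the guide: over the last 24 hours
REFRESHER_IP = "127.0.0.1"    # assumed: source address of the refresher's own lookups

# Constructed stand-in for the real upstream: (qname, qtype) -> (answer, ttl)
FAKE_ZONE = {
    ("www.example.com", "A"): ("192.0.2.1", 300),
    ("mail.example.com", "MX"): ("10 mx.example.com.", 3600),
    ("cdn.example.net", "A"): ("198.51.100.9", 60),
}


def fake_upstream(qname, qtype):
    return FAKE_ZONE.get((qname, qtype), ("NXDOMAIN", 60))


def build_sample_log(now):
    """Constructed query log: (unix_time, source_ip, qname, qtype)."""
    log = []
    log += [(now - 3600 - i, "198.51.100.7", "www.example.com", "A") for i in range(50)]
    log += [(now - 7200 - i, "198.51.100.8", "mail.example.com", "MX") for i in range(20)]
    log += [(now - 600 - i, "198.51.100.9", "cdn.example.net", "A") for i in range(5)]
    # Two days old: outside the 24 h window, so it must not count however many there are.
    log += [(now - 2 * 86400, "198.51.100.9", "old.example.net", "A") for _ in range(99)]
    # The refresher's own earlier lookups: these would dominate the ranking if counted.
    log += [(now - 60, REFRESHER_IP, "vanity.example.org", "A") for _ in range(500)]
    return log


def top_queries(log, now, n=TOP_N, window=WINDOW_SECONDS, exclude_ip=REFRESHER_IP):
    """Most requested (qname, qtype) pairs in the window, minus the refresher's own lookups."""
    counts = Counter()
    for t, src, qname, qtype in log:
        if src == exclude_ip or t < now - window or t > now:
            continue
        counts[(qname.lower().rstrip("."), qtype.upper())] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [key for key, _ in ranked[:n]]


class CachingServer:
    """Minimal model of one caching name server: answers from cache until the TTL lapses."""

    def __init__(self, name, upstream):
        self.name = name
        self.upstream = upstream      # callable(qname, qtype) -> (answer, ttl)
        self.cache = {}               # (qname, qtype) -> (answer, expires_at)
        self.upstream_lookups = 0

    def query(self, qname, qtype, now):
        """Return (answer, served_from_cache)."""
        key = (qname, qtype)
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0], True
        answer, ttl = self.upstream(qname, qtype)
        self.upstream_lookups += 1
        self.cache[key] = (answer, now + ttl)
        return answer, False


def active_refresh(servers, log, now):
    """One refresher run: re-ask every server for the top queries.

    Lookups whose cache entry is still valid cost nothing upstream; expired
    ones are fetched again so the next client finds a warm cache. Each lookup
    is logged under REFRESHER_IP so the next ranking can exclude it.
    """
    top = top_queries(log, now)
    for server in servers:
        for qname, qtype in top:
            server.query(qname, qtype, now)
            log.append((now, REFRESHER_IP, qname, qtype))
    return top
```

Running `active_refresh` twice, 120 seconds apart, shows the intended effect: the second run only goes upstream for the 60 second TTL record, while the ranking stays unchanged because the first run's own lookups were logged under the refresher's address and filtered out.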

Support & Feedback

If you have any problems, if you get any error messages, or if you have any other feedback then please get in touch – I really do want to hear from you!