[RPZ] R: Bind, rpz and views

Marc Evans marc.evans at umbradata.com
Mon Dec 19 11:49:54 UTC 2011

Hello Francesco,

I believe that what Vernon is suggesting is the best approach, e.g. when 
the number of users is greater than the number of combinations of 
policy files used by the users, define 1 view per combination and then 
have the users be associated with the view that meets the user criteria. 
For example, say there are 3 files (A,B,C) and 8 users as shown here:

1: A
2: A,B
3: A,B,C
4: A,B
5: A,B,C
6: B,C
7: B,C
8: A

That would reduce down to 4 views:

V1: A
V2: A,B
V3: A,B,C
V4: B,C

which would mean that 8 file loads would occur. As the number of users 
increases the overlap of the number of users sharing a view will 
improve, thereby sharing resources more effectively.

- Marc

On 12/19/11 6:36 AM, Job wrote:
> Hi Vernon!
> Thank you for the reply, but it is a problem to make predeterminated combination of blacklists; another issue is that every user needs an rpz personal-blacklist file, so the view must be owned only by one user.
> I am working, since some days, with Bind-Flz, it seems stable and robust... let's hope! :)
> Francesco
> ________________________________________
> Da: Vernon Schryver [vjs at rhyolite.com]
> Inviato: venerdì 16 dicembre 2011 20.01
> A: dnsrpz-interest at lists.isc.org; Job
> Oggetto: Re: [RPZ] Bind, rpz and views
>> From: Job<Job at colliniconsulting.it>
>> To: "dnsrpz-interest at lists.isc.org"<dnsrpz-interest at lists.isc.org>
>> i am trying to setup some blacklists foqr some users.
>> I have a file for every blacklist, example: blacaklistA blacklistB blacklistC.
>> I have to assign different combination of A B C to users.
>> I created dns bind view that, by matching source ip client, provide
>> different answer according to match-clients.
>> The problems is that, when scaling this configuration, bind
>> requests lots of memory because, if the blacklistA file is requested
>> from 100 different users in 100 different view, it loads 100 times
>> the file!
>> Is there a way to reuse that same file without loading it, in
>> memory, "n" times?
> In the BIND9 implementation, response policy zones are much the same
> as any other zone in a view.  That implies that BIND9 policy zones
> have the general strengths and weaknesses of BIND9 views and zones
> for providing DNS services for large numbers of customers.
> Would it be possible to assign each of the 100 customers to one of 8
> views corresponding to the 8 possible combinations of the 3 blacklists?
> Vernon Schryver    vjs at rhyolite.com
> _______________________________________________
> dnsrpz-interest mailing list
> dnsrpz-interest at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dnsrpz-interest

More information about the DNSfirewalls mailing list