[RPZ] R: Bind, rpz and views
marc.evans at umbradata.com
Mon Dec 19 11:49:54 UTC 2011
I believe that what Vernon is suggesting is the best approach, e.g. when
the number of users is greater than the number of combinations of
policy files used by the users, define 1 view per combination and then
have the users be associated with the view that meets the user criteria.
For example, say there are 3 files (A,B,C) and 8 users as shown here:
That would reduce down to 4 views:
which would mean that 8 file loads would occur. As the number of users
increases the overlap of the number of users sharing a view will
improve, thereby sharing resources more effectively.
On 12/19/11 6:36 AM, Job wrote:
> Hi Vernon!
> Thank you for the reply, but it is a problem to make predeterminated combination of blacklists; another issue is that every user needs an rpz personal-blacklist file, so the view must be owned only by one user.
> I am working, since some days, with Bind-Flz, it seems stable and robust... let's hope! :)
> Da: Vernon Schryver [vjs at rhyolite.com]
> Inviato: venerdì 16 dicembre 2011 20.01
> A: dnsrpz-interest at lists.isc.org; Job
> Oggetto: Re: [RPZ] Bind, rpz and views
>> From: Job<Job at colliniconsulting.it>
>> To: "dnsrpz-interest at lists.isc.org"<dnsrpz-interest at lists.isc.org>
>> i am trying to setup some blacklists foqr some users.
>> I have a file for every blacklist, example: blacaklistA blacklistB blacklistC.
>> I have to assign different combination of A B C to users.
>> I created dns bind view that, by matching source ip client, provide
>> different answer according to match-clients.
>> The problems is that, when scaling this configuration, bind
>> requests lots of memory because, if the blacklistA file is requested
>> from 100 different users in 100 different view, it loads 100 times
>> the file!
>> Is there a way to reuse that same file without loading it, in
>> memory, "n" times?
> In the BIND9 implementation, response policy zones are much the same
> as any other zone in a view. That implies that BIND9 policy zones
> have the general strengths and weaknesses of BIND9 views and zones
> for providing DNS services for large numbers of customers.
> Would it be possible to assign each of the 100 customers to one of 8
> views corresponding to the 8 possible combinations of the 3 blacklists?
> Vernon Schryver vjs at rhyolite.com
> dnsrpz-interest mailing list
> dnsrpz-interest at lists.isc.org
More information about the DNSfirewalls