[DNSfirewalls] rpz firewall + whitelisting

Vadim Pavlov pvm_job at mail.ru
Tue Aug 27 16:14:24 UTC 2019


Just in case.
Do not forget that every single rule consumes memory. It is ok for hundreds or a few thousand indicators. E.g. with 2.5M RPZ rules bind consumes 1.2Gb-2Gb of RAM.

Vadim
> On Aug 27, 2019, at 08:46, Lee <ler762 at gmail.com> wrote:
> 
> On 8/26/19, Vernon Schryver <vjs at rhyolite.com> wrote:
>>> From: Brian Dickson <brian.peter.dickson at gmail.com>
>>> To: Bob Harold <rharolde at umich.edu>
>>> Cc: dnsfirewalls at lists.redbarn.org
>> 
>>>> If your local list and the third party list are separate RPZ zones, then
>>>> it should be almost fine, I think.  Each zone is processed separately, and
>>>> the first zone that matches takes effect.  The third party would not match,
>>>> but yours would.  I know that sounds confusing, you might want to test it.
>>>> 
>>> The implementation I am familiar with uses a bit-field (32 bits) for zone
>>> membership.
>> 
>> Would that be my second implementation for ISC in BIND9?
> 
> Wow!  The guy that wrote the code!!  I have to ask .. instead of me having to do
> 
> $ cat db.test-rpz
> $ORIGIN rpz.test.
> @ IN SOA localhost. admin ( 2019082418 6h 15 1d 1s )
>   IN NS  localhost.
>                 2o7.net CNAME .
>               *.2o7.net CNAME .
>             112.2o7.net CNAME .
>           *.112.2o7.net CNAME .
>         102.112.2o7.net CNAME .
>       *.102.112.2o7.net CNAME .
>     com.102.112.2o7.net CNAME .
>   *.com.102.112.2o7.net CNAME .
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> ; === end ===
> 
> Would it be possible for me to do
>                 2o7.net CNAME .
>               *.2o7.net CNAME .
> bcbsks.com.102.112.2o7.net CNAME rpz-passthru.
> 
> and for you to automagically fill in the intervening space for me:
>             112.2o7.net CNAME .
>           *.112.2o7.net CNAME .
>         102.112.2o7.net CNAME .
>       *.102.112.2o7.net CNAME .
>     com.102.112.2o7.net CNAME .
>   *.com.102.112.2o7.net CNAME .
> 
> Thanks
> Lee
> _______________________________________________
> DNSfirewalls mailing list
> DNSfirewalls at lists.redbarn.org
> http://lists.redbarn.org/mailman/listinfo/dnsfirewalls
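Lee's request above, a tool that takes the two block lines and the one pass-through line and fills in the intervening records, as an added example that is not code from this thread or from BIND. It assumes (labelled in the code) that the intermediate records are needed because RPZ names follow ordinary DNS wildcard semantics: the deep pass-through name makes its ancestors exist as empty non-terminals, so `*.2o7.net` no longer matches anything under `112.2o7.net`, and each intervening label needs its own block and wildcard rule. The small `rpz_match` model encodes that assumption so you can check the effect of the minimal and the expanded zone side by side; the names `expand_rpz`, `intermediate_names`, `parse_rules` and `rpz_match` are this example's own.

```python
from __future__ import annotations

# Minimal zone the poster wanted to write (constructed from the thread).
MINIMAL_LINES = [
    "2o7.net CNAME .",
    "*.2o7.net CNAME .",
    "bcbsks.com.102.112.2o7.net CNAME rpz-passthru.",
]


def parse_rules(lines: list[str]) -> dict[str, str]:
    """Map RPZ owner name -> CNAME target ('.' = NXDOMAIN, 'rpz-passthru.' = allow)."""
    rules = {}
    for line in lines:
        owner, rtype, target = line.split()
        assert rtype == "CNAME", f"only CNAME rules are modelled here: {line}"
        rules[owner.rstrip(".")] = target
    return rules


def intermediate_names(block: str, passthru: str) -> list[str]:
    """Ancestor names of `passthru` strictly below `block`, shallowest first.
    e.g. 2o7.net / bcbsks.com.102.112.2o7.net ->
         112.2o7.net, 102.112.2o7.net, com.102.112.2o7.net"""
    b = block.rstrip(".").split(".")
    p = passthru.rstrip(".").split(".")
    if len(p) <= len(b) or p[-len(b):] != b:
        raise ValueError(f"{passthru} is not below {block}")
    return [".".join(p[i:]) for i in range(len(p) - len(b) - 1, 0, -1)]


def expand_rpz(block: str, passthru: str) -> list[str]:
    """Emit the full rule list: block + wildcard at every level, then the pass-through."""
    rules = [f"{block} CNAME .", f"*.{block} CNAME ."]
    for name in intermediate_names(block, passthru):
        rules += [f"{name} CNAME .", f"*.{name} CNAME ."]
    rules.append(f"{passthru} CNAME rpz-passthru.")
    return rules


def rpz_match(rules: dict[str, str], qname: str) -> str | None:
    """Model of QNAME-trigger matching (assumption: DNS wildcard semantics).
    Exact owner wins; otherwise the wildcard of the closest encloser applies,
    where every ancestor of any rule owner exists as an empty non-terminal."""
    qname = qname.rstrip(".")
    if qname in rules:
        return rules[qname]
    existing = set()
    for owner in rules:
        base = owner[2:] if owner.startswith("*.") else owner
        parts = base.split(".")
        for i in range(len(parts)):
            existing.add(".".join(parts[i:]))
    parts = qname.split(".")
    for i in range(1, len(parts)):  # proper ancestors, longest first
        anc = ".".join(parts[i:])
        if anc in existing:
            return rules.get("*." + anc)  # None: encloser exists, no wildcard
    return None


EXPANDED_LINES = expand_rpz("2o7.net", "bcbsks.com.102.112.2o7.net")
MINIMAL_RULES = parse_rules(MINIMAL_LINES)
EXPANDED_RULES = parse_rules(EXPANDED_LINES)

if __name__ == "__main__":
    for line in EXPANDED_LINES:
        print(line)
    for q in ("tracker.2o7.net", "102.112.2o7.net", "bcbsks.com.102.112.2o7.net"):
        print(q, "minimal:", rpz_match(MINIMAL_RULES, q),
              "expanded:", rpz_match(EXPANDED_RULES, q))
```

Run as-is it prints the nine lines of the full zone from the thread. In the minimal zone the model leaves `102.112.2o7.net` unmatched (its closest encloser `112.2o7.net` exists only because of the pass-through record and has no wildcard), which is the gap the expanded zone closes while still letting `bcbsks.com.102.112.2o7.net` through.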
