[DNSfirewalls] rpz firewall + whitelisting

Vernon Schryver vjs at rhyolite.com
Tue Aug 27 17:16:04 UTC 2019


On 8/27/19, Vadim Pavlov <pvm_job at mail.ru> wrote:
> Just in case.
> Do not forget that every single rule consumes memory. It is ok for hundreds
> or a few thousands indicators but it may be an issue if you have more or a
> low end server. E.g. I’ve tested with 2.5M RPZ rules (2 rules per indicator)
> - bind9 consumes 1.2Gb-2Gb of RAM, PowerDNS about 600Mb.

FastRPZ uses significantly less memory per rule, but the point is
valid.  2.5M rules is not an impossible number of RPZ rules.  I think
some of Spamhaus' policy zones are about that large.

Please let me point again at 
https://www.ietf.org/archive/id/draft-ietf-dnsop-dns-rpz-00.txt
That document is supposed to say all that can be said about RPZ without
needing to look at any code.


Vernon Schryver    vjs at rhyolite.com
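As an added illustration of the "2 rules per indicator" pattern and of whitelisting with rpz-passthru (example code written for this archive page, not code from the thread or from any RPZ implementation), the generator below builds a minimal policy zone; the indicator and whitelist names are constructed samples, and the zone origin and SOA values are placeholders.

```python
"""Build an RPZ zone from an indicator list, whitelisting via rpz-passthru."""

# Constructed sample data, not taken from the mailing-list thread.
INDICATORS = ["bad.example", "evil.example", "shared.example"]
WHITELIST = ["shared.example", "cdn.evil.example"]


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so names compare consistently."""
    return name.strip().lower().rstrip(".")


def rpz_rules(indicators, whitelist):
    """Return (records, rule_count).

    Each blocked indicator yields two QNAME rules: the name itself and a
    wildcard for its subdomains (the "2 rules per indicator" pattern).
    Whitelisted names get one rpz-passthru rule; an indicator that is
    itself whitelisted is not emitted as a block rule at all.
    """
    allow = {normalize(n) for n in whitelist}
    records = []
    for name in sorted(allow):
        records.append(f"{name}\tCNAME\trpz-passthru.")   # whitelist entry
    for ind in sorted({normalize(i) for i in indicators}):
        if ind in allow:
            continue  # whitelist wins over the blocklist
        records.append(f"{ind}\tCNAME\t.")     # NXDOMAIN action for the name
        records.append(f"*.{ind}\tCNAME\t.")   # and for all its subdomains
    return records, len(records)


def rpz_zone(origin, indicators, whitelist):
    """Wrap the rules in a minimal zone (SOA/NS) so a resolver can load it."""
    records, _ = rpz_rules(indicators, whitelist)
    header = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        "@\tSOA\tlocalhost. hostmaster.localhost. 1 3600 900 604800 300",
        "@\tNS\tlocalhost.",
    ]
    return "\n".join(header + records) + "\n"


if __name__ == "__main__":
    print(rpz_zone("rpz.example.", INDICATORS, WHITELIST))
```

The returned rule count is the number that grows with the indicator list, which is the figure the memory remark above is about.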

