[DNSfirewalls] rpz firewall + whitelisting
Paul Vixie
paul at redbarn.org
Tue Aug 27 17:17:30 UTC 2019
On Tuesday, 27 August 2019 16:14:24 UTC Vadim Pavlov wrote:
> Just in case.
> Do not forget that every single rule consumes memory. It is ok for hundreds
> or a few thousand indicators. E.g. with 2.5M RPZ rules bind consumes
> 1.2GB-2GB of RAM.
architecturally, BIND9 keeps both the zone data (which is unused other than
when sending or receiving IXFR or AXFR) and the derivative (parallel) RPZ
metadata in RAM (on the heap). it gets big fast.
FastRPZ keeps all of this in the file system (via mmap) and has reasonable if
not optimal locality of reference, so, the resident working set ("in RAM at
any given moment") can be quite a bit smaller than the native BIND9 RPZ.
repeating for the record... any commercial support customer of ISC (for BIND9)
or NLnetLabs (for Unbound), as well as any passive DNS participant for
Farsight (for SIE or SIE-Europe) can get licensed binary FastRPZ software for
those servers. we didn't fully open-source it because after 18 years at ISC
i've decided to stop delivering unsustainable value chains.
--
Paul
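Since, as both posts above say, memory cost scales with the number of RPZ rules loaded, it is worth knowing that count before feeding a zone to a resolver. The script below is an added example written for this page; it is not code from the thread, from BIND9, or from FastRPZ. It builds an RPZ zone from a block list and an allow list, gives allow-listed names a passthru rule and drops them from the block set so they never cost a second rule, optionally adds a "*.name" rule per indicator (which doubles the rule count), and reports how many policy rules the resulting zone carries. The zone name "rpz.local", the SOA/NS placeholder values and the sample indicators are constructed assumptions, not data from the page.

```python
# Added example (not code from the thread, BIND9 or FastRPZ): build an RPZ
# zone from allow/block indicator lists and count the rules it will load.
# Assumptions: the zone name "rpz.local", the SOA/NS placeholder values and
# the sample indicators under __main__ are constructed for illustration.

ZONE = "rpz.local"


def normalize(name):
    """Lower-case, strip whitespace and a trailing dot; '' for blank/comment lines."""
    name = name.strip()
    if not name or name.startswith("#"):
        return ""
    return name.lower().rstrip(".")


def rpz_records(block, allow, zone=ZONE, wildcard=True):
    """Return the RPZ resource records (one string each) for the two lists.

    Allow-listed names get a passthru rule (CNAME rpz-passthru.) and are
    removed from the block set, so an indicator that is also allow-listed
    never consumes a second rule. Blocked names get an NXDOMAIN rule
    (CNAME .). With wildcard=True each name also gets a *.name rule that
    covers its subdomains, which doubles the number of rules loaded.
    """
    allow_set = {n for n in map(normalize, allow) if n}
    block_set = {n for n in map(normalize, block) if n} - allow_set

    def expand(names):
        for n in sorted(names):
            yield n
            if wildcard:
                yield "*." + n

    records = [f"{n}.{zone}. CNAME rpz-passthru." for n in expand(allow_set)]
    records += [f"{n}.{zone}. CNAME ." for n in expand(block_set)]
    return records


def rpz_zone(block, allow, zone=ZONE, serial=1, wildcard=True):
    """Return (zone file text, number of policy rules in it)."""
    records = rpz_records(block, allow, zone, wildcard)
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ] + records
    return "\n".join(lines) + "\n", len(records)


if __name__ == "__main__":
    # Constructed sample indicators; good.example appears in both lists.
    BLOCK = ["bad.example", "Also-Bad.example.", "good.example", "# comment"]
    ALLOW = ["good.example"]
    text, count = rpz_zone(BLOCK, ALLOW)
    print(text)
    print(f"{count} policy rules")
```

Running it on the sample lists yields six rules (two passthru, four NXDOMAIN) rather than eight, because the allow-listed name is not also blocked; with wildcard=False the count halves to three. Feeding a real indicator set through the same count is a cheap way to predict whether a zone is in the "hundreds or a few thousand" range or the millions range discussed above before loading it into a resolver.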