[DNSfirewalls] rpz firewall + whitelisting

Paul Vixie paul at redbarn.org
Tue Aug 27 17:17:30 UTC 2019

On Tuesday, 27 August 2019 16:14:24 UTC Vadim Pavlov wrote:
> Just in case.
> Do not forget that every single rule consumes memory. It is ok for hundreds
> or a few thousands indicators. E.g. with 2.5M RPZ rules bind consumes
> 1.2Gb-2Gb of RAM.

architecturally, BIND9 keeps both the zone data (which is unused other than 
when sending or receiving IXFR or AXFR) and the derivative (parallel) RPZ 
metadata in RAM (on the heap). it gets big fast.

FastRPZ keeps all of this in the file system (via mmap) and has reasonable if 
not optimal locality of reference, so, the resident working set ("in RAM at 
any given moment") can be quite a bit smaller than the native BIND9 RPZ.

repeating for the record... any commercial support customer of ISC (for BIND9) 
or NLnetLabs (for Unbound), as well as any passive DNS participant for 
Farsight (for SIE or SIE-Europe) can get licensed binary FastRPZ software for 
those servers. we didn't fully open-source it because after 18 years at ISC 
i've decided to stop delivering unsustainable value chains.


More information about the DNSfirewalls mailing list