views-based RPZ

Carlos Horowicz carlos at planisys.com
Sat Aug 24 12:37:43 UTC 2024 

Hi Greg,

thanks for your insights.

Ok so the limit of 64 response policy zones applies to one view.

I wonder, assuming the views are orthogonal (no overlapping of CIDRs, as 
in an ISP assigning CIDRs to local loops):

1. is there an algorithm in bind9 or out there that quickly maps a 
client IP address to a CIDR, e.g. a something like a binary tree 
quicksearch ? or balanced red-black tree ? top-down sequential 
processing sounds very inefficient.

2. if RPZ records are held in memory, why would an RPZ zone need to be 
stored n times if there are n orthogonal views ? That is, why the more 
views the more memory needed. Maybe you meant the qpcache, to store 
different answers, though I don't understand how that works.

Best regards

Carlos

On 24/08/2024 08:36, Greg Choules wrote:
> Hi Carlos.
> If you have enough RAM it should be possible to create multiple views, 
> each with a zone (primary or secondary, up to you) that contains the 
> RPZ data for that view and a response-policy that uses that zone.
>
> The limit on number of zones is per response-policy block. But if 
> you're using separate blocks inside each view, each r-p block 
> referring to only one zone, then that limit is not relevant.
>
> Bear in mind that views are processed top down, so if you have a lot 
> of them it can take a (relatively) long time to match clients to the 
> ones at the bottom. Also, by default, each view has its own cache, 
> hence the need for a lot of RAM.
>
> I would try it out on a lab server first.
>
> Hope that helps.
> Cheers, Greg
>
> On Fri, 23 Aug 2024 at 20:43, Carlos Horowicz via bind-users 
> <bind-users at lists.isc.org> wrote:
>
>     Hello List,
>
>     an ISP has brought a case where several customers do not agree
>     with our web interface portal that lets select different RPZ zones
>     to be activated for a set of resolvers that are common to all
>     customers. They even belong to different countries where some
>     domains are banned.
>
>     Given the case that I start treating provisioned CIDRs from
>     customers as a base for views, does bind9.18.* support a huge
>     number of views with different rpz zones activated per view ?
>
>     I recall having read in the documentation about a limitation of 64
>     rpz zones in total, is this a number that can be configured, or
>     even be set to "unlimited"  ?
>
>     Thanks in advance
>
>     Carlos Horowicz
>     Planisys
>
>     -- 
>     Visit https://lists.isc.org/mailman/listinfo/bind-users to
>     unsubscribe from this list
>
>     ISC funds the development of this software with paid support
>     subscriptions. Contact us at https://www.isc.org/contact/ for more
>     information.
>
>
>     bind-users mailing list
>     bind-users at lists.isc.org
>     https://lists.isc.org/mailman/listinfo/bind-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240824/7f38c24f/attachment.htm>

More information about the bind-users mailing list