<div dir="ltr">Agree!! <div><br></div><div>Right now I have around 270000 zones added in DNS, but that is with direct zones, NO RPZ. And my config is 4 vCPU 8Gb RAM; it's running well with around 700 users.<div><br></div><div>The only concern for me is I may need to re-write all my scripts to load those zones in RPZ format, hence wondering if RPZ can really help me in boosting performance of my server and by how much? </div><div><br></div><div>Because if you see with my current config I may be running 40% of the resources; with RPZ if I am achieving 30-35% then re-writing the complete stuff for that 5% does not entice me. If the difference is noticeable, let's say 20%, then probably I can start off with that.</div><div><br></div><div>Hence wanted to know from the community if they have ever tried such a thing before, and if so would really appreciate if they can share their observations.</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 29, 2018 at 2:16 AM, Grant Taylor via bind-users <span dir="ltr"><<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 03/28/2018 12:51 AM, Blason R wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Interesting I didn't know that. Let me dig in..can I have few examples please?<br>
</blockquote>
<br></span>
RPZ zones are effectively standard zones. The only difference is that the CNAME record is used to convey information to the RPZ engine (? is that an accurate description ?) that special action should be taken.<br>
<br>
I have messed with a project where I download newly registered domains daily and build an RPZ zone. The intention is that I can make it appear as if domains registered within the last 1 / 7 / 14 / 28 days do not exist on my personal DNS server. The records look like the following:<br>
<br>
<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> CNAME .<br>
*.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> CNAME .<br>
<a href="http://example.net" rel="noreferrer" target="_blank">example.net</a> CNAME .<br>
*.<a href="http://example.net" rel="noreferrer" target="_blank">example.net</a> CNAME .<br>
<a href="http://example.org" rel="noreferrer" target="_blank">example.org</a> CNAME .<br>
*.<a href="http://example.org" rel="noreferrer" target="_blank">example.org</a> CNAME .<br>
<br>
As you can see, this is really two records per domain. One for the domain w/o any subordinates, and one for the domain subordinates.<br>
<br>
I've been collecting newly registered domains for ~4 months and here's the number for each month thus far.<br>
<br>
2017-12: 2,110,518 (Started collecting December 3rd.)<br>
2018-01: 2,932,808<br>
2018-02: 3,040,718<br>
2018-03: 3,010,168 (Still missing a few days.)<br>
<br>
I did test all of December's records in a single RPZ zone file, and they worked okay. I only say okay because it took close to a minute for named to start up and my naive OS's start up script coughed up a fur ball after 30 seconds. named was quite happy if I gave it an additional 30 seconds.<br>
<br>
Note: This was running on a 1.6 GHz AMD Dual-Core E-350 APU w/ 8 GB of memory. More power efficient than a server. ¯\_(ツ)_/¯<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
<br>
-- <br>
Grant. . . .<br>
unix || die<br>
<br>
<br>
</div></div>
<br></blockquote></div><br></div>
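<div>Added example (not code from either poster): a small generator that turns a plain domain list into the RPZ zone file format Grant describes, two records per domain (apex and wildcard, both <code>CNAME .</code>), with a zone header so it loads as-is. The zone name <code>rpz.local</code>, the SOA values and the sample domain list are assumptions. The practitioner-relevant detail it enforces is that owner names stay relative (no trailing dot) so they land under the RPZ zone's $ORIGIN; an absolute <code>example.com.</code> would silently become a record outside the policy zone.</div>

```python
"""Build a BIND RPZ zone file from a plain list of domains.

Added example; not from the mailing-list thread. Assumes the RPZ zone is
named "rpz.local" and is referenced from named.conf via response-policy;
adjust ORIGIN and SOA values to your own setup.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Constructed sample input: the kind of list the thread talks about
# (newly registered domains), one name per line, with noise to filter out.
SAMPLE_DOMAIN_LIST = """\
example.com
EXAMPLE.NET
example.org.
# comment line
example.com
not a domain
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(raw: str) -> str | None:
    """Lowercase, strip a trailing dot, reject anything that is not a hostname."""
    name = raw.strip().lower().rstrip(".")
    if not name or name.startswith("#"):
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    if len(name) > 253:
        return None
    return name


def rpz_records(domain: str, action: str = ".") -> list[str]:
    """Two RPZ records per domain, as in the thread: the apex and a wildcard.

    Owner names are relative (no trailing dot) so they end up under the RPZ
    zone's $ORIGIN. 'CNAME .' is the NXDOMAIN action; 'CNAME *.' is NODATA.
    """
    return [f"{domain} CNAME {action}", f"*.{domain} CNAME {action}"]


def build_rpz_zone(domain_list: str, origin: str = "rpz.local",
                   serial: int | None = None) -> str:
    """Turn a raw domain list into a complete RPZ zone file as a string."""
    if serial is None:
        # YYYYMMDDHH serial: increases on every regeneration of the zone.
        serial = int(datetime.now(timezone.utc).strftime("%Y%m%d%H"))
    seen: set[str] = set()
    body: list[str] = []
    for line in domain_list.splitlines():
        domain = normalize_domain(line)
        if domain is None or domain in seen:  # drop junk and duplicates
            continue
        seen.add(domain)
        body.extend(rpz_records(domain))
    header = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 600 604800 60",
        "@ IN NS localhost.",
        "",
    ]
    return "\n".join(header + body) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(SAMPLE_DOMAIN_LIST, serial=2018032901))
```

<div>Write the output to the zone file named in your <code>response-policy { zone "rpz.local"; };</code> statement and reload; with millions of names, as in the December test above, expect the load time to scale accordingly, and give the init script a longer start-up timeout than its default.</div>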