Bind9 with multiple RPZ files and views causing overload on memory and CPU


I am running BIND 9.18.18-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:> on "22.04.3 LTS (Jammy Jellyfish)"

My use case is as follows. I need to implement a DNS firewall of sorts where different requesting clients hit different blocklists. To achieve this I'm using Response Policy Zones and Views. My setup is as follows.

My named.conf.options file (which is included in the main named.conf) contains the following

options {
    directory "/var/cache/bind";
    check-names master warn;
    response-policy {
        zone "rpz.porn.local";
        zone "rpz.malware.local";
        zone "rpz.drugs.local";
        // ... (further category zones not shown)
    };
    // ... (forwarders and other options not shown)
};

These are then referenced in the named.conf file as follows

include "/etc/bind/client_specific_blocklist.d/*.conf";

An example of a conf file inside that directory is:

view "10.9.0.1" {
    match-clients { 10.9.0.1; };
    recursion yes;

    zone "rpz.porn.local" {
        type master;
        file "/etc/bind/categories_rpz.d/rpz.porn.local";
        allow-query { 10.9.0.0/16; };
        //allow-transfer { localhost; };
    };

    zone "rpz.malware.local" {
        type master;
        file "/etc/bind/db.127";
        allow-query { 10.9.0.0/16; };
        //allow-transfer { localhost; };
    };

    zone "rpz.crypto.local" {
        type master;
        file "/etc/bind/db.127";
        allow-query { 10.9.0.0/16; };
        //allow-transfer { localhost; };
    };
    // ... (remaining category zones not shown)
};

The idea is that the client 10.9.0.1 should not be able to resolve any malware or porn domains, but they should be able to resolve the remaining categories. This is handled in the named.conf.default-zones

zone "rpz.porn.local" {
    type master;
    file "/etc/bind/db.127";
    allow-query { 10.9.0.0/16; };
    //allow-transfer {10.9.0.0/16; };
};

zone "rpz.piracy.local" {
    type master;
    file "/etc/bind/db.127";
    allow-query { 10.9.0.0/16; };
    //allow-transfer {10.9.0.0/16; };
};

My idea is: when I want to return the actual domain, I reference the db.127 file, which contains an RR only for localhost. That way, Bind9 uses recursion and forwards the queries to the upstream servers which I have set in the options. When I want to replace the response (i.e. block a domain), I reference the rpz file. This has been working, except that the number of clients is increasing and therefore the number of views has been increasing.

When I get up to 80 or so views, my system maxes out all 4 vCPUs and 8 GB of RAM. I want to know if this is a hard limitation of Bind9 and my resources, or a limitation of my knowledge, in which case I would like advice on how to best achieve DNS firewalling for selective client IPs. I know I can group several IPs into a single view and toss them into match-clients; however, even if I do that, I'm going to have around 100 views for my use case. Any help would be appreciated. From what I understand, each view is treated as a separate namespace and all the RPZ files are loaded into memory per view. I am a bind9 noob here, so I could definitely be wrong.

Thank you
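As an added example (not the poster's configuration or any BIND project code), the script below reads per-client view files of the shape shown above, treats a category as enforced for a client only when its zone points at the real RPZ file rather than the db.127 dummy, merges every client with the same enforced set into one view, and emits that view with its own response-policy statement (response-policy is accepted inside a view, so categories a view does not enforce need no dummy zone at all). The three sample view files, the file paths and RPZ_DIR are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample standing in for /etc/bind/client_specific_blocklist.d/*.conf
# (not the poster's real files). A category counts as enforced for a client only
# when its zone points at the real RPZ file instead of the dummy db.127.
SAMPLE_CONFS = {
    "10.9.0.1.conf": '''view "10.9.0.1" { match-clients { 10.9.0.1; }; recursion yes;
    zone "rpz.porn.local" { type master; file "/etc/bind/categories_rpz.d/rpz.porn.local"; };
    zone "rpz.malware.local" { type master; file "/etc/bind/db.127"; }; };''',
    "10.9.0.2.conf": '''view "10.9.0.2" { match-clients { 10.9.0.2; }; recursion yes;
    zone "rpz.porn.local" { type master; file "/etc/bind/categories_rpz.d/rpz.porn.local"; };
    zone "rpz.malware.local" { type master; file "/etc/bind/categories_rpz.d/rpz.malware.local"; }; };''',
    "10.9.0.3.conf": '''view "10.9.0.3" { match-clients { 10.9.0.3; }; recursion yes;
    zone "rpz.porn.local" { type master; file "/etc/bind/categories_rpz.d/rpz.porn.local"; };
    zone "rpz.malware.local" { type master; file "/etc/bind/db.127"; }; };''',
}
DUMMY_FILE = "/etc/bind/db.127"
RPZ_DIR = "/etc/bind/categories_rpz.d"  # assumed location of the real RPZ zone files
CLIENTS_RE = re.compile(r"match-clients\s*\{([^}]*)\}")
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{[^}]*?file\s+"([^"]+)"')

def enforced_policy(conf_text):
    """Return (clients, frozenset of RPZ zones actually enforced) for one view file."""
    clients = tuple(c.strip() for c in CLIENTS_RE.search(conf_text).group(1).split(";") if c.strip())
    zones = frozenset(z for z, f in ZONE_RE.findall(conf_text) if f != DUMMY_FILE)
    return clients, zones

def consolidate(confs):
    """Merge all clients that share an identical enforced category set into one group."""
    groups = defaultdict(list)
    for text in confs.values():
        clients, zones = enforced_policy(text)
        groups[zones].extend(clients)
    return dict(groups)

def render(groups):
    """Emit one view per distinct policy; unenforced categories simply do not appear."""
    out = []
    for i, (zones, clients) in enumerate(sorted(groups.items(), key=lambda kv: sorted(kv[0]))):
        out.append(f'view "policy{i}" {{')
        out.append("    match-clients { " + " ".join(c + ";" for c in clients) + " };")
        out.append("    recursion yes;")
        if zones:  # response-policy is set per view, only listing what this view enforces
            out.append("    response-policy { " + " ".join(f'zone "{z}";' for z in sorted(zones)) + " };")
        for z in sorted(zones):
            out.append(f'    zone "{z}" {{ type master; file "{RPZ_DIR}/{z}"; }};')
        out.append("};")
    return "\n".join(out)
```

Running `render(consolidate(SAMPLE_CONFS))` turns the three per-client files into two views, and the number of views grows with the number of distinct category combinations rather than with the number of clients.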
