Skip to content

BIND RPZ vs unbound dns firewall

Jump to bottom
Chris Buijs edited this page Dec 12, 2017 · 8 revisions

This is not a bake-off, just trying to sketch a versus based on usability and requirements.

unbound-dns-firewall:

  • Used Unbound, one of the best DNS engines out there.
  • Fast, small memory footprint, did I say fast?
  • Lists simpler to maintain
  • Load-times blazing fast, even if lists contain huge amounts of entries
  • Better, more understandable logging
  • Easier to modify (python script/module)
  • Use regexp if needed (can complicate)
  • Lot of public lists on github/etc usable

BIND RPZ:

  • RPZ Zones can be transfered using standard DNS AXFR/IXFR
  • Not the fastest DNS engine in the world
  • RPZ Zone syntax and configuration quite complex
  • Logging cumbersome.
  • RPZ adds to load-times.
  • IP CIDR/Ranges supported
  • No regexp
  • No extra tools/scripts/etc needed (could be a con as well)
  • No real public lists availble in RPZ (most of them paid/subscribe)

Clone this wiki locally