[RPZ] Whitelist rather than Blacklist

Brad Tilley brad at 16s.us
Sat Mar 2 02:31:56 UTC 2013


I have BIND 9.8.4 set up with a very basic RPZ zone configured to block access to certain domains. With this configuration, my purpose is to prevent clients from talking to certain domains. It's the old "enumerating badness" approach to security. So I was wondering if RPZ could be used as a whitelist rather than a blacklist. For example, rather than defining the "bad domains" that I don't want clients talking to, can I instead define "good domains" and only allow clients to talk to those? I know it seems backwards. All the examples I find about RPZ show the "block these bad domains" approach, and perhaps RPZ is not intended for the "allow these good domains" approach, but I wanted to ask here. Is RPZ suitable for this?
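Sketch of the allow-list configuration the question asks about. This is an added example, not part of the original post and not ISC's own documentation. The mechanism is standard RPZ: a wildcard policy record at the apex of the policy zone matches every query name and rewrites it to NXDOMAIN (the "CNAME ." action), while the domains to be allowed get more specific "CNAME rpz-passthru." records, which BIND prefers because the longest matching trigger wins. The policy zone name (rpz.whitelist), the file path and the two allowed domains (example.com, example.net) are assumptions chosen for the example.

```bind
// ---- named.conf fragment (merge into your existing options block) ----
options {
    recursion yes;
    // Attach the policy zone to this recursive resolver.
    response-policy { zone "rpz.whitelist"; };
};

zone "rpz.whitelist" {
    type master;
    file "/etc/bind/db.rpz.whitelist";   // assumed path
    allow-query { none; };               // never serve the policy zone to clients
    allow-transfer { none; };
};

// ---- /etc/bind/db.rpz.whitelist (policy zone file) ----
// $TTL 1H
// @   IN SOA localhost. hostmaster.localhost. ( 2013030201 1H 15M 1W 1H )
//     IN NS  localhost.
//
// ; Default rule: any query name with no more specific entry below is
// ; rewritten to NXDOMAIN. In an RPZ zone "CNAME ." means NXDOMAIN.
// *               CNAME .
//
// ; Allow-list. Each domain needs two records: the bare domain and a
// ; wildcard for every name beneath it. "CNAME rpz-passthru." tells BIND
// ; to apply no policy and let normal resolution proceed. Because the
// ; bare-domain record exists as a node in the zone, the apex "*" above
// ; no longer covers names under it, so the per-domain wildcard is
// ; required, not optional.
// example.com     CNAME rpz-passthru.
// *.example.com   CNAME rpz-passthru.
// example.net     CNAME rpz-passthru.
// *.example.net   CNAME rpz-passthru.
```

Check the zone file with named-checkzone before loading it (`named-checkzone rpz.whitelist /etc/bind/db.rpz.whitelist`), then query the resolver: a name under example.com should resolve normally, any other name should come back NXDOMAIN, and each rewrite is logged if the rpz logging category is enabled. Two caveats a practitioner should expect. First, RPZ QNAME triggers are applied to every name in a CNAME chain, not just the name the client asked for, so an allowed site whose www record is a CNAME into a CDN or hosting provider is still blocked until that target domain is also listed. Second, the lookups the resolver itself performs while recursing (NS and glue records) are not subject to QNAME policy, so allowed domains still resolve even though their name servers live in unlisted zones.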



More information about the DNSfirewalls mailing list