[RPZ] Whitelist rather than Blacklist

Paul Vixie paul at redbarn.org
Sat Mar 2 05:27:40 UTC 2013



Brad Tilley wrote:
> I have BIND 9.8.4 set up with a very basic RPZ zone configured to block access to certain domains. With this configuration, my purpose is to prevent clients from talking to certain domains. It's the old "enumerating badness" approach to security. So I was wondering if RPZ could be used as a whitelist rather than a blacklist. For example, rather than defining the "bad domains" that I don't want clients talking to, can I instead define "good domains" and only allow clients to talk to those? I know it seems backwards. All the examples I find about RPZ show the "block these bad domains" approach and perhaps RPZ is not intended for the "allow these good domains" approach, but I wanted to ask here. Is RPZ suitable for this?

bizarrely, yes. since the configured response policy zones are processed
in order, you could put your whitelist in the first rpz you subscribe
to, and put a "block everything" rule in the second rpz you subscribe to.

i say "bizarrely" because the idea of being able to whitelist the good
domains, when there are hundreds of millions of domains, is something i
would never have thought of.

paul
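The two-zone arrangement Paul describes, written out as an added example (not configuration from the original thread): a named.conf fragment listing the whitelist zone before the block-all zone, plus the two zone files. Zone names, file names and the "good" domains are made up for illustration. It uses the `rpz-passthru.` CNAME target for PASSTHRU; BIND 9.8 expressed PASSTHRU as a CNAME pointing at the owner name itself, so on that version substitute that older form.

```dns
;;; named.conf (fragment) -- order inside response-policy is what matters:
;;; the first zone that matches a query name wins, so PASSTHRU rules in
;;; "whitelist.rpz" are honoured before "blockall.rpz" is ever consulted.
;
; options {
;     response-policy {
;         zone "whitelist.rpz";   // consulted first: names clients may resolve
;         zone "blockall.rpz";    // consulted second: NXDOMAIN for everything else
;     };
; };
;
; zone "whitelist.rpz" { type master; file "whitelist.rpz.db"; allow-query { none; }; };
; zone "blockall.rpz"  { type master; file "blockall.rpz.db";  allow-query { none; }; };

;;; whitelist.rpz.db -- owner names are relative to the RPZ apex, so
;;; "example.com" here is the trigger for queries to example.com.
$TTL 300
@                   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
                    IN NS   localhost.
; allowed domains (illustrative); the wildcard covers every subdomain
example.com         IN CNAME rpz-passthru.
*.example.com       IN CNAME rpz-passthru.
; keep infrastructure lookups working or the block-all zone eats them too
*.in-addr.arpa      IN CNAME rpz-passthru.
*.ip6.arpa          IN CNAME rpz-passthru.
corp.internal       IN CNAME rpz-passthru.
*.corp.internal     IN CNAME rpz-passthru.

;;; blockall.rpz.db -- a bare wildcard matches any query name with at least
;;; one label, and "CNAME ." is the RPZ NXDOMAIN action.
$TTL 300
@                   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
                    IN NS   localhost.
*                   IN CNAME .
```

Two things to check before relying on this: every name clients legitimately need (reverse zones, the internal domain, update and NTP hosts) must have a passthru entry, since anything unlisted becomes NXDOMAIN; and by default BIND applies QNAME policy after recursion, so the resolver itself still sends the upstream query for a blocked name even though the client only sees NXDOMAIN (newer BIND versions expose this as the `qname-wait-recurse` option).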



More information about the DNSfirewalls mailing list