[RPZ] Whitelist rather than Blacklist

Brad Tilley brad at 16s.us
Sat Mar 2 14:58:25 UTC 2013

On Fri, Mar 01, 2013 at 09:27:40PM -0800, Paul Vixie wrote:
> Brad Tilley wrote:
> > I have BIND 9.8.4 setup with a very basic RPZ zone configured to block access to certain domains. With this configuration, my purpose is to prevent clients from talking to certain domains. It's the old "enumerating badness" approach to security. So I was wondering if RPZ could be used as a whitelist rather than a blacklist. For example, rather than defining the "bad domains" that I don't want clients talking to, can I instead define "good domains" and only allow clients to talk to those? I know it seems backwards. All the examples I find about RPZ show the "block these bad domains" approach and perhaps RPZ is not intended for the "allow these good domains" approach, but I wanted to ask here. Is RPZ suitable for this?
> bizarrely, yes. since the configured response policy zones are processed
> in order, you could put your whitelist in the first rpz you subscribe
> to, and put a "block everything" rule in the second rpz you subscribe to.
> i say "bizarrely" because the idea of being able to whitelist the good
> domains, when there are hundreds of millions of domains, is something i
> would never have thought of.
> paul

Thank you Mr. Vixie,
I took your advice and it works exactly as you described. I have a use case where client machines will only be interacting with a few hundred domains and I wanted to try the white list approach rather than the black list approach. So far it seems to work as expected and if it works out in further testing, it will require less management than a black list.  
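A concrete BIND layout of the two-zone arrangement Paul describes above, added here as an illustration and not taken from the thread: the first policy zone passes the permitted domains through, the second rewrites everything else to NXDOMAIN. Zone names, file names and example.com/example.net are placeholders; the `rpz-passthru.` target is the passthru form documented in later BIND releases, and older 9.8 builds express passthru as a CNAME to the queried name itself.

```conf
# --- named.conf (options block) ---
options {
    recursion yes;
    # Policy zones are consulted in the order listed: a name found in
    # rpz.allow is answered normally (passthru) and never reaches
    # rpz.blockall, which rewrites every remaining name to NXDOMAIN.
    response-policy {
        zone "rpz.allow";
        zone "rpz.blockall";
    };
};

# The policy zones are ordinary master zones loaded from files;
# allow-query { none; } keeps clients from reading the lists directly.
zone "rpz.allow"    { type master; file "rpz.allow.db";    allow-query { none; }; };
zone "rpz.blockall" { type master; file "rpz.blockall.db"; allow-query { none; }; };

; --- rpz.allow.db : the whitelist (placeholder domains) ---
$TTL 300
@              SOA   localhost. root.localhost. ( 1 3600 900 604800 300 )
               NS    localhost.
; One pair per permitted domain: the apex name plus a wildcard
; so that hosts beneath it (www, mail, ...) are also passed through.
example.com    CNAME rpz-passthru.
*.example.com  CNAME rpz-passthru.
example.net    CNAME rpz-passthru.
*.example.net  CNAME rpz-passthru.

; --- rpz.blockall.db : the catch-all ---
$TTL 300
@   SOA   localhost. root.localhost. ( 1 3600 900 604800 300 )
    NS    localhost.
; A wildcard at the zone apex matches every query name that was not
; already answered by rpz.allow; a CNAME to "." means NXDOMAIN.
*   CNAME .
```

Verify with `dig @<resolver>` for one listed and one unlisted name (the latter should return NXDOMAIN) and watch the `rpz` log category for the rewrite messages. BIND also applies QNAME policy to CNAME targets met while resolving, so a whitelisted site that aliases to a CDN hostname needs that target listed as well.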

