[RPZ] Whitelist rather than Blacklist
Alan Doherty
dnsrpz at alandoherty.net
Tue Mar 5 12:36:39 UTC 2013
At 06:21 04/03/2013 Monday, Andrew Fried wrote:
>An awful lot of malware use domains in the alexa list. I'd be pretty
>hesitant about arbitrarily whitelisting based on a "most popular" or most used.
>
>Andy
I suppose I have to agree that whitelisting good should (with help) be a lot less effort than blacklisting bad (as the % of new bad per day/week/year far outstrips new good, though the longevity of both varies wildly).
But I'd just suggest people don't overlook that in most uses DNS is used for more than the web, so top X sites, or all business partners and whitelisted websites, will often cause failures in mail, and sometimes in web function, when a whitelisted domain changes mail provider so its MXs now point to hosts in non-whitelisted domains, or its website uses CNAMEs or CDNs that are within non-whitelisted space.
I'm not saying it's not worth trying; I'm saying you gotta log and monitor for these cases so when/if the change happens you can investigate and respond before the complaints roll in.
If only for whitelist-only web filtering, a whitelist-only proxy can be much easier to control (fewer entries and more detailed), as you don't need to know about the chain of CNAMEs between www.example.com and its actual IP,
and you can allow www.google.com/path-to-plugin-js-that-partner-site-insists-on-not-rendering-without/ without having to allow users access to www.google.com.
But each to their own; RPZ is nonetheless a seriously powerful tool to add to the myriad available, and I would welcome seeing a public list/board/wiki sharing point for sharing info on same, such as
Fictional example: if you want to add Facebook you must add facebook.com + facebookscdn.net + facebookmail.org.
Or is such a forum already out there?
If only I had the time ;)
whitelisters.whatever, with categories for mail, web and other, and open commentary on reputation and 3rd-party domains/URLs/hosts necessary for function.
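The "log and monitor for these cases" check described in the message, as an added example that is not from the post or the DNSfirewalls list: a Python script that walks each whitelisted domain's MX targets and CNAME chain, reports the dependencies that fall outside the whitelist, and emits the BIND RPZ passthru records they would need. It runs against a constructed in-memory record set (cdn-provider.net and mailhost.org are placeholder names); the `lookup` function is the assumed hook to replace with a real resolver.

```python
# Constructed sample records (cdn-provider.net, mailhost.org are placeholders).
RECORDS = {
    "www.example.com.": [("CNAME", "www.example.com.cdn-provider.net.")],
    "www.example.com.cdn-provider.net.": [("A", "203.0.113.10")],
    "example.com.": [("MX", "mx1.mailhost.org."), ("MX", "mx2.example.com.")],
    "mx1.mailhost.org.": [("A", "198.51.100.5")],
    "partner.example.": [("MX", "mail.partner.example.")],
    "loop.example.com.": [("CNAME", "loop.example.com.")],  # deliberate loop
}

def lookup(name, rrtype):
    """Assumed resolver hook: targets of rrtype at name (swap in a real resolver)."""
    return [t for rt, t in RECORDS.get(name.lower(), []) if rt == rrtype]

def in_whitelist(name, whitelist):
    """True if name is a whitelisted zone or lies beneath one."""
    name = name.lower().rstrip(".")
    return any(name == w or name.endswith("." + w) for w in whitelist)

def follow_cnames(name, max_hops=8):
    """CNAME hops from name to the final owner; refuses loops/overlong chains."""
    chain, seen = [], {name}
    while True:
        targets = lookup(name, "CNAME")
        if not targets:
            return chain
        name = targets[0]
        if name in seen or len(chain) >= max_hops:
            raise ValueError("CNAME loop or chain too long at " + name)
        seen.add(name)
        chain.append(name)

def find_external_deps(whitelist):
    """(kind, owner, target) for each MX/CNAME target outside the whitelist:
    the names an RPZ whitelist must also pass through and re-check over time."""
    findings = []
    for zone in whitelist:
        for mx in lookup(zone + ".", "MX"):
            if not in_whitelist(mx, whitelist):
                findings.append(("MX", zone, mx.rstrip(".")))
        for host in (zone + ".", "www." + zone + "."):
            for hop in follow_cnames(host):
                if not in_whitelist(hop, whitelist):
                    findings.append(("CNAME", host.rstrip("."), hop.rstrip(".")))
    return findings

def rpz_passthru_lines(findings):
    """RPZ zone records (BIND rpz-passthru action) allowing those targets."""
    return sorted({"%s  CNAME rpz-passthru." % t for _, _, t in findings})
```

Run it on a schedule and diff the output: a new entry means a whitelisted domain moved its mail or CDN and needs a passthru record before users notice.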