[RPZ] Whitelist rather than Blacklist
brad at 16s.us
Tue Mar 5 19:29:06 UTC 2013
On Fri, Mar 01, 2013 at 09:27:40PM -0800, Paul Vixie wrote:
> Brad Tilley wrote:
> > I have BIND 9.8.4 setup with a very basic RPZ zone configured to block access to certain domains. With this configuration, my purpose is to prevent clients from talking to certain domains. It's the old "enumerating badness" approach to security. So I was wondering if RPZ could be used as a whitelist rather than a blacklist. For example, rather than defining the "bad domains" that I don't want clients talking to, can I instead define "good domains" and only allow clients to talk to those? I know it seems backwards. All the examples I find about RPZ show the "block these bad domains" approach and perhaps RPZ is not intended for the "allow these good domains" approach, but I wanted to ask here. Is RPZ suitable for this?
> bizarrely, yes. since the configured response policy zones are processed
> in order, you could put your whitelist in the first rpz you subscribe
> to, and put a "block everything" rule in the second rpz you subscribe to.
> i say "bizarrely" because the idea of being able to whitelist the good
> domains, when there are hundreds of millions of domains, is something i
> would never have thought of.
I have one last question with regard to RPZ and white listing... I have to add these lines to my white list zone to allow clients to visit and effectively use Bank of America's online banking website:
www.bankofamerica.com IN CNAME www.bankofamerica.com.
www0.bankofamerica.com IN CNAME www0.bankofamerica.com.
www1.bankofamerica.com IN CNAME www1.bankofamerica.com.
www2.bankofamerica.com IN CNAME www2.bankofamerica.com.
www3.bankofamerica.com IN CNAME www3.bankofamerica.com.
www4.bankofamerica.com IN CNAME www4.bankofamerica.com.
www5.bankofamerica.com IN CNAME www5.bankofamerica.com.
www6.bankofamerica.com IN CNAME www6.bankofamerica.com.
www7.bankofamerica.com IN CNAME www7.bankofamerica.com.
www8.bankofamerica.com IN CNAME www8.bankofamerica.com.
www9.bankofamerica.com IN CNAME www9.bankofamerica.com.
corp.bankofamerica.com IN CNAME corp.bankofamerica.com.
about.bankofamerica.com IN CNAME about.bankofamerica.com.
Would it be possible, instead, to add lines to the white list zone such as this:
bankofamerica.com IN CNAME bankofamerica.com.
*.bankofamerica.com IN CNAME *.bankofamerica.com.
I don't think this would be possible when white listing, but I wanted to ask anyway. Black listing works similarly to that (just two lines to black list an entire domain) but I believe that's because it's simple to rewrite all as NXDOMAIN while it would be more difficult to figure out the inverse of that.
I'll also note that for many simple websites, something such as this in the white list zone is sufficient (at least per my testing):
some-simple-site.us IN CNAME some-simple-site.us.
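The "whitelist zone first, block-everything zone second" arrangement from the thread, worked through as a small policy evaluator. This is an added example, not code from the thread and not part of BIND; it models only QNAME triggers with the conventional RPZ encodings (CNAME to "." is NXDOMAIN, CNAME to the owner name is passthru), assumes zones are consulted in configuration order with the first match deciding and an exact owner name beating a wildcard inside one zone, and the zone contents below are constructed. It shows why an enumerated list silently blocks any hostname you forgot to add, while the apex-plus-wildcard pair covers the whole domain; whether a particular BIND release accepts the wildcard-to-wildcard CNAME as a passthru rule is exactly the question the post asks and is not settled by this model.

```python
"""Toy model of RPZ ordered-zone evaluation (added example, not BIND code)."""


def parse_zone(text: str) -> dict:
    """Parse 'owner IN CNAME target' lines into {owner: target}.

    Owner names are lowercased and stripped of a trailing dot so that
    '*.bankofamerica.com' and '*' can be looked up directly.
    """
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1].upper() != "IN" or parts[2].upper() != "CNAME":
            continue  # blank lines, comments, non-CNAME records are ignored here
        owner, target = parts[0], parts[3]
        rules[owner.lower().rstrip(".")] = target
    return rules


def action_for(owner: str, target: str) -> str:
    """Map a matched rule's CNAME target to the RPZ action it encodes."""
    t = target.lower()
    if t == ".":
        return "NXDOMAIN"          # the "block everything" encoding
    if t == "*.":
        return "NODATA"
    if t.rstrip(".") == owner:
        return "PASSTHRU"          # rule matched, but let resolution proceed
    return "CNAME " + target       # rewrite to some other name (walled garden)


def match_in_zone(rules: dict, qname: str):
    """Return (owner, target) of the rule matching qname, or None.

    Exact owner names win; otherwise '*.suffix' matches names strictly
    below suffix (never suffix itself); a bare '*' matches every name.
    """
    q = qname.lower().rstrip(".")
    if q in rules:
        return q, rules[q]
    labels = q.split(".")
    for i in range(1, len(labels)):
        wc = "*." + ".".join(labels[i:])
        if wc in rules:
            return wc, rules[wc]
    if "*" in rules:
        return "*", rules["*"]
    return None


def resolve_policy(zones: list, qname: str) -> str:
    """Consult zones in configured order; the first zone with a hit decides."""
    for rules in zones:
        hit = match_in_zone(rules, qname)
        if hit:
            return action_for(*hit)
    return "NORMAL"                # no policy applied; ordinary resolution


# Constructed zone contents for the demonstration.
WHITELIST_ENUMERATED = parse_zone("""
www.bankofamerica.com IN CNAME www.bankofamerica.com.
www3.bankofamerica.com IN CNAME www3.bankofamerica.com.
some-simple-site.us IN CNAME some-simple-site.us.
""")

WHITELIST_WILDCARD = parse_zone("""
bankofamerica.com IN CNAME bankofamerica.com.
*.bankofamerica.com IN CNAME *.bankofamerica.com.
some-simple-site.us IN CNAME some-simple-site.us.
""")

BLOCK_ALL = parse_zone("""
* IN CNAME .
""")


def policy_enumerated(qname: str) -> str:
    """Whitelist of individually listed hostnames, then block-all."""
    return resolve_policy([WHITELIST_ENUMERATED, BLOCK_ALL], qname)


def policy_wildcard(qname: str) -> str:
    """Apex-plus-wildcard whitelist, then block-all."""
    return resolve_policy([WHITELIST_WILDCARD, BLOCK_ALL], qname)


if __name__ == "__main__":
    for name in ("www3.bankofamerica.com", "www4.bankofamerica.com",
                 "bankofamerica.com", "evil.example"):
        print(f"{name:28} enumerated={policy_enumerated(name):9} "
              f"wildcard={policy_wildcard(name)}")
```

Note the separate apex line: a DNS wildcard such as *.bankofamerica.com never matches bankofamerica.com itself, so both records are needed, just as in the two-line form proposed above. The block-all rule is a bare "*" owner in the second zone, so anything the first zone does not mention ends up NXDOMAIN; ordering the zones the other way round would block everything.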