[RPZ] Whitelist rather than Blacklist

Brad Tilley brad at 16s.us
Tue Mar 5 19:29:06 UTC 2013

On Fri, Mar 01, 2013 at 09:27:40PM -0800, Paul Vixie wrote:
> Brad Tilley wrote:
> > I have BIND 9.8.4 setup with a very basic RPZ zone configured to block access to certain domains. With this configuration, my purpose is to prevent clients from talking to certain domains. It's the old "enumerating badness" approach to security. So I was wondering if RPZ could be used as a whitelist rather than a blacklist. For example, rather than defining the "bad domains" that I don't want clients talking to, can I instead define "good domains" and only allow clients to talk to those? I know it seems backwards. All the examples I find about RPZ show the "block these bad domains" approach and perhaps RPZ is not intended for the "allow these good domains" approach, but I wanted to ask here. Is RPZ suitable for this?
> bizarrely, yes. since the configured response policy zones are processed
> in order, you could put your whitelist in the first rpz you subscribe
> to, and put a "block everything" rule in the second rpz you subscribe to.
> i say "bizarrely" because the idea of being able to whitelist the good
> domains, when there are hundreds of millions of domains, is something i
> would never have thought of.
> paul

I have one last question with regard to RPZ and white listing... I have to add these lines to my white list zone to allow clients to visit and effectively use Bank of America's online banking website:

www.bankofamerica.com       IN CNAME   www.bankofamerica.com.
www0.bankofamerica.com      IN CNAME   www0.bankofamerica.com.
www1.bankofamerica.com      IN CNAME   www1.bankofamerica.com.
www2.bankofamerica.com      IN CNAME   www2.bankofamerica.com.
www3.bankofamerica.com      IN CNAME   www3.bankofamerica.com.
www4.bankofamerica.com      IN CNAME   www4.bankofamerica.com.
www5.bankofamerica.com      IN CNAME   www5.bankofamerica.com.
www6.bankofamerica.com      IN CNAME   www6.bankofamerica.com.
www7.bankofamerica.com      IN CNAME   www7.bankofamerica.com.
www8.bankofamerica.com      IN CNAME   www8.bankofamerica.com.
www9.bankofamerica.com      IN CNAME   www9.bankofamerica.com.
corp.bankofamerica.com      IN CNAME   corp.bankofamerica.com.
about.bankofamerica.com     IN CNAME   about.bankofamerica.com.

Would it be possible, instead, to add lines to the white list zone such as this:

bankofamerica.com       IN CNAME   bankofamerica.com.
*.bankofamerica.com     IN CNAME   *.bankofamerica.com.

I don't think this would be possible when white listing, but I wanted to ask anyway. Black listing works similarly to that (just two lines to black list an entire domain) but I believe that's because it's simple to rewrite all as NXDOMAIN while it would be more difficult to figure out the inverse of that.

I'll also note that for many simple websites, something such as this in the white list zone is sufficient (at least per my testing):

some-simple-site.us    IN    CNAME    some-simple-site.us.

Thank you,
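
An added example (not from the thread) of the two-zone layout Paul describes: a first RPZ holding the whitelist and a second RPZ that turns everything else into NXDOMAIN, with the wildcard form from the question. It assumes a BIND release whose RPZ accepts the rpz-passthru. target (check the ARM for your version; the CNAME-to-self records above are the older way to express passthru), and the zone names allow.rpz and deny.rpz are placeholders.

```bind
// named.conf fragment (added example, not the original poster's config).
// Response policy zones are consulted in the order listed, so the
// whitelist zone is checked before the block-all zone.
options {
    response-policy {
        zone "allow.rpz";   // placeholder name: passthru rules
        zone "deny.rpz";    // placeholder name: catch-all NXDOMAIN
    };
};
zone "allow.rpz" { type master; file "allow.rpz.db"; };
zone "deny.rpz"  { type master; file "deny.rpz.db"; };

; allow.rpz.db -- first RPZ: names that must resolve normally.
; Relative owner names get the zone origin (allow.rpz) appended, which is
; how RPZ wants its trigger names written.
$TTL 300
@                        SOA localhost. root.localhost. ( 1 3600 900 604800 300 )
@                        NS  localhost.
; exact name plus wildcard: one pair covers the domain and every subdomain
bankofamerica.com        CNAME rpz-passthru.
*.bankofamerica.com      CNAME rpz-passthru.
some-simple-site.us      CNAME rpz-passthru.
*.some-simple-site.us    CNAME rpz-passthru.

; deny.rpz.db -- second RPZ: any name not matched above gets NXDOMAIN.
$TTL 300
@                        SOA localhost. root.localhost. ( 1 3600 900 604800 300 )
@                        NS  localhost.
*                        CNAME .
```

Validate each file with named-checkzone (for example `named-checkzone allow.rpz allow.rpz.db`) and the configuration with named-checkconf, then confirm with dig against the resolver that a whitelisted name resolves and an unlisted one returns NXDOMAIN before putting the block-all zone in front of real clients.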

