[RPZ] Whitelist rather than Blacklist

Vernon Schryver vjs at rhyolite.com
Tue Mar 5 20:04:01 UTC 2013

> From: Brad Tilley <brad at 16s.us>

> www.bankofamerica.com       IN CNAME   www.bankofamerica.com.
> www0.bankofamerica.com      IN CNAME   www0.bankofamerica.com.
> www1.bankofamerica.com      IN CNAME   www1.bankofamerica.com.
> www2.bankofamerica.com      IN CNAME   www2.bankofamerica.com.
> www3.bankofamerica.com      IN CNAME   www3.bankofamerica.com.
> www4.bankofamerica.com      IN CNAME   www4.bankofamerica.com.
> www5.bankofamerica.com      IN CNAME   www5.bankofamerica.com.
> www6.bankofamerica.com      IN CNAME   www6.bankofamerica.com.
> www7.bankofamerica.com      IN CNAME   www7.bankofamerica.com.
> www8.bankofamerica.com      IN CNAME   www8.bankofamerica.com.
> www9.bankofamerica.com      IN CNAME   www9.bankofamerica.com.
> corp.bankofamerica.com      IN CNAME   corp.bankofamerica.com.
> about.bankofamerica.com     IN CNAME   about.bankofamerica.com.
> Would it be possible, instead, to add lines to the white list zone such as this:
> bankofamerica.com       IN CNAME   bankofamerica.com.
> *.bankofamerica.com     IN CNAME   *.bankofamerica.com.
> I don't think this would be possible when white listing, but I
> wanted to ask anyway. 

I doubt I understand the question, because the second pair of recores
does cover the first group of records.  The triggered record or
policy is chosen according to these ordered rules:

    Choose the triggered record in the zone that appears first in
       the response-policy option.
    Prefer QNAME to IP to NSDNAME to NSIP triggers in a single zone.
    Among NSDNAME triggers, prefer the trigger that matches the
       smallest name under the DNSSEC ordering.
    Among IP or NSIP triggers, prefer the trigger with the longest prefix.
    Among triggers with the same prefex length, prefer the IP or
        NSIP trigger that matches the smallest IP address.

The policy for the triggered record is examined only after it has been
chosen.  Whether it is PASSTHRU or anything other than DISABLED, the
search for the right policy record stops with the first triggered

> I'll also note that for many simple websites, something such as this
 >in the white list zone is sufficient (at least per my testing):
> some-simple-site.us    IN    CNAME    some-simple-site.us.

That is the obsolete expression of a PASSTHRU policy.

Are you mixing whitelist records and blacklist records in the
same response policy zone?  Instead of that, I would use two zones.
The first would have a declared, override policy of PASSTHRU in
the response-policy{} statement and would contain the white-listed zones.

The second policy zone would contain few policy records to cover
everything, such as rpz-ip records covering all of IPv4 and IPv6.

Vernon Schryver    vjs at rhyolite.com

More information about the DNSfirewalls mailing list