[RPZ] Whitelist rather than Blacklist

Andrew Fried afried at isc.org
Sat Mar 9 00:41:47 UTC 2013


Well, dynamic RPZ lists are designed to block badness in a timely
manner.  There are companies that are able to aggregate threat data in
real time and push out RPZ lists very quickly.  I'd strongly suggest
that anyone looking to implement RPZ should start off with a commercial
feed from Spamhaus and/or SURBL, then add their own listings or
additional feeds on top of those.   Both of those lists are constantly
updated in near real time. 

The kind of data that goes into an rpz could vary based on an end user's
need, but generally you'd want malware sites, phishing sites, cracked
sites and known criminal spam sites blocked.  Policy type lists would
add specialized type data such as porn, gambling, pharma, replica watch
sales and the like.

Whitelisting has its place for specialized circumstances, but I
personally would suggest against doing that unless absolutely
necessary.  And keep in mind that the order of the rpz zone files can
affect what gets acted upon.

Andy





On 3/8/13 5:42 PM, Tom Byrnes wrote:
> It was a (very raw) example. Wide open on what the criteria should be.
>
> Current use case that we provide is making Marcus Ranum's dictum easy across multiple, and multiple types, of firewalls. IE: Statically configured by the user.
>
> What should be the use case for a dynamic version (we've had very limited request for it, except for Pingdom, which we provide)?
>
>
>
>> -----Original Message-----
>> From: dnsrpz-interest-bounces+tomb=threatstop.com at lists.isc.org
>> [mailto:dnsrpz-interest-bounces+tomb=threatstop.com at lists.isc.org] On
>> Behalf Of Andrew Fried
>> Sent: Sunday, March 03, 2013 10:22 PM
>> To: dnsrpz-interest at lists.isc.org
>> Subject: Re: [RPZ] Whitelist rather than Blacklist
>>
>> An awful lot of malware use domains in the Alexa list.  I'd be pretty
>> hesitant arbitrarily whitelisting based on a "most popular" or most used.
>>
>> Andy
>>
>> On 3/3/13 9:56 PM, Tom Byrnes wrote:
>>> If there is interest in a dynamic version of this, say the Alexa 1000 as a
>>> whitelist and deny all else, we can gen it @ ThreatSTOP.
>>> We already enable this in our IP product (we call it "IP Closed User Group").
>>>
>>> _______________________________________________
>>> dnsrpz-interest mailing list
>>> dnsrpz-interest at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/dnsrpz-interest
>> --
>> Andrew Fried
>> Internet Systems Consortium, Inc.
>> afried at isc.org
>> +1.650.423.1343
>>

-- 
Andrew Fried
Internet Systems Consortium, Inc.
afried at isc.org
+1.650.423.1343
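
Added example, not part of the original message: a small Python model of how the order of policy zones decides which record acts on a query, the point made above about whitelisting. It covers QNAME triggers only and assumes first-matching-zone precedence as in BIND's response-policy statement; the zone names and domains are constructed.

```python
# Simplified model of QNAME-trigger evaluation across ordered RPZ zones.
# Zone names and domains below are constructed for illustration.

PASSTHRU = "rpz-passthru."   # CNAME target: exempt the name, answer normally
NXDOMAIN = "."               # CNAME target: rewrite the answer to NXDOMAIN

def match_in_zone(records, qname):
    """Return the action one zone holds for qname, or None.
    An exact owner name beats a wildcard; the longest wildcard wins."""
    qname = qname.lower().rstrip(".")
    if qname in records:
        return records[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in records:
            return records[wildcard]
    return None

def evaluate(zones, qname):
    """zones is an ordered list of (zone_name, records), in the order the
    resolver lists them. The first zone with a matching trigger decides."""
    for zone_name, records in zones:
        action = match_in_zone(records, qname)
        if action is not None:
            return zone_name, action
    return None, None   # no policy hit: normal resolution

# Local whitelist entry for one host under a domain the feed blocks outright.
local_allow = {"cdn.partner.example": PASSTHRU}
feed_block = {
    "partner.example": NXDOMAIN,
    "*.partner.example": NXDOMAIN,
    "bad.example": NXDOMAIN,
}

ALLOW_FIRST = [("allow.local", local_allow), ("feed.example", feed_block)]
BLOCK_FIRST = [("feed.example", feed_block), ("allow.local", local_allow)]

if __name__ == "__main__":
    for label, zones in (("allow first", ALLOW_FIRST), ("block first", BLOCK_FIRST)):
        for name in ("cdn.partner.example", "www.partner.example", "ok.example"):
            print(label, name, evaluate(zones, name))
```

With the whitelist zone listed second, its passthru record is never reached, so the exemption silently has no effect.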



