From francis at threatstop.com Tue Jun 5 15:47:25 2018
From: francis at threatstop.com (Francis Turner)
Date: Tue, 5 Jun 2018 15:47:25 +0000
Subject: [DNSfirewalls] Precedence order of PASSTHRU in RPZ
Message-ID: <479F9FCA7AB0AC4C81A9B2CB4E6F6D296C0D6FD7@mbx030-w1-co-10.exch030.domain.local>

All,

I've looked in various places and I want to make sure I'm correctly
interpreting things.

What happens if I have two RPZ lines in either the same or different zones?

precise.fqdn.example.com CNAME *.
*.example.com CNAME rpz-passthru.

Which one wins?

I think it is the more specific one (precise.fqdn.example.com).

This is annoying if I want to whitelist the entire example.com domain from
being blocked if it is in an RPZ zone that I get from somewhere else.

In that case is there a way to override the more specific matching rule?

Regards

Francis

Francis Turner
Threat STOP Global SE
Office: +1-760-542-1550 | Cell: +1-760-402-7676
francis at threatstop.com | www.threatstop.com
Weaponize Your Threat Intelligence
"If You Don't Build It, They Definitely Will Not Come" - P. Vixie


From rharolde at umich.edu Tue Jun 5 16:47:13 2018
From: rharolde at umich.edu (Bob Harold)
Date: Tue, 5 Jun 2018 12:47:13 -0400
Subject: [DNSfirewalls] Precedence order of PASSTHRU in RPZ
In-Reply-To: <479F9FCA7AB0AC4C81A9B2CB4E6F6D296C0D6FD7@mbx030-w1-co-10.exch030.domain.local>
References: <479F9FCA7AB0AC4C81A9B2CB4E6F6D296C0D6FD7@mbx030-w1-co-10.exch030.domain.local>
Message-ID:

On Tue, Jun 5, 2018 at 11:47 AM Francis Turner wrote:

> All,
>
> I've looked in various places and I want to make sure I'm correctly
> interpreting things.
>
> What happens if I have two RPZ lines in either the same or different zones?
>
> precise.fqdn.example.com CNAME *.
> *.example.com CNAME rpz-passthru.
>
> Which one wins?
>
> I think it is the more specific one (precise.fqdn.example.com).
> This is annoying if I want to whitelist the entire example.com domain
> from being blocked if it is in an RPZ zone that I get from somewhere else.
>
> In that case is there a way to override the more specific matching rule?
>
> Regards
>
> Francis
>
> Francis Turner
> Threat STOP Global SE
> Office: +1-760-542-1550 | Cell: +1-760-402-7676
> francis at threatstop.com | www.threatstop.com
> Weaponize Your Threat Intelligence
> "If You Don't Build It, They Definitely Will Not Come" - P. Vixie

I think you want to take advantage of the first ordering rule:
"Choose the triggered record in the zone that appears first in the
response-policy option."

response-policy {
    zone "rpz-whitelist.example.com" policy disabled;
    zone "rpz-blacklist.example.com" policy given;
};

rpz-whitelist will always win.

--
Bob Harold


From m3047 at m3047.net Tue Jun 5 17:02:22 2018
From: m3047 at m3047.net (Fred Morris)
Date: Tue, 05 Jun 2018 10:02:22 -0700
Subject: [DNSfirewalls] Precedence order of PASSTHRU in RPZ
In-Reply-To: <479F9FCA7AB0AC4C81A9B2CB4E6F6D296C0D6FD7@mbx030-w1-co-10.exch030.domain.local>
References: <479F9FCA7AB0AC4C81A9B2CB4E6F6D296C0D6FD7@mbx030-w1-co-10.exch030.domain.local>
Message-ID: <5B16C21E.1050307@m3047.net>

1) RPZs are processed in the order declared in the (BIND) config file;
the first one that fires wins.

2) (To my mild surprise) yes, apparently within a zone something more
specific appears to take precedence over a more broadly scoped wildcard.
They are just zones after all...

Best practice IMO is to have a locally managed whitelist declared before
any externally sourced RPZ, and possibly to have a local catchall
blacklist at the end.
--
Fred Morris

On 06/05/2018 08:47 AM, Francis Turner wrote:
> All,
>
> I've looked in various places and I want to make sure I'm correctly interpreting things.
>
> What happens if I have two RPZ lines in either the same or different zones?
>
> precise.fqdn.example.com CNAME *.
> *.example.com CNAME rpz-passthru.
>
> Which one wins?
>
> I think it is the more specific one (precise.fqdn.example.com).
> This is annoying if I want to whitelist the entire example.com domain from being blocked if it is in an RPZ zone that I get from somewhere else.
>
> In that case is there a way to override the more specific matching rule?
>
> Regards
>
> Francis
>


From vjs at rhyolite.com Tue Jun 5 23:43:53 2018
From: vjs at rhyolite.com (Vernon Schryver)
Date: Tue, 5 Jun 2018 23:43:53 GMT
Subject: [DNSfirewalls] Precedence order of PASSTHRU in RPZ
In-Reply-To: <5B16C21E.1050307@m3047.net>
Message-ID: <201806052343.w55NhrEB035245@calcite.rhyolite.com>

> From: Fred Morris
> To: Francis Turner ,
>     "dnsfirewalls at lists.redbarn.org"

> 1) RPZs are processed in the order declared ...

Section 5, "Precedence Rules", of the RPZ draft RFC,
draft-ietf-dnsop-dns-rpz-00, at
https://tools.ietf.org/id/draft-ietf-dnsop-dns-rpz-00.html
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-rpz/history/
and so forth, tries to specify the zone application rules in agonizing
detail. I think that text is more complete and accurate than my previous
efforts and their descendants in the BIND ARM. It might be more readable.

> Best practice IMO is to have a locally managed whitelist declared before
> any externally sourced RPZ,

I agree with that.

> and possibly to have a local catchall
> blacklist at the end.

Catch-all lists of all kinds, including black and white, for any
firewall-like scheme tend to be sharp and dangerous tools.
I'm not smart enough to use RPZ catch-all blacklists.
Vernon Schryver
vjs at rhyolite.com


From rharolde at umich.edu Wed Jun 6 13:34:07 2018
From: rharolde at umich.edu (Bob Harold)
Date: Wed, 6 Jun 2018 09:34:07 -0400
Subject: [DNSfirewalls] Precedence order of PASSTHRU in RPZ
In-Reply-To:
References: <479F9FCA7AB0AC4C81A9B2CB4E6F6D296C0D6FD7@mbx030-w1-co-10.exch030.domain.local>
Message-ID:

On Tue, Jun 5, 2018 at 12:47 PM Bob Harold wrote:

>
> On Tue, Jun 5, 2018 at 11:47 AM Francis Turner wrote:
>
>> All,
>>
>> I've looked in various places and I want to make sure I'm correctly
>> interpreting things.
>>
>> What happens if I have two RPZ lines in either the same or different
>> zones?
>>
>> precise.fqdn.example.com CNAME *.
>> *.example.com CNAME rpz-passthru.
>>
>> Which one wins?
>>
>> I think it is the more specific one (precise.fqdn.example.com).
>>
>> This is annoying if I want to whitelist the entire example.com domain
>> from being blocked if it is in an RPZ zone that I get from somewhere else.
>>
>> In that case is there a way to override the more specific matching rule?
>>
>> Regards
>>
>> Francis
>>
>> Francis Turner
>> Threat STOP Global SE
>> Office: +1-760-542-1550 | Cell: +1-760-402-7676
>> francis at threatstop.com | www.threatstop.com
>> Weaponize Your Threat Intelligence
>> "If You Don't Build It, They Definitely Will Not Come" - P. Vixie
>>
>
> I think you want to take advantage of the first ordering rule:
> "Choose the triggered record in the zone that appears first in the
> response-policy option."
>
> response-policy {
>     zone "rpz-whitelist.example.com" policy disabled;
>     zone "rpz-blacklist.example.com" policy given;
> };
>
> rpz-whitelist will always win.
>
> --
> Bob Harold
>

Reading Vernon's answer, this needs to be "passthru" instead of "disabled".
I have not actually tested this.
response-policy {
    zone "rpz-whitelist.example.com" policy passthru;
    zone "rpz-blacklist.example.com" policy given;
};

--
Bob Harold
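The two precedence rules discussed in the thread (Fred's "first zone that fires wins" and "more specific beats wildcard within a zone") and Bob's corrected whitelist-first configuration, modelled as an added example; this is not code from the thread or from BIND. Assumptions: zones are tried in response-policy order, an exact-name trigger beats any wildcard in the same zone, a zone policy other than "given" replaces the record's action, and a "disabled" zone only logs its hit so the search continues (the zone and record names are constructed to mirror the thread).

```python
from typing import Dict, List, Optional, Tuple

# CNAME targets RPZ uses to encode actions (the thread uses "*." and "rpz-passthru.").
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

Zone = Tuple[str, str, Dict[str, str]]   # (zone name, zone policy, {trigger: CNAME target})


def match_in_zone(qname: str, records: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Most specific QNAME trigger in one zone: the exact name first, then the
    wildcard with the most labels (*.fqdn.example.com before *.example.com)."""
    q = qname.rstrip(".").lower()
    if q in records:
        return q, ACTIONS.get(records[q], records[q])
    labels = q.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in records:
            return wild, ACTIONS.get(records[wild], records[wild])
    return None


def rpz_decide(qname: str, policy: List[Zone]) -> Optional[Tuple[str, str, str]]:
    """Apply zones in response-policy order; the first zone whose trigger fires
    wins, so a later zone's more specific record is never consulted. A zone
    policy other than "given" overrides the record's own action. Assumption of
    this model: a "disabled" zone only logs its hit and the search continues."""
    for zone, zone_policy, records in policy:
        hit = match_in_zone(qname, records)
        if hit is None:
            continue
        trigger, action = hit
        if zone_policy == "disabled":
            print(f"{zone}: {qname} matched {trigger} (disabled, logged only)")
            continue
        if zone_policy != "given":
            action = zone_policy.upper()
        return zone, trigger, action
    return None


# Constructed sample zones mirroring the thread's records and Bob's corrected config.
BLACKLIST: Zone = ("rpz-blacklist.example.com", "given",
                   {"precise.fqdn.example.com": "*.", "*.example.com": "rpz-passthru."})
WHITELIST: Zone = ("rpz-whitelist.example.com", "passthru", {"*.example.com": "rpz-passthru."})

if __name__ == "__main__":
    print(rpz_decide("precise.fqdn.example.com", [BLACKLIST]))             # exact record wins: NODATA
    print(rpz_decide("precise.fqdn.example.com", [WHITELIST, BLACKLIST]))  # whitelist zone first: PASSTHRU
```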