[DNSfirewalls] Precedence order of PASSTHRU in RPZ

Bob Harold rharolde at umich.edu
Tue Jun 5 16:47:13 UTC 2018


On Tue, Jun 5, 2018 at 11:47 AM Francis Turner <francis at threatstop.com>
wrote:

> All,
>
> I’ve looked in various places and I want to make sure I’m correctly
> interpreting things
>
> What happens if I have two RPZ lines in either the same or different zones?
>
> precise.fqdn.example.com CNAME *.
> *.example.com CNAME rpz-passthru.
>
> Which one wins?
>
> I think it is the more specific one (precise.fqdn.example.com).
>
> This is annoying if I want to whitelist the entire example.com domain
> from being blocked if it is in an RPZ zone that I get from somewhere else.
>
> In that case is there a way to override the more specific matching rule?
>
> Regards
>
> Francis
>
> *Francis Turner*
>
> Threat STOP Global SE
>
> Office: +1-760-542-1550 | Cell: +1-760-402-7676
>
> francis at threatstop.com | www.threatstop.com
>
> *Weaponize Your Threat Intelligence*
>
> “If You Don’t Build It, They Definitely Will Not Come” – P. Vixie
>

I think you want to take advantage of the first ordering rule:
"Choose the triggered record in the zone that appears first in the
response-policy option."

  response-policy {
      zone "rpz-whitelist.example.com" policy disabled;
      zone "rpz-blacklist.example.com" policy given;
  };

rpz-whitelist will always win.

-- 
Bob Harold
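The two rules the thread turns on can be checked offline with a small model. The block below is an added example written for this archive page; it is not BIND code and not code from either poster. It assumes only QNAME triggers, and it assumes the ordering BIND documents for them: the zone listed first in `response-policy` wins outright, and within one zone a trigger is looked up like an ordinary DNS owner name, so an exact name beats a wildcard and a wildcard applies only at the closest enclosing name that exists in the zone (RFC 4592 wildcard rules). Zone names, record sets and the `resolve()`/`PolicyZone` helpers are constructed for the illustration.

```python
# Toy model of how a resolver picks among RPZ QNAME triggers.
# Added example for this thread, not BIND's own code.
# Assumptions: QNAME triggers only; (1) the zone listed first in
# response-policy decides; (2) inside a zone an exact owner name beats a
# wildcard, and a wildcard matches only at the closest existing encloser
# (RFC 4592), exactly as in a normal DNS zone lookup.
from typing import Optional


def _labels(name: str) -> list[str]:
    """Split an absolute or relative name into lower-case labels."""
    return name.rstrip(".").lower().split(".")


def action_for(target: str) -> str:
    """Map the CNAME target of an RPZ record to the action it encodes."""
    t = target.lower()
    if t == "rpz-passthru.":
        return "PASSTHRU"        # answer normally; policy search stops here
    if t == ".":
        return "NXDOMAIN"
    if t == "*.":
        return "NODATA"
    if t == "rpz-drop.":
        return "DROP"
    return "CNAME " + target     # walled-garden rewrite to the given target


class PolicyZone:
    """One RPZ zone: owner name -> CNAME target, plus a per-zone override
    like BIND's  zone "..." policy passthru;  ('given' = use each record)."""

    def __init__(self, name: str, records: dict[str, str], policy: str = "given"):
        self.name = name
        self.policy = policy.lower()
        self.records = {k.rstrip(".").lower(): v for k, v in records.items()}
        # Every owner name and each of its ancestors "exists" for wildcard
        # purposes (empty non-terminals): *.example.com makes example.com
        # exist, and precise.fqdn.example.com makes fqdn.example.com exist.
        self.existing: set[str] = set()
        for owner in self.records:
            ls = _labels(owner)
            for i in range(len(ls)):
                self.existing.add(".".join(ls[i:]))

    def match(self, qname: str) -> Optional[tuple[str, str]]:
        """Return (trigger owner, CNAME target) for qname, or None."""
        q = qname.rstrip(".").lower()
        if q in self.records:               # exact owner name always wins
            return q, self.records[q]
        ls = _labels(q)
        for i in range(1, len(ls)):         # walk up to the closest encloser
            ancestor = ".".join(ls[i:])
            if ancestor in self.existing:
                wildcard = "*." + ancestor
                if wildcard in self.records:
                    return wildcard, self.records[wildcard]
                return None                 # encloser exists, no wildcard there
        return None

    def action(self, target: str) -> str:
        return action_for(target) if self.policy == "given" else self.policy.upper()


def resolve(zones: list[PolicyZone], qname: str) -> Optional[tuple[str, str, str]]:
    """Walk zones in response-policy order; the first zone holding a trigger
    for qname decides. Returns (zone, trigger, action) or None."""
    for zone in zones:
        hit = zone.match(qname)
        if hit is not None:
            trigger, target = hit
            return zone.name, trigger, zone.action(target)
    return None


if __name__ == "__main__":
    # Constructed data mirroring the two records in the question.
    blacklist = PolicyZone("rpz-blacklist.example.com", {
        "precise.fqdn.example.com": "*.",       # NODATA
        "*.example.com": "rpz-passthru.",
    })
    whitelist = PolicyZone("rpz-whitelist.example.com", {
        "*.example.com": "rpz-passthru.",
        "example.com": "rpz-passthru.",         # the wildcard does not cover the apex
    })
    print(resolve([blacklist], "precise.fqdn.example.com"))             # exact beats wildcard: NODATA
    print(resolve([whitelist, blacklist], "precise.fqdn.example.com"))  # whitelist first: PASSTHRU
    print(resolve([blacklist, whitelist], "precise.fqdn.example.com"))  # reversed: NODATA again
```

Two things the model makes visible that are easy to miss when writing a whitelist zone: `*.example.com` never matches `example.com` itself, so the apex needs its own record; and because `precise.fqdn.example.com` in the blacklist makes `fqdn.example.com` an existing (empty) name, `*.example.com` in that same zone does not match `other.fqdn.example.com` either. The model covers `policy given` and explicit per-zone overrides such as `passthru`; it does not model `disabled`, so check the BIND ARM for what that setting does before relying on it as a whitelist mechanism.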